Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
This pu adds an (upstream) patch to fix a segfault when using the apache module.
More information provided by upstream is at:
https://github.com/OpenIDC/mod_auth_openidc/discussions/1233

[ Impact ]
Segfaulting Apache processes when requests don't have the forwarded headers set

[ Tests ]
Testsuite (includes a test specific for this problem) passes; manually tested the package.

[ Risks ]
Actual code change is three lines:
https://github.com/OpenIDC/mod_auth_openidc/commit/c2f200fb246f546e07c91f04e82345793af0c7c0

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Properly check for null pointers in function arguments and return value.

[ Other info ]
Closes: #1076429
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog libapache2-mod-auth-openidc-2.4.12.3/debian/changelog --- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-04-18 14:20:00.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-07-23 10:47:49.000000000 +0200 @@ -1,3 +1,10 @@ +libapache2-mod-auth-openidc (2.4.12.3-2+deb12u2) bookworm; urgency=medium + + * Add patch for "oidc_check_x_forwarded_hdr check segfaults" + (Closes: #1076429) + + -- Moritz Schlarb <schla...@uni-mainz.de> Tue, 23 Jul 2024 10:47:49 +0200 + libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch --- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch 2024-07-23 10:47:23.000000000 +0200 
@@ -0,0 +1,50 @@ +From: Moritz Schlarb <schla...@uni-mainz.de> +Date: Mon, 22 Jul 2024 14:16:02 +0200 +Subject: avoid crash when the Forwarded header is not present + +but OIDCXForwardedHeaders is configured for it; see #1171; thanks +@daviddpd + +Signed-off-by: Hans Zandbelt <hans.zandb...@openidc.com> +--- + src/util.c | 4 +++- + test/test.c | 4 ++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/util.c b/src/util.c +index 7a86c24..8bcfb94 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -437,6 +437,8 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) { + char* oidc_util_strcasestr(const char *s1, const char *s2) { + const char *s = s1; + const char *p = s2; ++ if ((s == NULL) || (p == NULL)) ++ return NULL; + do { + if (!*p) + return (char*) s1; +@@ -468,7 +470,7 @@ static const char* oidc_util_hdr_forwarded_get(const request_rec *r, const char + if (ptr) + *ptr = '\0'; + } +- return apr_pstrdup(r->pool, value); ++ return value ? apr_pstrdup(r->pool, value) : NULL; + } + + /* +diff --git a/test/test.c b/test/test.c +index 714f523..c75a940 100755 +--- a/test/test.c ++++ b/test/test.c +@@ -1343,6 +1343,10 @@ static char * test_current_url(request_rec *r) { + + apr_table_unset(r->headers_in, "Forwarded"); + ++ // it should not crash when Forwarded is not present ++ url = oidc_get_current_url(r, OIDC_HDR_FORWARDED); ++ TST_ASSERT_STR("test_current_url (16)", url, "https://www.example.com/private/?foo=bar¶m1=value1"); ++ + apr_table_set(r->headers_in, "Host", "www.example.com"); + + return 0; diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series --- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-04-18 14:20:00.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-07-23 10:47:23.000000000 +0200 
@@ -1,2 +1,3 @@ 0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 0002-fix-DoS-CVE-2024-24814.patch +0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch
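Review bot: the debian/changelog entry names the symptom ("oidc_check_x_forwarded_hdr check segfaults") but not the upstream origin of the fix; since the pu request already cites upstream commit c2f200fb246f546e07c91f04e82345793af0c7c0 and upstream issue #1171 appears in the patch header, adding one of those references to the changelog line would let a reader of the binary package's changelog trace the patch without opening the bug.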
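Review bot: in the src/util.c hunk for oidc_util_strcasestr, the added `if ((s == NULL) || (p == NULL)) return NULL;` is the actual crash fix, because the `do { if (!*p) ...` loop that follows dereferences both pointers unconditionally and a missing Forwarded header hands a NULL haystack to this function. Worth noting in the function's comment that, unlike a standard strstr-style contract where NULL arguments are undefined behaviour, this helper now defines NULL-in as NULL-out, so future callers do not add their own redundant checks or rely on the "empty needle matches at s1" behaviour for a NULL needle.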
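Review bot: the second src/util.c hunk, `return value ? apr_pstrdup(r->pool, value) : NULL;` in oidc_util_hdr_forwarded_get, is defensive rather than necessary: apr_pstrdup already returns NULL when passed a NULL string, so this line alone would not have prevented the segfault. It is harmless and makes the NULL-returning contract of the function explicit at the return site, which is reasonable for a stable update; a one-line comment saying that the NULL case is reachable when the Forwarded header (or the requested element) is absent would make the intent clearer than the bare ternary. Note also that the visible `if (ptr) *ptr = '\0';` truncates the matched value in place, which is pre-existing behaviour and not changed by this patch.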
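Review bot: the test/test.c hunk only exercises the "Forwarded header entirely absent" case (it runs right after `apr_table_unset(r->headers_in, "Forwarded")`), which is the reported crash, but the NULL guard added to oidc_util_strcasestr covers both arguments; a second assertion with a Forwarded header present but lacking the requested element (so the not-found path in oidc_util_hdr_forwarded_get returns NULL) would pin down that the fallback URL is produced in both branches rather than just the one from the bug report. Separately, the expected string in the new TST_ASSERT_STR line reads `?foo=bar¶m1=value1` in this debdiff as rendered here; that looks like `&param1` being mangled into a pilcrow by the mail or bug-tracker rendering rather than the patch file itself, but the applied patch should be checked to confirm the literal is `&param1=value1`, otherwise the test would fail against the real URL.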