Hi LTS Team,

I have prepared a fixed version of the package by backporting the upstream
patch to bookworm and bullseye.
For the latter, please see the attached debdiff to check for good practice and
please advise me how to continue, since this is my first security fix in LTS
land. ;)

Thanks,
Moritz

On Tue, 2025-04-08 at 22:05 +0200, Salvatore Bonaccorso wrote:
> Source: libapache2-mod-auth-openidc
> Version: 2.4.16.10-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> <t...@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for libapache2-mod-auth-openidc.
> 
> CVE-2025-31492[0]:
> > mod_auth_openidc is an OpenID Certified authentication and
> > authorization module for the Apache 2.x HTTP server that implements
> > the OpenID Connect Relying Party functionality. Prior to 2.4.16.11,
> > a bug in mod_auth_openidc results in disclosure of protected
> > content to unauthenticated users. The conditions for disclosure are
> > an OIDCProviderAuthRequestMethod POST, a valid account, and there
> > mustn't be any application-level gateway (or load balancer etc)
> > protecting the server. When you request a protected resource, the
> > response includes the HTTP status, the HTTP headers, the intended
> > response (the self-submitting form), and the protected resource
> > (with no headers). This is an example of a request for a protected
> > resource, including all the data returned. In the case where
> > mod_auth_openidc returns a form, it has to return OK from
> > check_userid so as not to go down the error path in httpd. This
> > means httpd will try to issue the protected resource.
> > oidc_content_handler is called early, which has the opportunity to
> > prevent the normal output being issued by httpd.
> > oidc_content_handler has a number of checks for when it intervenes,
> > but it doesn't check for this case, so the handler returns DECLINED.
> > Consequently, httpd appends the protected content to the response.
> > The issue has been patched in mod_auth_openidc versions >=
> > 2.4.16.11.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2025-31492
>     https://www.cve.org/CVERecord?id=CVE-2025-31492
> [1]
> https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
> [2]
> https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog	2024-04-18 14:27:26.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog	2025-04-16 11:13:22.000000000 +0200
@@ -1,3 +1,13 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u5) bullseye-security; urgency=high
+
+  * Fix CVE-2025-31492
+    "protected content leakage when using OIDCProviderAuthRequestMethod POST"
+    Backported applicable portions from upstream fix in
+    https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
+    (Closes: #1102413)
+
+ -- Moritz Schlarb <mosch...@debian.org>  Wed, 16 Apr 2025 11:13:22 +0200
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
 
   * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
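Review bot: the new entry's first line reads "Fix CVE-2025-31492" with the title on a separate quoted line, while the previous deb11u4 entry uses the one-line "CVE-2024-24814: description" form; either satisfies the request to have the CVE id in the changelog, but keeping the same shape across security entries makes the log easier to scan. "bullseye-security" with urgency=high is the right target for an LTS upload.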
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0005-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0005-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0005-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch	1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0005-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch	2025-04-16 11:12:44.000000000 +0200
@@ -0,0 +1,90 @@
+From: Moritz Schlarb <schla...@uni-mainz.de>
+Date: Wed, 16 Apr 2025 10:53:13 +0200
+Subject: Fix CVE-2025-31492 "protected content leakage when using
+ OIDCProviderAuthRequestMethod POST"
+
+Backported applicable portions from upstream fix in
+https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
+---
+ src/mod_auth_openidc.c |  6 +++++-
+ src/mod_auth_openidc.h |  3 ++-
+ src/proto.c            | 14 +++++++++-----
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
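Review bot: the patch header carries only From/Date/Subject and a free-text provenance line; adding the DEP-3 fields makes that provenance machine-readable and is what reviewers expect in debian/patches, e.g. `Origin: backport, https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127`, `Bug: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r` and `Bug-Debian: https://bugs.debian.org/1102413`. "Backported applicable portions" should also say which parts of the upstream commit were left out and why, so the next person touching this file does not have to diff against upstream to find out.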
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 3e9147b..261708b 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -4257,7 +4257,11 @@ int oidc_content_handler(request_rec *r) {
+ 
+ 			rc = oidc_discovery(r, c);
+ 
+-		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
++		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
++
++			rc = OK;
++
++		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+ 
+ 			rc = OK;
+ 
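Review bot: the new OIDC_REQUEST_STATE_KEY_AUTHN_POST branch and the renamed OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE branch both just set rc = OK, so after this hunk the handler treats them identically; that is what closes the leak (the handler no longer falls through to DECLINED once the auto-submit form has already been written), but a one-line comment in the POST branch saying that the HTML response was already sent from oidc_proto_authorization_request would document why OK is correct there, and the preserve branch deserves the same. Also check the conditions that guard this `else if` chain (above the hunk context) to confirm a request carrying the POST key actually reaches it; if an earlier test in oidc_content_handler bails out first, the fix is silently bypassed.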
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index 8757411..d2792e8 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -88,7 +88,8 @@ APLOG_USE_MODULE(auth_openidc);
+ #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
+ #define OIDC_REQUEST_STATE_KEY_CLAIMS  "c"
+ #define OIDC_REQUEST_STATE_KEY_DISCOVERY  "d"
+-#define OIDC_REQUEST_STATE_KEY_AUTHN  "a"
++#define OIDC_REQUEST_STATE_KEY_AUTHN_POST  "a"
++#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE  "p"
+ 
+ /* parameter name of the callback URL in the discovery response */
+ #define OIDC_DISC_CB_PARAM "oidc_callback"
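Review bot: the rename removes OIDC_REQUEST_STATE_KEY_AUTHN outright and reuses its key letter "a" for AUTHN_POST while the preserve case gets a new "p". The request state is request-scoped, so reusing "a" for a different meaning cannot clash with anything stored elsewhere, but these are opaque one-character keys, so "p" must not collide with any other OIDC_REQUEST_STATE_KEY_* define outside the context shown (only "i", "c" and "d" are visible here); a quick look at the full define list in this header settles that. Because the old name is dropped rather than kept as an alias, any remaining user of OIDC_REQUEST_STATE_KEY_AUTHN in files this patch does not touch will fail to compile, which is the desired check.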
+diff --git a/src/proto.c b/src/proto.c
+index fd346d9..0fea511 100644
+--- a/src/proto.c
++++ b/src/proto.c
+@@ -591,7 +591,7 @@ static int oidc_proto_add_form_post_param(void *rec, const char *key,
+ /*
+  * make the browser POST parameters through Javascript auto-submit
+  */
+-static int oidc_proto_html_post(request_rec *r, const char *url,
++static void oidc_proto_html_post(request_rec *r, const char *url,
+ 		apr_table_t *params) {
+ 
+ 	oidc_debug(r, "enter");
+@@ -607,7 +607,7 @@ static int oidc_proto_html_post(request_rec *r, const char *url,
+ 	html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "      </p>\n"
+ 			"    </form>\n");
+ 
+-	return oidc_util_html_send(r, "Submitting...", NULL,
++	oidc_util_html_send(r, "Submitting...", NULL,
+ 			"document.forms[0].submit", html_body, OK);
+ }
+ 
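Review bot: discarding the return value of oidc_util_html_send here (together with the int-to-void change in the previous hunk) is safe because the call passes OK as its status, so the value that used to be returned is the same OK the caller now hard-codes into rv; nothing is lost, but it would be worth a comment above oidc_proto_html_post saying that it writes the response body directly and that the caller is therefore responsible for telling oidc_content_handler to stay silent. The existing comment "make the browser POST parameters through Javascript auto-submit" describes only the page, not that side effect.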
+@@ -739,8 +739,12 @@ int oidc_proto_authorization_request(request_rec *r,
+ 	if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
+ 
+ 		/* construct a HTML POST auto-submit page with the authorization request parameters */
+-		rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
+-				params);
++		oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
++
++		/* signal this to the content handler */
++		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
++		r->user = "";
++		rv = OK;
+ 
+ 	} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
+ 
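Review bot: the ordering here is right and mirrors the preserve branch below: the form body is written first, then OIDC_REQUEST_STATE_KEY_AUTHN_POST is set, r->user is set to the empty string and rv = OK. Returning OK from the authentication hook with an empty r->user means httpd continues into the authorization and handler phases for this request, so the fix depends entirely on oidc_content_handler answering OK for this key; any handler that runs ahead of it, or anything that writes output in between, would still leak. Suggested test before upload: with `OIDCProviderAuthRequestMethod POST`, fetch a protected URL without a session and confirm the body ends with the auto-submit form and that Content-Length matches what was sent, then repeat with the GET method to make sure that path is unchanged.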
+@@ -762,7 +766,7 @@ int oidc_proto_authorization_request(request_rec *r,
+ 		} else {
+ 
+ 			/* signal this to the content handler */
+-			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
++			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
+ 			r->user = "";
+ 			rv = OK;
+ 
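Review bot: this hunk is a rename only and keeps behaviour, but the comment "signal this to the content handler" now appears twice with two different keys that the handler treats identically; saying in each branch what is being signalled (here: the preserve-POST page has already been sent) would tell a reader why two keys exist at all.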
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series	2024-04-18 14:25:19.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series	2025-04-16 11:12:44.000000000 +0200
@@ -2,3 +2,4 @@
 0002-Fix-CVE-2022-23527-prevent-open-redirect.patch
 0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 0004-fix-DoS-CVE-2024-24814.patch
+0005-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch
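As an added check for the mechanism the bug report spells out (check_userid returns OK, oidc_content_handler declines, httpd appends the protected resource after the auto-submit form), here is a small Python script that inspects a raw HTTP response for exactly that pattern. It is not part of the report, the package or the upstream project. The sample responses and the form markup are constructed; the only piece taken from the module is the `document.forms[0].submit` string passed to oidc_util_html_send in the patch, and the idea that the form's Content-Length covers only the form is an assumption about the module's output, not something the report states.

```python
"""Detect the CVE-2025-31492 leak pattern in a raw HTTP response.

Added example, not code from the bug report, the Debian package or
mod_auth_openidc itself. Reads a saved response (e.g. `curl -si URL > resp.txt`)
or, with no argument, runs against the constructed samples below.
"""
import sys

# Constructed approximation of the auto-submit form for
# OIDCProviderAuthRequestMethod POST. Only "document.forms[0].submit" is taken
# from the module (the oidc_util_html_send call in the patch); the rest is a
# plausible stand-in, not the module's real markup.
AUTOSUBMIT_FORM = (
    b"<!DOCTYPE HTML>\n<html>\n<head>\n<title>Submitting...</title>\n"
    b'<script type="text/javascript">\n'
    b"function oidc_submit() { document.forms[0].submit(); }\n"
    b"</script>\n</head>\n"
    b'<body onload="oidc_submit()">\n'
    b'<form method="post" action="https://op.example/authorize">\n'
    b'<input type="hidden" name="response_type" value="code">\n'
    b'<input type="hidden" name="client_id" value="example-client">\n'
    b"</form>\n</body>\n</html>\n"
)

# Constructed stand-in for the protected resource httpd appends after the form.
PROTECTED_RESOURCE = b"<html><body>internal payroll figures</body></html>\n"


def _response(*parts):
    """Raw HTTP/1.1 response whose headers describe only the first part, the
    way the form's own headers would; later parts follow with no headers
    (assumption about the module's output, see lead-in)."""
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(parts[0]))
    return head + b"".join(parts)


VULNERABLE_RESPONSE = _response(AUTOSUBMIT_FORM, PROTECTED_RESOURCE)
FIXED_RESPONSE = _response(AUTOSUBMIT_FORM)


def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def content_after_form(body):
    """Bytes following the first complete HTML document in the body."""
    end = body.lower().find(b"</html>")
    if end < 0:
        return b""
    return body[end + len(b"</html>"):].strip()


def leaked_content(raw):
    """Return whatever was appended after the auto-submit form, or b'' when the
    response is clean or is not the auto-submit form at all."""
    _, headers, body = parse_response(raw)
    if b"document.forms[0].submit" not in body:
        return b""
    leak = content_after_form(body)
    declared = headers.get(b"content-length")
    if not leak and declared is not None and int(declared) < len(body):
        # The form's Content-Length covers less than was sent: everything past
        # the declared length was appended without headers.
        leak = body[int(declared):].strip()
    return leak


def is_vulnerable(raw):
    """True when protected content trails the auto-submit form."""
    return bool(leaked_content(raw))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("vulnerable sample", VULNERABLE_RESPONSE),
                   ("fixed sample", FIXED_RESPONSE)]
    for name, raw in samples:
        leak = leaked_content(raw)
        verdict = "LEAK: " + repr(leak[:60]) if leak else "clean"
        print(f"{name}: {verdict}")
```

Run it against a saved `curl -si` capture of a protected URL fetched without a session, before and after installing the fixed package; a clean result after the upgrade, together with a Content-Length that matches the body, is the confirmation the changelog entry is claiming.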
