Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Fixes CVE-2019-14857 (Open redirect in logout url when using URLs with backslashes) by improving validation of the post-logout URL parameter (backported from upstream, see https://salsa.debian.org/debian/libapache2-mod-auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375) -- System Information: Debian Release: 10.2 APT prefers stable-updates APT policy: (700, 'stable-updates'), (700, 'stable'), (60, 'testing'), (50, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-01-29 21:40:30.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-11-27 11:09:17.000000000 +0100
@@ -1,3 +1,10 @@
+libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium
+
+ * Add patch for CVE-2019-14857
+ (Closes: #942165)
+
+ -- Moritz Schlarb <schla...@uni-mainz.de> Wed, 27 Nov 2019 11:09:17 +0100
+
 libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium
 
 * New upstream version 2.3.10.2
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf 2019-01-29 21:40:30.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf 2019-11-27 11:08:14.000000000 +0100
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = buster
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch 1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch 2019-11-27 11:08:14.000000000 +0100
@@ -0,0 +1,137 @@
+From: Moritz Schlarb <schla...@uni-mainz.de>
+Date: Wed, 16 Oct 2019 10:53:49 +0200
+Subject: improve validation of the post-logout URL parameter on logout
+
+From https://github.com/zmartzone/mod_auth_openidc/compare/5c15dfb~1...v2.4.0.3
+
+Fixes https://security-tracker.debian.org/tracker/CVE-2019-14857
+---
+ src/mod_auth_openidc.c | 101 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 63 insertions(+), 38 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 5b971d5..916d60d 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2938,6 +2938,61 @@ out:
+ return rc;
+ }
+ 
++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
++ char **err_str, char **err_desc) {
++ apr_uri_t uri;
++ const char *c_host = NULL;
++
++ if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ c_host = oidc_get_current_url_host(r);
++ if ((uri.hostname != NULL)
++ && ((strstr(c_host, uri.hostname) == NULL)
++ || (strstr(uri.hostname, c_host) == NULL))) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" does not match the hostname of the current request \"%s\"",
++ apr_uri_unparse(r->pool, &uri, 0), c_host);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and starting with '//': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ /* validate the URL to prevent HTTP header splitting */
++ if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
+ /*
+ * perform (single) logout
+ */
+@@ -2946,6 +3001,9 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
+ 
+ /* pickup the command or URL where the user wants to go after logout */
+ char *url = NULL;
++ char *error_str = NULL;
++ char *error_description = NULL;
++
+ oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT, &url);
+ 
+ oidc_debug(r, "enter (url=%s)", url);
+@@ -2963,44 +3021,11 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
+ } else {
+ 
+ /* do input validation on the logout parameter value */
+-
+- const char *error_description = NULL;
+- apr_uri_t uri;
+-
+- if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
+- const char *error_description = apr_psprintf(r->pool,
+- "Logout URL malformed: %s", url);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Malformed URL", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
+-
+- }
+-
+- const char *c_host = oidc_get_current_url_host(r);
+- if ((uri.hostname != NULL)
+- && ((strstr(c_host, uri.hostname) == NULL)
+- || (strstr(uri.hostname, c_host) == NULL))) {
+- error_description =
+- apr_psprintf(r->pool,
+- "logout value \"%s\" does not match the hostname of the current request \"%s\"",
+- apr_uri_unparse(r->pool, &uri, 0), c_host);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Invalid Request", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
+- }
+-
+- /* validate the URL to prevent HTTP header splitting */
+- if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+- error_description =
+- apr_psprintf(r->pool,
+- "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
+- url);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Invalid Request", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
++ if (oidc_validate_post_logout_url(r, url, &error_str,
++ &error_description) == FALSE) {
++ return oidc_util_html_send_error(r, c->error_template, error_str,
++ error_description,
++ HTTP_BAD_REQUEST);
+ }
+ }
+ 
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series 2019-01-29 21:40:30.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series 2019-11-27 11:08:14.000000000 +0100
@@ -1 +1,2 @@
 fix-parallel-build.patch
+0002-improve-validation-of-the-post-logout-URL-parameter-.patch
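Review bot: The new oidc_validate_post_logout_url() never looks at backslashes, although the report above names "URLs with backslashes" as the vector: a value whose path begins with `/\` comes out of apr_uri_parse() with hostname NULL and a path starting with `/`, so it passes both the `strstr(url, "/") != url` and the `strstr(url, "//") == url` branches, while the browser-side handling of `\` as `/` is what the CVE title refers to. The cheapest closure is to validate a copy in which every `\` has been replaced by `/` before apr_uri_parse() runs, so that such a value is parsed as a host and rejected by the existing hostname comparison; the patch header points at an upstream range up to v2.4.0.3, and if that range carries such a normalisation step it has not been brought over here. Separately, the hostname check keeps the mutual strstr() test from the old code, which only passes when the two strings are equal and dereferences c_host without a NULL check; `strcmp(c_host, uri.hostname) != 0`, guarded by `c_host == NULL` if oidc_get_current_url_host() can return NULL, says the same thing directly.
```c
static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
		char **err_str, char **err_desc) {
	apr_uri_t uri;
	const char *c_host = NULL;
	char *norm = NULL;
	size_t i = 0;

	/* browsers read '\' as '/', so parse and check the normalised form;
	 * the raw url is still what the error messages print */
	norm = apr_pstrdup(r->pool, url);
	for (i = 0; norm[i] != '\0'; i++) {
		if (norm[i] == '\\')
			norm[i] = '/';
	}

	if (apr_uri_parse(r->pool, norm, &uri) != APR_SUCCESS) {
	/* … unchanged: error reporting, hostname comparison, the "/" and "//"
	 * prefix tests (now strstr(norm, "/") != norm and strstr(norm, "//") == norm),
	 * CR/LF check, return TRUE … */
```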