Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Fixes CVE-2019-14857 (Open redirect in logout url when using URLs with
backslashes) by improving validation of the post-logout URL parameter
(backported from upstream, see https://salsa.debian.org/debian/libapache2-mod-
auth-openidc/commit/17e31b94a71ef02d1417bee6b0ef7b7379b40375)
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (700, 'stable-updates'), (700, 'stable'), (60, 'testing'), (50,
'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
libapache2-mod-auth-openidc-2.3.10.2/debian/changelog
--- libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-01-29
21:40:30.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/changelog 2019-11-27
11:09:17.000000000 +0100
@@ -1,3 +1,10 @@
+libapache2-mod-auth-openidc (2.3.10.2-1+deb10u1) buster; urgency=medium
+
+ * Add patch for CVE-2019-14857
+ (Closes: #942165)
+
+ -- Moritz Schlarb <schla...@uni-mainz.de> Wed, 27 Nov 2019 11:09:17 +0100
+
libapache2-mod-auth-openidc (2.3.10.2-1) unstable; urgency=medium
* New upstream version 2.3.10.2
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf
libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf 2019-01-29
21:40:30.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/gbp.conf 2019-11-27
11:08:14.000000000 +0100
@@ -1,2 +1,3 @@
[DEFAULT]
pristine-tar = True
+debian-branch = buster
diff -Nru
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
---
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
1970-01-01 01:00:00.000000000 +0100
+++
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/0002-improve-validation-of-the-post-logout-URL-parameter-.patch
2019-11-27 11:08:14.000000000 +0100
@@ -0,0 +1,137 @@
+From: Moritz Schlarb <schla...@uni-mainz.de>
+Date: Wed, 16 Oct 2019 10:53:49 +0200
+Subject: improve validation of the post-logout URL parameter on logout
+
+From https://github.com/zmartzone/mod_auth_openidc/compare/5c15dfb~1...v2.4.0.3
+
+Fixes https://security-tracker.debian.org/tracker/CVE-2019-14857
+---
+ src/mod_auth_openidc.c | 101 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 63 insertions(+), 38 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 5b971d5..916d60d 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2938,6 +2938,61 @@ out:
+ return rc;
+ }
+
++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char
*url,
++ char **err_str, char **err_desc) {
++ apr_uri_t uri;
++ const char *c_host = NULL;
++
++ if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s",
url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ c_host = oidc_get_current_url_host(r);
++ if ((uri.hostname != NULL)
++ && ((strstr(c_host, uri.hostname) == NULL)
++ || (strstr(uri.hostname, c_host) ==
NULL))) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" does not
match the hostname of the current request \"%s\"",
++ apr_uri_unparse(r->pool, &uri,
0), c_host);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and it
does not seem to be relative, i.e starting with '/': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and
starting with '//': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ /* validate the URL to prevent HTTP header splitting */
++ if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" contains
illegal \"\n\" or \"\r\" character(s)",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
+ /*
+ * perform (single) logout
+ */
+@@ -2946,6 +3001,9 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg
*c,
+
+ /* pickup the command or URL where the user wants to go after logout */
+ char *url = NULL;
++ char *error_str = NULL;
++ char *error_description = NULL;
++
+ oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT,
&url);
+
+ oidc_debug(r, "enter (url=%s)", url);
+@@ -2963,44 +3021,11 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg
*c,
+ } else {
+
+ /* do input validation on the logout parameter value */
+-
+- const char *error_description = NULL;
+- apr_uri_t uri;
+-
+- if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
+- const char *error_description = apr_psprintf(r->pool,
+- "Logout URL malformed: %s", url);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Malformed URL", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
+-
+- }
+-
+- const char *c_host = oidc_get_current_url_host(r);
+- if ((uri.hostname != NULL)
+- && ((strstr(c_host, uri.hostname) == NULL)
+- || (strstr(uri.hostname,
c_host) == NULL))) {
+- error_description =
+- apr_psprintf(r->pool,
+- "logout value \"%s\"
does not match the hostname of the current request \"%s\"",
+-
apr_uri_unparse(r->pool, &uri, 0), c_host);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Invalid Request", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
+- }
+-
+- /* validate the URL to prevent HTTP header splitting */
+- if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL))
{
+- error_description =
+- apr_psprintf(r->pool,
+- "logout value \"%s\"
contains illegal \"\n\" or \"\r\" character(s)",
+- url);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Invalid Request", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
++ if (oidc_validate_post_logout_url(r, url, &error_str,
++ &error_description) == FALSE) {
++ return oidc_util_html_send_error(r, c->error_template,
error_str,
++ error_description,
++ HTTP_BAD_REQUEST);
+ }
+ }
+
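Review bot: The new `oidc_validate_post_logout_url` rejects a hostless value that starts with `//` but has no branch for one that starts with `/\`; apr_uri_parse would presumably leave `uri.hostname` NULL for such input and it passes the leading-`/` test, yet most browsers normalise a leading slash-backslash to `//`, so a redirect to another host can still slip through even though backslashes are what this report's own title is about. A branch mirroring the `//` case, `} else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {`, with the same "Malformed URL" error handling would close that gap, and rejecting any `\` in a hostless URL would be the more conservative choice. Separately, `strstr(c_host, uri.hostname)` relies on `oidc_get_current_url_host()` never returning NULL, which nothing in this hunk establishes; if it can, a NULL guard before the comparison is needed. The call-site hunk in `oidc_handle_logout` starts and ends outside that function, so only the switch to `HTTP_BAD_REQUEST` and the two new locals are visible here.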
diff -Nru libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series
libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series
--- libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series 2019-01-29
21:40:30.000000000 +0100
+++ libapache2-mod-auth-openidc-2.3.10.2/debian/patches/series 2019-11-27
11:08:14.000000000 +0100
@@ -1 +1,2 @@
fix-parallel-build.patch
+0002-improve-validation-of-the-post-logout-URL-parameter-.patch