Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, Debian Security Team <t...@security.debian.org>
Control: affects -1 + src:libapache2-mod-auth-openidc
[ Reason ]
Backported the redirect URL validations from upstream version 2.4.12.2, which include a fix for CVE-2022-23527[1]:

> Versions prior to 2.4.12.2 are vulnerable to Open Redirect.
> When providing a logout parameter to the redirect URI, the
> existing code in oidc_validate_redirect_url() does not properly
> check for URLs that start with /\t, leading to an open redirect.

[ Impact ]
> Users unable to upgrade can mitigate the issue by configuring
> mod_auth_openidc to only allow redirection when the destination
> matches a given regular expression with OIDCRedirectURLsAllowed.

[ Tests ]
Manually tested the package with the fix on our infrastructure, no problems found.

[ Risks ]
Since I backported the whole check block, which includes more checks than just the one for the tab character, the change in this p-u is not quite minimal, but all the other checks do serve a security-enhancement purpose, so I think it's worth having them. And the whole block of code has already been checked by more people.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
- Backported the whole URL check block in oidc_validate_redirect_url from the latest version 2.4.12.2 [2]
- Also backported the new helper function oidc_util_strcasestr as a dependency

[ Other info ]
(Anything else the release team should know.)

[1]: https://security-tracker.debian.org/tracker/CVE-2022-23527
[2]: https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog libapache2-mod-auth-openidc-2.4.9.4/debian/changelog --- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2022-02-23 12:16:08.000000000 +0100 +++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2022-12-20 12:20:52.000000000 +0100 @@ -1,3 +1,12 @@ +libapache2-mod-auth-openidc (2.4.9.4-0+deb11u2) bullseye; urgency=medium + + * Backport fix for CVE-2022-23527: prevent open redirect in default setup + when OIDCRedirectURLsAllowed is not configured + see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53 + (Closes: #1026444) + + -- Moritz Schlarb <schla...@uni-mainz.de> Tue, 20 Dec 2022 12:20:52 +0100 + libapache2-mod-auth-openidc (2.4.9.4-0+deb11u1) bullseye; urgency=medium * New upstream version 2.4.9.4 diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch --- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0002-Fix-CVE-2022-23527-prevent-open-redirect.patch 2022-12-20 12:20:03.000000000 +0100 
@@ -0,0 +1,82 @@ +From: Moritz Schlarb <schla...@uni-mainz.de> +Author: Hans Zandbelt <hans.zandb...@zmartzone.eu> +Date: Tue, 20 Dec 2022 12:04:24 +0100 +Subject: Fix CVE-2022-23527: prevent open redirect + +- CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured + see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53 + +Origin: backport, https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8 +Forwarded: not-needed +--- + src/mod_auth_openidc.c | 14 ++++++++++++++ + src/mod_auth_openidc.h | 1 + + src/util.c | 18 ++++++++++++++++++ + 3 files changed, 33 insertions(+) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index b36f6c1..099c716 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c, + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; + } ++ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL) ++ || (strstr(url, "/\t") != NULL) ++ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL) ++ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL) ++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL) ++ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL) ++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL) ++ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL) ++ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) { ++ *err_str = apr_pstrdup(r->pool, "Invalid URL"); ++ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++ } + + return TRUE; + } +diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h +index 
2218d76..8757411 100644 +--- a/src/mod_auth_openidc.h ++++ b/src/mod_auth_openidc.h +@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap + char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename); + apr_byte_t oidc_enabled(request_rec *r); + char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params); ++char* oidc_util_strcasestr(const char *s1, const char *s2); + + /* HTTP header constants */ + #define OIDC_HTTP_HDR_COOKIE "Cookie" +diff --git a/src/util.c b/src/util.c +index 4c46156..c6453d0 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) { + return output; + } + ++char* oidc_util_strcasestr(const char *s1, const char *s2) { ++ const char *s = s1; ++ const char *p = s2; ++ do { ++ if (!*p) ++ return (char*) s1; ++ if ((*p == *s) || (tolower(*p) == tolower(*s))) { ++ ++p; ++ ++s; ++ } else { ++ p = s2; ++ if (!*s) ++ return NULL; ++ s = ++s1; ++ } ++ } while (1); ++ return *p ? NULL : (char*) s1; ++} + + /* + * get the URL scheme that is currently being accessed diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series --- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2022-02-23 12:16:08.000000000 +0100 +++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2022-12-20 12:14:25.000000000 +0100 @@ -1 +1,2 @@ fix-parallel-build.patch +0002-Fix-CVE-2022-23527-prevent-open-redirect.patch
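Review bot: in the src/mod_auth_openidc.c hunk, `strstr(url, "/%5c")` is case-sensitive while the neighbouring `oidc_util_strcasestr(url, "/%2f")` is not, so an uppercase-encoded `/%5C` passes this list even though the literal `/\\` it decodes to is rejected two terms earlier; `oidc_util_strcasestr(url, "/%5c")` would make the two encoded-slash checks consistent. As displayed, two entries also appear twice (`"/〱"` and `"/ー"`): if they are distinct code points (e.g. halfwidth and fullwidth forms) a short comment saying so would stop the next reader from "deduplicating" them, and if they are the same bytes the repeats can go. The hunk carries no regression test for the `/\t` input the CVE text describes and the [ Tests ] section relies on manual testing only; one test case for `/\t` would make the next stable update easier to verify.

Review bot: in the src/mod_auth_openidc.h hunk, the new prototype is written `char* oidc_util_strcasestr(...)` with the asterisk attached to the type, while the surrounding declarations in the same context (`char *oidc_util_get_full_path(...)`, `char *oidc_util_http_form_encoded_data(...)`) attach it to the name; match the file's existing style.

Review bot: in the src/util.c hunk, `tolower(*p)` and `tolower(*s)` in oidc_util_strcasestr are passed a plain `char`; on targets where `char` is signed that is undefined behaviour for bytes above 0x7F, and `url` here can carry UTF-8 (the check list itself contains multibyte entries), so cast through `unsigned char` (`tolower((unsigned char) *p) == tolower((unsigned char) *s)`). The hunk adds no `#include <ctype.h>`, so confirm util.c already has it. The `(*p == *s) ||` term is subsumed by the tolower comparison, and the final `return *p ? NULL : (char*) s1;` after `do { ... } while (1)` is unreachable; both can be dropped.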
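As an added illustration (not code from this bug report, the Debian package or mod_auth_openidc), the script below uses the WHATWG URL parser built into Node.js to show why a redirect target beginning with `/\t` is dangerous: the parser strips ASCII tab and newline before parsing, so `/\t/evil.example` resolves to a different host, and for https URLs a backslash after the leading slash is treated as a slash as well. The "starts with exactly one slash" check is the kind of test such inputs slip past; the origin comparison and the allow-list function that follow are my own sketch of robust alternatives, not the module's logic. The host names `app.example.org` and `evil.example` and the test cases are constructed for the demonstration.

```javascript
// Added example (not from the original page): resolve a redirect candidate
// the way a browser does, using Node's built-in WHATWG URL class, and
// compare a naive validator with an origin-based one.
// Host names below are constructed for this demonstration.
const SITE = 'https://app.example.org/';

// Where a browser would actually navigate when given `candidate` relative
// to `base`. Returns null when the input does not parse at all.
function resolveLikeBrowser(candidate, base = SITE) {
  try {
    return new URL(candidate, base).href;
  } catch {
    return null;
  }
}

// Naive check: "a path is local if it starts with exactly one slash".
// This is the shape of test that /\t... and /\... inputs bypass.
function naiveIsLocalRedirect(candidate) {
  return candidate.startsWith('/') && !candidate.startsWith('//');
}

// Hardened check: parse first, then require that the origin the browser
// would land on equals the site's own origin. Unparsable input, a changed
// scheme (javascript:, http:) or a changed host is refused.
function isLocalRedirect(candidate, base = SITE) {
  let target;
  try {
    target = new URL(candidate, base);
  } catch {
    return false;
  }
  return target.origin === new URL(base).origin;
}

// Allow-list variant in the spirit of an "allowed redirect URLs" regular
// expression setting: the *resolved* URL must match one of the patterns.
// Patterns are anchored by the caller.
function isAllowedRedirect(candidate, patterns, base = SITE) {
  const href = resolveLikeBrowser(candidate, base);
  return href !== null && patterns.some((re) => re.test(href));
}

// Constructed cases: [candidate, description]
const CASES = [
  ['/account', 'plain relative path'],
  ['/\t/evil.example', 'tab after the slash (the CVE-2022-23527 shape)'],
  ['/\\evil.example', 'backslash after the slash'],
  ['//evil.example', 'protocol-relative'],
  ['javascript:alert(1)', 'javascript: scheme'],
  ['https://app.example.org/logout', 'absolute, same origin'],
];

// One row per case: what the browser resolves it to and what each
// validator says about it.
function report() {
  return CASES.map(([candidate, what]) => ({
    candidate: JSON.stringify(candidate),
    what,
    resolvesTo: resolveLikeBrowser(candidate),
    naive: naiveIsLocalRedirect(candidate),
    hardened: isLocalRedirect(candidate),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
}
```

Running it prints a table in which the tab and backslash cases resolve to `https://evil.example/` while the naive validator still reports them as local; the origin check refuses them, as does an allow-list anchored on the site's own scheme and host.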