Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Lemonldap-ng <2.20.0 is vulnerable to an XSS injection (#1084979, CVE-2024-48933)

[ Impact ]
Low security issue unless the admin changes the default regex for logins

[ Tests ]
Passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add HTML escapes and change autofocus

Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS index 0bb3cc914..0b5732a86 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,16 @@ +lemonldap-ng (2.16.1+ds-deb12u3) UNRELEASED; urgency=medium + + Custom templates maybe vulnerable to XSS injection when default allowed + characters have been changed. To fix this, replace every + + <TMPL_VAR NAME="LOGIN"> + + by + + <TMPL_VAR NAME="LOGIN" ESCAPE=HTML> + + -- Yadd <y...@debian.org> Tue, 15 Oct 2024 19:27:47 +0200 + lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium A feature of OIDC allows the OpenID Provider to fetch the Authorization diff --git a/debian/changelog b/debian/changelog index 148164a94..c0bc25b80 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium + + * Fix XSS issue (Closes: #1084979, CVE-2024-48933) + + -- Yadd <y...@debian.org> Tue, 15 Oct 2024 20:59:06 +0200 + lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium * Fix open redirection when OIDC RP has no redirect uris diff --git a/debian/patches/CVE-2024-48933.patch b/debian/patches/CVE-2024-48933.patch new file mode 100644 index 000000000..eb666a0dd --- /dev/null +++ b/debian/patches/CVE-2024-48933.patch 
@@ -0,0 +1,117 @@ +Description: Fix XSS vulnerability + A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 + allows remote attackers to inject arbitrary web script or HTML into the + login page via a username if userControl has been set to a non-default + value that allows special HTML characters. +Author: Maxime Besson +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3232 +Bug-Debian: https://bugs.debian.org/1084979 +Forwarded: not-needed +Applied-Upstream: 2.20.0, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/606 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-10-15 + +--- a/lemonldap-ng-portal/site/coffee/portal.coffee ++++ b/lemonldap-ng-portal/site/coffee/portal.coffee +@@ -295,12 +295,9 @@ + if datas['choicetab'] + authMenuTabs.tabs "option", "active", $('#authMenu a[href="#' + datas['choicetab'] + '"]').parent().index() + +- if datas['login'] +- $("input[type=password]:first").focus() +- else +- # If there are no auto-focused fields, focus on first visible input +- if $("input[autofocus]").length == 0 +- $("input[type!=hidden]:first").focus(); ++ # If there are no auto-focused fields, focus on first visible input ++ if $("input[autofocus]").length == 0 ++ $("input[type!=hidden]:first").focus() + + # Open links in new windows if required + if datas['newwindow'] +--- a/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl +@@ -11,7 +11,7 @@ + <div class="input-group-prepend"> + <span class="input-group-text"><label for="userfield" class="mb-0"><i class="fa fa-user"></i></label></span> + </div> +- <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="user" aria-required="true"/> ++ <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="user" aria-required="true"/> + </div> + <div class="input-group 
mb-3"> + <div class="input-group-prepend"> +--- a/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl +@@ -6,7 +6,7 @@ + <div class="row"> + <TMPL_IF NAME="SESSIONS"> + <div class="card col border-secondary"> +- <div class="text-center bg-light text-dark"><b><span trspan="activeSessions">ACTIVE SSO SESSIONS</span>: <u><TMPL_VAR NAME="LOGIN"></u></b></div> ++ <div class="text-center bg-light text-dark"><b><span trspan="activeSessions">ACTIVE SSO SESSIONS</span>: <u><TMPL_VAR NAME="LOGIN" ESCAPE=HTML></u></b></div> + <table class="table table-sm table-hover text-center"> + <thead> + <tr> +--- a/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl +@@ -5,7 +5,7 @@ + <div class="input-group-prepend"> + <span class="input-group-text"><label for="userfield" class="mb-0"><i class="fa fa-user"></i></label></span> + </div> +- <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="mail" required aria-required="true" /> ++ <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="mail" required aria-required="true" /> + </div> + + <div class="input-group mb-3"> +--- a/lemonldap-ng-portal/site/templates/bootstrap/password.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/password.tpl +@@ -17,11 +17,11 @@ + + <TMPL_IF NAME="LOGIN"> + <div class="input-group mb-3"> +- <input name="user" type="hidden" value="<TMPL_VAR NAME=LOGIN>" /> ++ <input name="user" type="hidden" value="<TMPL_VAR NAME=LOGIN ESCAPE=HTML>" /> + <div class="input-group-prepend"> + <span class="input-group-text"><label for="staticUser" class="mb-0"><i class="fa fa-user"></i></label></span> + </div> +- <input id="staticUser" type="text" readonly class="form-control" value="<TMPL_VAR NAME=LOGIN>" /> ++ <input id="staticUser" type="text" 
readonly class="form-control" value="<TMPL_VAR NAME=LOGIN ESCAPE=HTML>" /> + </div> + </TMPL_IF> + +--- a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl ++++ b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl +@@ -10,21 +10,21 @@ + <div class="input-group-prepend"> + <span class="input-group-text"><label for="userfield" class="mb-0"><i class="fa fa-user"></i></label></span> + </div> +- <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="login" required aria-required="true"/> ++ <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="login" required aria-required="true" <TMPL_UNLESS NAME="LOGIN">autofocus</TMPL_UNLESS> /> + </div> + <div class="input-group mb-3"> + <div class="input-group-prepend"> + <span class="input-group-text"><label for="passwordfield" class="mb-0"><i class="fa fa-lock"></i></label></span> + </div> + <TMPL_IF NAME="DONT_STORE_PASSWORD"> +- <input id="passwordfield" name="password" type="text" class="form-control" trplaceholder="password" autocomplete="off" required aria-required="true" aria-hidden="true"/> ++ <input id="passwordfield" name="password" type="text" class="form-control" trplaceholder="password" autocomplete="off" required aria-required="true" aria-hidden="true" <TMPL_IF NAME="LOGIN">autofocus</TMPL_IF> /> + <TMPL_IF NAME="ENABLE_PASSWORD_DISPLAY"> + <div class="input-group-append"> + <span class="input-group-text"><i id="toggle_password" class="fa fa-eye-slash toggle-password"></i></span> + </div> + </TMPL_IF> + <TMPL_ELSE> +- <input id="passwordfield" name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true"/> ++ <input id="passwordfield" name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true" <TMPL_IF NAME="LOGIN">autofocus</TMPL_IF> /> + <TMPL_IF 
NAME="ENABLE_PASSWORD_DISPLAY"> + <div class="input-group-append"> + <span class="input-group-text"><i id="toggle_password" class="fa fa-eye-slash toggle-password"></i></span> +--- a/lemonldap-ng-portal/site/templates/common/script.tpl ++++ b/lemonldap-ng-portal/site/templates/common/script.tpl +@@ -20,7 +20,6 @@ + { + "displaytab":"<TMPL_VAR NAME="DISPLAY_TAB">", + "choicetab":"<TMPL_VAR NAME="CHOICE_VALUE">", +- "login":"<TMPL_VAR NAME="LOGIN">", + "newwindow":<TMPL_VAR NAME="NEWWINDOW" DEFAULT="0">, + "appslistorder":"<TMPL_VAR NAME="APPSLIST_ORDER">", + "activeTimer":<TMPL_VAR NAME="ACTIVE_TIMER" DEFAULT="0">, diff --git a/debian/patches/series b/debian/patches/series index e4acf948c..ff8b2d3b0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ apply-user-control-to-authslave.patch fix-open-redirection.patch fix-open-redirection-without-OIDC-redirect-uris.patch SSRF-issue.patch +CVE-2024-48933.patch
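Review bot: the new debian/NEWS entry is headed `lemonldap-ng (2.16.1+ds-deb12u3) UNRELEASED; urgency=medium` while the matching debian/changelog entry says `bookworm`; the NEWS header should be brought in line (and its timestamp, 19:27:47, differs from the changelog's 20:59:06) before upload, and `Custom templates maybe vulnerable` should read `may be vulnerable`. The entry also only covers the ESCAPE=HTML change; since the same patch drops the `login` key from script.tpl and moves focus handling into template `autofocus` attributes, admins with customised copies of script.tpl or standardform.tpl need a sentence about those two changes as well.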
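Review bot: the changelog bullet `* Fix XSS issue (Closes: #1084979, CVE-2024-48933)` does not record the behaviour change shipped with the fix (focus now driven by `autofocus` attributes in standardform.tpl, `login` key removed from the init JSON in script.tpl); the request itself lists `change autofocus` under [ Changes ], so a second bullet naming it would make the stable update self-describing.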
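Review bot: the DEP-3 header of CVE-2024-48933.patch is internally inconsistent about the affected range: `Description:` says `LemonLDAP::NG before 2.19.3`, while `Applied-Upstream: 2.20.0` and the request body say `<2.20.0`; pick the version that actually first carries merge request 606 and use it in both places so the patch header agrees with the changelog and the security tracker.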
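Review bot: in the portal.coffee hunk, removing the `if datas['login']` branch means the portal no longer focuses the password field itself when a login is prefilled; that behaviour now depends entirely on the `<TMPL_IF NAME="LOGIN">autofocus</TMPL_IF>` attributes added to standardform.tpl. A custom theme that follows the NEWS advice (adds ESCAPE=HTML only) but keeps its own copy of standardform.tpl without those attributes will fall through to `$("input[type!=hidden]:first").focus()` and focus the already-filled user field instead; that regression is worth calling out in NEWS.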
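Review bot: in the script.tpl hunk, dropping `"login":"<TMPL_VAR NAME="LOGIN">",` is the right fix for that context: the value was emitted inside a JavaScript string in the init JSON, where ESCAPE=HTML (the fix NEWS tells admins to apply to every LOGIN var) is not the context-appropriate escape; HTML::Template's ESCAPE=JS, or removal as done here, is. NEWS should therefore tell admins with a customised script.tpl to delete the key rather than add ESCAPE=HTML. The remaining `"displaytab"`, `"choicetab"` and `"appslistorder"` values are written into the same JSON without any ESCAPE; worth confirming in the review that they are admin-configured only.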
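As an added check (not part of this Debian upload or of the upstream project), an audit script for admins with customised templates that implements the NEWS advice: it lists every `<TMPL_VAR NAME="LOGIN">` lacking an ESCAPE attribute, tells apart tags inside a `<script>` block (where, as in script.tpl, the value lands in a JavaScript string and HTML escaping is not the matching escape), and can apply ESCAPE=HTML to the HTML-context ones. The sample templates are constructed for the demo.

```python
import re
# Constructed sample templates (not from the lemonldap-ng package): a custom
# standardform.tpl with one unescaped and one escaped LOGIN, and a custom
# script.tpl that still emits the "login" key inside a <script> block.
SAMPLE_TEMPLATES = {
    "custom/standardform.tpl": (
        '<input id="userfield" name="user" value="<TMPL_VAR NAME="LOGIN">" />\n'
        '<span><TMPL_VAR NAME="LOGIN" ESCAPE=HTML></span>\n'),
    "custom/script.tpl": (
        '<script type="application/init">\n'
        '{ "login":"<TMPL_VAR NAME="LOGIN">", "newwindow":0 }\n</script>\n'),
}
TMPL_VAR_RE = re.compile(r"<TMPL_VAR\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)

def tmpl_attrs(body):
    """' NAME="LOGIN" ESCAPE=HTML' -> {'NAME': 'LOGIN', 'ESCAPE': 'HTML'}."""
    return {k.upper(): v.strip("\"'") for k, v in ATTR_RE.findall(body)}

def in_script(text, pos):
    """True when offset pos lies between <script> and </script>."""
    return any(m.start() <= pos < m.end() for m in SCRIPT_RE.finditer(text))

def unescaped_login(m):
    """True for a TMPL_VAR match naming LOGIN with no ESCAPE attribute."""
    attrs = tmpl_attrs(m.group(1))
    return attrs.get("NAME", "").upper() == "LOGIN" and "ESCAPE" not in attrs

def find_unescaped_login(text):
    """Return (line, context) per unescaped LOGIN var. Context 'script' means the
    value lands in a JavaScript string, where ESCAPE=HTML is not the matching
    escape (HTML::Template's ESCAPE=JS, or dropping the key as upstream did, is)."""
    return [(text.count("\n", 0, m.start()) + 1,
             "script" if in_script(text, m.start()) else "html")
            for m in TMPL_VAR_RE.finditer(text) if unescaped_login(m)]

def add_html_escape(text):
    """Apply the NEWS advice to HTML-context tags only: append ESCAPE=HTML to each
    unescaped LOGIN var; tags inside <script> are left for manual review."""
    def repl(m):
        if not unescaped_login(m) or in_script(text, m.start()):
            return m.group(0)
        return "<TMPL_VAR" + m.group(1).rstrip() + " ESCAPE=HTML>"
    return TMPL_VAR_RE.sub(repl, text)

def audit(templates):
    """Map path -> findings for every template that still needs attention."""
    return {p: f for p, t in templates.items() if (f := find_unescaped_login(t))}
```

Run `audit` over a dict of `{path: file_contents}` built from your custom theme directory; any `script` finding needs a manual decision, the `html` ones can be rewritten with `add_html_escape`.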