Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
lemonldap-ng is a Web-SSO. In Bookworm, it is vulnerable to:
- XSS issue in the "Upgrade" plugin, which allows users to upgrade their authentication level in the current session (for example, use an SSL card instead of login/password)
- Privilege escalation when "Adaptative auth level" is used: users can apply the benefit more than one time using the "refresh-session" mechanism

[ Impact ]
Medium security issues.

[ Tests ]
Tests updated, passed

[ Risks ]
Low risk: patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- don't apply adaptative rules when session is refreshed
- apply the "checkXSS" method on "Upgrade" plugin URLs

[ Other info ]
These 2 issues will have a CVE number soon

Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog index c0bc25b80..8cb311051 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u4) bookworm; urgency=medium + + * Fix authentication privilege + * Fix XSS in "Upgrade" plugin + + -- Yadd <y...@debian.org> Sat, 09 Nov 2024 18:47:24 +0400 + lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium * Fix XSS issue (Closes: #1084979, CVE-2024-48933) diff --git a/debian/patches/fix-auth-level-escalation.patch b/debian/patches/fix-auth-level-escalation.patch new file mode 100644 index 000000000..f6b213744 --- /dev/null +++ b/debian/patches/fix-auth-level-escalation.patch 
@@ -0,0 +1,72 @@ +Description: Do not run adaptativeAuthenticationLevel during refresh +Author: Maxime Besson <maxime.bes...@worteks.com> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255 +Forwarded: not-needed +Applied-Upstream: 2.20.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-11-09 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm +@@ -35,6 +35,8 @@ + sub adaptAuthenticationLevel { + my ( $self, $sub, $req ) = @_; + ++ return $sub->($req) if $req->refresh; ++ + my $userid = $req->sessionInfo->{ $self->conf->{whatToTrace} } + || $req->sessionInfo->{uid}; + $self->logger->debug("Check adaptative authentication rules for $userid"); +--- a/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t ++++ b/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t +@@ -42,20 +42,23 @@ + count(1); + $id = expectCookie($res); + ++my $session = getSession($id)->data; ++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" ); ++is( $session->{authenticationLevel}, 3, 'Authentication level upgraded' ); ++count(2); ++ + ok( + $res = $client->_get( +- '/session/my/global', cookie => "lemonldap=$id" ++ '/refresh', cookie => "lemonldap=$id" + ), + 'Get session' + ); + count(1); +-$json = expectJSON($res); + +-ok( $json->{uid} eq 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" ); +-ok( $json->{authenticationLevel} == 3, 'Authentication level upgraded' ); +-ok( scalar keys %$json == 10, 'Ten exported attributes found' ) +- or explain( scalar keys %$json, Dumper $json ); +-count(3); ++$session = getSession($id)->data; ++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" ); ++is( $session->{authenticationLevel}, 3, 
'Authentication level upgraded' ); ++count(2); + + ok( $client->logout($id), 'Logout' ); + count(1); +@@ -72,16 +75,8 @@ + count(1); + $id = expectCookie($res); + +-ok( +- $res = $client->_get( +- '/session/my/global', cookie => "lemonldap=$id" +- ), +- 'Get session' +-); +-count(1); +-$json = expectJSON($res); +- +-ok( $json->{authenticationLevel} == 5, 'Authentication level upgraded' ); ++$session = getSession($id)->data; ++ok( $session->{authenticationLevel} == 5, 'Authentication level upgraded' ); + count(1); + + ok( $client->logout($id), 'Logout' ); diff --git a/debian/patches/fix-xss-in-upgrade-plugin.patch b/debian/patches/fix-xss-in-upgrade-plugin.patch new file mode 100644 index 000000000..c4879277d --- /dev/null +++ b/debian/patches/fix-xss-in-upgrade-plugin.patch @@ -0,0 +1,21 @@ +Description: Check XSS in ::Plugins::Upgrade +Author: Maxime Besson <maxime.bes...@worteks.com> +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257 +Forwarded: not-needed +Applied-Upstream: 2.20.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/600ba2c0b3d4bb0a4dd2eb9d8b612edcca8805dc +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-11-09 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm +@@ -79,6 +79,9 @@ + $self->logger->debug(" -> Skip confirmation is enabled") + if $self->conf->{"skip${action}Confirmation"}; + ++ $url = '' if $self->p->checkXSSAttack('url', $url); ++ $forceUpgrade = '' if $self->p->checkXSSAttack('forceUpgrade', $forceUpgrade); ++ + # Display form + return $self->p->sendHtml( + $req, diff --git a/debian/patches/series b/debian/patches/series index ff8b2d3b0..d99c28333 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -10,3 +10,5 @@ fix-open-redirection.patch fix-open-redirection-without-OIDC-redirect-uris.patch SSRF-issue.patch CVE-2024-48933.patch +fix-auth-level-escalation.patch +fix-xss-in-upgrade-plugin.patch
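Review bot: in the debian/changelog hunk, "* Fix authentication privilege" does not say what was fixed; the report describes a privilege escalation in the "Adaptative auth level" plugin triggered through session refresh, so a line such as "* Fix privilege escalation: do not apply adaptative authentication level rules on session refresh" would let stable users recognise the issue, and the CVE ids should be appended once assigned, as was done for the deb12u3 entry.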
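Review bot: the `return $sub->($req) if $req->refresh;` line added to AdaptativeAuthenticationLevel.pm depends on the request object exposing a `refresh` accessor in the 2.16.1 code base, which the diff does not show; the upstream fix landed in 2.20.1, so please confirm that attribute exists and is set on the `/refresh` path in the Bookworm version. Its placement right after the argument unpacking is correct: a refresh then keeps the level computed at login instead of re-applying the rule bonus a second time.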
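Review bot: in the 61-AdaptativeAuthenticationLevel.t hunks, both added `is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );` lines still pass `$json` to `explain`, but the `$json = expectJSON($res)` assignment is removed in the same hunk, so on failure the diagnostic would dump an unset or stale variable; use `explain( $session, "uid='dwho'" )` instead. For consistency with those `is()` checks, the later `ok( $session->{authenticationLevel} == 5, 'Authentication level upgraded' );` could also become `is( $session->{authenticationLevel}, 5, 'Authentication level upgraded' );`, which prints the actual value on failure.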
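Review bot: fix-xss-in-upgrade-plugin.patch adds no test, unlike the auth-level patch, although the [ Tests ] section says tests were updated; a regression test that sends a malformed `url` value to the Upgrade plugin and checks that it is not echoed back into the rendered form would make the fix verifiable in the package. Note also that `$url = '' if $self->p->checkXSSAttack('url', $url);` silently discards a rejected redirect target rather than reporting an error, which matches how the other portal plugins use checkXSSAttack but deserves a short comment in the code.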