Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
* CVE-2023-34246: Improper Authentication (Closes: #1038950)
diffstat for ruby-doorkeeper-5.5.0 ruby-doorkeeper-5.5.0 changelog | 7 ++ patches/0001-Block-public-clients-automatic-authorization-skip.patch | 31 ++++++++++ patches/series | 1 3 files changed, 39 insertions(+) diff -Nru ruby-doorkeeper-5.5.0/debian/changelog ruby-doorkeeper-5.5.0/debian/changelog --- ruby-doorkeeper-5.5.0/debian/changelog 2021-08-27 14:15:52.000000000 +0300 +++ ruby-doorkeeper-5.5.0/debian/changelog 2024-12-08 23:42:11.000000000 +0200 @@ -1,3 +1,10 @@ +ruby-doorkeeper (5.5.0-2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2023-34246: Improper Authentication (Closes: #1038950) + + -- Adrian Bunk <b...@debian.org> Sun, 08 Dec 2024 23:42:11 +0200 + ruby-doorkeeper (5.5.0-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch --- ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch 1970-01-01 02:00:00.000000000 +0200 +++ ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch 2024-12-08 23:41:54.000000000 +0200 
@@ -0,0 +1,31 @@ +From 992ead90a17e368129bed6750da2f90e9e720e80 Mon Sep 17 00:00:00 2001 +From: Adam Heath <a...@polleverywhere.com> +Date: Fri, 17 Mar 2023 16:41:30 +0800 +Subject: Block public clients automatic authorization skip + +Non-confidential applications should not be able to skip the authorization stop, even if they have an existing matching_token. + +From the [issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1589): +> According to RFC 8252 section 8.6, the authentication server should re-prompt for user consent, since the client's identity cannot be assured simply from the client_id parameter + +Fixes https://github.com/doorkeeper-gem/doorkeeper/issues/1589 +--- + app/controllers/doorkeeper/authorizations_controller.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/app/controllers/doorkeeper/authorizations_controller.rb b/app/controllers/doorkeeper/authorizations_controller.rb +index 71dce31c..81445875 100644 +--- a/app/controllers/doorkeeper/authorizations_controller.rb ++++ b/app/controllers/doorkeeper/authorizations_controller.rb +@@ -23,7 +23,7 @@ module Doorkeeper + private + + def render_success +- if skip_authorization? || matching_token? ++ if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?) + redirect_or_render authorize_response + elsif Doorkeeper.configuration.api_only + render json: pre_auth +-- +2.30.2 + diff -Nru ruby-doorkeeper-5.5.0/debian/patches/series ruby-doorkeeper-5.5.0/debian/patches/series --- ruby-doorkeeper-5.5.0/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ ruby-doorkeeper-5.5.0/debian/patches/series 2024-12-08 23:42:10.000000000 +0200 @@ -0,0 +1 @@ +0001-Block-public-clients-automatic-authorization-skip.patch
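Review bot: the new condition in render_success, `if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)`, only forces the consent page for applications whose confidential? returns false, so any deployment whose native or mobile clients are still stored as confidential keeps the old silent re-authorization for them; the changelog should say that the fix depends on public clients being flagged non-confidential in the Doorkeeper applications table. Keep the operand order as written: the `&&` short-circuit means `pre_auth.client.application` is only dereferenced after matching_token? returned true, which already implies a resolved client, so flipping the operands would risk a nil dereference. The diffstat shows `1 file changed, 1 insertion(+), 1 deletion(-)` with no spec change; a regression test asserting that a non-confidential client with an existing matching token is sent to the consent page, or at least a note in the pu request that the package's test suite was run against this patch, would guard the one-line condition.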
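Review bot: the patch header in 0001-Block-public-clients-automatic-authorization-skip.patch carries the git-format-patch `From 992ead90a17e368129bed6750da2f90e9e720e80` line and `Fixes https://github.com/doorkeeper-gem/doorkeeper/issues/1589`, but no DEP-3 `Origin:`, `Bug:` or `Bug-Debian:` field; add `Origin: upstream, commit:992ead90a17e368129bed6750da2f90e9e720e80`, `Bug: https://github.com/doorkeeper-gem/doorkeeper/issues/1589` and `Bug-Debian: https://bugs.debian.org/1038950` so the security tracker and patch tooling can tie the file to CVE-2023-34246 without reading the commit body.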
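Review bot: the changelog entry `* CVE-2023-34246: Improper Authentication (Closes: #1038950)` names the CVE but not the user-visible change; since users of non-confidential clients will now be shown the consent page on every authorization instead of being redirected straight back with a code, add a sentence to that effect (or a NEWS entry) so admins can explain the new prompt to their users rather than treating it as a regression.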
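The commit message above describes the policy change in one sentence; the following is an added example, not Doorkeeper's own code, that models the consent-skip decision of AuthorizationsController#render_success before and after the patch. Client, Token, TokenStore, AuthRequest and decide are hypothetical stand-ins for Doorkeeper's ActiveRecord models and controller, and the rule that a token "matches" when it is unrevoked, belongs to the same client and resource owner, and its scopes cover every requested scope is an assumption approximating matching_token?. The scenario data is constructed.

```ruby
require 'set'

# Hypothetical minimal models (Doorkeeper's real ones are ActiveRecord-backed).
Client = Struct.new(:uid, :confidential, :redirect_uri, keyword_init: true) do
  def confidential?
    confidential
  end
end
Token = Struct.new(:client_uid, :resource_owner_id, :scopes, :revoked, keyword_init: true)
AuthRequest = Struct.new(:client_uid, :resource_owner_id, :scopes, keyword_init: true)

class TokenStore
  def initialize(tokens)
    @tokens = tokens
  end

  # Assumed approximation of matching_token?: an unrevoked token for this client
  # and resource owner whose scopes cover every requested scope.
  def matching_token?(req)
    @tokens.any? do |t|
      !t.revoked && t.client_uid == req.client_uid &&
        t.resource_owner_id == req.resource_owner_id &&
        Set.new(req.scopes) <= Set.new(t.scopes)
    end
  end
end

# Pre-fix policy (as in 5.5.0): any client with a matching token skips consent.
def skip_consent_before_fix?(client, store, req, skip_authorization: false)
  skip_authorization || store.matching_token?(req)
end

# Post-fix policy: only a confidential client may reuse a prior grant silently,
# because a public client's identity is not assured by client_id alone.
def skip_consent_after_fix?(client, store, req, skip_authorization: false)
  skip_authorization || (store.matching_token?(req) && client.confidential?)
end

# Constructed scenario: resource owner 42 has already authorized a public
# native app and a confidential web app. An impostor that knows the native
# app's client_id sends a fresh authorization request on the owner's behalf.
CLIENTS = {
  'native-app' => Client.new(uid: 'native-app', confidential: false,
                             redirect_uri: 'com.example.app:/cb'),
  'web-app' => Client.new(uid: 'web-app', confidential: true,
                          redirect_uri: 'https://web.example/cb')
}.freeze
STORE = TokenStore.new([
  Token.new(client_uid: 'native-app', resource_owner_id: 42, scopes: %w[read write], revoked: false),
  Token.new(client_uid: 'web-app', resource_owner_id: 42, scopes: %w[read], revoked: false)
])

# Returns :auto_approved when the given policy would redirect with a code
# without showing the consent page, :consent_required otherwise.
def decide(policy, client_uid, scopes, owner: 42, skip: false)
  client = CLIENTS.fetch(client_uid)
  req = AuthRequest.new(client_uid: client_uid, resource_owner_id: owner, scopes: scopes)
  send(policy, client, STORE, req, skip_authorization: skip) ? :auto_approved : :consent_required
end

if __FILE__ == $PROGRAM_NAME
  %i[skip_consent_before_fix? skip_consent_after_fix?].each do |policy|
    puts "#{policy}: native-app/read -> #{decide(policy, 'native-app', %w[read])}"
    puts "#{policy}: web-app/read    -> #{decide(policy, 'web-app', %w[read])}"
  end
end
```

Note that the configured skip_authorization escape hatch still bypasses the prompt for public clients after the fix, as the `skip:` case shows; the patch only removes the implicit skip that came from a previously issued token.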