Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <e1twzgn-009jyy...@coccia.debian.org>
and subject line Close 1087200
has caused the Debian Bug report #1087200,
regarding bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1087200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
lemonldap-ng is a Web-SSO. In Bookworm, it is vulnerable to:
- XSS issue in the "Upgrade" plugin that allows a user to upgrade their
authentication level in the current session (for example, use an SSL card
instead of login/password)
- Privilege escalation when "Adaptative auth level" is used: a user can
apply the benefit more than once using the "refresh-session"
mechanism
[ Impact ]
Medium security issues.
[ Tests ]
Tests updated, passed
[ Risks ]
Low risk: patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- don't apply adaptative rules when the session is refreshed
- apply the "checkXSS" method on "Upgrade" plugin URLs
[ Other info ]
These two issues will have CVE numbers soon
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index c0bc25b80..8cb311051 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u4) bookworm; urgency=medium
+
+ * Fix authentication privilege
+ * Fix XSS in "Upgrade" plugin
+
+ -- Yadd <y...@debian.org> Sat, 09 Nov 2024 18:47:24 +0400
+
lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium
* Fix XSS issue (Closes: #1084979, CVE-2024-48933)
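Review bot: the first new changelog entry, "Fix authentication privilege", does not say what was fixed, while the entry below it names the issue and its CVE. It should read like "Fix authentication level escalation via session refresh in the AdaptativeAuthenticationLevel plugin" and, since the CVEs are not assigned yet, cite the upstream issues given in the patch headers (#3255 and #3257) so the entries can be matched to CVE ids later.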
diff --git a/debian/patches/fix-auth-level-escalation.patch
b/debian/patches/fix-auth-level-escalation.patch
new file mode 100644
index 000000000..f6b213744
--- /dev/null
+++ b/debian/patches/fix-auth-level-escalation.patch
@@ -0,0 +1,72 @@
+Description: Do not run adaptativeAuthenticationLevel during refresh
+Author: Maxime Besson <maxime.bes...@worteks.com>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255
+Forwarded: not-needed
+Applied-Upstream: 2.20.1,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2024-11-09
+
+---
a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm
++++
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm
+@@ -35,6 +35,8 @@
+ sub adaptAuthenticationLevel {
+ my ( $self, $sub, $req ) = @_;
+
++ return $sub->($req) if $req->refresh;
++
+ my $userid = $req->sessionInfo->{ $self->conf->{whatToTrace} }
+ || $req->sessionInfo->{uid};
+ $self->logger->debug("Check adaptative authentication rules for $userid");
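Review bot: the early `return $sub->($req) if $req->refresh;` assumes that the refresh path keeps the `authenticationLevel` already stored in `sessionInfo` rather than recomputing it from the authentication backend; if refresh ever resets the level to the backend value, skipping the rules here would silently downgrade users whose level came from a rule. The updated test covers the rule-based case (level stays 3 after `/refresh`), so the assumption holds for that path, but a debug line next to the existing "Check adaptative authentication rules for $userid" message, stating that rules are skipped on refresh, would make the behaviour visible in the portal log.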
+--- a/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t
++++ b/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t
+@@ -42,20 +42,23 @@
+ count(1);
+ $id = expectCookie($res);
+
++my $session = getSession($id)->data;
++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
++is( $session->{authenticationLevel}, 3, 'Authentication level upgraded' );
++count(2);
++
+ ok(
+ $res = $client->_get(
+- '/session/my/global', cookie => "lemonldap=$id"
++ '/refresh', cookie => "lemonldap=$id"
+ ),
+ 'Get session'
+ );
+ count(1);
+-$json = expectJSON($res);
+
+-ok( $json->{uid} eq 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
+-ok( $json->{authenticationLevel} == 3, 'Authentication level upgraded' );
+-ok( scalar keys %$json == 10, 'Ten exported attributes found' )
+- or explain( scalar keys %$json, Dumper $json );
+-count(3);
++$session = getSession($id)->data;
++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
++is( $session->{authenticationLevel}, 3, 'Authentication level upgraded' );
++count(2);
+
+ ok( $client->logout($id), 'Logout' );
+ count(1);
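Review bot: both added `explain( $json, "uid='dwho'" )` calls (the one after `my $session = getSession($id)->data;` and the one after the `/refresh` block) still dump `$json`, but this block no longer populates it since the `$json = expectJSON($res);` line was removed, so on failure they would print stale or undefined data; use `explain( $session, "uid='dwho'" )`. The label 'Get session' on the request that now hits `/refresh` should be renamed (e.g. 'Refresh session'), and the removed 'Ten exported attributes found' assertion drops a check on the exported attribute count that nothing in the new block replaces.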
+@@ -72,16 +75,8 @@
+ count(1);
+ $id = expectCookie($res);
+
+-ok(
+- $res = $client->_get(
+- '/session/my/global', cookie => "lemonldap=$id"
+- ),
+- 'Get session'
+-);
+-count(1);
+-$json = expectJSON($res);
+-
+-ok( $json->{authenticationLevel} == 5, 'Authentication level upgraded' );
++$session = getSession($id)->data;
++ok( $session->{authenticationLevel} == 5, 'Authentication level upgraded' );
+ count(1);
+
+ ok( $client->logout($id), 'Logout' );
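Review bot: this second scenario (level 5) now reads the session once after login and never calls `/refresh`, so the regression is only exercised for the level-3 rule in the previous hunk; adding the same `/refresh` request followed by a re-read of `getSession($id)->data` here would cover the second rule too. Minor: the retained `ok( $session->{authenticationLevel} == 5, ... )` could be `is( $session->{authenticationLevel}, 5, ... )` as in the first hunk, which reports the actual value on failure.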
diff --git a/debian/patches/fix-xss-in-upgrade-plugin.patch
b/debian/patches/fix-xss-in-upgrade-plugin.patch
new file mode 100644
index 000000000..c4879277d
--- /dev/null
+++ b/debian/patches/fix-xss-in-upgrade-plugin.patch
@@ -0,0 +1,21 @@
+Description: Check XSS in ::Plugins::Upgrade
+Author: Maxime Besson <maxime.bes...@worteks.com>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257
+Forwarded: not-needed
+Applied-Upstream: 2.20.1,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/600ba2c0b3d4bb0a4dd2eb9d8b612edcca8805dc
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2024-11-09
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
+@@ -79,6 +79,9 @@
+ $self->logger->debug(" -> Skip confirmation is enabled")
+ if $self->conf->{"skip${action}Confirmation"};
+
++ $url = '' if $self->p->checkXSSAttack('url', $url);
++ $forceUpgrade = '' if $self->p->checkXSSAttack('forceUpgrade',
$forceUpgrade);
++
+ # Display form
+ return $self->p->sendHtml(
+ $req,
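Review bot: the two `checkXSSAttack` calls are placed just before `sendHtml`, so they protect the confirmation form, but the debug line above them refers to a `skip${action}Confirmation` path; if that path redirects with `$url` without passing through this block, the same check and the portal's normal redirect-target validation need to apply there as well. `checkXSSAttack` is also a pattern filter, so the template that renders `url` and `forceUpgrade` should still HTML-escape them as defence in depth, and silently dropping a value to `''` should at least be logged at warn level so operators can see blocked requests.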
diff --git a/debian/patches/series b/debian/patches/series
index ff8b2d3b0..d99c28333 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@ fix-open-redirection.patch
fix-open-redirection-without-OIDC-redirect-uris.patch
SSRF-issue.patch
CVE-2024-48933.patch
+fix-auth-level-escalation.patch
+fix-xss-in-upgrade-plugin.patch
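Review bot: the two new patches are appended without CVE identifiers while the neighbouring `CVE-2024-48933.patch` carries one; once the CVEs announced under [ Other info ] are assigned, adding them to the patch headers (the `Bug:` field currently points only at the upstream issues) will keep the series consistent with how the previous fix is tracked.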
--- End Message ---
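The refresh re-application described under [ Reason ] above, modelled as an added example (this is not LemonLDAP::NG code; the rule set, the `ipAddr` attribute, the base level and the session shape are constructed for illustration). The vulnerable path re-runs the adaptative rules on every refresh, so a matching rule adds its bonus again each time; the fixed path mirrors the patch's `return $sub->($req) if $req->refresh;` and keeps the level already stored in the session.

```python
"""Toy model of an adaptative-authentication-level rule re-applied on session
refresh.  Added illustration only, not LemonLDAP::NG code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Session:
    uid: str
    authenticationLevel: int
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    cond: Callable[[Session], bool]
    bonus: int


# Constructed rule set (assumption: the real plugin evaluates admin-configured
# rules against session attributes and raises the level when one matches).
RULES: List[Rule] = [
    Rule("office network",
         lambda s: s.attrs.get("ipAddr", "").startswith("10."), 2),
]


def apply_rules(session: Session) -> int:
    """Run every matching rule once and return the resulting level."""
    for rule in RULES:
        if rule.cond(session):
            session.authenticationLevel += rule.bonus
    return session.authenticationLevel


def login(uid: str, base_level: int, **attrs: str) -> Session:
    """Create a session at the backend's level, then apply the rules once."""
    session = Session(uid, base_level, dict(attrs))
    apply_rules(session)
    return session


def refresh_vulnerable(session: Session) -> int:
    # Pre-patch behaviour: refresh re-runs the rules on the already-boosted
    # session, so the bonus is granted again on every refresh.
    return apply_rules(session)


def refresh_fixed(session: Session, is_refresh: bool = True) -> int:
    # Patched behaviour: on refresh the stored level is kept and the rules
    # are skipped; rules only run on a real (non-refresh) authentication.
    if is_refresh:
        return session.authenticationLevel
    return apply_rules(session)


def level_after_refreshes(refresh: Callable[[Session], int], n: int) -> int:
    """Log in from the rule-matching network, refresh n times, report level."""
    session = login("dwho", 1, ipAddr="10.0.0.7")
    for _ in range(n):
        refresh(session)
    return session.authenticationLevel


if __name__ == "__main__":
    print("vulnerable, 3 refreshes:", level_after_refreshes(refresh_vulnerable, 3))
    print("fixed, 3 refreshes:     ", level_after_refreshes(refresh_fixed, 3))
```

The contrast is the whole point of the patch: with the vulnerable refresh a user who legitimately qualified for one +2 boost can keep refreshing until the level exceeds whatever a protected application requires, whereas the fixed refresh never moves the level past what the rules granted at login.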
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.
--- End Message ---