diff --git a/0001-Prevent-redirect-to-URLs-that-begin-with.patch b/0001-Prevent-redirect-to-URLs-that-begin-with.patch
new file mode 100644
index 0000000..2c93c96
--- /dev/null
+++ b/0001-Prevent-redirect-to-URLs-that-begin-with.patch
@@ -0,0 +1,47 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+ https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+ const char *i;
+ 
++ if (url == NULL) {
++ return HTTP_BAD_REQUEST;
++ }
++
+ for (i = url; *i; i++) {
+ if (*i >= 0 && *i < ' ') {
+ /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+ }
+ }
+ 
++ if (strstr(url, "///") == url) {
++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++ "URL starts with '///'");
++ return HTTP_BAD_REQUEST;
++ }
++
+ return OK;
+ }
+ 
+-- 
+2.26.3
+
diff --git a/mod_auth_mellon.spec b/mod_auth_mellon.spec
index 17f75dc..e5eb3dc 100644
--- a/mod_auth_mellon.spec
+++ b/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.17.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz
 Source1: auth_mellon.conf
 Source2: 10-auth_mellon.conf
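Review bot: `strstr(url, "///") == url` in the second hunk of auth_mellon_util.c expresses a prefix test as a substring search, so it scans the whole URL before comparing the hit to the start of the string; `if (strncmp(url, "///", 3) == 0) {` states the intent directly and stops at the third byte. The reason three leading slashes are rejected lives only in the commit message, so the check deserves a comment along the lines of `/* Browsers presumably collapse a leading "///host/..." into the scheme-relative "//host/...", which the other checks in this function do not catch, so reject it outright. */` — hedged, because the parsing that would otherwise let such a value through is outside this hunk. The new NULL guard at the top of the first hunk returns HTTP_BAD_REQUEST silently, whereas the '///' rejection goes through AM_LOG_RERROR; logging the NULL case the same way, e.g. `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, "URL is NULL");`, keeps the audit trail uniform. The body of am_check_url between the two hunks is outside this view.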
@@ -22,6 +22,7 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.1-13
 Url: https://github.com/latchset/mod_auth_mellon
 
+Patch0001: 0001-Prevent-redirect-to-URLs-that-begin-with.patch
 
 %description
 The mod_auth_mellon module is an authentication service that implements the
@@ -29,7 +30,7 @@ SAML 2.0 federation protocol. It grants access based on the attributes
 received in assertions generated by a IdP server.
 
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -n %{name}-%{version}
 
 %build
 export APXS=%{_httpd_apxs}
@@ -102,6 +103,10 @@ in the doc directory for instructions on using the diagnostics build.
 %dir /run/%{name}/
 
 %changelog
+* Fri Jul 30 2021 Jakub Hrozek - 0.17.0-6
+- Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect
+  vulnerability in logout URLs
+
 * Mon Aug 09 2021 Mohan Boddu - 0.17.0-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688