Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect vulnerability in logout URLs

2021-07-30 16:29:48 +02:00 · 2021-07-30 16:29:48 +02:00 · 14ff788096
commit 14ff788096
parent b5c37f85fa
2 changed files with 54 additions and 2 deletions
--- a/0001-Prevent-redirect-to-URLs-that-begin-with.patch
+++ b/0001-Prevent-redirect-to-URLs-that-begin-with.patch
@ -0,0 +1,47 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito <aimoto@osstech.co.jp>
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+     const char *i;
+ 
+    if (url == NULL) {
+        return HTTP_BAD_REQUEST;
+    }
+
+     for (i = url; *i; i++) {
+         if (*i >= 0 && *i < ' ') {
+             /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+         }
+     }
+ 
+    if (strstr(url, "///") == url) {
+        AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+                          "URL starts with '///'");
+        return HTTP_BAD_REQUEST;
+    }
+
+     return OK;
+ }
+ 
+-- 
+2.26.3
+
--- a/mod_auth_mellon.spec
+++ b/mod_auth_mellon.spec
@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.17.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz
 Source1: auth_mellon.conf
 Source2: 10-auth_mellon.conf
@ -22,6 +22,7 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.1-13
 Url: https://github.com/latchset/mod_auth_mellon

+Patch0001: 0001-Prevent-redirect-to-URLs-that-begin-with.patch

 %description
 The mod_auth_mellon module is an authentication service that implements the
@ -29,7 +30,7 @@ SAML 2.0 federation protocol. It grants access based on the attributes
 received in assertions generated by a IdP server.

 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -n %{name}-%{version}

 %build
 export APXS=%{_httpd_apxs}
@ -102,6 +103,10 @@ in the doc directory for instructions on using the diagnostics build.
 %dir /run/%{name}/

 %changelog
+* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-6
+- Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect
+                          vulnerability in logout URLs
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688