Fixing gating issue - rebuild

bad user/group ownership for /run/mod_auth_mellon
Resolves: rhbz#2047948
2023-05-18 15:47:15 +00:00 · 2022-07-26 17:46:47 +02:00 · 2021-08-24 13:48:25 +02:00 · 2021-08-09 22:19:39 +00:00 · 2021-06-29 07:42:25 -05:00 · 2021-06-29 07:06:34 -05:00
8 changed files with 115 additions and 3 deletions
--- a/.mod_auth_mellon.metadata
+++ b/.mod_auth_mellon.metadata
@ -0,0 +1 @@
+df4039cca9d706b10c49ea3435af0382da2b959a mod_auth_mellon-0.17.0.tar.gz
--- a/0001-Prevent-redirect-to-URLs-that-begin-with.patch
+++ b/0001-Prevent-redirect-to-URLs-that-begin-with.patch
@ -0,0 +1,47 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito <aimoto@osstech.co.jp>
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+     const char *i;
+ 
+    if (url == NULL) {
+        return HTTP_BAD_REQUEST;
+    }
+
+     for (i = url; *i; i++) {
+         if (*i >= 0 && *i < ' ') {
+             /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+         }
+     }
+ 
+    if (strstr(url, "///") == url) {
+        AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+                          "URL starts with '///'");
+        return HTTP_BAD_REQUEST;
+    }
+
+     return OK;
+ }
+ 
+-- 
+2.26.3
+
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/mod_auth_mellon.spec
+++ b/mod_auth_mellon.spec
@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.17.0
-Release: 1%{?dist}
+Release: 8%{?dist}
 Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz
 Source1: auth_mellon.conf
 Source2: 10-auth_mellon.conf
@ -9,6 +9,7 @@ Source3: mod_auth_mellon.conf
 Source4: mellon_create_metadata.sh
 Source5: README.redhat.rst
 License: GPLv2+
+BuildRequires: make
 BuildRequires:  gcc
 BuildRequires: curl-devel
 BuildRequires: glib2-devel
@ -21,6 +22,7 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.1-13
 Url: https://github.com/latchset/mod_auth_mellon

+Patch0001: 0001-Prevent-redirect-to-URLs-that-begin-with.patch

 %description
 The mod_auth_mellon module is an authentication service that implements the
@ -28,7 +30,7 @@ SAML 2.0 federation protocol. It grants access based on the attributes
 received in assertions generated by a IdP server.

 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -n %{name}-%{version}

 %build
 export APXS=%{_httpd_apxs}
@ -98,9 +100,35 @@ in the doc directory for instructions on using the diagnostics build.
 %{_httpd_moddir}/mod_auth_mellon.so
 %{_tmpfilesdir}/mod_auth_mellon.conf
 %{_libexecdir}/%{name}
-%dir /run/%{name}/
+%dir %attr(-, apache, apache) /run/%{name}/

 %changelog
+* Wed Apr 5 2023 Tomas Halman <thalman@redhat.com> - 0.17.0-8
+- Fixing gating issue - rebuild
+  Resolves: rhbz#2184763
+
+* Tue Jul 26 2022 Tomas Halman <thalman@redhat.com> - 0.17.0-7
+- bad user/group ownership for /run/mod_auth_mellon
+  Resolves: rhbz#2047948
+
+* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-6
+- Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect
+                          vulnerability in logout URLs
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-4
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Wed Sep 16 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-1
 - New upstream version 0.17.0

--- a/tests/.fmf/version
+++ b/tests/.fmf/version
@ -0,0 +1 @@
+1
--- a/tests/provision.fmf
+++ b/tests/provision.fmf
@ -0,0 +1,5 @@
+---
+standard-inventory-qcow2:
+  qemu:
+    m: 3G
+    smp: 2
--- a/tests/scripts/run_tests.sh
+++ b/tests/scripts/run_tests.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+
+export GIT_SSL_NO_VERIFY=true
+git clone https://github.com/latchset/federation_testing.git
+
+cd federation_testing
+if [ ! -d /tmp/artifacts ]; then
+    mkdir -p /tmp/artifacts
+fi
+
+./setup.sh
+./test_mellon.sh
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,12 @@
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    tests:
+    - mod_auth_mellon:
+        dir: scripts
+        run: ./run_tests.sh
+    required_packages:
+    - git
+
Author	SHA1	Message	Date
Tomas Halman	04e86bee53	Fixing gating issue - rebuild	2023-05-18 15:47:15 +00:00
Tomas Halman	c806712339	bad user/group ownership for /run/mod_auth_mellon Resolves: rhbz#2047948	2022-07-26 17:46:47 +02:00
Jakub Hrozek	14ff788096	Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect vulnerability in logout URLs	2021-08-24 13:48:25 +02:00
Mohan Boddu	b5c37f85fa	Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-08-09 22:19:39 +00:00
Scott Poore	47cb7d3098	Fix git repo used to pull gating tests Resolves: rhbz#1977068	2021-06-29 07:42:25 -05:00
Scott Poore	19ad228592	Removing old gating script code. Resolves: rhbz#1977068	2021-06-29 07:06:34 -05:00
Scott Poore	2cf525413f	Enable gating for RHEL9. Resolves: rhbz#1977068	2021-06-28 16:35:42 -05:00
Mohan Boddu	4bfdc6b4e6	Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-06-16 03:31:00 +00:00
Mohan Boddu	252d229889	- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-04-16 02:13:43 +00:00
DistroBaker	b5ef6d96cd	Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/mod_auth_mellon.git#09005a0274a9f374ae29e1825bb2c90169c1145d	2021-02-02 23:36:04 +00:00
				`@ -0,0 +1 @@`
				`df4039cca9d706b10c49ea3435af0382da2b959a mod_auth_mellon-0.17.0.tar.gz`