rpms/mod_auth_openidc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI mod_auth_openidc-2.4.9.4-4.el9

Browse Source
This commit is contained in:
eabdullin 2023-11-07 12:00:43 +00:00
parent 13f531b35d
commit 1bd9974c61
3 changed files with 121 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
SOURCES/0001-CVE-2022-23527.patch Normal file
View File

@ -0,0 +1,77 @@
commit 4c494e4a59a15580e3226dcd6c02b24076b73421
Author: Tomas Halman <thalman@redhat.com>
Date: Mon Feb 27 13:18:55 2023 +0100
Backport of fixes for CVE-2022-23527
CVE-2022-23527 prevent open redirect in default setup
This patch is based on 87119f44, f38af0e2, 1a394a86 and
1c808c58 updates.
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index b36f6c1..099c716 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
}
+ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
+ || (strstr(url, "/\t") != NULL)
+ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
+ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
+ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
+ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
+ *err_str = apr_pstrdup(r->pool, "Invalid URL");
+ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
return TRUE;
}
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index 2218d76..8757411 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
apr_byte_t oidc_enabled(request_rec *r);
char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
+char* oidc_util_strcasestr(const char *s1, const char *s2);
/* HTTP header constants */
#define OIDC_HTTP_HDR_COOKIE "Cookie"
diff --git a/src/util.c b/src/util.c
index 4c46156..c6453d0 100644
--- a/src/util.c
+++ b/src/util.c
@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
return output;
}
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
+ const char *s = s1;
+ const char *p = s2;
+ do {
+ if (!*p)
+ return (char*) s1;
+ if ((*p == *s) || (tolower(*p) == tolower(*s))) {
+ ++p;
+ ++s;
+ } else {
+ p = s2;
+ if (!*s)
+ return NULL;
+ s = ++s1;
+ }
+ } while (1);
+ return *p ? NULL : (char*) s1;
+}
/*
* get the URL scheme that is currently being accessed

24
SOURCES/0002-CVE-2023-28625.patch Normal file
View File

@ -0,0 +1,24 @@
commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
Author: Tomas Halman <thalman@redhat.com>
Date: Tue Apr 11 11:39:55 2023 +0200
Backport fixe of CVE-2023-28625
CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
OIDCStripCookies is set and a crafted Cookie header is supplied
This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 099c716..51eb53e 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
do {
while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
cookie++;
+ if (cookie == NULL)
+ break;
for (i = 0; i < strip->nelts; i++) {
name = ((const char**) strip->elts)[i];

27
SPECS/mod_auth_openidc.spec
View File

@ -15,12 +15,14 @@
Name: mod_auth_openidc Name: mod_auth_openidc
Version: 2.4.9.4 Version: 2.4.9.4
Release: 1%{?dist} Release: 4%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server Summary: OpenID Connect auth module for Apache HTTP Server
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/zmartzone/mod_auth_openidc URL: https://github.com/zmartzone/mod_auth_openidc
Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
Patch0: 0001-CVE-2022-23527.patch
Patch1: 0002-CVE-2023-28625.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: httpd-devel BuildRequires: httpd-devel
@ -40,7 +42,7 @@ This module enables an Apache 2.x web server to operate as
an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
%prep %prep
%setup -q %autosetup -p1
%build %build
# workaround rpm-buildroot-usage # workaround rpm-buildroot-usage
@ -88,17 +90,32 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%doc README.md %doc README.md
%{_httpd_moddir}/mod_auth_openidc.so %{_httpd_moddir}/mod_auth_openidc.so
%config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf %config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf
%config(noreplace) %{_httpd_confdir}/auth_openidc.conf %config(noreplace) %attr(0640, root, apache) %{_httpd_confdir}/auth_openidc.conf
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir} %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog %changelog
* Mon Apr 24 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-4
Resolves: rhbz#2189268 - auth_openidc.conf mode 0640 by default
* Tue Apr 11 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-3
- Resolves: rhbz#2184145 - CVE-2023-28625 NULL pointer dereference
when OIDCStripCookies is set and a crafted Cookie header is supplied
* Tue Feb 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-2
- Resolves: rhbz#2153656 - CVE-2022-23527 - Open Redirect in
oidc_validate_redirect_url() using tab character
* Tue Nov 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1 * Tue Nov 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1
- Resolves: rhbz#2001852 - CVE-2021-39191 mod_auth_openidc: open redirect - Resolves: rhbz#2001852 - CVE-2021-39191 mod_auth_openidc: open redirect
by supplying a crafted URL in the target_link_uri by supplying a crafted URL in the target_link_uri
parameter parameter
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.9.1-1 * Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.4.9.1-1
- Resolves: rhbz#1987223 - CVE-2021-32792 mod_auth_openidc: XSS when using - Resolves: rhbz#1987223 - CVE-2021-32792 mod_auth_openidc: XSS when using
OIDCPreservePost On [rhel-9.0] OIDCPreservePost On [rhel-9.0]
@ -108,10 +125,6 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
- Resolves: rhbz#1987204 - CVE-2021-32786 mod_auth_openidc: open redirect in - Resolves: rhbz#1987204 - CVE-2021-32786 mod_auth_openidc: open redirect in
oidc_validate_redirect_url() [rhel-9.0] oidc_validate_redirect_url() [rhel-9.0]
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-2 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.8.2-2
- Rebuilt for RHEL 9 BETA for openssl 3.0 - Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065 Related: rhbz#1971065