From 3ee1d030a25d1f14dfd3ca850cf74578a940c4ba Mon Sep 17 00:00:00 2001
From: Tomas Halman
Date: Tue, 11 Apr 2023 11:57:17 +0200
Subject: [PATCH] NULL pointer dereference

Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference when OIDCStripCookies is set and a crafted Cookie header is supplied
---
 0002-CVE-2023-28625.patch | 24 ++++++++++++++++++++++++
 mod_auth_openidc.spec | 7 ++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 0002-CVE-2023-28625.patch

diff --git a/0002-CVE-2023-28625.patch b/0002-CVE-2023-28625.patch
new file mode 100644
index 0000000..98e78dd
--- /dev/null
+++ b/0002-CVE-2023-28625.patch
@@ -0,0 +1,24 @@
+commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
+Author: Tomas Halman
+Date: Tue Apr 11 11:39:55 2023 +0200
+
+ Backport fixe of CVE-2023-28625
+
+ CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
+ OIDCStripCookies is set and a crafted Cookie header is supplied
+
+ This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 099c716..51eb53e 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
+ do {
+ while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
+ cookie++;
++ if (cookie == NULL)
++ break;
+
+ for (i = 0; i < strip->nelts; i++) {
+ name = ((const char**) strip->elts)[i];
diff --git a/mod_auth_openidc.spec b/mod_auth_openidc.spec
index 370bec1..8a2cc6a 100644
--- a/mod_auth_openidc.spec
+++ b/mod_auth_openidc.spec
@@ -15,13 +15,14 @@
 Name: mod_auth_openidc
 Version: 2.4.9.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: OpenID Connect auth module for Apache HTTP Server
 License: ASL 2.0
 URL: https://github.com/zmartzone/mod_auth_openidc
 Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
 Patch0: 0001-CVE-2022-23527.patch
+Patch1: 0002-CVE-2023-28625.patch
 BuildRequires: gcc
 BuildRequires: httpd-devel
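Review bot: The new `if (cookie == NULL) break;` in oidc_strip_cookies (inside 0002-CVE-2023-28625.patch) carries no comment saying when `cookie` can be NULL at the top of the loop, so the guard reads as redundant next to the `cookie != NULL` test in the `while` just above it. I would add `/* tokenizer returned no cookie for this header (CVE-2023-28625): nothing to strip */` directly above the check. The `break` also leaves the `do` loop early, so the code that follows the loop has to cope with no cookie having been kept; that code and the call that first assigns `cookie` are outside the hunk, so this should be confirmed against the full function. A regression test that sends a Cookie header made up only of separators with OIDCStripCookies configured would keep the backport from regressing.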
@@ -96,6 +97,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
 %changelog
+* Tue Apr 11 2023 Tomas Halman - 2.4.9.4-3
+- Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference
+ when OIDCStripCookies is set and a crafted Cookie header is supplied
+
 * Thu Feb 21 2023 Tomas Halman - 2.4.9.4-2
 - Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in oidc_validate_redirect_url() using tab character