From 49aa4a31cb1c7447ecbc589bbf85746bd9cbd2f4 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 21 Sep 2023 19:34:20 +0000
Subject: [PATCH] import CS mod_auth_openidc-2.4.9.4-4.el9

---
 SOURCES/0001-CVE-2022-23527.patch | 77 +++++++++++++++++++++++++++++++
 SOURCES/0002-CVE-2023-28625.patch | 24 ++++++++++
 SPECS/mod_auth_openidc.spec | 27 ++++++++---
 3 files changed, 121 insertions(+), 7 deletions(-)
 create mode 100644 SOURCES/0001-CVE-2022-23527.patch
 create mode 100644 SOURCES/0002-CVE-2023-28625.patch

diff --git a/SOURCES/0001-CVE-2022-23527.patch b/SOURCES/0001-CVE-2022-23527.patch
new file mode 100644
index 0000000..5c3440c
--- /dev/null
+++ b/SOURCES/0001-CVE-2022-23527.patch
@@ -0,0 +1,77 @@
+commit 4c494e4a59a15580e3226dcd6c02b24076b73421
+Author: Tomas Halman
+Date: Mon Feb 27 13:18:55 2023 +0100
+
+ Backport of fixes for CVE-2022-23527
+
+ CVE-2022-23527 prevent open redirect in default setup
+
+ This patch is based on 87119f44, f38af0e2, 1a394a86 and
+ 1c808c58 updates.
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index b36f6c1..099c716 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
++ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
++ || (strstr(url, "/\t") != NULL)
++ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
++ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
++ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
++ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
++ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
++ *err_str = apr_pstrdup(r->pool, "Invalid URL");
++ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
+ 
+ return TRUE;
+ }
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index 2218d76..8757411 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
+ char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
+ apr_byte_t oidc_enabled(request_rec *r);
+ char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
++char* oidc_util_strcasestr(const char *s1, const char *s2);
+ 
+ /* HTTP header constants */
+ #define OIDC_HTTP_HDR_COOKIE "Cookie"
+diff --git a/src/util.c b/src/util.c
+index 4c46156..c6453d0 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+ return output;
+ }
+ 
++char* oidc_util_strcasestr(const char *s1, const char *s2) {
++ const char *s = s1;
++ const char *p = s2;
++ do {
++ if (!*p)
++ return (char*) s1;
++ if ((*p == *s) || (tolower(*p) == tolower(*s))) {
++ ++p;
++ ++s;
++ } else {
++ p = s2;
++ if (!*s)
++ return NULL;
++ s = ++s1;
++ }
++ } while (1);
++ return *p ? NULL : (char*) s1;
++}
+ 
+ /*
+ * get the URL scheme that is currently being accessed
diff --git a/SOURCES/0002-CVE-2023-28625.patch b/SOURCES/0002-CVE-2023-28625.patch
new file mode 100644
index 0000000..98e78dd
--- /dev/null
+++ b/SOURCES/0002-CVE-2023-28625.patch
@@ -0,0 +1,24 @@
+commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
+Author: Tomas Halman
+Date: Tue Apr 11 11:39:55 2023 +0200
+
+ Backport fixe of CVE-2023-28625
+
+ CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
+ OIDCStripCookies is set and a crafted Cookie header is supplied
+
+ This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 099c716..51eb53e 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
+ do {
+ while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
+ cookie++;
++ if (cookie == NULL)
++ break;
+ 
+ for (i = 0; i < strip->nelts; i++) {
+ name = ((const char**) strip->elts)[i];
diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec
index 7c2cf34..7aba426 100644
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
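Review bot: `oidc_util_strcasestr` in the util.c part of this patch passes plain `char` values to `tolower()`, and the caller in `oidc_validate_redirect_url` searches for non-ASCII sequences, so bytes at or above 0x80 reach `<ctype.h>` as negative values on platforms where `char` is signed, which is undefined behaviour; cast first: `if ((*p == *s) || (tolower((unsigned char)*p) == tolower((unsigned char)*s))) {`. The `return *p ? NULL : (char*) s1;` after the `while (1)` loop is unreachable and can be dropped, and whether util.c already includes `<ctype.h>` is not visible from this hunk. In the mod_auth_openidc.c part, percent-encoded hex digits are case-insensitive, yet `/%2f` is matched with `oidc_util_strcasestr` while `/%5c` goes through plain `strstr`; matching every percent-encoded entry with `oidc_util_strcasestr` keeps the list consistent. The `/〱` and `/ー` entries appear twice in the condition, possibly distinct code points folded in transit, which is worth confirming against the bytes in the patch file. `oidc_validate_redirect_url` begins outside the hunk.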
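Review bot: The added `if (cookie == NULL) break;` in `oidc_strip_cookies` sits after a `while` loop whose own condition already tests `cookie != NULL`, so the reader has to work out that the loop cannot turn a non-NULL `cookie` into NULL; testing the guard before the whitespace skip, with the loop reduced to `while (*cookie == OIDC_CHAR_SPACE)`, states the same thing more directly. A one-line comment naming what the guard protects against would also help, e.g. `/* CVE-2023-28625: stop when no cookie remains instead of dereferencing NULL */`, assuming NULL here does mean the end of the header, which only the code that advances `cookie` (outside the hunk) can confirm. The `do` loop's end and the rest of the function are outside the hunk.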
@@ -15,12 +15,14 @@ Name: mod_auth_openidc Version: 2.4.9.4 -Release: 1%{?dist} +Release: 4%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server License: ASL 2.0 URL: https://github.com/zmartzone/mod_auth_openidc Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz +Patch0: 0001-CVE-2022-23527.patch +Patch1: 0002-CVE-2023-28625.patch BuildRequires: gcc BuildRequires: httpd-devel @@ -40,7 +42,7 @@ This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep -%setup -q +%autosetup -p1 %build # workaround rpm-buildroot-usage 
@@ -88,17 +90,32 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %doc README.md %{_httpd_moddir}/mod_auth_openidc.so %config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf -%config(noreplace) %{_httpd_confdir}/auth_openidc.conf +%config(noreplace) %attr(0640, root, apache) %{_httpd_confdir}/auth_openidc.conf %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir} %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog +* Mon Apr 24 2023 Tomas Halman - 2.4.9.4-4 + Resolves: rhbz#2189268 - auth_openidc.conf mode 0640 by default + +* Tue Apr 11 2023 Tomas Halman - 2.4.9.4-3 +- Resolves: rhbz#2184145 - CVE-2023-28625 NULL pointer dereference + when OIDCStripCookies is set and a crafted Cookie header is supplied + +* Tue Feb 21 2023 Tomas Halman - 2.4.9.4-2 +- Resolves: rhbz#2153656 - CVE-2022-23527 - Open Redirect in + oidc_validate_redirect_url() using tab character + * Tue Nov 30 2021 Tomas Halman - 2.4.9.4-1 - Resolves: rhbz#2001852 - CVE-2021-39191 mod_auth_openidc: open redirect by supplying a crafted URL in the target_link_uri parameter +* Mon Aug 09 2021 Mohan Boddu - 2.4.8.2-3 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + * Fri Jul 30 2021 Jakub Hrozek - 2.4.9.1-1 - Resolves: rhbz#1987223 - CVE-2021-32792 mod_auth_openidc: XSS when using OIDCPreservePost On [rhel-9.0] @@ -108,10 +125,6 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache - Resolves: rhbz#1987204 - CVE-2021-32786 mod_auth_openidc: open redirect in oidc_validate_redirect_url() [rhel-9.0] -* Mon Aug 09 2021 Mohan Boddu - 2.4.8.2-3 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 - * Wed Jun 16 2021 Mohan Boddu - 2.4.8.2-2 - Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065
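Review bot: The new `%attr(0640, root, apache)` on auth_openidc.conf only takes effect for files rpm actually writes, and the entry is `%config(noreplace)`, so on upgrade a locally edited copy may be kept with its previous mode; whether rpm still applies the tightened owner and mode to a kept file should be confirmed and, if it does not, stated in the changelog so administrators know to adjust existing installs. The 2.4.9.4-4 changelog entry is also missing the `- ` bullet the other entries use: `+- Resolves: rhbz#2189268 - auth_openidc.conf mode 0640 by default`.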