diff --git a/SOURCES/0001-CVE-2022-23527.patch b/SOURCES/0001-CVE-2022-23527.patch new file mode 100644 index 0000000..5c3440c --- /dev/null +++ b/SOURCES/0001-CVE-2022-23527.patch @@ -0,0 +1,77 @@ +commit 4c494e4a59a15580e3226dcd6c02b24076b73421 +Author: Tomas Halman +Date: Mon Feb 27 13:18:55 2023 +0100 + + Backport of fixes for CVE-2022-23527 + + CVE-2022-23527 prevent open redirect in default setup + + This patch is based on 87119f44, f38af0e2, 1a394a86 and + 1c808c58 updates. + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index b36f6c1..099c716 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c, + oidc_error(r, "%s: %s", *err_str, *err_desc); + return FALSE; + } ++ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL) ++ || (strstr(url, "/\t") != NULL) ++ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL) ++ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL) ++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL) ++ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL) ++ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL) ++ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL) ++ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) { ++ *err_str = apr_pstrdup(r->pool, "Invalid URL"); ++ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++ } + + return TRUE; + } +diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h +index 2218d76..8757411 100644 +--- a/src/mod_auth_openidc.h ++++ b/src/mod_auth_openidc.h +@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap + char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename); + apr_byte_t oidc_enabled(request_rec *r); + char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params); ++char* oidc_util_strcasestr(const char *s1, const char *s2); + + /* HTTP header constants */ + #define OIDC_HTTP_HDR_COOKIE "Cookie" +diff --git a/src/util.c b/src/util.c +index 4c46156..c6453d0 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) { + return output; + } + ++char* oidc_util_strcasestr(const char *s1, const char *s2) { ++ const char *s = s1; ++ const char *p = s2; ++ do { ++ if (!*p) ++ return (char*) s1; ++ if ((*p == *s) || (tolower(*p) == tolower(*s))) { ++ ++p; ++ ++s; ++ } else { ++ p = s2; ++ if (!*s) ++ return NULL; ++ s = ++s1; ++ } ++ } while (1); ++ return *p ? NULL : (char*) s1; ++} + + /* + * get the URL scheme that is currently being accessed diff --git a/SOURCES/0002-CVE-2023-28625.patch b/SOURCES/0002-CVE-2023-28625.patch new file mode 100644 index 0000000..98e78dd --- /dev/null +++ b/SOURCES/0002-CVE-2023-28625.patch @@ -0,0 +1,24 @@ +commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934 +Author: Tomas Halman +Date: Tue Apr 11 11:39:55 2023 +0200 + + Backport fixe of CVE-2023-28625 + + CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when + OIDCStripCookies is set and a crafted Cookie header is supplied + + This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index 099c716..51eb53e 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) { + do { + while (cookie != NULL && *cookie == OIDC_CHAR_SPACE) + cookie++; ++ if (cookie == NULL) ++ break; + + for (i = 0; i < strip->nelts; i++) { + name = ((const char**) strip->elts)[i]; diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec index d805940..792ab92 100644 --- a/SPECS/mod_auth_openidc.spec +++ b/SPECS/mod_auth_openidc.spec @@ -15,12 +15,14 @@ Name: mod_auth_openidc Version: 2.4.9.4 -Release: 1%{?dist} +Release: 5%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server License: ASL 2.0 URL: https://github.com/zmartzone/mod_auth_openidc Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz +Patch0: 0001-CVE-2022-23527.patch +Patch1: 0002-CVE-2023-28625.patch BuildRequires: gcc BuildRequires: httpd-devel @@ -34,13 +36,14 @@ BuildRequires: cjose-devel BuildRequires: jq-devel %{?_with_hiredis:BuildRequires: hiredis-devel} Requires: httpd-mmn = %{_httpd_mmn} +Requires: cjose >= 0.6.1 %description This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep -%setup -q +%autosetup -p1 %build # workaround rpm-buildroot-usage @@ -89,12 +92,26 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %doc README.md %{_httpd_moddir}/mod_auth_openidc.so %config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf -%config(noreplace) %{_httpd_confdir}/auth_openidc.conf +%config(noreplace) %attr(0640, root, apache) %{_httpd_confdir}/auth_openidc.conf %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir} %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog +* Tue Apr 25 2023 Tomas Halman - 2.4.9.4-5 + Related: rhbz#2141850 - fix cjose version dependency + +* Mon Apr 24 2023 Tomas Halman - 2.4.9.4-4 + Resolves: rhbz#2141850 - auth_openidc.conf mode 0640 by default + +* Tue Apr 11 2023 Tomas Halman - 2.4.9.4-3 +- Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference + when OIDCStripCookies is set and a crafted Cookie header is supplied + +* Thu Feb 21 2023 Tomas Halman - 2.4.9.4-2 +- Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in + oidc_validate_redirect_url() using tab character + * Fri Apr 8 2022 Tomas Halman - 2.4.9.4-1 - Resolves: rhbz#2025368 - Rebase to new version