Import from AlmaLinux stable repository
This commit is contained in:
		
							parent
							
								
									95b4d74ef6
								
							
						
					
					
						commit
						50a90c8f98
					
				
							
								
								
									
										77
									
								
								SOURCES/0001-CVE-2022-23527.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										77
									
								
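--- a/SOURCES/0001-CVE-2022-23527.patch
+++ b/SOURCES/0001-CVE-2022-23527.patch
@@ -0,0 +1,77 @@
+commit 4c494e4a59a15580e3226dcd6c02b24076b73421
+Author: Tomas Halman <thalman@redhat.com>
+Date:   Mon Feb 27 13:18:55 2023 +0100
+
+    Backport of fixes for CVE-2022-23527
+    
+    CVE-2022-23527 prevent open redirect in default setup
+    
+    This patch is based on 87119f44, f38af0e2, 1a394a86 and
+    1c808c58 updates.
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index b36f6c1..099c716 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+ 		oidc_error(r, "%s: %s", *err_str, *err_desc);
+ 		return FALSE;
+ 	}
++	if (       (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
++			|| (strstr(url, "/\t") != NULL)
++			|| (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
++			|| (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
++			|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
++			|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
++			|| (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
++			|| (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
++		*err_str = apr_pstrdup(r->pool, "Invalid URL");
++		*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
++		oidc_error(r, "%s: %s", *err_str, *err_desc);
++		return FALSE;
++	}
+ 
+ 	return TRUE;
+ }
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index 2218d76..8757411 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
+ char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
+ apr_byte_t oidc_enabled(request_rec *r);
+ char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
++char* oidc_util_strcasestr(const char *s1, const char *s2);
+ 
+ /* HTTP header constants */
+ #define OIDC_HTTP_HDR_COOKIE							"Cookie"
+diff --git a/src/util.c b/src/util.c
+index 4c46156..c6453d0 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+     return output;
+ }
+ 
++char* oidc_util_strcasestr(const char *s1, const char *s2) {
++	const char *s = s1;
++	const char *p = s2;
++	do {
++		if (!*p)
++			return (char*) s1;
++		if ((*p == *s) || (tolower(*p) == tolower(*s))) {
++			++p;
++			++s;
++		} else {
++			p = s2;
++			if (!*s)
++				return NULL;
++			s = ++s1;
++		}
++	} while (1);
++	return *p ? NULL : (char*) s1;
++}
+ 
+ /*
+  * get the URL scheme that is currently being accessed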
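Review bot: `tolower(*p)` and `tolower(*s)` in the new oidc_util_strcasestr pass plain `char` values, which is undefined behavior for byte values above 0x7F on platforms where char is signed; `url` is request-controlled and the same check scans for multi-byte UTF-8 sequences, so such bytes do reach this compare. Cast first: `if ((*p == *s) || (tolower((unsigned char) *p) == tolower((unsigned char) *s))) {`. The trailing `return *p ? NULL : (char*) s1;` after `while (1)` is unreachable and can be dropped, or the loop rewritten so it is the single exit. oidc_validate_redirect_url begins outside the hunk, so the origin and prior validation of `url` cannot be confirmed here.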
							
								
								
									
										24
									
								
								SOURCES/0002-CVE-2023-28625.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
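--- a/SOURCES/0002-CVE-2023-28625.patch
+++ b/SOURCES/0002-CVE-2023-28625.patch
@@ -0,0 +1,24 @@
+commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
+Author: Tomas Halman <thalman@redhat.com>
+Date:   Tue Apr 11 11:39:55 2023 +0200
+
+    Backport fixe of CVE-2023-28625
+    
+    CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
+    OIDCStripCookies is set and a crafted Cookie header is supplied
+    
+    This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 099c716..51eb53e 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
+ 		do {
+ 			while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
+ 				cookie++;
++			if (cookie == NULL)
++				break;
+ 
+ 			for (i = 0; i < strip->nelts; i++) {
+ 				name = ((const char**) strip->elts)[i];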
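Review bot: The added `if (cookie == NULL) break;` carries no comment explaining how `cookie` can be NULL after the whitespace-skipping `while`, and the code that assigns and advances `cookie` is outside the hunk, so a reader of oidc_strip_cookies cannot see the reason from this function alone. The commit message names the case, so a one-line comment above the guard would preserve it: `/* a crafted Cookie header can leave cookie NULL here (CVE-2023-28625) */`. As far as the hunk shows, the guard sits before the first dereference in the `for` body, which is the right place; the rest of the `do` loop is not visible here.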
| @ -15,12 +15,14 @@ | ||||
| 
 | ||||
| Name:		mod_auth_openidc | ||||
| Version:	2.4.9.4 | ||||
| Release:	1%{?dist} | ||||
| Release:	5%{?dist} | ||||
| Summary:	OpenID Connect auth module for Apache HTTP Server | ||||
| 
 | ||||
| License:	ASL 2.0 | ||||
| URL:		https://github.com/zmartzone/mod_auth_openidc | ||||
| Source0:	https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz | ||||
| Patch0:		0001-CVE-2022-23527.patch | ||||
| Patch1:		0002-CVE-2023-28625.patch | ||||
| 
 | ||||
| BuildRequires:  gcc | ||||
| BuildRequires:	httpd-devel | ||||
| @ -34,13 +36,14 @@ BuildRequires:	cjose-devel | ||||
| BuildRequires:	jq-devel | ||||
| %{?_with_hiredis:BuildRequires: hiredis-devel} | ||||
| Requires:	httpd-mmn = %{_httpd_mmn} | ||||
| Requires:	cjose >= 0.6.1 | ||||
| 
 | ||||
| %description | ||||
| This module enables an Apache 2.x web server to operate as | ||||
| an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. | ||||
| 
 | ||||
| %prep | ||||
| %setup -q | ||||
| %autosetup -p1 | ||||
| 
 | ||||
| %build | ||||
| # workaround rpm-buildroot-usage | ||||
| @ -89,12 +92,26 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache | ||||
| %doc README.md | ||||
| %{_httpd_moddir}/mod_auth_openidc.so | ||||
| %config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf | ||||
| %config(noreplace) %{_httpd_confdir}/auth_openidc.conf | ||||
| %config(noreplace) %attr(0640, root, apache) %{_httpd_confdir}/auth_openidc.conf | ||||
| %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir} | ||||
| %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata | ||||
| %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache | ||||
| 
 | ||||
| %changelog | ||||
| * Tue Apr 25 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-5 | ||||
|   Related: rhbz#2141850 - fix cjose version dependency | ||||
| 
 | ||||
| * Mon Apr 24 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-4 | ||||
|   Resolves: rhbz#2141850 - auth_openidc.conf mode 0640 by default | ||||
| 
 | ||||
| * Tue Apr 11 2023  Tomas Halman <thalman@redhat.com> - 2.4.9.4-3 | ||||
| - Resolves: rhbz#2184144 - CVE-2023-28625 NULL pointer dereference | ||||
|       when OIDCStripCookies is set and a crafted Cookie header is supplied | ||||
| 
 | ||||
| * Thu Feb 21 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-2 | ||||
| - Resolves: rhbz#2153659 - CVE-2022-23527 - Open Redirect in | ||||
|       oidc_validate_redirect_url() using tab character | ||||
| 
 | ||||
| * Fri Apr 8 2022 Tomas Halman <thalman@redhat.com> - 2.4.9.4-1 | ||||
| - Resolves: rhbz#2025368 - Rebase to new version | ||||
| 
 | ||||
|  | ||||