rpms/mod_auth_openidc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI mod_auth_openidc-2.4.16.11-1.el9

Browse Source
This commit is contained in:
eabdullin 2025-11-11 15:39:55 +00:00
parent 16b77492dc
commit 77c71a3214
10 changed files with 11 additions and 1825 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/mod_auth_openidc-2.4.10.tar.gz
SOURCES/mod_auth_openidc-2.4.16.11.tar.gz

2
.mod_auth_openidc.metadata
View File

@ -1 +1 @@
d909f783d719ffd86b3d919ca6590b0eed4d8a51 SOURCES/mod_auth_openidc-2.4.10.tar.gz
16a962b610751320f83b8ceed220fb9ed713d299 SOURCES/mod_auth_openidc-2.4.16.11.tar.gz

15
SOURCES/0000-destdir.patch
View File

@ -1,15 +0,0 @@
diff --git a/Makefile.am b/Makefile.am
index e5d0a4d..e5bfa67 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -69,8 +69,8 @@ mod_auth_openidc.la: libauth_openidc.la
${APXS} -c -o $@ $< ${AM_CFLAGS} ${LIBADD}
install-exec-local:
- @APXS@ -i -a -n auth_openidc mod_auth_openidc.la
-# ${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so @APACHE_MODULEDIR@/mod_auth_openidc.so
+# @APXS@ -i -a -n auth_openidc mod_auth_openidc.la
+ ${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so $(DESTDIR)@APACHE_MODULEDIR@/mod_auth_openidc.so
LDADD = libauth_openidc.la ${LIBADD}

63
SOURCES/0001-CVE-2022-23527.patch
View File

@ -1,63 +0,0 @@
diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig 2021-11-05 11:55:03.000000000 +0100
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c 2024-04-15 17:53:49.601539683 +0200
@@ -2537,6 +2537,20 @@ static apr_byte_t oidc_validate_redirect
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
}
+ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
+ || (strstr(url, "/\t") != NULL)
+ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
+ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
+ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
+ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
+ *err_str = apr_pstrdup(r->pool, "Invalid URL");
+ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
return TRUE;
}
diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig 2021-11-09 10:00:40.000000000 +0100
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.h 2024-04-15 17:53:49.601539683 +0200
@@ -819,6 +819,7 @@ char *oidc_util_http_query_encoded_url(r
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
apr_byte_t oidc_enabled(request_rec *r);
char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
+char* oidc_util_strcasestr(const char *s1, const char *s2);
/* HTTP header constants */
#define OIDC_HTTP_HDR_COOKIE "Cookie"
diff -up mod_auth_openidc-2.4.10/src/util.c.orig mod_auth_openidc-2.4.10/src/util.c
--- mod_auth_openidc-2.4.10/src/util.c.orig 2021-11-05 11:55:03.000000000 +0100
+++ mod_auth_openidc-2.4.10/src/util.c 2024-04-15 17:53:49.602539684 +0200
@@ -435,6 +435,24 @@ char* oidc_util_javascript_escape(apr_po
return output;
}
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
+ const char *s = s1;
+ const char *p = s2;
+ do {
+ if (!*p)
+ return (char*) s1;
+ if ((*p == *s) || (tolower(*p) == tolower(*s))) {
+ ++p;
+ ++s;
+ } else {
+ p = s2;
+ if (!*s)
+ return NULL;
+ s = ++s1;
+ }
+ } while (1);
+ return *p ? NULL : (char*) s1;
+}
/*
* get the URL scheme that is currently being accessed

12
SOURCES/0002-CVE-2023-28625.patch
View File

@ -1,12 +0,0 @@
diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig 2024-04-15 17:56:53.022820648 +0200
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c 2024-04-15 17:57:23.325867066 +0200
@@ -175,6 +175,8 @@ void oidc_strip_cookies(request_rec *r)
do {
while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
cookie++;
+ if (cookie == NULL)
+ break;
for (i = 0; i < strip->nelts; i++) {
name = ((const char**) strip->elts)[i];

46
SOURCES/0003-CVE-2024-24814.patch
View File

@ -1,46 +0,0 @@
diff -up mod_auth_openidc-2.4.9.4/src/util.c.orig mod_auth_openidc-2.4.9.4/src/util.c
--- mod_auth_openidc-2.4.9.4/src/util.c.orig 2024-02-29 17:54:55.939797412 +0100
+++ mod_auth_openidc-2.4.9.4/src/util.c 2024-02-29 18:01:12.042842605 +0100
@@ -1270,25 +1270,24 @@ static char* oidc_util_get_chunk_cookie_
*/
char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
int chunkSize) {
- char *cookieValue = NULL;
- char *chunkValue = NULL;
- int i = 0;
- if (chunkSize == 0) {
- cookieValue = oidc_util_get_cookie(r, cookieName);
- } else {
- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
- if (chunkCount > 0) {
- cookieValue = "";
- for (i = 0; i < chunkCount; i++) {
- chunkValue = oidc_util_get_cookie(r,
- oidc_util_get_chunk_cookie_name(r, cookieName, i));
- if (chunkValue != NULL)
- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
- chunkValue);
- }
- } else {
- cookieValue = oidc_util_get_cookie(r, cookieName);
+ char *cookieValue = NULL, *chunkValue = NULL;
+ int chunkCount = 0, i = 0;
+ if (chunkSize == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ chunkCount = oidc_util_get_chunked_count(r, cookieName);
+ if (chunkCount == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ if ((chunkCount < 0) || (chunkCount > 99)) {
+ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+ return NULL;
+ }
+ for (i = 0; i < chunkCount; i++) {
+ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+ if (chunkValue == NULL) {
+ oidc_warn(r, "could not find chunk %d; aborting", i);
+ break;
}
+ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
}
return cookieValue;
}

95
SOURCES/0004-race-condition.patch
View File

@ -1,95 +0,0 @@
diff -up mod_auth_openidc-2.4.10/src/cache/file.c.orig mod_auth_openidc-2.4.10/src/cache/file.c
--- mod_auth_openidc-2.4.10/src/cache/file.c.orig 2024-04-16 11:12:38.942552103 +0200
+++ mod_auth_openidc-2.4.10/src/cache/file.c 2024-04-16 11:13:09.890588209 +0200
@@ -329,8 +329,10 @@ static apr_status_t oidc_cache_file_clea
}
/* read the header with cache metadata info */
+ apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
rc = oidc_cache_file_read(r, path, fd, &info,
sizeof(oidc_cache_file_info_t));
+ apr_file_unlock(fd);
apr_file_close(fd);
if (rc == APR_SUCCESS) {
@@ -372,14 +374,15 @@ static apr_status_t oidc_cache_file_clea
/*
* write a value for the specified key to the cache
*/
-static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
- const char *key, const char *value, apr_time_t expiry) {
+static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section, const char *key,
+ const char *value, apr_time_t expiry) {
apr_file_t *fd = NULL;
apr_status_t rc = APR_SUCCESS;
char s_err[128];
/* get the fully qualified path to the cache file based on the key name */
- const char *path = oidc_cache_file_path(r, section, key);
+ const char *target = oidc_cache_file_path(r, section, key);
+ const char *path = apr_psprintf(r->pool, "%s.tmp", target);
/* only on writes (not on reads) we clean the cache first (if not done recently) */
oidc_cache_file_clean(r);
@@ -387,24 +390,22 @@ static apr_byte_t oidc_cache_file_set(re
/* just remove cache file if value is NULL */
if (value == NULL) {
if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) {
- oidc_error(r, "could not delete cache file \"%s\" (%s)", path,
- apr_strerror(rc, s_err, sizeof(s_err)));
+ oidc_error(r, "could not delete cache file \"%s\" (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
}
return TRUE;
}
/* try to open the cache file for writing, creating it if it does not exist */
- if ((rc = apr_file_open(&fd, path,
- (APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_TRUNCATE),
- APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
- oidc_error(r, "cache file \"%s\" could not be opened (%s)", path,
- apr_strerror(rc, s_err, sizeof(s_err)));
+ if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE),
+ APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
+ oidc_error(r, "cache file \"%s\" could not be opened (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
return FALSE;
}
/* lock the file and move the write pointer to the start of it */
apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
apr_off_t begin = 0;
+ apr_file_trunc(fd, begin);
apr_file_seek(fd, APR_SET, &begin);
/* construct the metadata for this cache entry in the header info */
@@ -413,22 +414,24 @@ static apr_byte_t oidc_cache_file_set(re
info.len = strlen(value) + 1;
/* write the header */
- if ((rc = oidc_cache_file_write(r, path, fd, &info,
- sizeof(oidc_cache_file_info_t))) != APR_SUCCESS)
+ if ((rc = oidc_cache_file_write(r, path, fd, &info, sizeof(oidc_cache_file_info_t)))
+ != APR_SUCCESS)
return FALSE;
/* next write the value */
- rc = oidc_cache_file_write(r, path, fd, (void *) value, info.len);
+ rc = oidc_cache_file_write(r, path, fd, (void*) value, info.len);
/* unlock and close the written file */
apr_file_unlock(fd);
apr_file_close(fd);
+ if (rename(path, target) != 0) {
+ oidc_error(r, "cache file: %s could not be renamed to: %s", path, target);
+ return FALSE;
+ }
+
/* log our success/failure */
- oidc_debug(r,
- "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes",
- (rc == APR_SUCCESS) ? "successfully stored" : "could not store",
- key, info.len);
+ oidc_debug(r, "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes", (rc == APR_SUCCESS) ? "successfully stored" : "could not store", key, info.len);
return (rc == APR_SUCCESS);
}

83
SOURCES/0005-CVE-2025-31492.patch
View File

@ -1,83 +0,0 @@
diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig 2025-04-09 13:28:07.727364016 +0200
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c 2025-04-10 17:35:35.078190167 +0200
@@ -4284,7 +4284,11 @@ int oidc_content_handler(request_rec *r)
rc = oidc_discovery(r, c);
- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+
+ rc = OK;
+
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
rc = OK;
diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig 2025-04-09 15:59:53.319640594 +0200
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.h 2025-04-09 16:06:36.736950353 +0200
@@ -105,7 +105,8 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
#define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
#define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
/* parameter name of the callback URL in the discovery response */
#define OIDC_DISC_CB_PARAM "oidc_callback"
diff -up mod_auth_openidc-2.4.10/src/proto.c.orig mod_auth_openidc-2.4.10/src/proto.c
--- mod_auth_openidc-2.4.10/src/proto.c.orig 2021-11-05 11:55:03.000000000 +0100
+++ mod_auth_openidc-2.4.10/src/proto.c 2025-04-10 17:54:42.459819654 +0200
@@ -585,7 +585,7 @@ static int oidc_proto_add_form_post_para
/*
* make the browser POST parameters through Javascript auto-submit
*/
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
apr_table_t *params) {
oidc_debug(r, "enter");
@@ -601,8 +601,7 @@ static int oidc_proto_html_post(request_
html_body = apr_psprintf(r->pool, "%s%s", data.html_body, " </p>\n"
" </form>\n");
- return oidc_util_html_send(r, "Submitting...", NULL,
- "document.forms[0].submit", html_body, OK);
+ oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
}
void add_auth_request_params(request_rec *r, apr_table_t *params,
@@ -733,8 +732,12 @@ int oidc_proto_authorization_request(req
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
/* construct a HTML POST auto-submit page with the authorization request parameters */
- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
- params);
+ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+ r->user = "";
+ rv = OK;
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
@@ -742,7 +745,6 @@ int oidc_proto_authorization_request(req
authorization_request = oidc_util_http_query_encoded_url(r,
provider->authorization_endpoint_url, params);
- // TODO: should also enable this when using the POST binding for the auth request
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, authorization_request, NULL,
NULL) == FALSE) {
@@ -756,7 +758,7 @@ int oidc_proto_authorization_request(req
} else {
/* signal this to the content handler */
- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
r->user = "";
rv = OK;

1494
SOURCES/0006-CVE-2025-3891.patch
View File

File diff suppressed because it is too large Load Diff

24
SPECS/mod_auth_openidc.spec
View File

@ -14,20 +14,13 @@
%global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
Name: mod_auth_openidc
Version: 2.4.10
Release: 1%{?dist}.2
Version: 2.4.16.11
Release: 1%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server
License: ASL 2.0
URL: https://github.com/OpenIDC/mod_auth_openidc
Source0: https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
Patch0: 0000-destdir.patch
Patch1: 0001-CVE-2022-23527.patch
Patch2: 0002-CVE-2023-28625.patch
Patch3: 0003-CVE-2024-24814.patch
Patch4: 0004-race-condition.patch
Patch5: 0005-CVE-2025-31492.patch
Patch6: 0006-CVE-2025-3891.patch
BuildRequires: gcc
BuildRequires: httpd-devel
@ -101,13 +94,14 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog
* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.10-1%{?dist}.2
Resolves: RHEL-95948 - mod_auth_openidc: DoS via Empty POST in mod_auth_openidc
with OIDCPreservePost Enabled (CVE-2025-3891)
* Tue Apr 8 2025 Tomas Halman <thalman@redhat.com> - 2.4.16.11-1
Rebase to version 2.4.16.11
- Resolves: RHEL-86221
* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.10-1%{?dist}.1
Resolves: RHEL-86224 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
POSTs to leak protected data (CVE-2025-31492)
* Mon Mar 31 2025 Tomas Halman <thalman@redhat.com> - 2.4.16.10-1
Rebase to version 2.4.16.10
- Resolves: RHEL-44894
- Resolves: RHEL-3335
* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.10-1
Rebase to 2.4.10 version improves `state cookies piling up` problem