import UBI mod_auth_openidc-2.4.10-1.el9

2024-11-12 10:19:20 +00:00 · 2024-11-12 10:19:20 +00:00 · bae6508ce5
commit bae6508ce5
parent 1bd9974c61
8 changed files with 192 additions and 52 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/v2.4.9.4.tar.gz
+SOURCES/mod_auth_openidc-2.4.10.tar.gz
--- a/.mod_auth_openidc.metadata
+++ b/.mod_auth_openidc.metadata
@ -1 +1 @@
-47f8b949552c3d32f019c5cf785c4672dc0f8aae SOURCES/v2.4.9.4.tar.gz
+d909f783d719ffd86b3d919ca6590b0eed4d8a51 SOURCES/mod_auth_openidc-2.4.10.tar.gz
--- a/SOURCES/0000-destdir.patch
+++ b/SOURCES/0000-destdir.patch
@ -0,0 +1,15 @@
+diff --git a/Makefile.am b/Makefile.am
+index e5d0a4d..e5bfa67 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -69,8 +69,8 @@ mod_auth_openidc.la: libauth_openidc.la
+ 	${APXS} -c -o $@ $< ${AM_CFLAGS} ${LIBADD}
+ 
+ install-exec-local:
+-	@APXS@ -i -a -n auth_openidc mod_auth_openidc.la
+-#	${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so @APACHE_MODULEDIR@/mod_auth_openidc.so
+#	@APXS@ -i -a -n auth_openidc mod_auth_openidc.la
+	${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so $(DESTDIR)@APACHE_MODULEDIR@/mod_auth_openidc.so
+ 
+ LDADD = libauth_openidc.la ${LIBADD}
+ 
--- a/SOURCES/0001-CVE-2022-23527.patch
+++ b/SOURCES/0001-CVE-2022-23527.patch
@ -1,19 +1,7 @@
-commit 4c494e4a59a15580e3226dcd6c02b24076b73421
-Author: Tomas Halman <thalman@redhat.com>
-Date:   Mon Feb 27 13:18:55 2023 +0100
-
-    Backport of fixes for CVE-2022-23527
-    
-    CVE-2022-23527 prevent open redirect in default setup
-    
-    This patch is based on 87119f44, f38af0e2, 1a394a86 and
-    1c808c58 updates.
-
-diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
-index b36f6c1..099c716 100644
--- a/src/mod_auth_openidc.c
-+++ b/src/mod_auth_openidc.c
-@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig	2021-11-05 11:55:03.000000000 +0100
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c	2024-04-15 17:53:49.601539683 +0200
+@@ -2537,6 +2537,20 @@ static apr_byte_t oidc_validate_redirect
 		oidc_error(r, "%s: %s", *err_str, *err_desc);
 		return FALSE;
 	}
@ -34,23 +22,21 @@ index b36f6c1..099c716 100644
 
 	return TRUE;
 }
-diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
-index 2218d76..8757411 100644
--- a/src/mod_auth_openidc.h
-+++ b/src/mod_auth_openidc.h
-@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.h
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig	2021-11-09 10:00:40.000000000 +0100
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.h	2024-04-15 17:53:49.601539683 +0200
+@@ -819,6 +819,7 @@ char *oidc_util_http_query_encoded_url(r
 char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
 apr_byte_t oidc_enabled(request_rec *r);
 char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
 +char* oidc_util_strcasestr(const char *s1, const char *s2);
 
 /* HTTP header constants */
- #define OIDC_HTTP_HDR_COOKIE							"Cookie"
-diff --git a/src/util.c b/src/util.c
-index 4c46156..c6453d0 100644
--- a/src/util.c
-+++ b/src/util.c
-@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+ #define OIDC_HTTP_HDR_COOKIE                            "Cookie"
+diff -up mod_auth_openidc-2.4.10/src/util.c.orig mod_auth_openidc-2.4.10/src/util.c
+--- mod_auth_openidc-2.4.10/src/util.c.orig	2021-11-05 11:55:03.000000000 +0100
+++ mod_auth_openidc-2.4.10/src/util.c	2024-04-15 17:53:49.602539684 +0200
+@@ -435,6 +435,24 @@ char* oidc_util_javascript_escape(apr_po
     return output;
 }
 
--- a/SOURCES/0002-CVE-2023-28625.patch
+++ b/SOURCES/0002-CVE-2023-28625.patch
@ -1,19 +1,7 @@
-commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
-Author: Tomas Halman <thalman@redhat.com>
-Date:   Tue Apr 11 11:39:55 2023 +0200
-
-    Backport fixe of CVE-2023-28625
-    
-    CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
-    OIDCStripCookies is set and a crafted Cookie header is supplied
-    
-    This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
-diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
-index 099c716..51eb53e 100644
--- a/src/mod_auth_openidc.c
-+++ b/src/mod_auth_openidc.c
-@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig	2024-04-15 17:56:53.022820648 +0200
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c	2024-04-15 17:57:23.325867066 +0200
+@@ -175,6 +175,8 @@ void oidc_strip_cookies(request_rec *r)
 		do {
 			while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
 				cookie++;
--- a/SOURCES/0003-CVE-2024-24814.patch
+++ b/SOURCES/0003-CVE-2024-24814.patch
@ -0,0 +1,46 @@
+diff -up mod_auth_openidc-2.4.9.4/src/util.c.orig mod_auth_openidc-2.4.9.4/src/util.c
+--- mod_auth_openidc-2.4.9.4/src/util.c.orig	2024-02-29 17:54:55.939797412 +0100
+++ mod_auth_openidc-2.4.9.4/src/util.c	2024-02-29 18:01:12.042842605 +0100
+@@ -1270,25 +1270,24 @@ static char* oidc_util_get_chunk_cookie_
+  */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+ 		int chunkSize) {
+-	char *cookieValue = NULL;
+-	char *chunkValue = NULL;
+-	int i = 0;
+-	if (chunkSize == 0) {
+-		cookieValue = oidc_util_get_cookie(r, cookieName);
+-	} else {
+-		int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+-		if (chunkCount > 0) {
+-			cookieValue = "";
+-			for (i = 0; i < chunkCount; i++) {
+-				chunkValue = oidc_util_get_cookie(r,
+-						oidc_util_get_chunk_cookie_name(r, cookieName, i));
+-				if (chunkValue != NULL)
+-					cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
+-							chunkValue);
+-			}
+-		} else {
+-			cookieValue = oidc_util_get_cookie(r, cookieName);
+	char *cookieValue = NULL, *chunkValue = NULL;
+	int chunkCount = 0, i = 0;
+	if (chunkSize == 0)
+		return oidc_util_get_cookie(r, cookieName);
+	chunkCount = oidc_util_get_chunked_count(r, cookieName);
+	if (chunkCount == 0)
+		return oidc_util_get_cookie(r, cookieName);
+	if ((chunkCount < 0) || (chunkCount > 99)) {
+		oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+		return NULL;
+	}
+	for (i = 0; i < chunkCount; i++) {
+		chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+		if (chunkValue == NULL) {
+			oidc_warn(r, "could not find chunk %d; aborting", i);
+			break;
+ 		}
+		cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
+ 	}
+ 	return cookieValue;
+ }
--- a/SOURCES/0004-race-condition.patch
+++ b/SOURCES/0004-race-condition.patch
@ -0,0 +1,95 @@
+diff -up mod_auth_openidc-2.4.10/src/cache/file.c.orig mod_auth_openidc-2.4.10/src/cache/file.c
+--- mod_auth_openidc-2.4.10/src/cache/file.c.orig	2024-04-16 11:12:38.942552103 +0200
+++ mod_auth_openidc-2.4.10/src/cache/file.c	2024-04-16 11:13:09.890588209 +0200
+@@ -329,8 +329,10 @@ static apr_status_t oidc_cache_file_clea
+ 			}
+ 
+ 			/* read the header with cache metadata info */
+			apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
+ 			rc = oidc_cache_file_read(r, path, fd, &info,
+ 					sizeof(oidc_cache_file_info_t));
+			apr_file_unlock(fd);
+ 			apr_file_close(fd);
+ 
+ 			if (rc == APR_SUCCESS) {
+@@ -372,14 +374,15 @@ static apr_status_t oidc_cache_file_clea
+ /*
+  * write a value for the specified key to the cache
+  */
+-static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
+-		const char *key, const char *value, apr_time_t expiry) {
+static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section, const char *key,
+		const char *value, apr_time_t expiry) {
+ 	apr_file_t *fd = NULL;
+ 	apr_status_t rc = APR_SUCCESS;
+ 	char s_err[128];
+ 
+ 	/* get the fully qualified path to the cache file based on the key name */
+-	const char *path = oidc_cache_file_path(r, section, key);
+	const char *target = oidc_cache_file_path(r, section, key);
+	const char *path = apr_psprintf(r->pool, "%s.tmp", target);
+ 
+ 	/* only on writes (not on reads) we clean the cache first (if not done recently) */
+ 	oidc_cache_file_clean(r);
+@@ -387,24 +390,22 @@ static apr_byte_t oidc_cache_file_set(re
+ 	/* just remove cache file if value is NULL */
+ 	if (value == NULL) {
+ 		if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) {
+-			oidc_error(r, "could not delete cache file \"%s\" (%s)", path,
+-					apr_strerror(rc, s_err, sizeof(s_err)));
+			oidc_error(r, "could not delete cache file \"%s\" (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
+ 		}
+ 		return TRUE;
+ 	}
+ 
+ 	/* try to open the cache file for writing, creating it if it does not exist */
+-	if ((rc = apr_file_open(&fd, path,
+-			(APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_TRUNCATE),
+-			APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
+-		oidc_error(r, "cache file \"%s\" could not be opened (%s)", path,
+-				apr_strerror(rc, s_err, sizeof(s_err)));
+	if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE),
+							APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
+		oidc_error(r, "cache file \"%s\" could not be opened (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
+ 		return FALSE;
+ 	}
+ 
+ 	/* lock the file and move the write pointer to the start of it */
+ 	apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
+ 	apr_off_t begin = 0;
+	apr_file_trunc(fd, begin);
+ 	apr_file_seek(fd, APR_SET, &begin);
+ 
+ 	/* construct the metadata for this cache entry in the header info */
+@@ -413,22 +414,24 @@ static apr_byte_t oidc_cache_file_set(re
+ 	info.len = strlen(value) + 1;
+ 
+ 	/* write the header */
+-	if ((rc = oidc_cache_file_write(r, path, fd, &info,
+-			sizeof(oidc_cache_file_info_t))) != APR_SUCCESS)
+	if ((rc = oidc_cache_file_write(r, path, fd, &info, sizeof(oidc_cache_file_info_t)))
+			!= APR_SUCCESS)
+ 		return FALSE;
+ 
+ 	/* next write the value */
+-	rc = oidc_cache_file_write(r, path, fd, (void *) value, info.len);
+	rc = oidc_cache_file_write(r, path, fd, (void*) value, info.len);
+ 
+ 	/* unlock and close the written file */
+ 	apr_file_unlock(fd);
+ 	apr_file_close(fd);
+ 
+	if (rename(path, target) != 0) {
+		oidc_error(r, "cache file: %s could not be renamed to: %s", path, target);
+		return FALSE;
+	}
+
+ 	/* log our success/failure */
+-	oidc_debug(r,
+-			"%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes",
+-			(rc == APR_SUCCESS) ? "successfully stored" : "could not store",
+-					key, info.len);
+	oidc_debug(r, "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes", (rc == APR_SUCCESS) ? "successfully stored" : "could not store", key, info.len);
+ 
+ 	return (rc == APR_SUCCESS);
+ }
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@ -14,15 +14,18 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc

 Name:		mod_auth_openidc
-Version:	2.4.9.4
-Release:	4%{?dist}
+Version:	2.4.10
+Release:	1%{?dist}
 Summary:	OpenID Connect auth module for Apache HTTP Server

 License:	ASL 2.0
-URL:		https://github.com/zmartzone/mod_auth_openidc
-Source0:	https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
-Patch0:		0001-CVE-2022-23527.patch
-Patch1:		0002-CVE-2023-28625.patch
+URL:		https://github.com/OpenIDC/mod_auth_openidc
+Source0:	https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
+Patch0:		0000-destdir.patch
+Patch1:		0001-CVE-2022-23527.patch
+Patch2:		0002-CVE-2023-28625.patch
+Patch3:		0003-CVE-2024-24814.patch
+Patch4:		0004-race-condition.patch

 BuildRequires:  gcc
 BuildRequires:	httpd-devel
@ -64,7 +67,7 @@ make test

 %install
 mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir}
-make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
+make DESTDIR=$RPM_BUILD_ROOT MODULES_DIR=%{_httpd_moddir} install

 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
 echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
@ -96,6 +99,13 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache

 %changelog
+* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.10-1
+  Rebase to 2.4.10 version improves `state cookies piling up` problem
+  Resolves: RHEL-32450 Race condition in mod_auth_openidc filecache
+  Resolves: RHEL-25422 mod_auth_openidc: DoS when using
+            `OIDCSessionType client-cookie` and manipulating cookies
+            (CVE-2024-24814)
+
 * Mon Apr 24 2023 Tomas Halman <thalman@redhat.com> - 2.4.9.4-4
  Resolves: rhbz#2189268 - auth_openidc.conf mode 0640 by default