From bae6508ce57f1bd3fa34340141f1664b6c417c88 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 12 Nov 2024 10:19:20 +0000
Subject: [PATCH] import UBI mod_auth_openidc-2.4.10-1.el9
---
 .gitignore | 2 +-
 .mod_auth_openidc.metadata | 2 +-
 SOURCES/0000-destdir.patch | 15 +++++
 SOURCES/0001-CVE-2022-23527.patch | 40 +++++--------
 SOURCES/0002-CVE-2023-28625.patch | 20 ++-----
 SOURCES/0003-CVE-2024-24814.patch | 46 +++++++++++++++
 SOURCES/0004-race-condition.patch | 95 +++++++++++++++++++++++++++++++
 SPECS/mod_auth_openidc.spec | 24 +++++---
 8 files changed, 192 insertions(+), 52 deletions(-)
 create mode 100644 SOURCES/0000-destdir.patch
 create mode 100644 SOURCES/0003-CVE-2024-24814.patch
 create mode 100644 SOURCES/0004-race-condition.patch
diff --git a/.gitignore b/.gitignore
index fa44962..20a96bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/v2.4.9.4.tar.gz
+SOURCES/mod_auth_openidc-2.4.10.tar.gz
diff --git a/.mod_auth_openidc.metadata b/.mod_auth_openidc.metadata
index 8489896..deb1542 100644
--- a/.mod_auth_openidc.metadata
+++ b/.mod_auth_openidc.metadata
@@ -1 +1 @@
-47f8b949552c3d32f019c5cf785c4672dc0f8aae SOURCES/v2.4.9.4.tar.gz
+d909f783d719ffd86b3d919ca6590b0eed4d8a51 SOURCES/mod_auth_openidc-2.4.10.tar.gz
diff --git a/SOURCES/0000-destdir.patch b/SOURCES/0000-destdir.patch
new file mode 100644
index 0000000..a0d4c8a
--- /dev/null
+++ b/SOURCES/0000-destdir.patch
@@ -0,0 +1,15 @@
+diff --git a/Makefile.am b/Makefile.am
+index e5d0a4d..e5bfa67 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -69,8 +69,8 @@ mod_auth_openidc.la: libauth_openidc.la
+ ${APXS} -c -o $@ $< ${AM_CFLAGS} ${LIBADD}
+ 
+ install-exec-local:
+- @APXS@ -i -a -n auth_openidc mod_auth_openidc.la
+-# ${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so @APACHE_MODULEDIR@/mod_auth_openidc.so
++# @APXS@ -i -a -n auth_openidc mod_auth_openidc.la
++ ${INSTALL} -p -m 755 -D .libs/mod_auth_openidc.so $(DESTDIR)@APACHE_MODULEDIR@/mod_auth_openidc.so
+ 
+ LDADD = libauth_openidc.la ${LIBADD}
+ 
diff --git a/SOURCES/0001-CVE-2022-23527.patch b/SOURCES/0001-CVE-2022-23527.patch
index 5c3440c..2ac39f1 100644
--- a/SOURCES/0001-CVE-2022-23527.patch
+++ b/SOURCES/0001-CVE-2022-23527.patch
@@ -1,19 +1,7 @@
-commit 4c494e4a59a15580e3226dcd6c02b24076b73421
-Author: Tomas Halman
-Date: Mon Feb 27 13:18:55 2023 +0100
-
- Backport of fixes for CVE-2022-23527
-
- CVE-2022-23527 prevent open redirect in default setup
-
- This patch is based on 87119f44, f38af0e2, 1a394a86 and
- 1c808c58 updates.
-
-diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
-index b36f6c1..099c716 100644
---- a/src/mod_auth_openidc.c
-+++ b/src/mod_auth_openidc.c
-@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig 2021-11-05 11:55:03.000000000 +0100
++++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c 2024-04-15 17:53:49.601539683 +0200
+@@ -2537,6 +2537,20 @@ static apr_byte_t oidc_validate_redirect
  oidc_error(r, "%s: %s", *err_str, *err_desc);
  return FALSE;
  }
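Review bot: The rewritten header loses the only record of what this patch contains: the removed lines named the CVE summary and the upstream commits 87119f44, f38af0e2, 1a394a86 and 1c808c58 it was backported from, while the replacement `diff -up` header carries nothing but paths and timestamps. The spec refers to the file only as `Patch1: 0001-CVE-2022-23527.patch`, so a future rebase or audit has no pointer back to upstream; a free-text preamble above the first `diff -up` line keeps that without affecting patch application, e.g. `CVE-2022-23527: prevent open redirect in default setup (backport of upstream 87119f44, f38af0e2, 1a394a86, 1c808c58)`. The same loss occurs in the 0002 rewrite, which drops the reference to upstream c0e1edac. The patched oidc_validate_redirect_url body continues in the next hunk.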
@@ -34,23 +22,21 @@ index b36f6c1..099c716 100644
  return TRUE;
  }
-diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
-index 2218d76..8757411 100644
---- a/src/mod_auth_openidc.h
-+++ b/src/mod_auth_openidc.h
-@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.h
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig 2021-11-09 10:00:40.000000000 +0100
++++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.h 2024-04-15 17:53:49.601539683 +0200
+@@ -819,6 +819,7 @@ char *oidc_util_http_query_encoded_url(r
  char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
  apr_byte_t oidc_enabled(request_rec *r);
  char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
 +char* oidc_util_strcasestr(const char *s1, const char *s2);
  /* HTTP header constants */
- #define OIDC_HTTP_HDR_COOKIE "Cookie"
-diff --git a/src/util.c b/src/util.c
-index 4c46156..c6453d0 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
+ #define OIDC_HTTP_HDR_COOKIE "Cookie"
+diff -up mod_auth_openidc-2.4.10/src/util.c.orig mod_auth_openidc-2.4.10/src/util.c
+--- mod_auth_openidc-2.4.10/src/util.c.orig 2021-11-05 11:55:03.000000000 +0100
++++ mod_auth_openidc-2.4.10/src/util.c 2024-04-15 17:53:49.602539684 +0200
+@@ -435,6 +435,24 @@ char* oidc_util_javascript_escape(apr_po
  return output;
  }
diff --git a/SOURCES/0002-CVE-2023-28625.patch b/SOURCES/0002-CVE-2023-28625.patch
index 98e78dd..cf5ee0d 100644
--- a/SOURCES/0002-CVE-2023-28625.patch
+++ b/SOURCES/0002-CVE-2023-28625.patch
@@ -1,19 +1,7 @@
-commit 1a24e08ce506c2c19dd92a1bc9c2b9a1d9354934
-Author: Tomas Halman
-Date: Tue Apr 11 11:39:55 2023 +0200
-
- Backport fixe of CVE-2023-28625
-
- CVE-2023-28625 mod_auth_openidc: NULL pointer dereference when
- OIDCStripCookies is set and a crafted Cookie header is supplied
-
- This patch is based on commit c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
-diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
-index 099c716..51eb53e 100644
---- a/src/mod_auth_openidc.c
-+++ b/src/mod_auth_openidc.c
-@@ -191,6 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
+diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
+--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig 2024-04-15 17:56:53.022820648 +0200
++++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c 2024-04-15 17:57:23.325867066 +0200
+@@ -175,6 +175,8 @@ void oidc_strip_cookies(request_rec *r)
  do {
  while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
  cookie++;
diff --git a/SOURCES/0003-CVE-2024-24814.patch b/SOURCES/0003-CVE-2024-24814.patch
new file mode 100644
index 0000000..eeadcb9
--- /dev/null
+++ b/SOURCES/0003-CVE-2024-24814.patch
@@ -0,0 +1,46 @@
+diff -up mod_auth_openidc-2.4.9.4/src/util.c.orig mod_auth_openidc-2.4.9.4/src/util.c
+--- mod_auth_openidc-2.4.9.4/src/util.c.orig 2024-02-29 17:54:55.939797412 +0100
++++ mod_auth_openidc-2.4.9.4/src/util.c 2024-02-29 18:01:12.042842605 +0100
+@@ -1270,25 +1270,24 @@ static char* oidc_util_get_chunk_cookie_
+ */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+ int chunkSize) {
+- char *cookieValue = NULL;
+- char *chunkValue = NULL;
+- int i = 0;
+- if (chunkSize == 0) {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
+- } else {
+- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+- if (chunkCount > 0) {
+- cookieValue = "";
+- for (i = 0; i < chunkCount; i++) {
+- chunkValue = oidc_util_get_cookie(r,
+- oidc_util_get_chunk_cookie_name(r, cookieName, i));
+- if (chunkValue != NULL)
+- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
+- chunkValue);
+- }
+- } else {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
++ char *cookieValue = NULL, *chunkValue = NULL;
++ int chunkCount = 0, i = 0;
++ if (chunkSize == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ chunkCount = oidc_util_get_chunked_count(r, cookieName);
++ if (chunkCount == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ if ((chunkCount < 0) || (chunkCount > 99)) {
++ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++ return NULL;
++ }
++ for (i = 0; i < chunkCount; i++) {
++ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
++ if (chunkValue == NULL) {
++ oidc_warn(r, "could not find chunk %d; aborting", i);
++ break;
+ }
++ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
+ }
+ return cookieValue;
+ }
diff --git a/SOURCES/0004-race-condition.patch b/SOURCES/0004-race-condition.patch
new file mode 100644
index 0000000..c93f0a3
--- /dev/null
+++ b/SOURCES/0004-race-condition.patch
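Review bot: When a chunk is missing the loop `break`s and the function returns whatever chunks were collected so far, so callers receive a truncated cookie value rather than NULL and can tell the two cases apart only from the warning log; replacing `break;` with `return NULL;` makes a missing chunk behave like an absent cookie, which is the conservative default for session and state material unless a partial value is genuinely wanted downstream (not visible in this hunk). The new upper bound `99` is unexplained; a comment such as `/* hard cap on the chunk count -- presumably tied to the index format used by oidc_util_get_chunk_cookie_name(); confirm before raising */` would stop the next reader from changing it blindly. Separately, the patch is generated against `mod_auth_openidc-2.4.9.4/` paths while the tarball and the other patches are 2.4.10; it still applies with -p1, but regenerating it so the prefixes match avoids confusion on the next rebase.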
@@ -0,0 +1,95 @@
+diff -up mod_auth_openidc-2.4.10/src/cache/file.c.orig mod_auth_openidc-2.4.10/src/cache/file.c
+--- mod_auth_openidc-2.4.10/src/cache/file.c.orig 2024-04-16 11:12:38.942552103 +0200
++++ mod_auth_openidc-2.4.10/src/cache/file.c 2024-04-16 11:13:09.890588209 +0200
+@@ -329,8 +329,10 @@ static apr_status_t oidc_cache_file_clea
+ }
+ 
+ /* read the header with cache metadata info */
++ apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
+ rc = oidc_cache_file_read(r, path, fd, &info,
+ sizeof(oidc_cache_file_info_t));
++ apr_file_unlock(fd);
+ apr_file_close(fd);
+ 
+ if (rc == APR_SUCCESS) {
+@@ -372,14 +374,15 @@ static apr_status_t oidc_cache_file_clea
+ /*
+ * write a value for the specified key to the cache
+ */
+-static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section,
+- const char *key, const char *value, apr_time_t expiry) {
++static apr_byte_t oidc_cache_file_set(request_rec *r, const char *section, const char *key,
++ const char *value, apr_time_t expiry) {
+ apr_file_t *fd = NULL;
+ apr_status_t rc = APR_SUCCESS;
+ char s_err[128];
+ 
+ /* get the fully qualified path to the cache file based on the key name */
+- const char *path = oidc_cache_file_path(r, section, key);
++ const char *target = oidc_cache_file_path(r, section, key);
++ const char *path = apr_psprintf(r->pool, "%s.tmp", target);
+ 
+ /* only on writes (not on reads) we clean the cache first (if not done recently) */
+ oidc_cache_file_clean(r);
+@@ -387,24 +390,22 @@ static apr_byte_t oidc_cache_file_set(re
+ /* just remove cache file if value is NULL */
+ if (value == NULL) {
+ if ((rc = apr_file_remove(path, r->pool)) != APR_SUCCESS) {
+- oidc_error(r, "could not delete cache file \"%s\" (%s)", path,
+- apr_strerror(rc, s_err, sizeof(s_err)));
++ oidc_error(r, "could not delete cache file \"%s\" (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
+ }
+ return TRUE;
+ }
+ 
+ /* try to open the cache file for writing, creating it if it does not exist */
+- if ((rc = apr_file_open(&fd, path,
+- (APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_TRUNCATE),
+- APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
+- oidc_error(r, "cache file \"%s\" could not be opened (%s)", path,
+- apr_strerror(rc, s_err, sizeof(s_err)));
++ if ((rc = apr_file_open(&fd, path, (APR_FOPEN_WRITE | APR_FOPEN_CREATE),
++ APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
++ oidc_error(r, "cache file \"%s\" could not be opened (%s)", path, apr_strerror(rc, s_err, sizeof(s_err)));
+ return FALSE;
+ }
+ 
+ /* lock the file and move the write pointer to the start of it */
+ apr_file_lock(fd, APR_FLOCK_EXCLUSIVE);
+ apr_off_t begin = 0;
++ apr_file_trunc(fd, begin);
+ apr_file_seek(fd, APR_SET, &begin);
+ 
+ /* construct the metadata for this cache entry in the header info */
+@@ -413,22 +414,24 @@ static apr_byte_t oidc_cache_file_set(re
+ info.len = strlen(value) + 1;
+ 
+ /* write the header */
+- if ((rc = oidc_cache_file_write(r, path, fd, &info,
+- sizeof(oidc_cache_file_info_t))) != APR_SUCCESS)
++ if ((rc = oidc_cache_file_write(r, path, fd, &info, sizeof(oidc_cache_file_info_t)))
++ != APR_SUCCESS)
+ return FALSE;
+ 
+ /* next write the value */
+- rc = oidc_cache_file_write(r, path, fd, (void *) value, info.len);
++ rc = oidc_cache_file_write(r, path, fd, (void*) value, info.len);
+ 
+ /* unlock and close the written file */
+ apr_file_unlock(fd);
+ apr_file_close(fd);
+ 
++ if (rename(path, target) != 0) {
++ oidc_error(r, "cache file: %s could not be renamed to: %s", path, target);
++ return FALSE;
++ }
++ 
+ /* log our success/failure */
+- oidc_debug(r,
+- "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes",
+- (rc == APR_SUCCESS) ? "successfully stored" : "could not store",
+- key, info.len);
++ oidc_debug(r, "%s entry for key \"%s\" in file of %" APR_SIZE_T_FMT " bytes", (rc == APR_SUCCESS) ? "successfully stored" : "could not store", key, info.len);
+ 
+ return (rc == APR_SUCCESS);
+ }
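Review bot: The delete branch still calls `apr_file_remove(path, ...)`, but `path` is now the `<target>.tmp` name built a few lines above, so a NULL-value call no longer removes the live entry `target`: it logs "could not delete cache file ...tmp", leaves the real cache file readable until the expiry-based cleaner catches it, and still returns TRUE — whatever code paths delete entries through this function (not visible in this hunk) are silently broken. The final rename is also unconditional, so when the value write fails `rc` is non-success yet the half-written `.tmp` is still promoted over the previous good entry, and the libc `rename()` failure is logged without any errno text while the rest of the function reports through `apr_strerror`. The rewrite below removes `target` in the delete branch, discards the temp file instead of renaming when `rc != APR_SUCCESS`, and uses `apr_file_rename` with the existing `s_err` reporting. The early `return FALSE` after the header write, which leaves the locked `.tmp` open until pool cleanup, predates this change and is left as is.
```c
	/* just remove cache file if value is NULL */
	if (value == NULL) {
		if ((rc = apr_file_remove(target, r->pool)) != APR_SUCCESS) {
			oidc_error(r, "could not delete cache file \"%s\" (%s)", target, apr_strerror(rc, s_err, sizeof(s_err)));
		}
		return TRUE;
	}
	/* … unchanged: open, lock, truncate, header and value writes … */
	apr_file_unlock(fd);
	apr_file_close(fd);

	/* never promote a partially written entry over the live one */
	if (rc != APR_SUCCESS) {
		apr_file_remove(path, r->pool);
		return FALSE;
	}
	if ((rc = apr_file_rename(path, target, r->pool)) != APR_SUCCESS) {
		oidc_error(r, "cache file \"%s\" could not be renamed to \"%s\" (%s)", path, target, apr_strerror(rc, s_err, sizeof(s_err)));
		return FALSE;
	}
	/* … unchanged: debug log and return … */
```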
diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec
index 7aba426..0b743bf 100644
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@@ -14,15 +14,18 @@ %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
 Name: mod_auth_openidc
-Version: 2.4.9.4
-Release: 4%{?dist}
+Version: 2.4.10
+Release: 1%{?dist}
 Summary: OpenID Connect auth module for Apache HTTP Server
 License: ASL 2.0
-URL: https://github.com/zmartzone/mod_auth_openidc
-Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
-Patch0: 0001-CVE-2022-23527.patch
-Patch1: 0002-CVE-2023-28625.patch
+URL: https://github.com/OpenIDC/mod_auth_openidc
+Source0: https://github.com/OpenIDC/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz
+Patch0: 0000-destdir.patch
+Patch1: 0001-CVE-2022-23527.patch
+Patch2: 0002-CVE-2023-28625.patch
+Patch3: 0003-CVE-2024-24814.patch
+Patch4: 0004-race-condition.patch
 BuildRequires: gcc
 BuildRequires: httpd-devel
@@ -64,7 +67,7 @@ make test
 %install
 mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir}
-make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir}
+make DESTDIR=$RPM_BUILD_ROOT MODULES_DIR=%{_httpd_moddir} install
 install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir}
 echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \
@@ -96,6 +99,13 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
 %changelog
+* Fri Apr 12 2024 Tomas Halman - 2.4.10-1
+ Rebase to 2.4.10 version improves `state cookies piling up` problem
+ Resolves: RHEL-32450 Race condition in mod_auth_openidc filecache
+ Resolves: RHEL-25422 mod_auth_openidc: DoS when using
+ `OIDCSessionType client-cookie` and manipulating cookies
+ (CVE-2024-24814)
+
 * Mon Apr 24 2023 Tomas Halman - 2.4.9.4-4
 Resolves: rhbz#2189268 - auth_openidc.conf mode 0640 by default