Import from CS git

2025-04-18 11:34:57 +00:00 · 2025-04-18 11:34:57 +00:00 · cc1d0aad42
commit cc1d0aad42
parent 2cebd30639
2 changed files with 89 additions and 1 deletions
--- a/SOURCES/0005-CVE-2024-24814.patch
+++ b/SOURCES/0005-CVE-2024-24814.patch
@ -0,0 +1,83 @@
+diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c
+--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig	2025-04-11 10:49:32.095915197 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c	2025-04-11 10:51:12.493949688 +0200
+@@ -4258,7 +4258,11 @@ int oidc_content_handler(request_rec *r)
+ 
+ 			rc = oidc_discovery(r, c);
+ 
+-		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+
+			rc = OK;
+
+		} else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+ 
+ 			rc = OK;
+ 
+diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h
+--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig	2025-04-11 10:49:32.081518446 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h	2025-04-11 10:51:12.495521138 +0200
+@@ -88,7 +88,8 @@ APLOG_USE_MODULE(auth_openidc);
+ #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
+ #define OIDC_REQUEST_STATE_KEY_CLAIMS  "c"
+ #define OIDC_REQUEST_STATE_KEY_DISCOVERY  "d"
+-#define OIDC_REQUEST_STATE_KEY_AUTHN  "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST  "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE  "p"
+ 
+ /* parameter name of the callback URL in the discovery response */
+ #define OIDC_DISC_CB_PARAM "oidc_callback"
+diff -up mod_auth_openidc-2.4.9.4/src/proto.c.orig mod_auth_openidc-2.4.9.4/src/proto.c
+--- mod_auth_openidc-2.4.9.4/src/proto.c.orig	2021-09-03 10:41:21.000000000 +0200
+++ mod_auth_openidc-2.4.9.4/src/proto.c	2025-04-11 10:51:12.495927318 +0200
+@@ -591,7 +591,7 @@ static int oidc_proto_add_form_post_para
+ /*
+  * make the browser POST parameters through Javascript auto-submit
+  */
+-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
+ 		apr_table_t *params) {
+ 
+ 	oidc_debug(r, "enter");
+@@ -607,8 +607,7 @@ static int oidc_proto_html_post(request_
+ 	html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "      </p>\n"
+ 			"    </form>\n");
+ 
+-	return oidc_util_html_send(r, "Submitting...", NULL,
+-			"document.forms[0].submit", html_body, OK);
+	oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
+ }
+ 
+ void add_auth_request_params(request_rec *r, apr_table_t *params,
+@@ -739,8 +738,12 @@ int oidc_proto_authorization_request(req
+ 	if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
+ 
+ 		/* construct a HTML POST auto-submit page with the authorization request parameters */
+-		rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
+-				params);
+		oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+		/* signal this to the content handler */
+		oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+		r->user = "";
+		rv = OK;
+ 
+ 	} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
+ 
+@@ -748,7 +751,6 @@ int oidc_proto_authorization_request(req
+ 		authorization_request = oidc_util_http_query_encoded_url(r,
+ 				provider->authorization_endpoint_url, params);
+ 
+-		// TODO: should also enable this when using the POST binding for the auth request
+ 		/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
+ 		if (oidc_post_preserve_javascript(r, authorization_request, NULL,
+ 				NULL) == FALSE) {
+@@ -762,7 +764,7 @@ int oidc_proto_authorization_request(req
+ 		} else {
+ 
+ 			/* signal this to the content handler */
+-			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
+ 			r->user = "";
+ 			rv = OK;
+ 
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@ -15,7 +15,7 @@

 Name:		mod_auth_openidc
 Version:	2.4.9.4
-Release:	6%{?dist}
+Release:	7%{?dist}
 Summary:	OpenID Connect auth module for Apache HTTP Server

 License:	ASL 2.0
@ -25,6 +25,7 @@ Patch1:		0001-CVE-2022-23527.patch
 Patch2:		0002-CVE-2023-28625.patch
 Patch3:		0003-CVE-2024-24814.patch
 Patch4:		0004-race-condition.patch
+Patch5:		0005-CVE-2024-24814.patch

 BuildRequires:  gcc
 BuildRequires:	httpd-devel
@ -100,6 +101,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache

 %changelog
+* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-7
+- Resolves: RHEL-86218 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
+            POSTs to leak protected data (CVE-2025-31492)
+
 * Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.9.4-6
 - Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache
 - Resolves: RHEL-25421 mod_auth_openidc: DoS when using