rpms/mod_auth_openidc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Import from CS git

Browse Source
This commit is contained in:
eabdullin 2025-04-18 11:34:57 +00:00
parent 2cebd30639
commit cc1d0aad42
2 changed files with 89 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
SOURCES/0005-CVE-2024-24814.patch Normal file
View File

@ -0,0 +1,83 @@
diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c.orig 2025-04-11 10:49:32.095915197 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.c 2025-04-11 10:51:12.493949688 +0200
@@ -4258,7 +4258,11 @@ int oidc_content_handler(request_rec *r)
rc = oidc_discovery(r, c);
- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
+
+ rc = OK;
+
+ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
rc = OK;
diff -up mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h
--- mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h.orig 2025-04-11 10:49:32.081518446 +0200
+++ mod_auth_openidc-2.4.9.4/src/mod_auth_openidc.h 2025-04-11 10:51:12.495521138 +0200
@@ -88,7 +88,8 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
#define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
#define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
+#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
/* parameter name of the callback URL in the discovery response */
#define OIDC_DISC_CB_PARAM "oidc_callback"
diff -up mod_auth_openidc-2.4.9.4/src/proto.c.orig mod_auth_openidc-2.4.9.4/src/proto.c
--- mod_auth_openidc-2.4.9.4/src/proto.c.orig 2021-09-03 10:41:21.000000000 +0200
+++ mod_auth_openidc-2.4.9.4/src/proto.c 2025-04-11 10:51:12.495927318 +0200
@@ -591,7 +591,7 @@ static int oidc_proto_add_form_post_para
/*
* make the browser POST parameters through Javascript auto-submit
*/
-static int oidc_proto_html_post(request_rec *r, const char *url,
+static void oidc_proto_html_post(request_rec *r, const char *url,
apr_table_t *params) {
oidc_debug(r, "enter");
@@ -607,8 +607,7 @@ static int oidc_proto_html_post(request_
html_body = apr_psprintf(r->pool, "%s%s", data.html_body, " </p>\n"
" </form>\n");
- return oidc_util_html_send(r, "Submitting...", NULL,
- "document.forms[0].submit", html_body, OK);
+ oidc_util_html_send(r, "Submitting...", NULL, "document.forms[0].submit", html_body, OK);
}
void add_auth_request_params(request_rec *r, apr_table_t *params,
@@ -739,8 +738,12 @@ int oidc_proto_authorization_request(req
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
/* construct a HTML POST auto-submit page with the authorization request parameters */
- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
- params);
+ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
+
+ /* signal this to the content handler */
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
+ r->user = "";
+ rv = OK;
} else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
@@ -748,7 +751,6 @@ int oidc_proto_authorization_request(req
authorization_request = oidc_util_http_query_encoded_url(r,
provider->authorization_endpoint_url, params);
- // TODO: should also enable this when using the POST binding for the auth request
/* see if we need to preserve POST parameters through Javascript/HTML5 storage */
if (oidc_post_preserve_javascript(r, authorization_request, NULL,
NULL) == FALSE) {
@@ -762,7 +764,7 @@ int oidc_proto_authorization_request(req
} else {
/* signal this to the content handler */
- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
+ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
r->user = "";
rv = OK;

7
SPECS/mod_auth_openidc.spec
View File

@ -15,7 +15,7 @@
Name: mod_auth_openidc Name: mod_auth_openidc
Version: 2.4.9.4 Version: 2.4.9.4
Release: 6%{?dist} Release: 7%{?dist}
Summary: OpenID Connect auth module for Apache HTTP Server Summary: OpenID Connect auth module for Apache HTTP Server
License: ASL 2.0 License: ASL 2.0
@ -25,6 +25,7 @@ Patch1: 0001-CVE-2022-23527.patch
Patch2: 0002-CVE-2023-28625.patch Patch2: 0002-CVE-2023-28625.patch
Patch3: 0003-CVE-2024-24814.patch Patch3: 0003-CVE-2024-24814.patch
Patch4: 0004-race-condition.patch Patch4: 0004-race-condition.patch
Patch5: 0005-CVE-2024-24814.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: httpd-devel BuildRequires: httpd-devel
@ -100,6 +101,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
%changelog %changelog
* Fri Apr 11 2025 Tomas Halman <thalman@redhat.com> - 2.4.9.4-7
- Resolves: RHEL-86218 - mod_auth_openidc allows OIDCProviderAuthRequestMethod
POSTs to leak protected data (CVE-2025-31492)
* Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.9.4-6 * Fri Apr 12 2024 Tomas Halman <thalman@redhat.com> - 2.4.9.4-6
- Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache - Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache
- Resolves: RHEL-25421 mod_auth_openidc: DoS when using - Resolves: RHEL-25421 mod_auth_openidc: DoS when using