From 0462b34a07fb95640d99d77bbf2838f6fb0f9307 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 06 2019 10:02:45 +0000 Subject: import mod_auth_openidc-1.8.8-5.el7 --- diff --git a/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch b/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch new file mode 100644 index 0000000..3e9e0fe --- /dev/null +++ b/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch @@ -0,0 +1,32 @@ +From d3973074a984f78af2267006625a11e672574dff Mon Sep 17 00:00:00 2001 +From: Hans Zandbelt +Date: Thu, 19 Jan 2017 00:03:37 +0100 +Subject: [PATCH 1000/1002] don't echo query params on invalid requests to + redirect URI; closes #212 + +thanks @LukasReschke; I'm sure there's some OWASP guideline that warns +against this + +(cherry picked from commit 612e309bfffd6f9b8ad7cdccda3019fc0865f3b4) +--- + src/mod_auth_openidc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index 2db6108..a494238 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -2493,8 +2493,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c, + /* something went wrong */ + return oidc_util_html_send_error(r, c->error_template, "Invalid Request", + apr_psprintf(r->pool, +- "The OpenID Connect callback URL received an invalid request: %s", +- r->args), HTTP_INTERNAL_SERVER_ERROR); ++ "The OpenID Connect callback URL received an invalid request"), ++ HTTP_INTERNAL_SERVER_ERROR); + } + + /* +-- +2.19.2 + diff --git a/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch b/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch new file mode 100644 index 0000000..3a41e67 --- /dev/null +++ b/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch @@ -0,0 +1,84 @@ +From f1e8dec3e749eea3a54553e07b7a1994a4aaf5b9 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 23 Nov 2018 15:38:42 +0100 +Subject: [PATCH 1001/1002] Backport security fix: scrub headers on + OIDCUnAuthAction pass; closes #222 + +--- + src/mod_auth_openidc.c | 46 ++++++++++++++++++++++++++++-------------- + 1 file changed, 31 insertions(+), 15 deletions(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index a494238..f00280f 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -133,6 +133,29 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix, + r->headers_in = clean_headers; + } + ++static void oidc_scrub_headers(request_rec *r) { ++ oidc_cfg *cfg = ap_get_module_config(r->server->module_config, ++ &auth_openidc_module); ++ ++ /* get a handle to the directory config */ ++ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, ++ &auth_openidc_module); ++ ++ if (cfg->scrub_request_headers != 0) { ++ /* scrub all headers starting with OIDC_ first */ ++ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX, ++ dir_cfg->authn_header); ++ /* ++ * then see if the claim headers need to be removed on top of that ++ * (i.e. the prefix does not start with the default OIDC_) ++ */ ++ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) ++ != cfg->claim_prefix)) { ++ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL); ++ } ++ } ++} ++ + #define OIDC_SHA1_LEN 20 + + /* +@@ -988,21 +1011,7 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg, + * we're going to pass the information that we have to the application, + * but first we need to scrub the headers that we're going to use for security reasons + */ +- if (cfg->scrub_request_headers != 0) { +- +- /* scrub all headers starting with OIDC_ first */ +- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX, +- dir_cfg->authn_header); +- +- /* +- * then see if the claim headers need to be removed on top of that +- * (i.e. the prefix does not start with the default OIDC_) +- */ +- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) +- != cfg->claim_prefix)) { +- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL); +- } +- } ++ oidc_scrub_headers(r); + + /* set the user authentication HTTP header if set and required */ + if ((r->user != NULL) && (dir_cfg->authn_header != NULL)) +@@ -2560,6 +2569,13 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) { + case RETURN401: + return HTTP_UNAUTHORIZED; + case PASS: ++ /* ++ * we're not going to pass information about ++ * an authenticated user to the application, * ++ * but we do need to scrub the headers that ++ * mod_auth_openidc would set for security reasons ++ */ ++ oidc_scrub_headers(r); + return OK; + case AUTHENTICATE: + /* if this is a Javascript path we won't redirect the user and create a state cookie */ +-- +2.19.2 + diff --git a/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch b/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch new file mode 100644 index 0000000..d984042 --- /dev/null +++ b/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch @@ -0,0 +1,58 @@ +From 53bc62391d71418130edc0cb706f1aa5b0844c3a Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 23 Nov 2018 16:41:18 +0100 +Subject: [PATCH 1002/1002] Backport security fix: scrub headers for "AuthType + oauth20" + +--- + src/mod_auth_openidc.c | 2 +- + src/mod_auth_openidc.h | 2 ++ + src/oauth.c | 6 ++++++ + 3 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index f00280f..b504ecb 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -133,7 +133,7 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix, + r->headers_in = clean_headers; + } + +-static void oidc_scrub_headers(request_rec *r) { ++void oidc_scrub_headers(request_rec *r) { + oidc_cfg *cfg = ap_get_module_config(r->server->module_config, + &auth_openidc_module); + +diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h +index a92b81f..6f6bd92 100644 +--- a/src/mod_auth_openidc.h ++++ b/src/mod_auth_openidc.h +@@ -373,6 +373,8 @@ void oidc_request_state_set(request_rec *r, const char *key, const char *value); + const char*oidc_request_state_get(request_rec *r, const char *key); + int oidc_handle_jwks(request_rec *r, oidc_cfg *c); + ++void oidc_scrub_headers(request_rec *r); ++ + // oidc_oauth + int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c); + +diff --git a/src/oauth.c b/src/oauth.c +index 218112b..279ee74 100644 +--- a/src/oauth.c ++++ b/src/oauth.c +@@ -572,6 +572,12 @@ int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) { + oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, + &auth_openidc_module); + ++ /* ++ * we're going to pass the information that we have to the application, ++ * but first we need to scrub the headers that we're going to use for security reasons ++ */ ++ oidc_scrub_headers(r); ++ + /* set the user authentication HTTP header if set and required */ + if ((r->user != NULL) && (dir_cfg->authn_header != NULL)) { + oidc_debug(r, "setting authn header (%s) to: %s", dir_cfg->authn_header, +-- +2.19.2 + diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec index dd140ef..2c83c33 100644 --- a/SPECS/mod_auth_openidc.spec +++ b/SPECS/mod_auth_openidc.spec @@ -15,7 +15,7 @@ Name: mod_auth_openidc Version: 1.8.8 -Release: 3%{?dist} +Release: 5%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server Group: System Environment/Daemons @@ -24,6 +24,9 @@ URL: https://github.com/pingidentity/mod_auth_openidc Source0: https://github.com/pingidentity/mod_auth_openidc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: decrypt_aesgcm.patch +Patch1: 0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch +Patch2: 0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch +Patch3: 0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch BuildRequires: httpd-devel BuildRequires: openssl-devel @@ -42,6 +45,9 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep %setup -q %patch0 -p1 -b decrypt_aesgcm +%patch1 -p1 -b echo_req +%patch2 -p1 -b scrub_headers +%patch3 -p1 -b scrub_headers_oauth %build # workaround rpm-buildroot-usage @@ -93,6 +99,15 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog +* Tue Jan 29 2019 Jakub Hrozek - 1.8.8-5 +- Resolves: rhbz#1626297 - CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM and + OIDCAuthNHeader not skipped in an "AuthType oauth20" + configuration [rhel-7] + +* Tue Jan 29 2019 Jakub Hrozek - 1.8.8-4 +- Resolves: rhbz#1626299 - CVE-2017-6059 mod_auth_openidc: Shows + user-supplied content on error pages [rhel-7] + * Thu Mar 31 2016 John Dennis - 1.8.8-3 - fix unit test failure caused by apr_jwe_decrypt_content_aesgcm() failing to null terminate decrypted string