From d21d4de060707b362618c3256f2fed1fe24dce17 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 21 2020 14:14:37 +0000
Subject: import mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3
---
diff --git a/SOURCES/0002-Backport-of-improve-validation-of-the-post-logout-UR.patch b/SOURCES/0002-Backport-of-improve-validation-of-the-post-logout-UR.patch
new file mode 100644
index 0000000..8b68923
--- /dev/null
+++ b/SOURCES/0002-Backport-of-improve-validation-of-the-post-logout-UR.patch
@@ -0,0 +1,127 @@
+From cb5560f016d4f8bbca40670c59898afafb8d0763 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Sun, 10 May 2020 19:56:53 +0200
+Subject: [PATCH] Backport of improve validation of the post-logout URL
+
+---
+ src/mod_auth_openidc.c | 90 +++++++++++++++++++++++++-----------------
+ 1 file changed, 53 insertions(+), 37 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index eaaec3c..e86c61e 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2563,6 +2563,52 @@ static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,
+ return HTTP_MOVED_TEMPORARILY;
+ }
+
++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url, char **err_str, char **err_desc) {
++ apr_uri_t uri;
++ const char *c_host = NULL;
++
++ if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ c_host = oidc_get_current_url_host(r);
++ if ((uri.hostname != NULL)
++ && ((strstr(c_host, uri.hostname) == NULL)
++ || (strstr(uri.hostname, c_host) == NULL))) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" does not match the hostname of the current request \"%s\"",
++ apr_uri_unparse(r->pool, &uri, 0), c_host);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ } else if (strstr(url, "/") != url) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ /* validate the URL to prevent HTTP header splitting */
++ if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
+ /*
+ * perform (single) logout
+ */
+@@ -2571,6 +2617,8 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
+
+ /* pickup the command or URL where the user wants to go after logout */
+ char *url = NULL;
++ char *error_str = NULL;
++ char *error_description = NULL;
+ oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT, &url);
+
+ oidc_debug(r, "enter (url=%s)", url);
+@@ -2587,43 +2635,11 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
+
+ /* do input validation on the logout parameter value */
+
+- const char *error_description = NULL;
+- apr_uri_t uri;
+-
+- if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
+- const char *error_description = apr_psprintf(r->pool,
+- "Logout URL malformed: %s", url);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Malformed URL", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
+-
+- }
+-
+- const char *c_host = oidc_get_current_url_host(r);
+- if ((uri.hostname != NULL)
+- && ((strstr(c_host, uri.hostname) == NULL)
+- || (strstr(uri.hostname, c_host) == NULL))) {
+- error_description =
+- apr_psprintf(r->pool,
+- "logout value \"%s\" does not match the hostname of the current request \"%s\"",
+- apr_uri_unparse(r->pool, &uri, 0), c_host);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Invalid Request", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
+- }
+-
+- /* validate the URL to prevent HTTP header splitting */
+- if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+- error_description =
+- apr_psprintf(r->pool,
+- "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
+- url);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Invalid Request", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
++ if (oidc_validate_post_logout_url(r, url, &error_str,
++ &error_description) == FALSE) {
++ return oidc_util_html_send_error(r, c->error_template, error_str,
++ error_description,
++ HTTP_BAD_REQUEST);
+ }
+ }
+
+--
+2.21.3
+
diff --git a/SOURCES/0003-Backport-of-Fix-open-redirect-starting-with-a-slash.patch b/SOURCES/0003-Backport-of-Fix-open-redirect-starting-with-a-slash.patch
new file mode 100644
index 0000000..9d3c3ee
--- /dev/null
+++ b/SOURCES/0003-Backport-of-Fix-open-redirect-starting-with-a-slash.patch
@@ -0,0 +1,31 @@
+From ed041f8b5df58c4e612a0d0cbb920dc0b399b921 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Sun, 10 May 2020 20:00:49 +0200
+Subject: [PATCH 3/3] Backport of Fix open redirect starting with a slash
+
+---
+ src/mod_auth_openidc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index e86c61e..3c6efb4 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2604,6 +2604,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and starting with '//': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
+ }
+
+ return TRUE;
+--
+2.21.3
+
diff --git a/SOURCES/0004-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch b/SOURCES/0004-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch
new file mode 100644
index 0000000..dbd64c7
--- /dev/null
+++ b/SOURCES/0004-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch
@@ -0,0 +1,32 @@
+From c21228a0f170c025d79625207dc94759f480418f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Sun, 10 May 2020 20:02:23 +0200
+Subject: [PATCH 4/4] Backport of Fix open redirect starting with a slash and a
+ backslash
+
+---
+ src/mod_auth_openidc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 3c6efb4..e16d500 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2612,6 +2612,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and starting with '/\\': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
+ }
+
+ return TRUE;
+--
+2.21.3
+
diff --git a/SOURCES/0005-Fix-the-previous-backports.patch b/SOURCES/0005-Fix-the-previous-backports.patch
new file mode 100644
index 0000000..c3d0e2b
--- /dev/null
+++ b/SOURCES/0005-Fix-the-previous-backports.patch
@@ -0,0 +1,61 @@
+From a5c9f79516fd4097817ac75a37af3b191a3d1448 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 1 Jun 2020 21:47:28 +0200
+Subject: [PATCH] Fix the previous backports
+
+---
+ src/mod_auth_openidc.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index e16d500..74f206b 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2585,7 +2585,7 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ apr_uri_unparse(r->pool, &uri, 0), c_host);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+- } else if (strstr(url, "/") != url) {
++ } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc =
+ apr_psprintf(r->pool,
+@@ -2593,17 +2593,6 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+- }
+-
+- /* validate the URL to prevent HTTP header splitting */
+- if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+- *err_str = apr_pstrdup(r->pool, "Invalid Request");
+- *err_desc =
+- apr_psprintf(r->pool,
+- "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
+- url);
+- oidc_error(r, "%s: %s", *err_str, *err_desc);
+- return FALSE;
+ } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc =
+@@ -2622,6 +2611,17 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ return FALSE;
+ }
+
++ /* validate the URL to prevent HTTP header splitting */
++ if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
+ return TRUE;
+ }
+
+--
+2.21.3
+
diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec
index 43ab2f6..bb612be 100644
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@@ -15,7 +15,7 @@ Name: mod_auth_openidc Version: 2.3.7 -Release: 3%{?dist} +Release: 4%{?dist}.3 Summary: OpenID Connect auth module for Apache HTTP Server Group: System Environment/Daemons
@@ -24,6 +24,10 @@ URL: https://github.com/zmartzone/mod_auth_openidc Source0: https://github.com/zmartzone/mod_auth_openidc/releases/download/v%{version}/mod_auth_openidc-%{version}.tar.gz Patch1: test-segfault.patch +Patch2: 0002-Backport-of-improve-validation-of-the-post-logout-UR.patch +Patch3: 0003-Backport-of-Fix-open-redirect-starting-with-a-slash.patch +Patch4: 0004-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch +Patch5: 0005-Fix-the-previous-backports.patch BuildRequires: gcc BuildRequires: httpd-devel
@@ -45,6 +49,10 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build # workaround rpm-buildroot-usage
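Review bot: With the CR/LF check now at the end of the `else if` chain, every earlier rejection path (parse failure, hostname mismatch, the three prefix branches) interpolates the raw `url` into `*err_desc` and passes it to `oidc_error` before anyone has checked it for control characters, so a rejected value can still split a log line unless oidc_error sanitizes its arguments, which is not visible here; running the control-character check first, immediately after the `apr_uri_parse` failure branch, keeps every later error path free of that. Two `strstr` calls on single-character needles read more naturally as one `strpbrk(url, "\r\n") != NULL`. The rearranged chain gates the "does not seem to be relative" branch on `uri.hostname == NULL`, which is what lets absolute URLs that passed the host comparison through; a short comment above the chain, e.g. `/* absolute URLs were matched against the current host above; the branches below apply to host-less values only */`, would save the next reader from re-deriving that. The head of oidc_validate_post_logout_url is outside this hunk.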
@@ -97,6 +105,32 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog +* Sun May 10 2020 Jakub Hrozek - 2.3.7-4.3 +- Actually apply the previous patch, sigh +- Related: rhbz#1820666 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc: + Open redirect in logout url when using URLs with + leading slashes [rhel-8.2.0.z] +- Related: rhbz#1820662 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc: + open redirect issue exists in URLs with slash and + backslash [rhel-8.2.0.z] + +* Sun May 10 2020 Jakub Hrozek - 2.3.7-4.2 +- Fix the previous backport +- Related: rhbz#1820666 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc: + Open redirect in logout url when using URLs with + leading slashes [rhel-8.2.0.z] +- Related: rhbz#1820662 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc: + open redirect issue exists in URLs with slash and + backslash [rhel-8.2.0.z] + +* Sun May 10 2020 Jakub Hrozek - 2.3.7-4.1 +- Resolves: rhbz#1820666 - CVE-2019-14857 mod_auth_openidc:2.3/mod_auth_openidc: + Open redirect in logout url when using URLs with + leading slashes [rhel-8.2.0.z] +- Resolves: rhbz#1820662 - CVE-2019-20479 mod_auth_openidc:2.3/mod_auth_openidc: + open redirect issue exists in URLs with slash and + backslash [rhel-8.2.0.z] + * Thu Aug 16 2018 - 2.3.7-3 - Resolves: rhbz# 1614977 - fix unit test segfault, the problem was not limited exclusively to s390x, but s390x provoked it.