Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Backported the patch to fix CVE-2024-24814. Does not require DSA as per #1064183#28.

[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

[ Tests ]
Manually on own infra.

[ Risks ]
Patch has minimal complexity but is from the upstream author who is generally very knowledgeable about his code.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Added upstream commit as patch that fixes oidc_util_get_chunked_cookie function to properly handle chunked cookies and decline malicious ones.

[ Other info ]
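The reassembly logic this backport hardens, as an added stand-alone C example (not the module's code, and not using APR or Apache's request_rec): it parses a constructed Cookie header value, reads the chunk-count cookie, declines any count outside 0..99 before doing per-chunk work, and stops at the first missing chunk. The cookie naming (`<name>_chunks` for the count, `<name>_<i>` for the pieces), the toy header parser and the lookup counter are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the chunk count, the same 99 the upstream fix uses. */
#define MAX_CHUNKS 99

/* Counts cookie lookups so a caller can see how much work a header costs. */
static long g_lookups = 0;

long lookups_reset(void)
{
    long n = g_lookups;
    g_lookups = 0;
    return n;
}

/* Find one cookie in a header value of the form "a=1; b=2".
 * Returns a malloc'd copy of the value, or NULL when the name is absent.
 * Toy parser written for this example, not the module's own. */
static char *cookie_lookup(const char *header, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = header;

    g_lookups++;
    while (p != NULL && *p != '\0') {
        while (*p == ' ' || *p == ';')
            p++;
        const char *eq = strchr(p, '=');
        if (eq == NULL)
            break;
        const char *end = strchr(eq, ';');
        size_t vlen = end ? (size_t)(end - eq - 1) : strlen(eq + 1);
        if ((size_t)(eq - p) == nlen && strncmp(p, name, nlen) == 0) {
            char *v = malloc(vlen + 1);
            if (v == NULL)
                return NULL;
            memcpy(v, eq + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = end;
    }
    return NULL;
}

/* Read the client-controlled "<name>_chunks" cookie (assumed naming). */
static long chunk_count(const char *header, const char *name)
{
    char cname[128];
    snprintf(cname, sizeof cname, "%s_chunks", name);
    char *v = cookie_lookup(header, cname);
    if (v == NULL)
        return 0;
    long n = strtol(v, NULL, 10);
    free(v);
    return n;
}

/* Reassemble a possibly chunked cookie. Returns a malloc'd value, or NULL
 * when the cookie is absent or the chunk count is out of bounds. */
char *get_chunked_cookie(const char *header, const char *name)
{
    long count = chunk_count(header, name);
    if (count == 0)
        return cookie_lookup(header, name);   /* not chunked at all */
    if (count < 0 || count > MAX_CHUNKS) {
        /* The fix: decline before the per-chunk loop, so a count such as
         * 99999999 costs one lookup instead of 99999999 of them. */
        fprintf(stderr, "chunk count out of bounds: %ld\n", count);
        return NULL;
    }
    size_t cap = 64, len = 0;
    char *value = malloc(cap);
    if (value == NULL)
        return NULL;
    value[0] = '\0';
    for (long i = 0; i < count; i++) {
        char cname[128];
        snprintf(cname, sizeof cname, "%s_%ld", name, i);
        char *chunk = cookie_lookup(header, cname);
        if (chunk == NULL) {
            fprintf(stderr, "could not find chunk %ld; aborting\n", i);
            break;   /* as upstream: stop, keep what was assembled so far */
        }
        size_t clen = strlen(chunk);
        if (len + clen + 1 > cap) {
            cap = (len + clen + 1) * 2;
            char *tmp = realloc(value, cap);
            if (tmp == NULL) { free(chunk); free(value); return NULL; }
            value = tmp;
        }
        memcpy(value + len, chunk, clen + 1);
        len += clen;
        free(chunk);
    }
    if (len == 0) { free(value); return NULL; }   /* no chunk found at all */
    return value;
}

/* Helper: 1 if the reassembled cookie equals `expected` (NULL = absent). */
int cookie_equals(const char *header, const char *name, const char *expected)
{
    char *v = get_chunked_cookie(header, name);
    int ok = (v == NULL) ? (expected == NULL)
                         : (expected != NULL && strcmp(v, expected) == 0);
    free(v);
    return ok;
}
```

With a constructed header such as `mod_auth_openidc_session_chunks=99999999; mod_auth_openidc_session_0=abc`, `get_chunked_cookie` returns NULL after a single lookup, whereas the unbounded pre-fix loop would have performed one lookup per claimed chunk; with `..._chunks=2; ..._0=abc; ..._1=def` it returns `abcdef`.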
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog libapache2-mod-auth-openidc-2.4.9.4/debian/changelog --- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2023-05-02 12:59:57.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2024-04-18 14:27:26.000000000 +0200 @@ -1,3 +1,16 @@ +libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high + + * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks + cookie value made the server vulnerable to a Denial of Service (DoS) + attack. If an attacker manipulated the value of the OpenIDC cookie to a + very large integer like 99999999, the server struggled with the request for + a long time and finally returned a 500 error. Making a few requests of this + kind caused servers to become unresponsive, and so attackers could thereby + craft requests that would make the server work very hard and/or crash with + minimal effort. (Closes: #1064183) + + -- Moritz Schlarb <schla...@uni-mainz.de> Thu, 18 Apr 2024 14:27:26 +0200 + libapache2-mod-auth-openidc (2.4.9.4-0+deb11u3) bullseye-security; urgency=high * Add patch to Fix CVE-2023-28625 (Closes: #1033916) diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch --- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch 2024-04-18 14:25:44.000000000 +0200 
@@ -0,0 +1,60 @@ +From: Hans Zandbelt <hans.zandb...@openidc.com> +Date: Tue, 6 Feb 2024 23:45:40 +0100 +Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814 + +fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and +a crafted Cookie header is supplied +https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv + +Signed-off-by: Hans Zandbelt <hans.zandb...@openidc.com> +--- + src/util.c | 35 +++++++++++++++++------------------ + 1 file changed, 17 insertions(+), 18 deletions(-) + +diff --git a/src/util.c b/src/util.c +index c6453d0..6782293 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -1288,25 +1288,24 @@ static char* oidc_util_get_chunk_cookie_name(request_rec *r, + */ + char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName, + int chunkSize) { +- char *cookieValue = NULL; +- char *chunkValue = NULL; +- int i = 0; +- if (chunkSize == 0) { +- cookieValue = oidc_util_get_cookie(r, cookieName); +- } else { +- int chunkCount = oidc_util_get_chunked_count(r, cookieName); +- if (chunkCount > 0) { +- cookieValue = ""; +- for (i = 0; i < chunkCount; i++) { +- chunkValue = oidc_util_get_cookie(r, +- oidc_util_get_chunk_cookie_name(r, cookieName, i)); +- if (chunkValue != NULL) +- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue, +- chunkValue); +- } +- } else { +- cookieValue = oidc_util_get_cookie(r, cookieName); ++ char *cookieValue = NULL, *chunkValue = NULL; ++ int chunkCount = 0, i = 0; ++ if (chunkSize == 0) ++ return oidc_util_get_cookie(r, cookieName); ++ chunkCount = oidc_util_get_chunked_count(r, cookieName); ++ if (chunkCount == 0) ++ return oidc_util_get_cookie(r, cookieName); ++ if ((chunkCount < 0) || (chunkCount > 99)) { ++ oidc_warn(r, "chunk count out of bounds: %d", chunkCount); ++ return NULL; ++ } ++ for (i = 0; i < chunkCount; i++) { ++ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i)); ++ if (chunkValue == NULL) { ++ oidc_warn(r, "could 
not find chunk %d; aborting", i); ++ break; + } ++ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue); + } + return cookieValue; + } diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series --- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2023-05-02 12:57:22.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2024-04-18 14:25:19.000000000 +0200 @@ -1,3 +1,4 @@ fix-parallel-build.patch 0002-Fix-CVE-2022-23527-prevent-open-redirect.patch 0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch +0004-fix-DoS-CVE-2024-24814.patch
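Review bot: the debian/changelog entry describes the DoS but not the new hard limit the patch introduces: with `if ((chunkCount < 0) || (chunkCount > 99))` the function now returns NULL and logs "chunk count out of bounds" for any session split into more than 99 chunks, so a legitimately large session cookie that previously reassembled will be dropped after this update. A sentence in the changelog (or a NEWS entry) naming the 99-chunk limit would let administrators who see that warning in the error log understand why sessions are being rejected.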
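Review bot: in the util.c hunk, a missing chunk only `break`s out of the loop and execution falls through to `return cookieValue;`, so the caller receives the partial concatenation of the chunks found so far (or NULL if chunk 0 was missing) rather than a clear failure; returning NULL right after `oidc_warn(r, "could not find chunk %d; aborting", i);` would keep a truncated cookie value from reaching the session decoding code. Separately, the hunk does not show how `oidc_util_get_chunked_count` converts the cookie string to an int; if that is `atoi()`, a value beyond INT_MAX is undefined behaviour rather than a negative number, so please confirm the `chunkCount < 0` branch is reachable for the out-of-range inputs it is meant to catch.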