Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:libapache2-mod-auth-openidc User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Backported the patch to fix CVE-2024-24814. Does not require DSA as per #1064183#28. [ Impact ] DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA- hxr6-w4gc-7vvv [ Tests ] Manually on own infra. [ Risks ] Patch has minimal complexity but is from the upstream author who is generally very knowledgable about his code. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Added upstream commit as patch that fixes oidc_util_get_chunked_cookie function to properly handle chunked cookies and decline malicious ones. [ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog libapache2-mod-auth-openidc-2.4.12.3/debian/changelog --- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2023-05-02 11:48:09.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-04-18 14:20:00.000000000 +0200 @@ -1,3 +1,16 @@ +libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium + + * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks + cookie value made the server vulnerable to a Denial of Service (DoS) + attack. If an attacker manipulated the value of the OpenIDC cookie to a + very large integer like 99999999, the server struggled with the request for + a long time and finally returned a 500 error. Making a few requests of this + kind caused servers to become unresponsive, and so attackers could thereby + craft requests that would make the server work very hard and/or crash with + minimal effort. (Closes: #1064183) + + -- Moritz Schlarb <schla...@uni-mainz.de> Thu, 18 Apr 2024 14:20:00 +0200 + libapache2-mod-auth-openidc (2.4.12.3-2) unstable; urgency=high * Add patch to Fix CVE-2023-28625 (Closes: #1033916) diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf --- libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 2023-05-02 11:41:28.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 2024-04-18 14:20:00.000000000 +0200 @@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = bookworm diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch --- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 2023-05-02 11:47:32.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 2024-04-18 14:20:00.000000000 +0200 @@ -1,9 +1,9 @@ From: Moritz Schlarb <schla...@uni-mainz.de> Date: Tue, 2 May 2023 11:44:18 +0200 Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set + Origin: upstream, https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr Applied-Upstream: 2.4.13.2, https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a - --- src/mod_auth_openidc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch --- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch 2024-04-18 14:20:00.000000000 +0200 @@ -0,0 +1,60 @@ +From: Hans Zandbelt <hans.zandb...@openidc.com> +Date: Tue, 6 Feb 2024 23:45:40 +0100 +Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814 + +fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and +a crafted Cookie header is supplied +https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv + +Signed-off-by: Hans Zandbelt <hans.zandb...@openidc.com> +--- + src/util.c | 35 +++++++++++++++++------------------ + 1 file changed, 17 insertions(+), 18 deletions(-) + +diff --git a/src/util.c b/src/util.c +index e1f0a3a..7a86c24 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -1325,25 +1325,24 @@ static char* oidc_util_get_chunk_cookie_name(request_rec *r, + */ + char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName, + int chunkSize) { +- char *cookieValue = NULL; +- char *chunkValue = NULL; +- int i = 0; +- if (chunkSize == 0) { +- cookieValue = oidc_util_get_cookie(r, cookieName); +- } else { +- int chunkCount = oidc_util_get_chunked_count(r, cookieName); +- if (chunkCount > 0) { +- cookieValue = ""; +- for (i = 0; i < chunkCount; i++) { +- chunkValue = oidc_util_get_cookie(r, +- oidc_util_get_chunk_cookie_name(r, cookieName, i)); +- if (chunkValue != NULL) +- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue, +- chunkValue); +- } +- } else { +- cookieValue = oidc_util_get_cookie(r, cookieName); ++ char *cookieValue = NULL, *chunkValue = NULL; ++ int chunkCount = 0, i = 0; ++ if (chunkSize == 0) ++ return oidc_util_get_cookie(r, cookieName); ++ chunkCount = oidc_util_get_chunked_count(r, cookieName); ++ if (chunkCount == 0) ++ return oidc_util_get_cookie(r, cookieName); ++ if ((chunkCount < 0) || (chunkCount > 99)) { ++ oidc_warn(r, "chunk count out of bounds: %d", chunkCount); ++ return NULL; ++ } ++ for (i = 0; i < chunkCount; i++) { ++ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i)); ++ if (chunkValue == NULL) { ++ oidc_warn(r, "could not find chunk %d; aborting", i); ++ break; + } ++ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue); + } + return cookieValue; + } diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series --- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2023-05-02 11:44:59.000000000 +0200 +++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-04-18 14:20:00.000000000 +0200 @@ -1 +1,2 @@ 0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch +0002-fix-DoS-CVE-2024-24814.patch
