Your message dated Sat, 29 Jun 2024 10:46:18 +0000
with message-id <e1snvb0-002be5...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1069252,
regarding bookworm-pu: package libapache2-mod-auth-openidc/2.4.12.3-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1069252: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069252
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Backported the patch to fix CVE-2024-24814.
Does not require DSA as per #1064183#28.

[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

[ Tests ]
Manually on own infra.

[ Risks ]
Patch has minimal complexity but is from the upstream author
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added upstream commit as patch that fixes oidc_util_get_chunked_cookie
function to properly handle chunked cookies and decline malicious ones.

[ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 
libapache2-mod-auth-openidc-2.4.12.3/debian/changelog
--- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog       2023-05-02 
11:48:09.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog       2024-04-18 
14:20:00.000000000 +0200
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+    cookie value made the server vulnerable to a Denial of Service (DoS)
+    attack. If an attacker manipulated the value of the OpenIDC cookie to a
+    very large integer like 99999999, the server struggled with the request for
+    a long time and finally returned a 500 error. Making a few requests of this
+    kind caused servers to become unresponsive, and so attackers could thereby
+    craft requests that would make the server work very hard and/or crash with
+    minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb <schla...@uni-mainz.de>  Thu, 18 Apr 2024 14:20:00 +0200
+
 libapache2-mod-auth-openidc (2.4.12.3-2) unstable; urgency=high
 
   * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 
libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf        2023-05-02 
11:41:28.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf        2024-04-18 
14:20:00.000000000 +0200
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = bookworm
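Review bot: `debian-branch = bookworm` is the expected setting for a stable-branch upload, but this change is not covered by the changelog entry even though the checklist above states that all changes are documented in d/changelog; a one-line entry such as `* Set debian-branch to bookworm in gbp.conf` would close that gap.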
diff -Nru 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
--- 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 2023-05-02 11:47:32.000000000 +0200
+++ 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 2024-04-18 14:20:00.000000000 +0200
@@ -1,9 +1,9 @@
 From: Moritz Schlarb <schla...@uni-mainz.de>
 Date: Tue, 2 May 2023 11:44:18 +0200
 Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set
+
 Origin: upstream, 
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
 Applied-Upstream: 2.4.13.2, 
https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
 ---
  src/mod_auth_openidc.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
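Review bot: The blank-line move in this DEP-3 header (from after `Applied-Upstream:` to after `Subject:`) is a cosmetic change unrelated to CVE-2024-24814 and is not mentioned in the changelog entry; for a stable update either drop it or note the patch-header cleanup in d/changelog so the debdiff matches the checklist claim.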
diff -Nru 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
--- 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
       2024-04-18 14:20:00.000000000 +0200
@@ -0,0 +1,60 @@
+From: Hans Zandbelt <hans.zandb...@openidc.com>
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt <hans.zandb...@openidc.com>
+---
+ src/util.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index e1f0a3a..7a86c24 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1325,25 +1325,24 @@ static char* 
oidc_util_get_chunk_cookie_name(request_rec *r,
+  */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+               int chunkSize) {
+-      char *cookieValue = NULL;
+-      char *chunkValue = NULL;
+-      int i = 0;
+-      if (chunkSize == 0) {
+-              cookieValue = oidc_util_get_cookie(r, cookieName);
+-      } else {
+-              int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+-              if (chunkCount > 0) {
+-                      cookieValue = "";
+-                      for (i = 0; i < chunkCount; i++) {
+-                              chunkValue = oidc_util_get_cookie(r,
+-                                              
oidc_util_get_chunk_cookie_name(r, cookieName, i));
+-                              if (chunkValue != NULL)
+-                                      cookieValue = apr_psprintf(r->pool, 
"%s%s", cookieValue,
+-                                                      chunkValue);
+-                      }
+-              } else {
+-                      cookieValue = oidc_util_get_cookie(r, cookieName);
++      char *cookieValue = NULL, *chunkValue = NULL;
++      int chunkCount = 0, i = 0;
++      if (chunkSize == 0)
++              return oidc_util_get_cookie(r, cookieName);
++      chunkCount = oidc_util_get_chunked_count(r, cookieName);
++      if (chunkCount == 0)
++              return oidc_util_get_cookie(r, cookieName);
++      if ((chunkCount < 0) || (chunkCount > 99)) {
++              oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++              return NULL;
++      }
++      for (i = 0; i < chunkCount; i++) {
++              chunkValue = oidc_util_get_cookie(r, 
oidc_util_get_chunk_cookie_name(r, cookieName, i));
++              if (chunkValue == NULL) {
++                      oidc_warn(r, "could not find chunk %d; aborting", i);
++                      break;
+               }
++              cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? 
cookieValue : "", chunkValue);
+       }
+       return cookieValue;
+ }
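Review bot: On a missing chunk the new loop `break`s and falls through to `return cookieValue;`, so a partially assembled value (or NULL when chunk 0 is missing) is handed back to the caller, whereas the old code skipped missing chunks and kept concatenating. Since a truncated session cookie cannot validate anyway, returning NULL directly after `oidc_warn(r, "could not find chunk %d; aborting", i);` would make the failure explicit instead of relying on downstream parsing to reject the fragment. The `99` upper bound in `if ((chunkCount < 0) || (chunkCount > 99))` is also a bare literal; a named constant with a short comment on why 99 chunks suffice would help future readers of the bookworm branch.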
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series  2023-05-02 
11:44:59.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series  2024-04-18 
14:20:00.000000000 +0200
@@ -1 +1,2 @@
 0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
+0002-fix-DoS-CVE-2024-24814.patch

--- End Message ---
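The chunk-count handling described in the [Changes] section, as an added example that is not part of the original report or of mod_auth_openidc: a stand-alone C model of chunked session-cookie reassembly that declines out-of-bounds counts the way the upstream fix does, run against constructed Cookie headers. The `<name>_<i>` chunk naming, the Cookie-header parsing and the sample headers are assumptions, not upstream's implementation.

```c
/* Added example, not mod_auth_openidc code: stand-alone model of chunked
 * session-cookie reassembly with the CVE-2024-24814 bounds check. The "_chunks"
 * cookie and the 99 bound are the page's; "<name>_<i>" naming is assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CHUNKS 99 /* same upper bound the upstream fix applies */
/* Value of cookie `name` (malloc'd) or NULL; requires "name=" exactly. */
static char *get_cookie(const char *header, const char *name) {
    size_t nlen = strlen(name);
    for (const char *p = header; p && *p; p = strchr(p, ';')) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (out) { memcpy(out, v, vlen); out[vlen] = '\0'; }
            return out;
        }
    }
    return NULL;
}

/* Reassemble <name>_0 .. <name>_{n-1}, n from <name>_chunks. Returns NULL
 * (request declined) on a malformed/out-of-bounds count or a missing chunk
 * instead of looping over an attacker-chosen count. Caller frees. */
char *get_chunked_cookie(const char *header, const char *name) {
    char cname[128], *endp;
    snprintf(cname, sizeof cname, "%s_chunks", name);
    char *count_s = get_cookie(header, cname);
    if (!count_s) return get_cookie(header, name);  /* not chunked at all */
    errno = 0;
    long n = strtol(count_s, &endp, 10);
    int parsed = *count_s != '\0' && *endp == '\0' && errno == 0;
    free(count_s);
    if (!parsed) return NULL;
    if (n == 0) return get_cookie(header, name);    /* upstream: plain cookie */
    if (n < 0 || n > MAX_CHUNKS) return NULL;       /* 99999999 stops here */
    char *value = calloc(1, 1);
    for (long i = 0; i < n && value; i++) {
        snprintf(cname, sizeof cname, "%s_%ld", name, i);
        char *chunk = get_cookie(header, cname);
        char *grown = chunk ? realloc(value, strlen(value) + strlen(chunk) + 1) : NULL;
        if (!grown) { free(value); free(chunk); return NULL; }
        value = strcat(grown, chunk);
        free(chunk);
    }
    return value;
}
```

A header carrying `mod_auth_openidc_session_chunks=99999999` is rejected before any chunk lookup happens, while a well-formed two-chunk header is reassembled normally.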
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---