Your message dated Sat, 29 Jun 2024 10:47:47 +0000
with message-id <e1snvcr-002bro...@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1069253,
regarding bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1069253: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069253
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Backported the patch to fix CVE-2024-24814.
Does not require DSA as per #1064183#28.

[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

[ Tests ]
Manually on own infra.

[ Risks ]
Patch has minimal complexity but is from the upstream author
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added upstream commit as patch that fixes oidc_util_get_chunked_cookie
function to properly handle chunked cookies and decline malicious ones.

[ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 
libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog        2023-05-02 
12:59:57.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog        2024-04-18 
14:27:26.000000000 +0200
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
+
+  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+    cookie value made the server vulnerable to a Denial of Service (DoS)
+    attack. If an attacker manipulated the value of the OpenIDC cookie to a
+    very large integer like 99999999, the server struggled with the request for
+    a long time and finally returned a 500 error. Making a few requests of this
+    kind caused servers to become unresponsive, and so attackers could thereby
+    craft requests that would make the server work very hard and/or crash with
+    minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb <schla...@uni-mainz.de>  Thu, 18 Apr 2024 14:27:26 +0200
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u3) bullseye-security; urgency=high
 
   * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
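Review bot: the new changelog entry describes the attack but says nothing about what the fix does or where it came from; add a sentence that the chunk count read from the cookie is now rejected (with a warning) when it is negative or above 99, and cite the upstream commit or the 2.4.15.2 release the patch was taken from, so the backport is traceable without opening the patch file. The entry also names the manipulated cookie as mod_auth_openidc_session_chunks on its first line but then speaks of "the value of the OpenIDC cookie"; using the chunk-count cookie name throughout would avoid suggesting the session cookie itself is the vector.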
diff -Nru 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
--- 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
        2024-04-18 14:25:44.000000000 +0200
@@ -0,0 +1,60 @@
+From: Hans Zandbelt <hans.zandb...@openidc.com>
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt <hans.zandb...@openidc.com>
+---
+ src/util.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index c6453d0..6782293 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1288,25 +1288,24 @@ static char* 
oidc_util_get_chunk_cookie_name(request_rec *r,
+  */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+               int chunkSize) {
+-      char *cookieValue = NULL;
+-      char *chunkValue = NULL;
+-      int i = 0;
+-      if (chunkSize == 0) {
+-              cookieValue = oidc_util_get_cookie(r, cookieName);
+-      } else {
+-              int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+-              if (chunkCount > 0) {
+-                      cookieValue = "";
+-                      for (i = 0; i < chunkCount; i++) {
+-                              chunkValue = oidc_util_get_cookie(r,
+-                                              
oidc_util_get_chunk_cookie_name(r, cookieName, i));
+-                              if (chunkValue != NULL)
+-                                      cookieValue = apr_psprintf(r->pool, 
"%s%s", cookieValue,
+-                                                      chunkValue);
+-                      }
+-              } else {
+-                      cookieValue = oidc_util_get_cookie(r, cookieName);
++      char *cookieValue = NULL, *chunkValue = NULL;
++      int chunkCount = 0, i = 0;
++      if (chunkSize == 0)
++              return oidc_util_get_cookie(r, cookieName);
++      chunkCount = oidc_util_get_chunked_count(r, cookieName);
++      if (chunkCount == 0)
++              return oidc_util_get_cookie(r, cookieName);
++      if ((chunkCount < 0) || (chunkCount > 99)) {
++              oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++              return NULL;
++      }
++      for (i = 0; i < chunkCount; i++) {
++              chunkValue = oidc_util_get_cookie(r, 
oidc_util_get_chunk_cookie_name(r, cookieName, i));
++              if (chunkValue == NULL) {
++                      oidc_warn(r, "could not find chunk %d; aborting", i);
++                      break;
+               }
++              cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? 
cookieValue : "", chunkValue);
+       }
+       return cookieValue;
+ }
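Review bot: in the chunk loop, the `break` on a missing chunk returns whatever was concatenated so far, so after `oidc_warn(r, "could not find chunk %d; aborting", i);` the caller receives a truncated session value rather than NULL; a partial value can never decrypt or parse as a valid session, so `return NULL;` there would fail closed and spare a second, less specific error further down. The new upper bound in `if ((chunkCount < 0) || (chunkCount > 99))` is a bare literal; a named constant, or a limit derived from the largest chunk count the module's own cookie writer can emit, would document why 99 and keep the reader and writer sides in step. The patch header carries From/Date/Subject but no DEP-3 `Origin:` or `Bug-Debian:` line; adding the upstream commit URL and #1064183 there would tie the file to its source and to the bug it closes.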
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series   2023-05-02 
12:57:22.000000000 +0200
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series   2024-04-18 
14:25:19.000000000 +0200
@@ -1,3 +1,4 @@
 fix-parallel-build.patch
 0002-Fix-CVE-2022-23527-prevent-open-redirect.patch
 0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
+0004-fix-DoS-CVE-2024-24814.patch

--- End Message ---
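The chunked-cookie reassembly that CVE-2024-24814 concerns, as an added example that is neither mod_auth_openidc's code nor the Debian patch above: a small C routine parses a raw Cookie header, reads the attacker-controlled chunk count, and applies the same 0..99 bound the upstream fix introduces before it ever loops over the chunks, so a value like the changelog's 99999999 is rejected at no cost. The `<name>_chunks` and `<name>_<i>` cookie naming is assumed from the `mod_auth_openidc_session_chunks` name in the changelog; the functions `cookie_get`, `chunk_count` and `get_chunked_cookie`, the `MAX_CHUNKS` constant and the sample headers are constructed for this example. It deliberately differs from the patch in one place, noted in a comment: a missing chunk yields NULL rather than the partial value.

```c
/* Added example, not mod_auth_openidc or Debian patch code: reassemble a
 * chunked session cookie from a raw Cookie header and reject a hostile chunk
 * count the way the CVE-2024-24814 fix does. The <name>_chunks / <name>_<i>
 * naming is assumed from the changelog; all other names here are constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNKS 99 /* the same upper bound the upstream patch hard-codes */

/* Exact-name lookup of name=value in "a=1; b=2" ("s" does not match "s_chunks").
 * Returns a malloc'd copy of the value, or NULL if absent. */
static char *cookie_get(const char *header, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p != NULL && *p != '\0') {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1, *e = strchr(v, ';');
            size_t vlen = e ? (size_t)(e - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (out == NULL) return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, ';');
    }
    return NULL;
}

/* <name>_chunks is attacker-controlled: 0 if absent, -1 unless it is a clean
 * decimal integer that strtol accepted in full without overflow. */
static long chunk_count(const char *header, const char *name)
{
    char cname[256], *v, *end;
    long n;
    snprintf(cname, sizeof cname, "%s_chunks", name);
    if ((v = cookie_get(header, cname)) == NULL) return 0;
    errno = 0;
    n = strtol(v, &end, 10);
    if (errno != 0 || end == v || *end != '\0') n = -1;
    free(v);
    return n;
}

/* Returns the reassembled value (malloc'd) or NULL; *reason says why. */
char *get_chunked_cookie(const char *header, const char *name, const char **reason)
{
    long count = chunk_count(header, name), i;
    size_t cap = 64, len = 0;
    char *out;
    if (count == 0) { *reason = "not chunked"; return cookie_get(header, name); }
    /* The fix: bound the count before the loop, so 99999999 costs nothing. */
    if (count < 0 || count > MAX_CHUNKS) { *reason = "chunk count out of bounds"; return NULL; }
    if ((out = malloc(cap)) == NULL) return NULL;
    out[0] = '\0';
    for (i = 0; i < count; i++) {
        char cname[256], *chunk, *grown;
        size_t clen;
        snprintf(cname, sizeof cname, "%s_%ld", name, i);
        if ((chunk = cookie_get(header, cname)) == NULL) {
            free(out); /* stricter than the patch, which returns the partial value */
            *reason = "missing chunk";
            return NULL;
        }
        clen = strlen(chunk);
        while (len + clen + 1 > cap) { /* grow output; free everything on OOM */
            if ((grown = realloc(out, cap * 2)) == NULL) { free(out); free(chunk); return NULL; }
            out = grown; cap *= 2;
        }
        memcpy(out + len, chunk, clen + 1);
        len += clen;
        free(chunk);
    }
    *reason = "ok";
    return out;
}

/* Constructed sample headers: a benign two-chunk session and the DoS value
 * from the changelog. */
static const char SAMPLE_OK[] = "lang=en; mod_auth_openidc_session_chunks=2; "
    "mod_auth_openidc_session_0=AAAA; mod_auth_openidc_session_1=BBBB";
static const char SAMPLE_DOS[] =
    "mod_auth_openidc_session_chunks=99999999; mod_auth_openidc_session=x";

int main(void)
{
    const char *why, *headers[] = { SAMPLE_OK, SAMPLE_DOS };
    for (int k = 0; k < 2; k++) {
        char *v = get_chunked_cookie(headers[k], "mod_auth_openidc_session", &why);
        printf("%s -> %s\n", why, v ? v : "(rejected)");
        free(v);
    }
    return 0;
}
```

The count is validated with a fully checked `strtol` and compared before the loop, which is the whole of the fix: the cost of a request is then bounded by `MAX_CHUNKS` cookie lookups regardless of what the client sends. Returning NULL on a missing chunk (rather than the partial value the patch returns) means the caller treats a truncated session as no session at all, which is the safer default for an authentication module.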
--- Begin Message ---
Version: 11.10

The upload requested in this bug has been released as part of 11.10.

--- End Message ---