Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I propose this upload to buster to fix a relatively minor security issue (open redirect) in libapache2-mod-auth-mellon. The changes have already been in sid and bookworm for some time, and the first part is in bullseye as well.

Cheers,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/changelog libapache2-mod-auth-mellon-0.14.2/debian/changelog --- libapache2-mod-auth-mellon-0.14.2/debian/changelog 2019-03-22 12:10:11.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/debian/changelog 2022-12-06 15:39:13.000000000 +0000 @@ -1,3 +1,10 @@ +libapache2-mod-auth-mellon (0.14.2-1+deb10u1) buster; urgency=high + + * Upload to fix security issues: + - Open redirect in logout endpoint (CVE-2019-13038 CVE-2021-3639) + + -- Thijs Kinkhorst <th...@debian.org> Tue, 06 Dec 2022 15:39:13 +0000 + libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high * New upstream security release. (closes: #925197) diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch --- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch 2022-12-06 15:36:36.000000000 +0000 
@@ -0,0 +1,29 @@ +From a52645391d08739a6a96df21e2506d3e57b888dc Mon Sep 17 00:00:00 2001 +From: Valentin <awaken...@users.noreply.github.com> +Date: Fri, 6 Sep 2019 13:30:36 +0300 +Subject: [PATCH] Fix open redirect CVE-2019-13038 + +Resolves: + https://github.com/latchset/mod_auth_mellon/issues/2 + +The original reported redirect attack was: + https://application.com/mellon/login?ReturnTo=http:www.malicious.com +--- + auth_mellon_util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/auth_mellon_util.c b/auth_mellon_util.c +index fd442f9..e53a98f 100644 +--- a/auth_mellon_util.c ++++ b/auth_mellon_util.c +@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url) + + /* Sanity check of the scheme of the domain. We only allow http and https. */ + if (uri.scheme) { ++ /* http and https schemes without hostname are invalid. */ ++ if (!uri.hostname) { ++ return HTTP_BAD_REQUEST; ++ } + if (strcasecmp(uri.scheme, "http") + && strcasecmp(uri.scheme, "https")) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch --- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch 2022-12-06 15:38:26.000000000 +0000 
@@ -0,0 +1,44 @@ +From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001 +From: AIMOTO Norihito <aim...@osstech.co.jp> +Date: Tue, 6 Jul 2021 22:57:24 +0200 +Subject: [PATCH] Prevent redirect to URLs that begin with '///' + +Visiting a logout URL like this: + https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html +would have redirected the user to fishing-site.example.com + +With the patch, this URL would be rejected. + +Fixes: CVE-2021-3639 +--- + auth_mellon_util.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/auth_mellon_util.c b/auth_mellon_util.c +index 2f8c9c3..6a686db 100644 +--- a/auth_mellon_util.c ++++ b/auth_mellon_util.c +@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url) + { + const char *i; + ++ if (url == NULL) { ++ return HTTP_BAD_REQUEST; ++ } ++ + for (i = url; *i; i++) { + if (*i >= 0 && *i < ' ') { + /* Deny all control-characters. */ +@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url) + } + } + ++ if (strstr(url, "///") == url) { ++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, ++ "URL starts with '///'"); ++ return HTTP_BAD_REQUEST; ++ } ++ + return OK; + } + diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/series libapache2-mod-auth-mellon-0.14.2/debian/patches/series --- libapache2-mod-auth-mellon-0.14.2/debian/patches/series 2018-01-06 12:58:18.000000000 +0000 +++ libapache2-mod-auth-mellon-0.14.2/debian/patches/series 2022-12-06 15:39:01.000000000 +0000 @@ -0,0 +1,2 @@ +CVE-2019-13038.patch +CVE-2021-3639.patch
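Review bot: the debian/changelog entry "Open redirect in logout endpoint (CVE-2019-13038 CVE-2021-3639)" only describes the second fix. The CVE-2019-13038 patch's own description gives the reported attack as `https://application.com/mellon/login?ReturnTo=http:www.malicious.com`, i.e. the login endpoint's ReturnTo parameter, and the change lands in am_validate_redirect_url rather than in the logout path. Suggest two bullets so the changelog matches the patches, e.g. "- Open redirect via ReturnTo with a scheme but no hostname (CVE-2019-13038)" and "- Open redirect via ReturnTo starting with '///' on the logout endpoint (CVE-2021-3639)".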
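Review bot: in the CVE-2019-13038 hunk, the new `if (!uri.hostname) { return HTTP_BAD_REQUEST; }` in am_validate_redirect_url returns without logging, while the scheme check immediately below it reports the rejection through AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, ...). A rejected ReturnTo is exactly what an operator looks for in the error log when a login redirect stops working, so add a matching AM_LOG_RERROR call that names the offending URL before the return. Note also that the guard sits inside the `if (uri.scheme)` branch, so this hunk only covers values that carry a scheme (the `http:www.malicious.com` case from the description); scheme-less inputs are untouched by it and are left to the second patch.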
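Review bot: the first CVE-2021-3639 hunk adds `if (url == NULL) { return HTTP_BAD_REQUEST; }` at the top of am_check_url without a log line, whereas the other rejections in this function (the control-character case and the new '///' case) go through AM_LOG_RERROR. Either log here as well or add a one-line comment stating that a NULL url is expected to reach this function from some caller, so that a reviewer does not have to guess whether this is defensive hardening or a real input path.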
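Review bot: in the second CVE-2021-3639 hunk, `if (strstr(url, "///") == url)` is being used as a prefix test; `if (strncmp(url, "///", 3) == 0)` states that intent directly and does not walk the whole string when the prefix is absent. The check deliberately sits after the control-character loop, so a URL containing both problems is reported as the control-character case first; a short comment noting that ordering would help the next reader. The rejection matches exactly a leading '///', which is all the commit message claims to fix, so the log message "URL starts with '///'" is accurate as written.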