Package: libapache2-mod-auth-openidc
Version: 2.4.12.3-2+deb12u1
Severity: normal
Tags: upstream

Dear Maintainer,

When a request is processed by libapache2-mod-auth-openidc where the
set *forwarded* headers are not as configured in OIDCXForwardedHeaders,
a warning is printed, like:

> oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header Forwarded but not found in request

Such a situation cannot be avoided in all environments - e.g. because
requests are forwarded by different proxies, or only part of the
requests are forwarded while some are from localhost - so this
situation cannot be circumvented IMHO.

A bug in the implementation results in a segfault in the version
currently shipped in bookworm.

> oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header Forwarded but not found in request
> AH00051: child pid 19 exit signal Segmentation fault (11), possible coredump in /etc/apache2

As confirmed by upstream, this issue has been fixed in version
2.4.15.3, and a patch is available here:
https://github.com/OpenIDC/mod_auth_openidc/commit/c2f200fb246f546e07c91f04e82345793af0c7c0

Would it be possible to apply this patch to bookworm?

Upstream discussion:
https://github.com/OpenIDC/mod_auth_openidc/discussions/1233

Thanks a lot.

Greetings,
Philipp


-- System Information:
Debian Release: 12.6
Architecture: amd64 (x86_64)

Kernel: Linux 6.9.7-arch1-1 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages libapache2-mod-auth-openidc depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.59-1~deb12u1
ii  libapr1                             1.7.2-3
ii  libaprutil1                         1.6.3-1
ii  libc6                               2.36-9+deb12u7
ii  libcjose0                           0.6.2.1-1+deb12u1
ii  libcurl4                            7.88.1-10+deb12u6
ii  libhiredis0.14                      0.14.1-3
ii  libjansson4                         2.14-2
ii  libpcre2-8-0                        10.42-1
ii  libssl3                             3.0.13-1~deb12u1

libapache2-mod-auth-openidc recommends no packages.

libapache2-mod-auth-openidc suggests no packages.

-- Configuration Files:
/etc/apache2/mods-available/auth_openidc.conf changed [not included]

-- no debconf information
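As an added triage example (not part of this bug report and not mod_auth_openidc code): a small Python script that scans Apache error-log lines for the OIDCXForwardedHeaders warning quoted above and matches each child segfault to a prior warning emitted by the same worker pid, so an operator can confirm the crash pattern in their own logs before applying the backport. The sample log lines are constructed for the example, not taken from the report.

```python
import re
from dataclasses import dataclass, field

# The two messages quoted in the report: the module's warning (logged by the
# worker pid) and the parent's notice that a child exited with SIGSEGV.
WARN_RE = re.compile(
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\].*oidc_check_x_forwarded_hdr: "
    r"OIDCXForwardedHeaders configured for header (?P<header>\S+) but not found in request"
)
SEGV_RE = re.compile(r"AH00051: child pid (?P<pid>\d+) exit signal Segmentation fault \(11\)")


@dataclass
class Triage:
    missing_headers: dict = field(default_factory=dict)     # header name -> warning count
    correlated_crashes: list = field(default_factory=list)  # child pids that warned, then died
    other_crashes: list = field(default_factory=list)       # segfaults with no prior warning


def triage(lines):
    """Correlate each child segfault with an earlier missing-header warning from that pid."""
    result = Triage()
    warned_pids = set()
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            header = m.group("header")
            result.missing_headers[header] = result.missing_headers.get(header, 0) + 1
            warned_pids.add(int(m.group("pid")))
            continue
        m = SEGV_RE.search(line)
        if m:
            pid = int(m.group("pid"))
            if pid in warned_pids:
                result.correlated_crashes.append(pid)
                warned_pids.discard(pid)
            else:
                result.other_crashes.append(pid)
    return result


# Constructed sample lines in Apache 2.4's default ErrorLogFormat (not from the report).
SAMPLE_LOG = """\
[Tue Jul 09 10:00:01.000000 2024] [auth_openidc:warn] [pid 19:tid 140] [client 10.0.0.5:51234] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header Forwarded but not found in request
[Tue Jul 09 10:00:01.000100 2024] [core:notice] [pid 1:tid 140] AH00051: child pid 19 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Tue Jul 09 10:00:02.000000 2024] [auth_openidc:warn] [pid 20:tid 140] [client 127.0.0.1:40000] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Host but not found in request
[Tue Jul 09 10:05:00.000000 2024] [mpm_event:notice] [pid 1:tid 140] AH00493: SIGUSR1 received.  Doing graceful restart
[Tue Jul 09 10:06:00.000000 2024] [core:notice] [pid 1:tid 140] AH00051: child pid 42 exit signal Segmentation fault (11), possible coredump in /etc/apache2
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Run it against a real error log with `triage(open("/var/log/apache2/error.log").read().splitlines())`; a non-empty `correlated_crashes` list is the pattern this report describes.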