Bug#1050997: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-01 at 12:34 +0400, Yadd wrote:
> Version 2.17.0 of lemonldap-ng fixes two low-level security issues:
>  * the "login" security regex wasn't applied when using AuthSlave
>  * lemonldap-ng portal can be used as open-redirection due to incorrect
>    escape handling
> 

Please go ahead.

Regards,

Adam



Bug#1050997: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1

2023-09-01 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Version 2.17.0 of lemonldap-ng fixes two low-level security issues:
 * the "login" security regex wasn't applied when using AuthSlave
 * lemonldap-ng portal can be used as open-redirection due to incorrect
   escape handling

This proposal includes these 2 patches for Bookworm.

[ Impact ]
Low security issues

[ Tests ]
Tests updated; they pass both with autopkgtest and at build time.

[ Risks ]
No risk, the patch is trivial.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * check if login value respects the config when login comes from
   AuthSlave
 * Sanitize URLs used in redirections
 * Tests

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 8de0d083f..268c0d993 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium
+
+  * Apply login control to auth-slave requests
+  * Fix open redirection due to incorrect escape handling
+
+ -- Yadd   Fri, 01 Sep 2023 10:11:50 +0400
+
 lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium
 
   * Fix incorrect parsing of OP-provided acr
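Review bot: the new stanza still carries the `UNRELEASED` distribution (`lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium`); for a bookworm-pu upload it has to read `bookworm` before the package is built and uploaded. It would also help tracking to cite the upstream issue already named in the patch header (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946) next to the two entries, so the security context of both fixes is visible from the package history alone.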
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
index 33c3a640d..756ccd252 100644
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -1,4 +1,6 @@
 ---
+variables:
+  RELEASE: 'bookworm'
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
diff --git a/debian/patches/apply-user-control-to-authslave.patch 
b/debian/patches/apply-user-control-to-authslave.patch
new file mode 100644
index 0..df0ceca39
--- /dev/null
+++ b/debian/patches/apply-user-control-to-authslave.patch
@@ -0,0 +1,83 @@
+Description: [Security] apply user-control to authSlave
+Author: Christophe Maudoux 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946
+Forwarded: not-needed
+Applied-Upstream: 2.17.0, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351
+Reviewed-By: Yadd 
+Last-Update: 2023-09-01
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm
 b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm
+@@ -8,6 +8,7 @@
+   PE_OK
+   PE_FORBIDDENIP
+   PE_USERNOTFOUND
++  PE_MALFORMEDUSER
+ );
+ 
+ our $VERSION = '2.0.12';
+@@ -37,11 +38,15 @@
+ $user_header = 'HTTP_' . uc($user_header);
+ $user_header =~ s/\-/_/g;
+ 
+-unless ( $req->{user} = $req->env->{$user_header} ) {
++unless ( $req->env->{$user_header} ) {
+ $self->userLogger->error(
+ "No header " . $self->conf->{slaveUserHeader} . " found" );
+ return PE_USERNOTFOUND;
+ }
++return PE_MALFORMEDUSER
++  unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o );
++
++$req->{user} = $req->env->{$user_header};
+ return PE_OK;
+ }
+ 
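Review bot: the new `return PE_MALFORMEDUSER` path is silent, whereas the missing-header branch just above it reports through `$self->userLogger->error(...)`; add a matching `userLogger` message (for example `"Malformed user in header " . $self->conf->{slaveUserHeader}`) so operators can see in the portal log when a proxied login is refused by `userControl`, which is also the event a monitoring rule would key on. Two further points on `unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o );`: the `/o` modifier compiles the pattern only once per interpreter, so a changed `userControl` is not honoured until the worker restarts (building a `qr//` when the configuration is loaded avoids that), and the check is exactly as strict as the configured pattern, which therefore must be anchored (as the test's `^\w{4}$` is) to reject anything but a whole conforming value.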
+--- a/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t
 b/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t
+@@ -2,7 +2,7 @@
+ use Test::More;
+ use strict;
+ use JSON;
+-use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND);
++use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND 
PE_MALFORMEDUSER);
+ 
+ require 't/test-lib.pm';
+ 
+@@ -17,6 +17,7 @@
+ securedCookie  => 3,
+ authentication => 'Slave',
+ userDB => 'Same',
++userControl=> '^\w{4}$',
+ slaveUserHeader=> 'My-Test',
+ slaveHeaderName=> 'Check-Slave',
+ slaveHeaderContent => 'Password',
+@@ -91,6 +92,27 @@
+   or explain( $json, "error => 4" );
+ count(4);
+ 
++# Good credentials with an unauthorized login
++ok(
++$res = $client->_get(
++'/',
++ip => '127.0.0.1',
++custom => {
++HTTP_MY_TEST => 'dwhoo',
++HTTP_NAME=> 'Dr Who',
++HTTP_CHECK_SLAVE => 'Password',
++}
++
++),
++'Auth query'
++);
++ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 );
++ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
++  or print STDERR "$@\n" . Dumper($res);
++ok( $json->{error} == PE_MALFORMEDUSER, 'Response is PE_MALFORMEDUSER' )
++  or explain( $json, "error => 40" );
++count(4);
++
+ # Good credentials with acredited IP
+ ok(
+ $res = $client->_get(
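Review bot: the `explain` diagnostics hard-code the numeric error codes (`"error => 40"` in the new block, `"error => 4"` in the block above) instead of using the constants the test already imports from `Lemonldap::NG::Portal::Main::Constants`; `"error => " . PE_MALFORMEDUSER` keeps the failure message in step with the constant. The new block only exercises the rejection of `dwhoo` against `^\w{4}$`; since `userControl` now applies to every Slave login, the "Good credentials with acredited IP" case that follows must use a login matching the same pattern, or the suite will fail for a reason unrelated to what it checks. The stray blank line inside the `custom => { ... }` hash before the closing `)` can be dropped.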
diff --git a/debian/patches/fix-open-redirection.patch 
b/debian/patches/fix-open-redirection.patch
new file mode 100644
index 0..96850a2a4