Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libapache2-mod-auth-mellon

The upload contains fixes for two security issues (CVE-2019-3877 and
CVE-2019-3878); it is a new upstream release that contains only these fixes.

unblock libapache2-mod-auth-mellon/0.14.2-1

Thanks,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.14.1/auth_mellon_util.c 
libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c
--- libapache2-mod-auth-mellon-0.14.1/auth_mellon_util.c        2018-07-25 
10:19:25.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c        2019-03-20 
07:29:16.000000000 +0000
@@ -927,6 +927,13 @@
                           "Control character detected in URL.");
             return HTTP_BAD_REQUEST;
         }
+        if (*i == '\\') {
+            /* Reject backslash character, as it can be used to bypass
+             * redirect URL validation. */
+            AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+                          "Backslash character detected in URL.");
+            return HTTP_BAD_REQUEST;
+        }
     }
 
     return OK;
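Review bot: The new check at `if (*i == '\\')` only catches a literal backslash byte, so it relies on the ReturnTo value having been percent-decoded before this loop runs; if a caller passed the raw query value, the `%5c` form described in NEWS would still pass. That precondition is not visible in this hunk (the enclosing function starts and ends outside it), so it is worth stating in the comment, e.g. `/* Expects a percent-decoded URL: a %5c in the query must already have been turned into '\\' by the caller. */`. More generally this and the control-character check above it are a denylist; a stricter alternative is to accept only the RFC 3986 character set (unreserved, reserved and '%') and reject everything else, which also covers other browser normalisation quirks that have not been enumerated yet.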
diff -Nru libapache2-mod-auth-mellon-0.14.1/configure 
libapache2-mod-auth-mellon-0.14.2/configure
--- libapache2-mod-auth-mellon-0.14.1/configure 2019-02-11 07:40:35.000000000 
+0000
+++ libapache2-mod-auth-mellon-0.14.2/configure 2019-03-21 13:58:52.000000000 
+0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.14.1.
+# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.14.2.
 #
 # Report bugs to <olav.mor...@uninett.no>.
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='mod_auth_mellon'
 PACKAGE_TARNAME='mod_auth_mellon'
-PACKAGE_VERSION='0.14.1'
-PACKAGE_STRING='mod_auth_mellon 0.14.1'
+PACKAGE_VERSION='0.14.2'
+PACKAGE_STRING='mod_auth_mellon 0.14.2'
 PACKAGE_BUGREPORT='olav.mor...@uninett.no'
 PACKAGE_URL=''
 
@@ -1262,7 +1262,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_auth_mellon 0.14.1 to adapt to many kinds of 
systems.
+\`configure' configures mod_auth_mellon 0.14.2 to adapt to many kinds of 
systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1324,7 +1324,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_auth_mellon 0.14.1:";;
+     short | recursive ) echo "Configuration of mod_auth_mellon 0.14.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1431,7 +1431,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_auth_mellon configure 0.14.1
+mod_auth_mellon configure 0.14.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1779,7 +1779,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_auth_mellon $as_me 0.14.1, which was
+It was created by mod_auth_mellon $as_me 0.14.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3098,7 +3098,7 @@
 
 
 
-NAMEVER=mod_auth_mellon-0.14.1
+NAMEVER=mod_auth_mellon-0.14.2
 
 
 
@@ -4879,7 +4879,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by mod_auth_mellon $as_me 0.14.1, which was
+This file was extended by mod_auth_mellon $as_me 0.14.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4941,7 +4941,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-mod_auth_mellon config.status 0.14.1
+mod_auth_mellon config.status 0.14.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru libapache2-mod-auth-mellon-0.14.1/configure.ac 
libapache2-mod-auth-mellon-0.14.2/configure.ac
--- libapache2-mod-auth-mellon-0.14.1/configure.ac      2019-02-11 
07:26:49.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/configure.ac      2019-03-21 
13:58:35.000000000 +0000
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_mellon],[0.14.1],[olav.mor...@uninett.no])
+AC_INIT([mod_auth_mellon],[0.14.2],[olav.mor...@uninett.no])
 AC_CONFIG_HEADERS([config.h])
 
 # We require support for C99.
diff -Nru libapache2-mod-auth-mellon-0.14.1/debian/changelog 
libapache2-mod-auth-mellon-0.14.2/debian/changelog
--- libapache2-mod-auth-mellon-0.14.1/debian/changelog  2019-02-11 
08:44:03.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/debian/changelog  2019-03-22 
12:10:11.000000000 +0000
@@ -1,3 +1,11 @@
+libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
+
+  * New upstream security release. (closes: #925197)
+    - Auth bypass when used with reverse proxy [CVE-2019-3878]
+    - Open redirect vulnerability in logout [CVE-2019-3877]
+
+ -- Thijs Kinkhorst <th...@debian.org>  Fri, 22 Mar 2019 12:10:11 +0000
+
 libapache2-mod-auth-mellon (0.14.1-1) unstable; urgency=medium
 
   [ Thijs Kinkhorst ]
diff -Nru libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c 
libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c
--- libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c 2018-01-18 
17:32:59.000000000 +0000
+++ libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c 2019-03-20 
07:29:50.000000000 +0000
@@ -207,6 +207,12 @@
 
 static void register_hooks(apr_pool_t *p)
 {
+    /* Our handler needs to run before mod_proxy so that it can properly
+     * return ECP AuthnRequest messages when running as a reverse proxy.
+     * See: https://github.com/Uninett/mod_auth_mellon/pull/196
+     */
+    static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
+
     ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
@@ -222,7 +228,7 @@
      * Therefore this hook must run before any handler that may check
      * r->handler and decide that it is the only handler for this URL.
      */
-    ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
+    ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
 
 #ifdef ENABLE_DIAGNOSTICS
     ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
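Review bot: The predecessor list `run_handler_before` pins am_handler ahead of `mod_proxy.c` only, so any other module that forwards requests from a handler registered at APR_HOOK_FIRST (third-party connectors, if one is loaded) would still race with it on LoadModule order, which is the exact condition NEWS describes for CVE-2019-3878. The comment above the array should say so, e.g. `/* Only mod_proxy is ordered explicitly; other proxying handlers still depend on LoadModule order. */`, and it could also note that the string is matched against the module's name field, which httpd appears to derive from the source file basename, hence `mod_proxy.c` rather than the `.so` name. Minor style point: `run_handler_before[]={` lacks the spaces around `=` used elsewhere in this function. register_hooks ends outside the hunk.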
diff -Nru libapache2-mod-auth-mellon-0.14.1/NEWS 
libapache2-mod-auth-mellon-0.14.2/NEWS
--- libapache2-mod-auth-mellon-0.14.1/NEWS      2019-02-11 07:26:04.000000000 
+0000
+++ libapache2-mod-auth-mellon-0.14.2/NEWS      2019-03-21 13:58:27.000000000 
+0000
@@ -1,3 +1,48 @@
+Version 0.14.2
+---------------------------------------------------------------------------
+
+Security fixes:
+
+* [CVE-2019-3878] Authentication bypass when Apache is used as a
+  reverse proxy
+
+  If Apache is configured as a reverse proxy with mod_auth_mellon for
+  authentication, the authentication can be bypassed by adding SAML
+  2.0 ECP headers to the request.
+
+  This vulnerability affects mod_auth_mellon 0.11.0 and newer.
+
+  This vulnerability is due to both mod_auth_mellon and mod_proxy
+  registering as handlers for the requests, with the same
+  priority. When mod_auth_mellon handles the request first, it will
+  trigger a ECP authentication request. If mod_proxy handles it first,
+  it will forward it to the backend server.
+
+  Which module handles it first depends on the order modules are
+  loaded by Apache.
+
+  This vulnerability is fixes by specifically registering that the
+  mod_auth_mellon handler should run before mod_proxy.
+
+  Thanks to Jakub Hrozek and John Dennis at RedHat for fixing this
+  vulnerability.
+
+* [CVE-2019-3877] Redirect URL validation bypass
+
+  Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
+  validation to be bypassed by specifying an URL with backslashes
+  instead of forward slashes. Browsers silently convert backslashes to
+  forward slashes, which allows an attacker to bypass the redirect URL
+  validation by using `%5c` in the ReturnTo-parameter. E.g.:
+
+    
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
+
+  This version fixes that issue by rejecting all URLs with
+  backslashes.
+
+  Thanks to Eric Chamberland for discovering this vulnerability.
+
+
 Version 0.14.1
 ---------------------------------------------------------------------------
 
