Bug#1025646: bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1

2022-12-06 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2022-12-06 at 21:11 +0100, Thijs Kinkhorst wrote:
> I propose this upload to bullseye to fix a relatively minor security
> issue (open redirect) in libapache2-mod-auth-mellon.
> 

Please go ahead.

Regards,

Adam



Bug#1025646: bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1

2022-12-06 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I propose this upload to bullseye to fix a relatively minor security issue
(open redirect) in libapache2-mod-auth-mellon.

The changes have already been in sid and bookworm for a while.


Cheers,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/changelog 
libapache2-mod-auth-mellon-0.17.0/debian/changelog
--- libapache2-mod-auth-mellon-0.17.0/debian/changelog  2020-09-08 
12:56:41.0 +0200
+++ libapache2-mod-auth-mellon-0.17.0/debian/changelog  2022-12-06 
20:12:37.0 +0100
@@ -1,3 +1,10 @@
+libapache2-mod-auth-mellon (0.17.0-1+deb11u1) bullseye; urgency=medium
+
+  * Upload to fix security issue:
+- Open redirect in logout endpoint (CVE-2021-3639)
+
+ -- Thijs Kinkhorst   Tue, 06 Dec 2022 20:12:37 +0100
+
 libapache2-mod-auth-mellon (0.17.0-1) unstable; urgency=medium
 
   * New upstream release.
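Review bot: the sub-item `- Open redirect in logout endpoint (CVE-2021-3639)` appears flush with the `*` bullet here instead of indented under it; if that is not just mail wrapping, indent it so the changelog still parses as one entry with a sub-bullet. It would also help stable-update review to name the changed function (`am_check_url`) or the upstream commit the patch below is taken from (42a11261b9dad2e48d70bdff7c53dd57a12db6f5) in the entry, since the one-line description does not say which code path was touched.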
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch 
libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch
--- libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch
1970-01-01 01:00:00.0 +0100
+++ libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch
2022-12-06 20:12:37.0 +0100
@@ -0,0 +1,44 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito 
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
 b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+ const char *i;
+ 
++if (url == NULL) {
++return HTTP_BAD_REQUEST;
++}
++
+ for (i = url; *i; i++) {
+ if (*i >= 0 && *i < ' ') {
+ /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+ }
+ }
+ 
++if (strstr(url, "///") == url) {
++AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++  "URL starts with '///'");
++return HTTP_BAD_REQUEST;
++}
++
+ return OK;
+ }
+ 
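Review bot: the outer hunk header says `+1,44` but 45 body lines follow it, and two of them (`https://rp.example.co.jp/mellon/logout?ReturnTo=...` and `b/auth_mellon_util.c`) lack the leading `+` that every other added line carries, so the patch file as shown here would not apply; this looks like mail wrapping, but please confirm the file in the actual upload is intact and that `quilt push` applies it cleanly on 0.17.0 (the nested hunk counts `-927,6 +927,10` and `-943,6 +947,12` do match the four and six added lines). On the code itself, `strstr(url, "///") == url` scans the whole string to express a prefix test; `strncmp(url, "///", 3) == 0` states the intent directly, though keeping the upstream form verbatim is reasonable for a stable update. The new check rejects only URLs that begin with exactly `///`, and the hunk shows just the control-character loop of `am_check_url`, so please confirm that the rest of that function in 0.17.0 already rejects the other scheme-relative forms (`//host`) that the upstream fix relies on being handled elsewhere. The git format-patch headers satisfy DEP-3, but an `Origin: upstream, <commit URL>` line for 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 and a `Bug-Debian:` reference would make the provenance explicit for the security tracker.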
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/series 
libapache2-mod-auth-mellon-0.17.0/debian/patches/series
--- libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2020-01-27 
14:32:39.0 +0100
+++ libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2022-12-06 
20:12:37.0 +0100
@@ -0,0 +1 @@
+CVE-2021-3639.patch