Bug#1069253: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u4

2024-04-22 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Thu, Apr 18, 2024 at 09:44:59PM +0200, Moritz Schlarb wrote:
> Backported the patch to fix CVE-2024-24814.
> Does not require DSA as per #1064183#28.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1069253: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u4

2024-04-18 Thread Moritz Schlarb
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Backported the patch to fix CVE-2024-24814.
Does not require DSA as per #1064183#28.

[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

[ Tests ]
Manually on own infra.

[ Risks ]
Patch has minimal complexity but is from the upstream author
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added the upstream commit as a patch that fixes the oidc_util_get_chunked_cookie
function to properly handle chunked cookies and decline malicious ones.

[ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 
libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog2023-05-02 
12:59:57.0 +0200
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog2024-04-18 
14:27:26.0 +0200
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
+
+  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+cookie value made the server vulnerable to a Denial of Service (DoS)
+attack. If an attacker manipulated the value of the OpenIDC cookie to a
+very large integer like , the server struggled with the request for
+a long time and finally returned a 500 error. Making a few requests of this
+kind caused servers to become unresponsive, and so attackers could thereby
+craft requests that would make the server work very hard and/or crash with
+minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb   Thu, 18 Apr 2024 14:27:26 +0200
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u3) bullseye-security; urgency=high
 
   * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
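Review bot: the changelog sentence "a very large integer like ," in the new deb11u4 entry is missing its example value after "like"; either supply the value or drop "like ," so the entry reads cleanly. While touching it, naming the added patch file (0004-fix-DoS-CVE-2024-24814.patch) and the upstream release it was taken from (2.4.15.2, per the patch subject) would document where the fix comes from, which the "all changes are documented in the d/changelog" checklist item implies.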
diff -Nru 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
--- 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
1970-01-01 01:00:00.0 +0100
+++ 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
2024-04-18 14:25:44.0 +0200
@@ -0,0 +1,60 @@
+From: Hans Zandbelt 
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt 
+---
+ src/util.c | 35 +--
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index c6453d0..6782293 100644
+--- a/src/util.c
 b/src/util.c
+@@ -1288,25 +1288,24 @@ static char* 
oidc_util_get_chunk_cookie_name(request_rec *r,
+  */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+   int chunkSize) {
+-  char *cookieValue = NULL;
+-  char *chunkValue = NULL;
+-  int i = 0;
+-  if (chunkSize == 0) {
+-  cookieValue = oidc_util_get_cookie(r, cookieName);
+-  } else {
+-  int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+-  if (chunkCount > 0) {
+-  cookieValue = "";
+-  for (i = 0; i < chunkCount; i++) {
+-  chunkValue = oidc_util_get_cookie(r,
+-  
oidc_util_get_chunk_cookie_name(r, cookieName, i));
+-  if (chunkValue != NULL)
+-  cookieValue = apr_psprintf(r->pool, 
"%s%s", cookieValue,
+-  chunkValue);
+-  }
+-  } else {
+-  cookieValue = oidc_util_get_cookie(r, cookieName);
++  char *cookieValue = NULL, *chunkValue = NULL;
++  int chunkCount = 0, i = 0;
++  if (chunkSize == 0)
++  return oidc_util_get_cookie(r, cookieName);
++  chunkCount = oidc_util_get_chunked_count(r, cookieName);
++  if (chunkCount == 0)
++  return oidc_util_get_cookie(r, cookieName);
++  if ((chunkCount < 0) || (chunkCount > 99)) {
++  oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++  return NULL;
++  }
++  for (i = 0; i < chunkCoun
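Review bot: the new bound check at `++  if ((chunkCount < 0) || (chunkCount > 99))` changes behaviour for a negative count, which the removed `else` branch used to treat like "no chunking" and answer with the plain cookie, and which now logs `chunk count out of bounds` and returns NULL; that decline is the point of the fix, but the bare literal 99 deserves a named constant or a one-line comment saying why that limit was chosen. Also, the embedded patch header renders here as ` b/src/util.c` rather than `++++ b/src/util.c`; please confirm the file under debian/patches carries the `+++ b/src/util.c` line intact, since a mangled header would make quilt refuse the patch at build time.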
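As an added example (not the upstream patch and not the Debian package's code), a stand-alone C sketch of the bounded chunked-cookie reassembly that the [Changes] paragraph and the changelog entry describe: a `<name>_chunks` count outside 1..99, or one that is not a clean integer, is declined instead of driving the loop. It assumes the chunk cookies are named `<name>_<i>` and replaces the module's APR/request_rec helpers with plain libc string handling; the sample Cookie headers are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CHUNKS 99  /* same upper bound the upstream fix applies */

/* Constructed sample Cookie headers (not taken from the page). */
const char *SAMPLE_OK = "a=1; mod_auth_openidc_session_chunks=2; mod_auth_openidc_session_0=eyJh; mod_auth_openidc_session_1=bGci";
const char *SAMPLE_BAD = "mod_auth_openidc_session_chunks=2147483647";
/* malloc'ed copy of cookie `name`'s value from a Cookie header, or NULL if absent. */
static char *get_cookie(const char *header, const char *name) {
    size_t nlen = strlen(name);
    for (const char *p = header; p != NULL; p = strchr(p, ';')) {
        while (*p == ';' || *p == ' ') p++;                   /* skip separators */
        if (strncmp(p, name, nlen) != 0 || p[nlen] != '=') continue;
        const char *v = p + nlen + 1, *end = strchr(v, ';');
        size_t vlen = end ? (size_t)(end - v) : strlen(v);
        char *out = malloc(vlen + 1);
        if (out) { memcpy(out, v, vlen); out[vlen] = '\0'; }
        return out;
    }
    return NULL;
}
/* Count from "<name>_chunks": 0 when absent, -1 when not a clean decimal integer. */
static long get_chunk_count(const char *header, const char *name) {
    char cname[128], *v, *endp;
    snprintf(cname, sizeof cname, "%s_chunks", name);
    if ((v = get_cookie(header, cname)) == NULL) return 0;
    errno = 0; long n = strtol(v, &endp, 10);
    int clean = (*v != '\0' && *endp == '\0' && errno == 0);  /* whole value parsed, no overflow */
    free(v); return clean ? n : -1;
}
/* Reassemble "<name>_0".."<name>_<count-1>" (chunk naming assumed); decline bad counts. */
char *get_chunked_cookie(const char *header, const char *name) {
    long count = get_chunk_count(header, name);
    if (count == 0) return get_cookie(header, name);         /* plain, unchunked cookie */
    if (count < 0 || count > MAX_CHUNKS) return NULL;        /* the CVE-2024-24814 bound */
    char *value = calloc(1, 1); size_t len = 0;              /* grows as chunks are appended */
    for (long i = 0; i < count && value != NULL; i++) {
        char cname[128], *chunk;
        snprintf(cname, sizeof cname, "%s_%ld", name, i);
        if ((chunk = get_cookie(header, cname)) == NULL) continue;  /* missing chunk is skipped */
        size_t clen = strlen(chunk); char *grown = realloc(value, len + clen + 1);
        if (grown == NULL) { free(value); value = NULL; }
        else { value = grown; memcpy(value + len, chunk, clen + 1); len += clen; }
        free(chunk);
    }
    return value;
}
```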