Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org
Control: affects -1 + src:lemonldap-ng
[ Reason ]
lemonldap-ng is vulnerable to URL validation bypass
(https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832).
No CVE, fixed in lemonldap-ng 2.0.16-1
[ Impact ]
Medium vulnerability: hacker may use a LemonLDAP-NG URL to redirect to their
site.
[ Tests ]
New test included in this patch
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Use URI to test base64 encoded URL instead of custom regex.
Cheers,
Yadd
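To make the [Changes] line concrete, here is an added example (not LemonLDAP::NG code and not part of Yadd's report) that runs the old custom regex and the URI-based parsing side by side on a value shaped like the one in the report. The helper names `host_by_regex`, `host_by_uri` and `is_allowed` are mine; `is_allowed` is a hypothetical exact-match allow-list check, not the portal's real one, and the `defined` guard on the scheme is an addition that the Debian patch itself does not have. The sample URL is constructed to match the report's pattern.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): compare the old regex split of the
# "urldc" value with the URI-based parsing the patch switches to.
use strict;
use warnings;
use URI;
use MIME::Base64 qw(encode_base64 decode_base64);

# Old approach: the custom regex from Process.pm, as quoted in the patch.
sub host_by_regex {
    my ($url) = @_;
    my ( $proto, $vhost, $appuri ) = $url =~ m#^(https?://)([^/]*)(.*)#;
    return undef unless defined $vhost;
    $vhost =~ s/:\d+$//;    # only a numeric port is stripped; userinfo survives
    return $vhost;
}

# New approach: let URI split scheme, userinfo, host and port properly.
# The defined() guard is an assumption added here, not part of the patch.
sub host_by_uri {
    my ($url) = @_;
    my $u = URI->new($url);
    return undef unless defined $u->scheme && $u->scheme =~ /^https?$/;
    return $u->host;    # userinfo and port are not part of host()
}

# Hypothetical exact-match allow-list check, for illustration only.
sub is_allowed {
    my ( $host, @allowed ) = @_;
    return 0 unless defined $host;
    return ( grep { lc($_) eq lc($host) } @allowed ) ? 1 : 0;
}

# Constructed sample: the shape of the report's malicious value, base64
# encoded the way the portal receives it in ?url=.
my $encoded = encode_base64( 'https://test1.openid.club:test@google.fr', '' );
my $url     = decode_base64($encoded);
my @allow   = ('test1.openid.club');

printf "regex sees host: %s\n", host_by_regex($url) // '(none)';
printf "URI sees host:   %s\n", host_by_uri($url)   // '(none)';
printf "allowed by URI-based check: %d\n", is_allowed( host_by_uri($url), @allow );

# Inputs that must be rejected outright: a non-http scheme and a relative path.
for my $bad ( 'javascript:alert(1)', '/local/path' ) {
    printf "%-22s -> %s\n", $bad, host_by_uri($bad) // '(rejected)';
}
```

The regex returns the whole authority string, userinfo included, so an allow-list check sees the allowed name first and the real destination only after the `@`; `URI->host` returns just the host component, so the check is applied to where the browser will actually go.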
diff --git a/debian/changelog b/debian/changelog
index c276c65c0..b6f666f69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.0.11+ds-4+deb11u3) bullseye; urgency=medium
+
+ * Fix URL validation bypass
+(https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832)
+
+ -- Yadd Sun, 05 Feb 2023 18:03:16 +0400
+
lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
* Add patch to improve session destroy propagation (Closes: CVE-2022-37186)
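Review bot: the trailer line `-- Yadd Sun, 05 Feb 2023 18:03:16 +0400` as rendered here has no `<address>` between the name and the date; dpkg-parsechangelog requires `-- Name <address>  date` (two spaces before the date), so confirm the committed file carries the address and that only the rendering dropped it. The wrapped line `(https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832)` must keep the same two-space body indentation as the `* Fix URL validation bypass` bullet above it, otherwise the entry is rejected as badly formatted. It would also help stable readers to say in the entry that this is a backport of the upstream fix released in 2.0.16.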
diff --git a/debian/patches/fix-url-validation-bypass.patch
b/debian/patches/fix-url-validation-bypass.patch
new file mode 100644
index 0..7eb27f79b
--- /dev/null
+++ b/debian/patches/fix-url-validation-bypass.patch
@@ -0,0 +1,66 @@
+Description: Fix URL validation bypass
+ An attacker can forge a redirection on a malicious site using a fake
credentials in URL value.
+ .
+ Example:
+ .
+Portal : https://auth.openid.club
+Allowed application : https://test1.openid.club
+Malicious site : https://google.fr
+Malicious URL : https://test1.openid.club:t...@google.fr
+Malicious URL base 64 :
aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
+Malicious redirection trigger :
https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
+Author: Maxime Besson
+Origin: upstream, commit:88d3507d commit:e6156db0
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832
+Forwarded: not-needed
+Applied-Upstream: 2.0.16
+Reviewed-By: Yadd
+Last-Update: 2023-02-05
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -8,6 +8,7 @@
+ use MIME::Base64;
+ use POSIX qw(strftime);
+ use Lemonldap::NG::Portal::Main::Constants qw(portalConsts);
++use URI;
+
+ # Main method
+ # ---
+@@ -152,12 +153,19 @@
+ }
+
+ # Unprotected hosts
+-my ( $proto, $vhost, $appuri ) = $tmp =~ m#^(https?://)([^/]*)(.*)#;
+-$vhost =~ s/:\d+$//;
++my ( $proto, $vhost, $appuri );
++if ($tmp) {
++my $u = URI->new($tmp);
++if ( $u->scheme =~ /^https?$/ ) {
++$proto = $u->scheme;
++$vhost = $u->host if $u->can("host");
++$appuri = $u->path_query;
++}
++}
+
+ # Try to resolve alias
+ my $originalVhost = $self->HANDLER->resolveAlias($vhost);
+-$vhost = $proto . $originalVhost;
++$vhost = $proto . '://' . $originalVhost;
+ $self->logger->debug( "Required URL (param: "
+ . ( $req->param('logout') ? 'HTTP Referer' : 'urldc' )
+ . " | value: $tmp | alias: $vhost)" );
+--- a/lemonldap-ng-portal/t/03-XSS-protection.t
b/lemonldap-ng-portal/t/03-XSS-protection.t
+@@ -80,6 +80,11 @@
+ => 0,
+ 'base64 encoded HTML tags',
+
++# Make sure userinfo does not confuse URL parsing (#2832)
++# https://test1.example.com:t...@hacker.com
++'aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20=' => 0,
++'userinfo trick',
++
+ # LOGOUT TESTS
+ 'LOGOUT',
+
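Review bot: in the Process.pm hunk, `if ( $u->scheme =~ /^https?$/ )` runs the match against `undef` whenever `$tmp` has no scheme (a relative value), which emits an "uninitialized value" warning under `use warnings`; guard it with `defined $u->scheme && $u->scheme =~ /^https?$/` or `( $u->scheme // '' ) =~ /^https?$/`. Once the scheme is known to be http or https, `if $u->can("host")` is redundant (URI::http objects always provide `host`), though harmless. The old capture `(.*)` put everything after the authority into `$appuri`, while `$u->path_query` drops any fragment; check that nothing downstream depends on the fragment being preserved. The `'://'` inserted before `$originalVhost` is required because `$u->scheme` returns `https` without the separator, unlike the old first capture group, so that part is correct. In the test hunk, the fixture comment `# https://test1.example.com:t...@hacker.com` shows the userinfo elided; make sure the committed file spells it out so the decoded value is obvious to the next reader. Minor wording in the Description: `a fake credentials` should read `fake credentials`.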
diff --git a/debian/patches/series b/debian/patches/series
index 9d8952af0..8b9338fec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ fix-xss-on-register-form.patch
dont-display-totp-secret.patch
CVE-2021-40874.patch
CVE-2022-37186.patch
+fix-url-validation-bypass.patch