Version in base suite: 2.4.12.3-2 Base version: libapache2-mod-auth-openidc_2.4.12.3-2 Target version: libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.12.3-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.12.3-2+deb12u1.dsc changelog | 13 ++ gbp.conf | 1 patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch | 2 patches/0002-fix-DoS-CVE-2024-24814.patch | 60 ++++++++++ patches/series | 1 5 files changed, 76 insertions(+), 1 deletion(-)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog libapache2-mod-auth-openidc-2.4.12.3/debian/changelog
--- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2023-05-02 09:48:09.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-04-18 12:20:00.000000000 +0000
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+ cookie value made the server vulnerable to a Denial of Service (DoS)
+ attack. If an attacker manipulated the value of the OpenIDC cookie to a
+ very large integer like 99999999, the server struggled with the request for
+ a long time and finally returned a 500 error. Making a few requests of this
+ kind caused servers to become unresponsive, and so attackers could thereby
+ craft requests that would make the server work very hard and/or crash with
+ minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb Thu, 18 Apr 2024 14:20:00 +0200
+
 libapache2-mod-auth-openidc (2.4.12.3-2) unstable; urgency=high
 
 * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 2023-05-02 09:41:28.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 2024-04-18 12:20:00.000000000 +0000
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = bookworm
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 2023-05-02 09:47:32.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 2024-04-18 12:20:00.000000000 +0000
@@ -1,9 +1,9 @@
 From: Moritz Schlarb
 Date: Tue, 2 May 2023 11:44:18 +0200
 Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set
+ Origin: upstream, https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
 Applied-Upstream: 2.4.13.2, https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
 ---
 src/mod_auth_openidc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch 2024-04-18 12:20:00.000000000 +0000
@@ -0,0 +1,60 @@
+From: Hans Zandbelt
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt
+---
+ src/util.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index e1f0a3a..7a86c24 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1325,25 +1325,24 @@ static char* oidc_util_get_chunk_cookie_name(request_rec *r,
+ */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+ int chunkSize) {
+- char *cookieValue = NULL;
+- char *chunkValue = NULL;
+- int i = 0;
+- if (chunkSize == 0) {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
+- } else {
+- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+- if (chunkCount > 0) {
+- cookieValue = "";
+- for (i = 0; i < chunkCount; i++) {
+- chunkValue = oidc_util_get_cookie(r,
+- oidc_util_get_chunk_cookie_name(r, cookieName, i));
+- if (chunkValue != NULL)
+- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
+- chunkValue);
+- }
+- } else {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
++ char *cookieValue = NULL, *chunkValue = NULL;
++ int chunkCount = 0, i = 0;
++ if (chunkSize == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ chunkCount = oidc_util_get_chunked_count(r, cookieName);
++ if (chunkCount == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ if ((chunkCount < 0) || (chunkCount > 99)) {
++ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++ return NULL;
++ }
++ for (i = 0; i < chunkCount; i++) {
++ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
++ if (chunkValue == NULL) {
++ oidc_warn(r, "could not find chunk %d; aborting", i);
++ break;
+ }
++ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
+ }
+ return cookieValue;
+ }
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2023-05-02 09:44:59.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-04-18 12:20:00.000000000 +0000
@@ -1 +1,2 @@
 0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
+0002-fix-DoS-CVE-2024-24814.patch
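Review bot: When a chunk is missing the loop `break`s but the function still returns the partially assembled `cookieValue`, so the caller receives a truncated session blob rather than a clear failure; the truncated value presumably fails later decryption or validation, but failing closed here is cheaper and clearer: replace `break;` with `return NULL;`, or clear the accumulator first with `cookieValue = NULL; break;`. The literal `99` in `if ((chunkCount < 0) || (chunkCount > 99))` is the actual CVE-2024-24814 mitigation and deserves a named constant with a comment such as `/* cap on the client-controlled chunk count; bounds the work a crafted session_chunks cookie can force */` so it is not later relaxed as an arbitrary limit. The per-iteration `apr_psprintf` re-copies the whole accumulated value, which is quadratic in chunkCount, but with the new cap that cost is bounded and acceptable.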