Version in base suite: 2.4.9.4-0+deb11u3 Base version: libapache2-mod-auth-openidc_2.4.9.4-0+deb11u3 Target version: libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.9.4-0+deb11u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.9.4-0+deb11u4.dsc changelog | 13 ++++++ patches/0004-fix-DoS-CVE-2024-24814.patch | 60 ++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 74 insertions(+)
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2023-05-02 10:59:57.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2024-04-18 12:27:26.000000000 +0000
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
+
+ * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+ cookie value made the server vulnerable to a Denial of Service (DoS)
+ attack. If an attacker manipulated the value of the OpenIDC cookie to a
+ very large integer like 99999999, the server struggled with the request for
+ a long time and finally returned a 500 error. Making a few requests of this
+ kind caused servers to become unresponsive, and so attackers could thereby
+ craft requests that would make the server work very hard and/or crash with
+ minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb Thu, 18 Apr 2024 14:27:26 +0200
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u3) bullseye-security; urgency=high
 
 * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch 2024-04-18 12:25:44.000000000 +0000
@@ -0,0 +1,60 @@
+From: Hans Zandbelt
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt
+---
+ src/util.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index c6453d0..6782293 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1288,25 +1288,24 @@ static char* oidc_util_get_chunk_cookie_name(request_rec *r,
+ */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+ int chunkSize) {
+- char *cookieValue = NULL;
+- char *chunkValue = NULL;
+- int i = 0;
+- if (chunkSize == 0) {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
+- } else {
+- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+- if (chunkCount > 0) {
+- cookieValue = "";
+- for (i = 0; i < chunkCount; i++) {
+- chunkValue = oidc_util_get_cookie(r,
+- oidc_util_get_chunk_cookie_name(r, cookieName, i));
+- if (chunkValue != NULL)
+- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
+- chunkValue);
+- }
+- } else {
+- cookieValue = oidc_util_get_cookie(r, cookieName);
++ char *cookieValue = NULL, *chunkValue = NULL;
++ int chunkCount = 0, i = 0;
++ if (chunkSize == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ chunkCount = oidc_util_get_chunked_count(r, cookieName);
++ if (chunkCount == 0)
++ return oidc_util_get_cookie(r, cookieName);
++ if ((chunkCount < 0) || (chunkCount > 99)) {
++ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++ return NULL;
++ }
++ for (i = 0; i < chunkCount; i++) {
++ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
++ if (chunkValue == NULL) {
++ oidc_warn(r, "could not find chunk %d; aborting", i);
++ break;
+ }
++ 
cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
+ }
+ return cookieValue;
+ }
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2023-05-02 10:59:57.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2024-04-18 12:25:19.000000000 +0000
@@ -1,3 +1,4 @@
 fix-parallel-build.patch
 0002-Fix-CVE-2022-23527-prevent-open-redirect.patch
 0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
+0004-fix-DoS-CVE-2024-24814.patch
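Review bot: A missing chunk in the rewritten loop of oidc_util_get_chunked_cookie only `break`s, so the function falls through to `return cookieValue;` and hands the caller the chunks concatenated so far as if they were a complete cookie value; `return NULL;` in place of `break;` would make the failure unambiguous instead of relying on callers (not visible here) to reject a truncated session blob, and the "aborting" warning already describes that intent. The bound `chunkCount > 99` is a bare magic number that also fixes the ceiling for legitimate clients; a named constant with a comment tying it to the advisory (e.g. `#define OIDC_MAX_COOKIE_CHUNKS 99 /* cap on the client-supplied chunk count, CVE-2024-24814 */`, name to taste) would keep the rationale attached to the value. The count presumably still originates from a client-controlled cookie (the changelog names `mod_auth_openidc_session_chunks`), so this range check is the control that closes the DoS; whether `oidc_util_get_chunked_count` validates its own parse is outside this patch. The patched function is shown in full inside the nested hunk.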