Version in base suite: 2.4.12.3-2+deb12u2
Base version: libapache2-mod-auth-openidc_2.4.12.3-2+deb12u2
Target version: libapache2-mod-auth-openidc_2.4.12.3-2+deb12u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.12.3-2+deb12u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.12.3-2+deb12u3.dsc
changelog | 10 +
patches/0004-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch | 90 ++++++++++
patches/series | 1
3 files changed, 101 insertions(+)
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog libapache2-mod-auth-openidc-2.4.12.3/debian/changelog
--- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2024-07-23 08:47:49.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 2025-04-16 08:56:55.000000000 +0000
@@ -1,3 +1,13 @@
+libapache2-mod-auth-openidc (2.4.12.3-2+deb12u3) bookworm-security; urgency=high
+
+ * Fix CVE-2025-31492
+ "protected content leakage when using OIDCProviderAuthRequestMethod POST"
+ Backported applicable portions from upstream fix in
+ https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
+ (Closes: #1102413)
+
+ -- Moritz Schlarb Wed, 16 Apr 2025 10:56:55 +0200
+
 libapache2-mod-auth-openidc (2.4.12.3-2+deb12u2) bookworm; urgency=medium
 
 * Add patch for "oidc_check_x_forwarded_hdr check segfaults"
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0004-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0004-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0004-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0004-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch 2025-04-16 08:56:55.000000000 +0000
@@ -0,0 +1,90 @@
+From: Moritz Schlarb
+Date: Wed, 16 Apr 2025 10:53:13 +0200
+Subject: Fix CVE-2025-31492 "protected content leakage when using
+ OIDCProviderAuthRequestMethod POST"
+
+Backported applicable portions from upstream fix in
+https://github.com/OpenIDC/mod_auth_openidc/commit/b59b8ad63411857090ba1088e23fe414c690c127
+---
+ src/mod_auth_openidc.c | 6 +++++-
+ src/mod_auth_openidc.h | 3 ++-
+ src/proto.c | 14 +++++++++-----
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 63fa99f..9f19b63 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -4387,7 +4387,11 @@ int oidc_content_handler(request_rec *r) {
+ 
+ rc = oidc_discovery(r, c);
+ 
+- } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN) != NULL) {
++ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST) != NULL) {
++
++ rc = OK;
++
++ } else if (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE) != NULL) {
+ 
+ rc = OK;
+ 
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index a67bbfb..7c23c94 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -109,7 +109,8 @@ APLOG_USE_MODULE(auth_openidc);
+ #define OIDC_REQUEST_STATE_KEY_IDTOKEN "i"
+ #define OIDC_REQUEST_STATE_KEY_CLAIMS "c"
+ #define OIDC_REQUEST_STATE_KEY_DISCOVERY "d"
+-#define OIDC_REQUEST_STATE_KEY_AUTHN "a"
++#define OIDC_REQUEST_STATE_KEY_AUTHN_POST "a"
++#define OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE "p"
+ #define OIDC_REQUEST_STATE_KEY_SAVE "s"
+ 
+ /* parameter name of the callback URL in the discovery response */
+diff --git a/src/proto.c b/src/proto.c
+index 470ec7d..afb8ad8 100644
+--- a/src/proto.c
++++ b/src/proto.c
+@@ -585,7 +585,7 @@ static int oidc_proto_add_form_post_param(void *rec, const char *key,
+ /*
+ * make the browser POST parameters through Javascript auto-submit
+ */
+-static int oidc_proto_html_post(request_rec *r, const char *url,
++static void 
oidc_proto_html_post(request_rec *r, const char *url,
+ apr_table_t *params) {
+ 
+ oidc_debug(r, "enter");
+@@ -601,7 +601,7 @@ static int oidc_proto_html_post(request_rec *r, const char *url,
+ html_body = apr_psprintf(r->pool, "%s%s", data.html_body, "

\n" " \n");
+ 
+- return oidc_util_html_send(r, "Submitting...", NULL,
++ oidc_util_html_send(r, "Submitting...", NULL,
+ "document.forms[0].submit", html_body, OK);
+ }
+ 
+@@ -733,8 +733,12 @@ int oidc_proto_authorization_request(request_rec *r,
+ if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
+ 
+ /* construct a HTML POST auto-submit page with the authorization request parameters */
+- rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
+- params);
++ oidc_proto_html_post(r, provider->authorization_endpoint_url, params);
++
++ /* signal this to the content handler */
++ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_POST, "");
++ r->user = "";
++ rv = OK;
+ 
+ } else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
+ 
+@@ -756,7 +760,7 @@ int oidc_proto_authorization_request(request_rec *r,
+ } else {
+ 
+ /* signal this to the content handler */
+- oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN, "");
++ oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_AUTHN_PRESERVE, "");
+ r->user = "";
+ rv = OK;
+ 
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2024-07-23 08:47:23.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/patches/series 2025-04-16 08:56:55.000000000 +0000
@@ -1,3 +1,4 @@
 0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 0002-fix-DoS-CVE-2024-24814.patch
 0003-avoid-crash-when-the-Forwarded-header-is-not-present.patch
+0004-Fix-CVE-2025-31492-protected-content-leakage-when-us.patch
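Review bot: The AUTHN_POST branch added to oidc_content_handler in the mod_auth_openidc.c hunk is identical to the AUTHN_PRESERVE branch that follows it (both are only `rc = OK;`), and neither says why returning OK there is what closes CVE-2025-31492. As the proto.c hunk shows, the auto-submit page has already been written by `oidc_proto_html_post()` before `r->user = ""` and `rv = OK` are set, so the content handler claiming the request for the AUTHN_POST state is presumably the only thing left that keeps Apache from serving the protected resource after that page. I would merge the two branches into one `||` condition and document it: `/* an authn page (POST auto-submit form or preserved POST) has already been sent; claim the request so no other handler appends the protected content */`. That also means the fix depends on oidc_content_handler running ahead of any other handler for the location and on the request-state note surviving until the handler phase; neither is visible here, so a regression test that requests a protected resource with OIDCProviderAuthRequestMethod POST and asserts the response body ends with the form would be worth adding. Both oidc_content_handler and oidc_proto_authorization_request start and end outside these hunks.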