Version in base suite: 5.5.0-2 Base version: ruby-doorkeeper_5.5.0-2 Target version: ruby-doorkeeper_5.5.0-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ruby-doorkeeper/ruby-doorkeeper_5.5.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ruby-doorkeeper/ruby-doorkeeper_5.5.0-2+deb12u1.dsc changelog | 7 ++ patches/0001-Block-public-clients-automatic-authorization-skip.patch | 31 ++++++++++ patches/series | 1 3 files changed, 39 insertions(+)
diff -Nru ruby-doorkeeper-5.5.0/debian/changelog ruby-doorkeeper-5.5.0/debian/changelog
--- ruby-doorkeeper-5.5.0/debian/changelog 2021-08-27 11:15:52.000000000 +0000
+++ ruby-doorkeeper-5.5.0/debian/changelog 2024-12-08 21:42:11.000000000 +0000
@@ -1,3 +1,10 @@
+ruby-doorkeeper (5.5.0-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-34246: Improper Authentication (Closes: #1038950)
+
+ -- Adrian Bunk Sun, 08 Dec 2024 23:42:11 +0200
+
 ruby-doorkeeper (5.5.0-2) unstable; urgency=medium
 
 [ Debian Janitor ]
diff -Nru ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch
--- ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch 2024-12-08 21:41:54.000000000 +0000
@@ -0,0 +1,31 @@
+From 992ead90a17e368129bed6750da2f90e9e720e80 Mon Sep 17 00:00:00 2001
+From: Adam Heath
+Date: Fri, 17 Mar 2023 16:41:30 +0800
+Subject: Block public clients automatic authorization skip
+
+Non-confidential applications should not be able to skip the authorization stop, even if they have an existing matching_token.
+
+From the [issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1589):
+> According to RFC 8252 section 8.6, the authentication server should re-prompt for user consent, since the client's identity cannot be assured simply from the client_id parameter
+
+Fixes https://github.com/doorkeeper-gem/doorkeeper/issues/1589
+---
+ app/controllers/doorkeeper/authorizations_controller.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/app/controllers/doorkeeper/authorizations_controller.rb b/app/controllers/doorkeeper/authorizations_controller.rb
+index 71dce31c..81445875 100644
+--- a/app/controllers/doorkeeper/authorizations_controller.rb
++++ b/app/controllers/doorkeeper/authorizations_controller.rb
+@@ -23,7 +23,7 @@ module Doorkeeper
+ private
+
+ def render_success
+- if skip_authorization? || matching_token?
++ if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
+ redirect_or_render authorize_response
+ elsif Doorkeeper.configuration.api_only
+ render json: pre_auth
+--
+2.30.2
+
diff -Nru ruby-doorkeeper-5.5.0/debian/patches/series ruby-doorkeeper-5.5.0/debian/patches/series
--- ruby-doorkeeper-5.5.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ ruby-doorkeeper-5.5.0/debian/patches/series 2024-12-08 21:42:10.000000000 +0000
@@ -0,0 +1 @@
+0001-Block-public-clients-automatic-authorization-skip.patch
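Review bot: The new guard in `render_success` (inner hunk at `@@ -23,7 +23,7 @@`) makes the consent bypass depend on `pre_auth.client.application.confidential?` without any comment recording why, and `render_success` continues past the end of the hunk. I'd add above the `if`: `# RFC 8252 §8.6: a public client's identity cannot be verified from client_id alone, so an existing token must not skip the consent prompt (CVE-2023-34246)`. `confidential?` presumably resolves through the applications table's `confidential` column; whether every deployment running this 5.5.0 package has that column is worth confirming before upload, since a missing column would surface here as a NoMethodError on the consent path rather than as a re-prompt. Note the change only tightens the `matching_token?` arm while `skip_authorization?` remains an unconditional, operator-configured bypass, which is intended but worth stating in the same comment. Since this is a Debian patch, the git From/Subject header should also gain DEP-3 fields, e.g. `Origin: upstream, https://github.com/doorkeeper-gem/doorkeeper/commit/992ead90a17e368129bed6750da2f90e9e720e80` and `Bug-Debian: https://bugs.debian.org/1038950`.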