Version in base suite: 2.4.9.4-0+deb11u2 Base version: libapache2-mod-auth-openidc_2.4.9.4-0+deb11u2 Target version: libapache2-mod-auth-openidc_2.4.9.4-0+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.9.4-0+deb11u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_2.4.9.4-0+deb11u3.dsc changelog | 8 +++ patches/0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch | 25 ++++++++++ patches/series | 1 3 files changed, 34 insertions(+)
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2022-12-20 11:20:52.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 2023-05-02 10:59:57.000000000 +0000
@@ -1,3 +1,11 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u3) bullseye-security; urgency=high
+
+ * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
+ segfault DoS when OIDCStripCookies is set
+ https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
+
+ -- Moritz Schlarb Tue, 02 May 2023 12:59:57 +0200
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u2) bullseye; urgency=medium
 
 * Backport fix for CVE-2022-23527: prevent open redirect in default setup
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch 2023-05-02 10:59:57.000000000 +0000
@@ -0,0 +1,25 @@
+From: Moritz Schlarb
+Date: Tue, 2 May 2023 11:44:18 +0200
+Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set
+Author: Hans Zandbelt
+Origin: upstream, https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
+Applied-Upstream: 2.4.13.2, https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
+
+---
+ src/mod_auth_openidc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 099c716..3e9147b 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -191,7 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
+ do {
+ while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
+ cookie++;
+-
++ if (cookie == NULL)
++ break;
+ for (i = 0; i < strip->nelts; i++) {
+ name = ((const char**) strip->elts)[i];
+ if ((strncmp(cookie, name, strlen(name)) == 0)
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series
--- libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2022-12-20 11:14:25.000000000 +0000
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/patches/series 2023-05-02 10:59:57.000000000 +0000
@@ -1,2 +1,3 @@
 fix-parallel-build.patch
 0002-Fix-CVE-2022-23527-prevent-open-redirect.patch
+0003-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
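Review bot: The added `if (cookie == NULL) break;` in the embedded hunk of src/mod_auth_openidc.c stops `strncmp(cookie, name, strlen(name))` from dereferencing a NULL token, which is the crash the advisory describes, but nothing in the patch records why `cookie` can be NULL at that point; a one-line comment such as `/* no further cookie token: stop before strncmp() dereferences NULL */` above the guard would keep a later cleanup from "simplifying" it away. The preceding `while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)` loop already tolerates NULL, so the guard sits correctly between that loop and the inner `for`. The rest of the `do { … } while` body and the function `oidc_strip_cookies` continue outside the hunk, so whether the loop's continuation condition also copes with a NULL token cannot be confirmed from here. The DEP-3 header could additionally carry `Bug-Debian: https://bugs.debian.org/1033916` so the patch itself points at the bug the changelog entry closes.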