[AUTOPATCHER-EXTENDED] Patched mod_auth_mellon to address CVE-2021-3639 (#6103)
* Patch mod_auth_mellon to address CVE-2021-3639 * Lint spec file * Modify prep to use autosetup --------- Co-authored-by: Archana Choudhary <archana1@microsoft.com>
This commit is contained in:
CBL-Mariner-Bot
GitHub
parent
6acc7fa856
commit
b7edc21247
|
|
@ -0,0 +1,44 @@
|
|||
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
|
||||
From: AIMOTO Norihito <aimoto@osstech.co.jp>
|
||||
Date: Tue, 6 Jul 2021 22:57:24 +0200
|
||||
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
|
||||
|
||||
Visiting a logout URL like this:
|
||||
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
|
||||
would have redirected the user to fishing-site.example.com
|
||||
|
||||
With the patch, this URL would be rejected.
|
||||
|
||||
Fixes: CVE-2021-3639
|
||||
---
|
||||
auth_mellon_util.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
||||
index 2f8c9c3..6a686db 100644
|
||||
--- a/auth_mellon_util.c
|
||||
+++ b/auth_mellon_util.c
|
||||
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
|
||||
{
|
||||
const char *i;
|
||||
|
||||
+ if (url == NULL) {
|
||||
+ return HTTP_BAD_REQUEST;
|
||||
+ }
|
||||
+
|
||||
for (i = url; *i; i++) {
|
||||
if (*i >= 0 && *i < ' ') {
|
||||
/* Deny all control-characters. */
|
||||
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
|
||||
}
|
||||
}
|
||||
|
||||
+ if (strstr(url, "///") == url) {
|
||||
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
||||
+ "URL starts with '///'");
|
||||
+ return HTTP_BAD_REQUEST;
|
||||
+ }
|
||||
+
|
||||
return OK;
|
||||
}
|
||||
|
||||
|
|
@ -1,43 +1,40 @@
|
|||
%bcond_with user_guide
|
||||
|
||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||
Name: mod_auth_mellon
|
||||
Version: 0.16.0
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||
Name: mod_auth_mellon
|
||||
Version: 0.16.0
|
||||
Release: 3%{?dist}
|
||||
Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0_16_0/mod_auth_mellon-0.16.0.tar.gz
|
||||
Source1: auth_mellon.conf
|
||||
Source2: 10-auth_mellon.conf
|
||||
Source3: mod_auth_mellon.conf
|
||||
Source4: mellon_create_metadata.sh
|
||||
Source5: README.redhat.rst
|
||||
License: GPLv2+
|
||||
URL: https://github.com/latchset/mod_auth_mellon
|
||||
Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0_16_0/mod_auth_mellon-0.16.0.tar.gz
|
||||
Source1: auth_mellon.conf
|
||||
Source2: 10-auth_mellon.conf
|
||||
Source3: mod_auth_mellon.conf
|
||||
Source4: mellon_create_metadata.sh
|
||||
Source5: README.redhat.rst
|
||||
Patch0: CVE-2021-3639.patch
|
||||
BuildRequires: curl-devel
|
||||
BuildRequires: gcc
|
||||
BuildRequires: curl-devel
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: httpd-devel
|
||||
BuildRequires: lasso-devel >= 2.5.1-13
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: xmlsec1-devel
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: httpd-devel
|
||||
BuildRequires: lasso-devel >= 2.5.1-13
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: systemd-rpm-macros
|
||||
BuildRequires: xmlsec1-devel
|
||||
Requires: httpd-mmn
|
||||
Requires: lasso >= 2.5.1-13
|
||||
%if %{with user_guide}
|
||||
BuildRequires: rubygem-asciidoctor
|
||||
BuildRequires: rubygem-asciidoctor
|
||||
%endif
|
||||
|
||||
Requires: httpd-mmn
|
||||
Requires: lasso >= 2.5.1-13
|
||||
Url: https://github.com/latchset/mod_auth_mellon
|
||||
|
||||
|
||||
%description
|
||||
The mod_auth_mellon module is an authentication service that implements the
|
||||
SAML 2.0 federation protocol. It grants access based on the attributes
|
||||
received in assertions generated by a IdP server.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
export APXS=%{_httpd_apxs}
|
||||
|
|
@ -88,8 +85,8 @@ cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
|
|||
%endif
|
||||
|
||||
%package diagnostics
|
||||
Summary: Build of mod_auth_mellon with diagnostic logging
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Summary: Build of mod_auth_mellon with diagnostic logging
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description diagnostics
|
||||
Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
|
||||
|
|
@ -113,6 +110,9 @@ in the doc directory for instructions on using the diagnostics build.
|
|||
%dir /run/%{name}/
|
||||
|
||||
%changelog
|
||||
* Wed Aug 30 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.16.0-4
|
||||
- Add patch for CVE-2021-3639
|
||||
|
||||
* Tue Mar 15 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.16.0-3
|
||||
- Adding missing BR on 'systemd-rpm-macros'.
|
||||
- License verified.
|
||||
|
|
@ -188,18 +188,13 @@ in the doc directory for instructions on using the diagnostics build.
|
|||
- Update to new upstream 0.12.0
|
||||
- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
|
||||
incorrect error handling when reading POST data from client.
|
||||
|
||||
- [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
|
||||
resource exhaustion) due to missing size checks when reading
|
||||
POST data.
|
||||
|
||||
In addition this release contains the following new features and fixes:
|
||||
|
||||
- Add MellonRedirectDomains option to limit the sites that
|
||||
mod_auth_mellon can redirect to. This option is enabled by default.
|
||||
|
||||
- Add support for ECP service options in PAOS requests.
|
||||
|
||||
- Fix AssertionConsumerService lookup for PAOS requests.
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4
|
||||
|
|
|
|||
Loading…
Reference in New Issue