Bug#1019539: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u2
Yadd
yadd at debian.org
Sun Sep 11 14:13:43 BST 2022
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-perl-maintainers at alioth-lists.debian.net
[ Reason ]
lemonldap-ng before version 2.0.15 has an issue that may keep
a session active on a Lemonldap::NG handler if the user has continuous
activity on this handler after session expiration or deletion
(CVE-2022-37186), if and only if user activity is tracked by handlers
(disabled by default).
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed, no new test backported here
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Handler calls to the session API now have a "nocache" option for writing.
Cheers,
Yadd
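To make the defect concrete, here is an added toy model (not Lemonldap::NG code and not part of this report) of a session store with a per-handler cache, written after the Store.pm and Session.pm hunks in the attached debdiff. It assumes, as a simplification, a write-through cache that is repopulated on every write; the session ids and field names are constructed. It shows why an activity update that reads through the local cache can re-create a session the portal has already destroyed in the shared backend, and how a noCache flag on the write path closes that window.

```perl
#!/usr/bin/perl
# Added illustration, not Lemonldap::NG code: a minimal session store with a
# per-handler cache, modelled on the Store.pm / Session.pm hunks of the debdiff.
use strict;
use warnings;

# Constructed sample data: the shared session backend and one handler's cache.
my %backend = ( sess1 => { uid => 'alice', _utime => 1000 } );
my %cache   = ( sess1 => { uid => 'alice', _utime => 1000 } );

# Read a session the way the Store.pm hunk does: the local cache wins unless
# the caller passes noCache. Returns undef when the backend no longer has it.
sub fetch_session {
    my ( $id, %args ) = @_;
    return $cache{$id} if !$args{noCache} && exists $cache{$id};
    return $backend{$id};    # undef if the session was deleted or expired
}

# Write a session back. Assumption of this model: the cache is refreshed on
# write, as a write-through cache would be.
sub store_session {
    my ( $id, $data ) = @_;
    $backend{$id} = { %$data };
    $cache{$id}   = { %$data };
    return 1;
}

# Record user activity on a session. With $use_nocache false this is the
# pre-fix behaviour: a stale cached copy is written back to the backend.
sub update_activity {
    my ( $id, $now, $use_nocache ) = @_;
    my $data = fetch_session( $id, noCache => $use_nocache );
    return 0 unless $data;    # session is gone: nothing to update
    $data->{_utime} = $now;
    store_session( $id, $data );
    return 1;
}

# The portal destroys the session (logout or expiry) in the shared backend;
# this handler's cache has not been invalidated yet.
delete $backend{sess1};

# Pre-fix: the handler's activity update reads the cached copy and writes it
# back, so the backend holds a live session again.
update_activity( 'sess1', 2000, 0 );
printf "without noCache: backend has sess1? %s\n",
    exists $backend{sess1} ? 'yes' : 'no';

# Same situation again, this time bypassing the cache on the write path: the
# update sees the deletion and leaves the backend alone.
delete $backend{sess1};
$cache{sess1} = { uid => 'alice', _utime => 1000 };
update_activity( 'sess1', 2000, 1 );
printf "with noCache:    backend has sess1? %s\n",
    exists $backend{sess1} ? 'yes' : 'no';
```

The first update reports the destroyed session present in the backend again; the second, which bypasses the cache exactly as the patched `_tie_session` call does with `noCache => 1`, reports it absent.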
diff --git a/debian/changelog b/debian/changelog
index f6be653a8..c276c65c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
+
+ * Add patch to improve session destroy propagation (Closes: CVE-2022-37186)
+
+ -- Yadd <yadd at debian.org> Sun, 11 Sep 2022 09:28:30 +0200
+
lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
* Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
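Review bot: `(Closes: CVE-2022-37186)` in the new changelog entry will not be picked up by the changelog tooling, which only recognises Debian bug numbers after `Closes:`; the CVE identifier belongs in the entry text itself, e.g. `* Add patch to improve session destroy propagation (CVE-2022-37186)`, with `Closes: #NNNNNN` (placeholder) reserved for a Debian bug number if one exists.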
diff --git a/debian/patches/CVE-2022-37186.patch b/debian/patches/CVE-2022-37186.patch
new file mode 100644
index 000000000..12e80c4d7
--- /dev/null
+++ b/debian/patches/CVE-2022-37186.patch
@@ -0,0 +1,31 @@
+Description: Improve session destroy propagation
+Author: Yadd <yadd at debian.org>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b3
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2022-09-11
+
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm
+@@ -56,7 +56,7 @@
+
+ # Get session from cache
+ my $id = $session->{data}->{_session_id};
+- if ( $self->cache->get($id) ) {
++ if ( !$self->{args}->{noCache} and $self->cache->get($id) ) {
+ $session->{serialized} = $self->cache->get($id);
+ return;
+ }
+--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm
++++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm
+@@ -213,7 +213,8 @@
+ return 0;
+ }
+
+- my $data = $self->_tie_session($tieOptions);
++ my $data = $self->_tie_session(
++ { ( $tieOptions ? %$tieOptions : () ), noCache => 1 } );
+
+ if ($data) {
+ foreach ( keys %$infos ) {
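Review bot: the DEP-3 header of the new patch (`+Description: Improve session destroy propagation` and the fields below it) never names CVE-2022-37186, so the only link between this patch and the advisory is the file name and the changelog; add the identifier to the Description line so the patch is self-describing. A one-line rationale would also help future readers: the Session.pm hunk (the one followed by `foreach ( keys %$infos )`) passes `noCache => 1` into `_tie_session` so that the new Store.pm condition `if ( !$self->{args}->{noCache} and $self->cache->get($id) )` skips the local cache and the write starts from the backend copy rather than a possibly stale cached one.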
diff --git a/debian/patches/series b/debian/patches/series
index 644277be7..9d8952af0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ fix-trusted-domain-regex.patch
fix-xss-on-register-form.patch
dont-display-totp-secret.patch
CVE-2021-40874.patch
+CVE-2022-37186.patch
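Review bot: the new series entry is appended correctly, but note that it follows `CVE-2021-40874.patch` while the existing changelog context line in the first hunk reads `(Closes: CVE-2021-20874)`; one of the two identifiers is a typo. It predates this upload, so it is not a blocker here, but it is worth correcting in the next changelog entry so the security tracker can match the fix.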