Bug#1030598: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u3

Yadd yadd at debian.org
Sun Feb 5 14:08:26 GMT 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap-ng at packages.debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
lemonldap-ng is vulnerable to a URL validation bypass
(https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832).
No CVE; fixed in lemonldap-ng 2.0.16-1.

[ Impact ]
Medium vulnerability: a hacker may use a LemonLDAP-NG URL to redirect to their
site.

[ Tests ]
New test included in this patch

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Use URI to test the base64-encoded URL instead of a custom regex.

Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index c276c65c0..b6f666f69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.0.11+ds-4+deb11u3) bullseye; urgency=medium
+
+  * Fix URL validation bypass
+    (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832)
+
+ -- Yadd <yadd at debian.org>  Sun, 05 Feb 2023 18:03:16 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
 
   * Add patch to improve session destroy propagation (Closes: CVE-2022-37186)
diff --git a/debian/patches/fix-url-validation-bypass.patch b/debian/patches/fix-url-validation-bypass.patch
new file mode 100644
index 000000000..7eb27f79b
--- /dev/null
+++ b/debian/patches/fix-url-validation-bypass.patch
@@ -0,0 +1,66 @@
+Description: Fix URL validation bypass
+ An attacker can forge a redirection on a malicious site using a fake credentials in URL value.
+ .
+ Example:
+ .
+    Portal : https://auth.openid.club
+    Allowed application : https://test1.openid.club
+    Malicious site : https://google.fr
+    Malicious URL : https://test1.openid.club:test@google.fr
+    Malicious URL base 64 : aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
+    Malicious redirection trigger : https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=
+Author: Maxime Besson <maxime.besson at worteks.com>
+Origin: upstream, commit:88d3507d commit:e6156db0
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832
+Forwarded: not-needed
+Applied-Upstream: 2.0.16
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-02-05
+
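Review bot: the base64 value in the Description decodes to the malicious URL plus a trailing newline (its final `cgo=` group encodes `r\n`, typical of `echo | base64` without `-n`), whereas the vector added to t/03-XSS-protection.t has no newline; since the Description is the reference for reproducing the issue, regenerate it with `printf '%s' "$url" | base64 -w0` so both agree. Minor wording: "using a fake credentials in URL value" should read "using fake credentials in the URL value".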
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -8,6 +8,7 @@
+ use MIME::Base64;
+ use POSIX qw(strftime);
+ use Lemonldap::NG::Portal::Main::Constants qw(portalConsts);
++use URI;
+ 
+ # Main method
+ # -----------
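Review bot: `use URI;` adds a runtime dependency of Process.pm on the URI module, but the debdiff touches only debian/changelog, the new patch and debian/patches/series, not debian/control; confirm that lemonldap-ng-portal in bullseye already Depends on liburi-perl (directly or through an existing dependency such as libwww-perl), otherwise the portal will fail to compile after the update.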
+@@ -152,12 +153,19 @@
+         }
+ 
+         # Unprotected hosts
+-        my ( $proto, $vhost, $appuri ) = $tmp =~ m#^(https?://)([^/]*)(.*)#;
+-        $vhost =~ s/:\d+$//;
++        my ( $proto, $vhost, $appuri );
++        if ($tmp) {
++            my $u = URI->new($tmp);
++            if ( $u->scheme =~ /^https?$/ ) {
++                $proto  = $u->scheme;
++                $vhost  = $u->host if $u->can("host");
++                $appuri = $u->path_query;
++            }
++        }
+ 
+         # Try to resolve alias
+         my $originalVhost = $self->HANDLER->resolveAlias($vhost);
+-        $vhost = $proto . $originalVhost;
++        $vhost = $proto . '://' . $originalVhost;
+         $self->logger->debug( "Required URL (param: "
+               . ( $req->param('logout') ? 'HTTP Referer' : 'urldc' )
+               . " | value: $tmp | alias: $vhost)" );
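Review bot: when `$tmp` is empty or its scheme is not http/https (a `javascript:` URL, or a scheme-less value such as `/foo`), `$proto`, `$vhost` and `$appuri` stay undef but execution still falls through to `resolveAlias($vhost)` and to `$vhost = $proto . '://' . $originalVhost`, producing uninitialized-value warnings and a `$vhost` of `://...`; the new `if ( $u->scheme =~ /^https?$/ )` branch is the natural place to reject (or log and return) instead of relying on a later check. Related: `$u->scheme` is undef for a scheme-less `$tmp`, so the match itself warns; guard it with `defined $u->scheme and ...`. The `$u->can("host")` test is always true once the scheme matched (URI::http and URI::https both provide `host`), so it is harmless but redundant. Dropping the port via `$u->host` matches the old `s/:\d+$//` behaviour, and the `'://'` added at the concatenation correctly compensates for `$proto` no longer carrying it.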
+--- a/lemonldap-ng-portal/t/03-XSS-protection.t
++++ b/lemonldap-ng-portal/t/03-XSS-protection.t
+@@ -80,6 +80,11 @@
+       => 0,
+     'base64 encoded HTML tags',
+ 
++    # Make sure userinfo does not confuse URL parsing (#2832)
++    # https://test1.example.com:test@hacker.com
++    'aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20=' => 0,
++    'userinfo trick',
++
+     # LOGOUT TESTS
+     'LOGOUT',
+ 
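Review bot: the new case only checks the negative path (the userinfo form is rejected). Since the port is now removed by `$u->host` rather than by `s/:\d+$//`, and an absent-scheme value now takes a different code path than before, a positive case such as an allowed host with an explicit port (`https://test1.example.com:8443/`) expected to resolve, and a scheme-less or `javascript:` value expected to be rejected without warnings, would guard the same code path against regressions. Keep the decoded-URL comment above the base64 literal; it is what makes these vectors reviewable.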
diff --git a/debian/patches/series b/debian/patches/series
index 9d8952af0..8b9338fec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ fix-xss-on-register-form.patch
 dont-display-totp-secret.patch
 CVE-2021-40874.patch
 CVE-2022-37186.patch
+fix-url-validation-bypass.patch
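
The userinfo trick this update fixes can be seen by running the pre-patch regex extraction and a parser-based extraction side by side on the encoded `url` vectors from the patch. The following is an added example, not code from the bug report or from LemonLDAP::NG (whose portal is written in Perl); it re-creates both extraction strategies in Python, with `urllib.parse.urlsplit` standing in for URI.pm. The allow-list and the lenient prefix check are assumptions made for the example, since the portal's actual rule lookup is not shown in this report.

```python
"""
Added example, not code from the bug report or from LemonLDAP::NG (whose portal
is Perl): a Python re-creation of the pre-patch regex host extraction and the
post-patch parser-based extraction, run on the "url" vectors from the patch.
The allow-list and the lenient prefix check are assumptions made for the
example; the portal's real rule lookup is not shown in the report.
"""
import base64
import re
from urllib.parse import urlsplit

# Constructed allow-list for the example (assumption): the hosts the portal
# would consider legitimate redirect targets.
ALLOWED_VHOSTS = {"test1.openid.club", "test1.example.com"}


def decode_url_param(b64: str) -> str:
    """Decode the portal's base64 'url' parameter.

    The value in the patch description was base64-encoded with a trailing
    newline, so surrounding whitespace is stripped before parsing.
    """
    return base64.b64decode(b64).decode("utf-8").strip()


def regex_vhost(url: str):
    """Pre-patch extraction: m#^(https?://)([^/]*)(.*)# then s/:\\d+$//.

    Everything between '://' and the first '/' is taken as the vhost, so a
    userinfo part ('test1.openid.club:test@') stays glued to the real host.
    """
    m = re.match(r"^(https?://)([^/]*)(.*)", url)
    if not m:
        return None
    proto, vhost, appuri = m.groups()
    vhost = re.sub(r":\d+$", "", vhost)  # only strips a numeric port
    return proto, vhost, appuri


def parsed_vhost(url: str):
    """Post-patch extraction: scheme, host and path+query from a real parser.

    urlsplit().hostname, like URI.pm's ->host, drops both userinfo and port,
    so the returned host is the one a browser would actually contact.
    """
    u = urlsplit(url)
    if u.scheme not in ("http", "https"):
        return None
    path_query = u.path + ("?" + u.query if u.query else "")
    return u.scheme, u.hostname, path_query


def browser_host(url: str):
    """Host a browser resolves for the URL (userinfo before '@' is not part of it)."""
    return urlsplit(url).hostname


def exact_allowed(vhost) -> bool:
    """Whole-host comparison against the allow-list."""
    return vhost is not None and vhost.lower() in ALLOWED_VHOSTS


def lenient_allowed(vhost) -> bool:
    """Hypothetical unanchored check (assumption, not the portal's code).

    Shown because the pre-patch regex hands back a string that merely starts
    with the allowed name; any check that is not a whole-host comparison
    (prefix test, regex without a trailing anchor) waves it through.
    """
    return vhost is not None and any(vhost.lower().startswith(a) for a in ALLOWED_VHOSTS)


def evaluate(b64: str) -> dict:
    """Run both extractors on one encoded 'url' value and report what each sees."""
    url = decode_url_param(b64)
    old = regex_vhost(url)
    new = parsed_vhost(url)
    old_host = old[1] if old else None
    new_host = new[1] if new else None
    return {
        "url": url,
        "regex_host": old_host,
        "regex_lenient_allowed": lenient_allowed(old_host),
        "parser_host": new_host,
        "parser_exact_allowed": exact_allowed(new_host),
        "browser_host": browser_host(url),
    }


if __name__ == "__main__":
    # Vectors: the one from the patch description (with its trailing newline),
    # the one added to t/03-XSS-protection.t, and a constructed legitimate
    # target with an explicit port to show the port handling is preserved.
    for vec in (
        "aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo=",
        "aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20=",
        base64.b64encode(b"https://test1.openid.club:8443/app?x=1").decode(),
    ):
        for key, value in evaluate(vec).items():
            print(f"{key:>22}: {value}")
        print()
```

For the description's vector the regex returns `test1.openid.club:test@google.fr` as the "vhost" while both the parser and a browser see `google.fr`; for the port vector both strategies agree on `test1.openid.club`, which is the behaviour the replaced `s/:\d+$//` line used to provide.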


More information about the pkg-perl-maintainers mailing list