Bug#1087200: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u4
Yadd
yadd at debian.org
Sat Nov 9 14:54:39 GMT 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap-ng at packages.debian.org, yadd at debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
lemonldap-ng is a Web-SSO. In Bookworm, it is vulnerable to:
- XSS issue in the "Upgrade" plugin, which allows users to upgrade their
authentication level within the current session (for example, to use an SSL
card instead of login/password)
- Privilege escalation when "Adaptative auth level" is used: a user can
apply the benefit more than once using the "refresh-session"
mechanism
[ Impact ]
Medium security issues.
[ Tests ]
Test updated, passed
[ Risks ]
Low risk: patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- don't apply adaptative rules when session is refreshed
- apply the "checkXSS" method on "Upgrade" plugin URLs
[ Other info ]
These 2 issues will have a CVE number soon
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index c0bc25b80..8cb311051 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u4) bookworm; urgency=medium
+
+ * Fix authentication privilege
+ * Fix XSS in "Upgrade" plugin
+
+ -- Yadd <yadd at debian.org> Sat, 09 Nov 2024 18:47:24 +0400
+
lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium
* Fix XSS issue (Closes: #1084979, CVE-2024-48933)
diff --git a/debian/patches/fix-auth-level-escalation.patch b/debian/patches/fix-auth-level-escalation.patch
new file mode 100644
index 000000000..f6b213744
--- /dev/null
+++ b/debian/patches/fix-auth-level-escalation.patch
@@ -0,0 +1,72 @@
+Description: Do not run adaptativeAuthenticationLevel during refresh
+Author: Maxime Besson <maxime.besson at worteks.com>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255
+Forwarded: not-needed
+Applied-Upstream: 2.20.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/5df0f833
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-11-09
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdaptativeAuthenticationLevel.pm
+@@ -35,6 +35,8 @@
+ sub adaptAuthenticationLevel {
+ my ( $self, $sub, $req ) = @_;
+
++ return $sub->($req) if $req->refresh;
++
+ my $userid = $req->sessionInfo->{ $self->conf->{whatToTrace} }
+ || $req->sessionInfo->{uid};
+ $self->logger->debug("Check adaptative authentication rules for $userid");
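Review bot: the early return `return $sub->($req) if $req->refresh;` sits before the `Check adaptative authentication rules for $userid` debug line, so a refresh that skips the rules leaves no trace in the portal log; add a `$self->logger->debug("Refresh: skipping adaptative authentication rules")` before the return. The fix also relies on `$req->refresh` being set on every refresh path in 2.16.1, and the accompanying test only exercises `/refresh`; confirm that the other refresh entry points set the same flag, otherwise the level can still be re-upgraded through them.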
+--- a/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t
++++ b/lemonldap-ng-portal/t/61-AdaptativeAuthenticationLevel.t
+@@ -42,20 +42,23 @@
+ count(1);
+ $id = expectCookie($res);
+
++my $session = getSession($id)->data;
++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
++is( $session->{authenticationLevel}, 3, 'Authentication level upgraded' );
++count(2);
++
+ ok(
+ $res = $client->_get(
+- '/session/my/global', cookie => "lemonldap=$id"
++ '/refresh', cookie => "lemonldap=$id"
+ ),
+ 'Get session'
+ );
+ count(1);
+-$json = expectJSON($res);
+
+-ok( $json->{uid} eq 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
+-ok( $json->{authenticationLevel} == 3, 'Authentication level upgraded' );
+-ok( scalar keys %$json == 10, 'Ten exported attributes found' )
+- or explain( scalar keys %$json, Dumper $json );
+-count(3);
++$session = getSession($id)->data;
++is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );
++is( $session->{authenticationLevel}, 3, 'Authentication level upgraded' );
++count(2);
+
+ ok( $client->logout($id), 'Logout' );
+ count(1);
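Review bot: both added `is( $session->{uid}, 'dwho', 'uid found' ) or explain( $json, "uid='dwho'" );` lines still pass `$json` to `explain`, but this hunk removes the `$json = expectJSON($res);` assignment that fed it, so on failure the diagnostic dumps a stale or undefined value; pass `$session` instead. Two smaller points: the `ok( $res = $client->_get( '/refresh', ... ), 'Get session' )` test label no longer matches the request (rename to 'Refresh session'), and the dropped `'Ten exported attributes found'` assertion has no replacement, so the exported-attribute count is no longer covered by this test.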
+@@ -72,16 +75,8 @@
+ count(1);
+ $id = expectCookie($res);
+
+-ok(
+- $res = $client->_get(
+- '/session/my/global', cookie => "lemonldap=$id"
+- ),
+- 'Get session'
+-);
+-count(1);
+-$json = expectJSON($res);
+-
+-ok( $json->{authenticationLevel} == 5, 'Authentication level upgraded' );
++$session = getSession($id)->data;
++ok( $session->{authenticationLevel} == 5, 'Authentication level upgraded' );
+ count(1);
+
+ ok( $client->logout($id), 'Logout' );
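Review bot: the level-5 branch keeps `ok( $session->{authenticationLevel} == 5, 'Authentication level upgraded' );` while the first hunk switched the equivalent check to `is(...)`; use `is( $session->{authenticationLevel}, 5, ... )` here too so a failure reports the actual level. More importantly, this branch only removes the `/session/my/global` call and does not add the `/refresh` plus re-read of `getSession($id)->data` that the first branch gained, so the regression being fixed (rules re-applied on refresh) is only tested for the level-3 rule; repeat the refresh check here.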
diff --git a/debian/patches/fix-xss-in-upgrade-plugin.patch b/debian/patches/fix-xss-in-upgrade-plugin.patch
new file mode 100644
index 000000000..c4879277d
--- /dev/null
+++ b/debian/patches/fix-xss-in-upgrade-plugin.patch
@@ -0,0 +1,21 @@
+Description: Check XSS in ::Plugins::Upgrade
+Author: Maxime Besson <maxime.besson at worteks.com>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257
+Forwarded: not-needed
+Applied-Upstream: 2.20.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/600ba2c0b3d4bb0a4dd2eb9d8b612edcca8805dc
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-11-09
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
+@@ -79,6 +79,9 @@
+ $self->logger->debug(" -> Skip confirmation is enabled")
+ if $self->conf->{"skip${action}Confirmation"};
+
++ $url = '' if $self->p->checkXSSAttack('url', $url);
++ $forceUpgrade = '' if $self->p->checkXSSAttack('forceUpgrade', $forceUpgrade);
++
+ # Display form
+ return $self->p->sendHtml(
+ $req,
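Review bot: `$url = '' if $self->p->checkXSSAttack('url', $url);` and the `$forceUpgrade` line blank the values rather than rejecting the request, and they are placed only in front of the `# Display form` branch, after the `Skip confirmation is enabled` debug line; verify that the skip-confirmation path (and any later redirect that consumes `$url`) cannot use the unchecked values before this point, and consider returning an error or at least logging at warn level instead of silently continuing with an empty `url`, since a blanked target changes where the user lands after the upgrade. Minor: the second added line exceeds the file's line length; wrap it to match the surrounding style.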
diff --git a/debian/patches/series b/debian/patches/series
index ff8b2d3b0..d99c28333 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@ fix-open-redirection.patch
fix-open-redirection-without-OIDC-redirect-uris.patch
SSRF-issue.patch
CVE-2024-48933.patch
+fix-auth-level-escalation.patch
+fix-xss-in-upgrade-plugin.patch
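Review bot: the two new entries use descriptive names while the previous security patch in the series is `CVE-2024-48933.patch`; since the mail says CVE ids are expected soon, keep the descriptive file names (renaming a shipped patch churns the debdiff) but add the ids to the DEP-3 headers of both patches once assigned so the series stays traceable.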
More information about the pkg-perl-maintainers mailing list