Bug#1085176: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u3
Yadd
yadd at debian.org
Tue Oct 15 20:02:49 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: lemonldap-ng at packages.debian.org, yadd at debian.org
Control: affects -1 + src:lemonldap-ng
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
Lemonldap-ng <2.20.0 is vulnerable to an XSS injection (#1084979,
CVE-2024-48933)
[ Impact ]
Low security issue unless the admin changes the default regex for logins
[ Tests ]
Passed
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Add HTML escapes and change autofocus
Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS
index 0bb3cc914..0b5732a86 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,16 @@
+lemonldap-ng (2.16.1+ds-deb12u3) UNRELEASED; urgency=medium
+
+ Custom templates maybe vulnerable to XSS injection when default allowed
+ characters have been changed. To fix this, replace every
+
+ <TMPL_VAR NAME="LOGIN">
+
+ by
+
+ <TMPL_VAR NAME="LOGIN" ESCAPE=HTML>
+
+ -- Yadd <yadd at debian.org> Tue, 15 Oct 2024 19:27:47 +0200
+
lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium
A feature of OIDC allows the OpenID Provider to fetch the Authorization
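Review bot: the NEWS stanza for 2.16.1+ds-deb12u3 says UNRELEASED while the changelog stanza for the same version targets bookworm; make them consistent, since this NEWS entry is what apt-listchanges shows on upgrade. The text also has a typo ("maybe vulnerable" should be "may be vulnerable"), and it would help to mention that the unquoted form `<TMPL_VAR NAME=LOGIN>` (as in password.tpl) needs the same ESCAPE=HTML treatment.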
diff --git a/debian/changelog b/debian/changelog
index 148164a94..c0bc25b80 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lemonldap-ng (2.16.1+ds-deb12u3) bookworm; urgency=medium
+
+ * Fix XSS issue (Closes: #1084979, CVE-2024-48933)
+
+ -- Yadd <yadd at debian.org> Tue, 15 Oct 2024 20:59:06 +0200
+
lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium
* Fix open redirection when OIDC RP has no redirect uris
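Review bot: the changelog entry only records the XSS fix, but the patch also changes login-form focus behaviour (the `datas['login']` branch is removed from portal.coffee and `autofocus` is set conditionally in standardform.tpl) and adds a NEWS entry for custom templates; the bug report itself lists "change autofocus" under [ Changes ], so add a bullet for it so the user-visible change is documented.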
diff --git a/debian/patches/CVE-2024-48933.patch b/debian/patches/CVE-2024-48933.patch
new file mode 100644
index 000000000..eb666a0dd
--- /dev/null
+++ b/debian/patches/CVE-2024-48933.patch
@@ -0,0 +1,117 @@
+Description: Fix XSS vulnerability
+ A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3
+ allows remote attackers to inject arbitrary web script or HTML into the
+ login page via a username if userControl has been set to a non-default
+ value that allows special HTML characters.
+Author: Maxime Besson
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3232
+Bug-Debian: https://bugs.debian.org/1084979
+Forwarded: not-needed
+Applied-Upstream: 2.20.0, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/606
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-10-15
+
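Review bot: the Description says the vulnerability affects LemonLDAP::NG "before 2.19.3", while Applied-Upstream says 2.20.0 and the bug report says <2.20.0; align the version in the Description with the upstream release that carries the fix so the DEP-3 header is not misleading.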
+--- a/lemonldap-ng-portal/site/coffee/portal.coffee
++++ b/lemonldap-ng-portal/site/coffee/portal.coffee
+@@ -295,12 +295,9 @@
+ if datas['choicetab']
+ authMenuTabs.tabs "option", "active", $('#authMenu a[href="#' + datas['choicetab'] + '"]').parent().index()
+
+- if datas['login']
+- $("input[type=password]:first").focus()
+- else
+- # If there are no auto-focused fields, focus on first visible input
+- if $("input[autofocus]").length == 0
+- $("input[type!=hidden]:first").focus();
++ # If there are no auto-focused fields, focus on first visible input
++ if $("input[autofocus]").length == 0
++ $("input[type!=hidden]:first").focus()
+
+ # Open links in new windows if required
+ if datas['newwindow']
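Review bot: dropping the `if datas['login']` branch removes the JavaScript-side focus on the first password input and relies on templates to set `autofocus` instead, but only standardform.tpl gets the `<TMPL_IF NAME="LOGIN">autofocus</TMPL_IF>` conditional in this patch; gpgform.tpl and checkuser.tpl only receive ESCAPE=HTML, so on those forms a prefilled login now leaves focus on the first visible input rather than the first password input. If that is intended, say so in the changelog; otherwise apply the same conditional to those templates.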
+--- a/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/checkuser.tpl
+@@ -11,7 +11,7 @@
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="userfield" class="mb-0"><i class="fa fa-user"></i></label></span>
+ </div>
+- <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="user" aria-required="true"/>
++ <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="user" aria-required="true"/>
+ </div>
+ <div class="input-group mb-3">
+ <div class="input-group-prepend">
+--- a/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/globallogout.tpl
+@@ -6,7 +6,7 @@
+ <div class="row">
+ <TMPL_IF NAME="SESSIONS">
+ <div class="card col border-secondary">
+- <div class="text-center bg-light text-dark"><b><span trspan="activeSessions">ACTIVE SSO SESSIONS</span>: <u><TMPL_VAR NAME="LOGIN"></u></b></div>
++ <div class="text-center bg-light text-dark"><b><span trspan="activeSessions">ACTIVE SSO SESSIONS</span>: <u><TMPL_VAR NAME="LOGIN" ESCAPE=HTML></u></b></div>
+ <table class="table table-sm table-hover text-center">
+ <thead>
+ <tr>
+--- a/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/gpgform.tpl
+@@ -5,7 +5,7 @@
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="userfield" class="mb-0"><i class="fa fa-user"></i></label></span>
+ </div>
+- <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="mail" required aria-required="true" />
++ <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="mail" required aria-required="true" />
+ </div>
+
+ <div class="input-group mb-3">
+--- a/lemonldap-ng-portal/site/templates/bootstrap/password.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/password.tpl
+@@ -17,11 +17,11 @@
+
+ <TMPL_IF NAME="LOGIN">
+ <div class="input-group mb-3">
+- <input name="user" type="hidden" value="<TMPL_VAR NAME=LOGIN>" />
++ <input name="user" type="hidden" value="<TMPL_VAR NAME=LOGIN ESCAPE=HTML>" />
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="staticUser" class="mb-0"><i class="fa fa-user"></i></label></span>
+ </div>
+- <input id="staticUser" type="text" readonly class="form-control" value="<TMPL_VAR NAME=LOGIN>" />
++ <input id="staticUser" type="text" readonly class="form-control" value="<TMPL_VAR NAME=LOGIN ESCAPE=HTML>" />
+ </div>
+ </TMPL_IF>
+
+--- a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
++++ b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
+@@ -10,21 +10,21 @@
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="userfield" class="mb-0"><i class="fa fa-user"></i></label></span>
+ </div>
+- <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN">" trplaceholder="login" required aria-required="true"/>
++ <input id="userfield" name="user" type="text" class="form-control" value="<TMPL_VAR NAME="LOGIN" ESCAPE=HTML>" trplaceholder="login" required aria-required="true" <TMPL_UNLESS NAME="LOGIN">autofocus</TMPL_UNLESS> />
+ </div>
+ <div class="input-group mb-3">
+ <div class="input-group-prepend">
+ <span class="input-group-text"><label for="passwordfield" class="mb-0"><i class="fa fa-lock"></i></label></span>
+ </div>
+ <TMPL_IF NAME="DONT_STORE_PASSWORD">
+- <input id="passwordfield" name="password" type="text" class="form-control" trplaceholder="password" autocomplete="off" required aria-required="true" aria-hidden="true"/>
++ <input id="passwordfield" name="password" type="text" class="form-control" trplaceholder="password" autocomplete="off" required aria-required="true" aria-hidden="true" <TMPL_IF NAME="LOGIN">autofocus</TMPL_IF> />
+ <TMPL_IF NAME="ENABLE_PASSWORD_DISPLAY">
+ <div class="input-group-append">
+ <span class="input-group-text"><i id="toggle_password" class="fa fa-eye-slash toggle-password"></i></span>
+ </div>
+ </TMPL_IF>
+ <TMPL_ELSE>
+- <input id="passwordfield" name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true"/>
++ <input id="passwordfield" name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true" <TMPL_IF NAME="LOGIN">autofocus</TMPL_IF> />
+ <TMPL_IF NAME="ENABLE_PASSWORD_DISPLAY">
+ <div class="input-group-append">
+ <span class="input-group-text"><i id="toggle_password" class="fa fa-eye-slash toggle-password"></i></span>
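Review bot: in the DONT_STORE_PASSWORD branch the `type="text"` password field carries `aria-hidden="true"` and now also gets `autofocus` when LOGIN is set; an element hidden from assistive technology should not receive focus, and the old JavaScript (`input[type=password]:first`) would not have focused this text-typed input, so this is a behaviour change for that branch. Consider omitting the autofocus conditional there or dropping `aria-hidden` from a field that is meant to be focused.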
+--- a/lemonldap-ng-portal/site/templates/common/script.tpl
++++ b/lemonldap-ng-portal/site/templates/common/script.tpl
+@@ -20,7 +20,6 @@
+ {
+ "displaytab":"<TMPL_VAR NAME="DISPLAY_TAB">",
+ "choicetab":"<TMPL_VAR NAME="CHOICE_VALUE">",
+- "login":"<TMPL_VAR NAME="LOGIN">",
+ "newwindow":<TMPL_VAR NAME="NEWWINDOW" DEFAULT="0">,
+ "appslistorder":"<TMPL_VAR NAME="APPSLIST_ORDER">",
+ "activeTimer":<TMPL_VAR NAME="ACTIVE_TIMER" DEFAULT="0">,
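Review bot: removing the `login` key is the right fix here rather than ESCAPE=HTML, because the value is interpolated into a double-quoted JavaScript string inside this JSON object, where HTML entity escaping would not prevent breaking out of the string literal (that context needs ESCAPE=JS), and the CoffeeScript no longer reads it after the portal.coffee change. The neighbouring string values `DISPLAY_TAB`, `CHOICE_VALUE` and `APPSLIST_ORDER` are interpolated the same way without any ESCAPE; worth confirming they cannot carry user-supplied input, since the patch leaves them as-is.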
diff --git a/debian/patches/series b/debian/patches/series
index e4acf948c..ff8b2d3b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ apply-user-control-to-authslave.patch
fix-open-redirection.patch
fix-open-redirection-without-OIDC-redirect-uris.patch
SSRF-issue.patch
+CVE-2024-48933.patch