commit cc55d839c183c057cd38c7719efcef936a5875b4
Author: CentOS Sources
Date: Tue Nov 15 01:49:41 2022 -0500

    import mod_auth_mellon-0.17.0-7.el9

diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b3f44ac --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/mod_auth_mellon-0.17.0.tar.gz diff --git a/.mod_auth_mellon.metadata b/.mod_auth_mellon.metadata new file mode 100644 index 0000000..05fd034 --- /dev/null +++ b/.mod_auth_mellon.metadata @@ -0,0 +1 @@ +df4039cca9d706b10c49ea3435af0382da2b959a SOURCES/mod_auth_mellon-0.17.0.tar.gz diff --git a/SOURCES/0001-Prevent-redirect-to-URLs-that-begin-with.patch b/SOURCES/0001-Prevent-redirect-to-URLs-that-begin-with.patch new file mode 100644 index 0000000..2c93c96 --- /dev/null +++ b/SOURCES/0001-Prevent-redirect-to-URLs-that-begin-with.patch
@@ -0,0 +1,47 @@ +From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001 +From: AIMOTO Norihito +Date: Tue, 6 Jul 2021 22:57:24 +0200 +Subject: [PATCH] Prevent redirect to URLs that begin with '///' + +Visiting a logout URL like this: + https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html +would have redirected the user to fishing-site.example.com + +With the patch, this URL would be rejected. + +Fixes: CVE-2021-3639 +--- + auth_mellon_util.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/auth_mellon_util.c b/auth_mellon_util.c +index 2f8c9c3..6a686db 100644 +--- a/auth_mellon_util.c ++++ b/auth_mellon_util.c +@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url) + { + const char *i; + ++ if (url == NULL) { ++ return HTTP_BAD_REQUEST; ++ } ++ + for (i = url; *i; i++) { + if (*i >= 0 && *i < ' ') { + /* Deny all control-characters. */ +@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url) + } + } + ++ if (strstr(url, "///") == url) { ++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, ++ "URL starts with '///'"); ++ return HTTP_BAD_REQUEST; ++ } ++ + return OK; + } + +-- +2.26.3 + diff --git a/SOURCES/10-auth_mellon.conf b/SOURCES/10-auth_mellon.conf new file mode 100644 index 0000000..b605132 --- /dev/null +++ b/SOURCES/10-auth_mellon.conf @@ -0,0 +1 @@ +LoadModule auth_mellon_module modules/mod_auth_mellon.so diff --git a/SOURCES/README.redhat.rst b/SOURCES/README.redhat.rst new file mode 100644 index 0000000..a834aae --- /dev/null +++ b/SOURCES/README.redhat.rst 
@@ -0,0 +1,83 @@ +Red Hat Specific mod_auth_mellon Information +============================================ + +This README contains information specific to Red Hat's distribution of +``mod_auth_mellon``. + +Diagnostic Logging +------------------ + +Diagnostic logging can be used to collect run time information to help +diagnose problems with your ``mod_auth_mellon`` deployment. Please see +the "Mellon Diagnostics" section in the Mellon User Guide for more +details. + +How to enable diagnostic logging on Red Hat systems +``````````````````````````````````````````````````` + +Diagnostic logging adds overhead to the execution of +``mod_auth_mellon``. The code to emit diagnostic logging must be +compiled into ``mod_auth_mellon`` at build time. In addition the +diagnostic log file may contain security sensitive information which +should not normally be written to a log file. If you have a +version of ``mod_auth_mellon`` which was built with diagnostics you +can disable diagnostic logging via the ``MellonDiagnosticsEnable`` +configuration directive. However given human nature the potential to +enable diagnostic logging while resolving a problem and then forget to +disable it is not a situation that should exist by default. Therefore +given the overhead consideration and the desire to avoid enabling +diagnostic logging by mistake the Red Hat ``mod_auth_mellon`` RPM's +ship with two versions of the ``mod_auth_mellon`` Apache module. + +1. The ``mod_auth_mellon`` RPM contains the normal Apache module + ``/usr/lib*/httpd/modules/mod_auth_mellon.so`` + +2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic + version of the Apache module + ``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so`` + +Because each version of the module has a different name both the +normal and diagnostic modules can be installed simultaneously without +conflict. But Apache will only load one of the two modules. 
Which +module is loaded is controlled by the +``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file which +has a line in it which looks like this:: + + LoadModule auth_mellon_module modules/mod_auth_mellon.so + +To load the diagnostics version of the module you need to change the +module name so it looks like this:: + + LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so + +**Don't forget to change it back again when you're done debugging.** + +You'll also need to enable the collection of diagnostic information, +do this by adding this directive at the top of your Mellon conf.d +config file or inside your virtual host config (diagnostics are per +server instance):: + + MellonDiagnosticsEnable On + +.. NOTE:: + Some versions of the Mellon User Guide have a typo in the name of + this directive, it incorrectly uses ``MellonDiagnosticEnable`` + instead of ``MellonDiagnosticsEnable``. The difference is + Diagnostics is plural. + +The Apache ``error_log`` will contain a message indicating how it +processed the ``MellonDiagnosticsEnable`` directive. If you loaded the +standard module without diagnostics you'll see a message like this:: + + MellonDiagnosticsEnable has no effect because Mellon was not + compiled with diagnostics enabled, use + ./configure --enable-diagnostics at build time to turn this + feature on. + +If you've loaded the diagnostics version of the module you'll see a +message in the ``error_log`` like this:: + + mellon diagnostics enabled for virtual server *:443 + (/etc/httpd/conf.d/my_server.conf:7) + ServerName=https://my_server.example.com:443, diagnostics + filename=logs/mellon_diagnostics diff --git a/SOURCES/auth_mellon.conf b/SOURCES/auth_mellon.conf new file mode 100644 index 0000000..ad86d39 --- /dev/null +++ b/SOURCES/auth_mellon.conf @@ -0,0 +1,2 @@ +MellonCacheSize 100 +MellonLockFile "/run/mod_auth_mellon/lock" 
diff --git a/SOURCES/mellon_create_metadata.sh b/SOURCES/mellon_create_metadata.sh new file mode 100644 index 0000000..9c587a6 --- /dev/null +++ b/SOURCES/mellon_create_metadata.sh @@ -0,0 +1,126 @@ +#!/usr/bin/env bash +set -e + +PROG="$(basename "$0")" + +printUsage() { + echo "Usage: $PROG ENTITY-ID ENDPOINT-URL" + echo "" + echo "Example:" + echo " $PROG urn:someservice https://sp.example.org/mellon" + echo "" +} + +if [ "$#" -lt 2 ]; then + printUsage + exit 1 +fi + +ENTITYID="$1" +if [ -z "$ENTITYID" ]; then + echo "$PROG: An entity ID is required." >&2 + exit 1 +fi + +BASEURL="$2" +if [ -z "$BASEURL" ]; then + echo "$PROG: The URL to the MellonEndpointPath is required." >&2 + exit 1 +fi + +if ! echo "$BASEURL" | grep -q '^https\?://'; then + echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2 + exit 1 +fi + +HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')" +BASEURL="$(echo "$BASEURL" | sed 's#/$##')" + +OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')" +echo "Output files:" +echo "Private key: $OUTFILE.key" +echo "Certificate: $OUTFILE.cert" +echo "Metadata: $OUTFILE.xml" +echo "Host: $HOST" +echo +echo "Endpoints:" +echo "SingleLogoutService (SOAP): $BASEURL/logout" +echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout" +echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse" +echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse" +echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse" +echo + +# No files should not be readable by the rest of the world. +umask 0077 + +TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)" + +cat >"$TEMPLATEFILE" </dev/null + +rm -f "$TEMPLATEFILE" + +CERT="$(grep -v '^-----' "$OUTFILE.cert")" + +cat >"$OUTFILE.xml" < + + + + + + $CERT + + + + + + + $CERT + + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + +EOF + +umask 0777 +chmod go+r "$OUTFILE.xml" +chmod go+r "$OUTFILE.cert" 
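Review bot: in SOURCES/mellon_create_metadata.sh, the trailing `umask 0777` does nothing useful: no file is created after it, and it misleads a reader into thinking the script is widening permissions at the end. What keeps `$OUTFILE.key` private is the earlier `umask 0077`, with the two `chmod go+r` calls re-opening only the certificate and the metadata. Drop `umask 0777` and add an explicit `chmod 600 "$OUTFILE.key"` so the key's mode does not depend on the umask in force when it was written. Smaller point: the `grep -q '^https\?://'` check accepts `http://` endpoints without comment, and a warning that the AssertionConsumerService and SingleLogoutService URLs will then be advertised to the IdP over plain HTTP would help an operator who pastes the metadata as generated.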
diff --git a/SOURCES/mod_auth_mellon.conf b/SOURCES/mod_auth_mellon.conf new file mode 100644 index 0000000..5e653bc --- /dev/null +++ b/SOURCES/mod_auth_mellon.conf @@ -0,0 +1,2 @@ +# mod_auth_mellon lock file is created in this directory +d /run/mod_auth_mellon 0755 apache apache diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec new file mode 100644 index 0000000..666e1f9 --- /dev/null +++ b/SPECS/mod_auth_mellon.spec 
@@ -0,0 +1,266 @@ +Summary: A SAML 2.0 authentication module for the Apache Httpd Server +Name: mod_auth_mellon +Version: 0.17.0 +Release: 7%{?dist} +Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz +Source1: auth_mellon.conf +Source2: 10-auth_mellon.conf +Source3: mod_auth_mellon.conf +Source4: mellon_create_metadata.sh +Source5: README.redhat.rst +License: GPLv2+ +BuildRequires: make +BuildRequires: gcc +BuildRequires: curl-devel +BuildRequires: glib2-devel +BuildRequires: httpd-devel +BuildRequires: lasso-devel >= 2.5.1-13 +BuildRequires: openssl-devel +BuildRequires: xmlsec1-devel +BuildRequires: rubygem-asciidoctor +Requires: httpd-mmn = %{_httpd_mmn} +Requires: lasso >= 2.5.1-13 +Url: https://github.com/latchset/mod_auth_mellon + +Patch0001: 0001-Prevent-redirect-to-URLs-that-begin-with.patch + +%description +The mod_auth_mellon module is an authentication service that implements the +SAML 2.0 federation protocol. It grants access based on the attributes +received in assertions generated by a IdP server. 
+ +%prep +%autosetup -n %{name}-%{version} + +%build +export APXS=%{_httpd_apxs} +%configure --enable-diagnostics +make clean +%{make_build} +cp .libs/%{name}.so %{name}-diagnostics.so + +%configure +make clean +%{make_build} +pushd doc/user_guide +asciidoctor -a data-uri mellon_user_guide.adoc +popd + +%install +# install module +mkdir -p %{buildroot}%{_httpd_moddir} +install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir} +install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir} + +# install module configuration +mkdir -p %{buildroot}%{_httpd_confdir} +install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir} +mkdir -p %{buildroot}%{_httpd_modconfdir} +install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir} + +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir} +mkdir -p %{buildroot}/run/%{name} + +# install script to generate metadata +mkdir -p %{buildroot}/%{_libexecdir}/%{name} +install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name} + +#install documentation +mkdir -p %{buildroot}/%{_pkgdocdir} + +# install Red Hat README +install %{SOURCE5} %{buildroot}/%{_pkgdocdir} + +# install user guide +cp -r doc/user_guide %{buildroot}/%{_pkgdocdir} + +%package diagnostics +Summary: Build of mod_auth_mellon with diagnostic logging +Requires: %{name} = %{version}-%{release} + +%description diagnostics +Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst +in the doc directory for instructions on using the diagnostics build. 
+ +%files diagnostics +%{_httpd_moddir}/%{name}-diagnostics.so + +%files +%if 0%{?rhel} && 0%{?rhel} < 7 +%doc COPYING +%else +%license COPYING +%endif +%doc README.md NEWS ECP.rst +%doc %{_pkgdocdir}/README.redhat.rst +%doc %{_pkgdocdir}/user_guide +%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf +%config(noreplace) %{_httpd_confdir}/auth_mellon.conf +%{_httpd_moddir}/mod_auth_mellon.so +%{_tmpfilesdir}/mod_auth_mellon.conf +%{_libexecdir}/%{name} +%dir %attr(-, apache, apache) /run/%{name}/ + +%changelog +* Tue Jul 26 2022 Tomas Halman - 0.17.0-7 +- bad user/group ownership for /run/mod_auth_mellon + Resolves: rhbz#2047948 + +* Fri Jul 30 2021 Jakub Hrozek - 0.17.0-6 +- Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect + vulnerability in logout URLs + +* Mon Aug 09 2021 Mohan Boddu - 0.17.0-5 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 0.17.0-4 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri Apr 16 2021 Mohan Boddu - 0.17.0-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 0.17.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Sep 16 2020 Jakub Hrozek - 0.17.0-1 +- New upstream version 0.17.0 + +* Tue Jul 28 2020 Fedora Release Engineering - 0.16.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Feb 13 2020 Tom Stellard - 0.16.0-2 +- Use make_build macro instead of just make +- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make + +* Mon Feb 3 2020 Jakub Hrozek - 0.16.0-1 +- New upstream version 0.16.0 + +* Wed Jan 29 2020 Fedora Release Engineering - 0.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Nov 19 2019 Jakub Hrozek - 0.15.0-1 +- New upstream version 0.15.0 +- Resolves: rhbz#1725742 - CVE-2019-13038 mod_auth_mellon: an Open Redirect + via the login?ReturnTo= substring which could + facilitate information theft [fedora-all] + +* Thu Jul 25 2019 Fedora Release Engineering - 0.14.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Mar 22 2019 Jakub Hrozek - 0.14.2-1 +- Upgrade to 0.14.2 +- Related: rhbz#1691771 - CVE-2019-3877 mod_auth_mellon: open redirect in + logout url when using URLs with backslashes +- Related: rhbz#1691136 - CVE-2019-3878 mod_auth_mellon: authentication + bypass in ECP flow + +* Fri Feb 01 2019 Fedora Release Engineering - 0.14.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 0.14.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed May 2 2018 John Dennis - 0.14.0-3 +- update lasso version dependency + +* Tue May 1 2018 John Dennis - 0.14.0-2 +- clean diagnostics build prior to normal build + +* Thu Apr 19 2018 John Dennis - 0.14.0-1 +- Upgrade to new upstream release +- Add README.redhat.rst doc explaining packaging of this module. 
+ +* Thu Feb 08 2018 Fedora Release Engineering - 0.13.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Oct 1 2017 John Dennis - 0.13.1-1 +- upgrade to new upstream release + +* Thu Aug 03 2017 Fedora Release Engineering - 0.12.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.12.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.12.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jan 17 2017 John Dennis - 0.12.0-4 +- Resolves: bug #1414019 Incorrect PAOS Content-Type header + +* Mon Jan 9 2017 John Dennis - 0.12.0-3 +- bump release for rebuild + +* Tue May 3 2016 John Dennis - 0.12.0-2 +- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc +- am_check_uid() should be no-op if mellon not enabled + +* Wed Mar 9 2016 John Dennis - 0.12.0-1 +- Update to new upstream 0.12.0 +- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to + incorrect error handling when reading POST data from client. + +- [CVE-2016-2146] Fix DOS attack (Apache worker process crash / + resource exhaustion) due to missing size checks when reading + POST data. + +In addition this release contains the following new features and fixes: + +- Add MellonRedirectDomains option to limit the sites that + mod_auth_mellon can redirect to. This option is enabled by default. + +- Add support for ECP service options in PAOS requests. + +- Fix AssertionConsumerService lookup for PAOS requests. 
+ +* Thu Feb 04 2016 Fedora Release Engineering - 0.11.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Dec 23 2015 John Dennis - 0.11.0-3 +- Fix the following warning that appears in the Apache log + lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed + +* Fri Sep 18 2015 John Dennis - 0.11.0-2 +- Add lasso 2.5.0 version dependency + +* Fri Sep 18 2015 John Dennis - 0.11.0-1 +- Upgrade to upstream 0.11.0 release. +- Includes ECP support, see NEWS for all changes. +- Update mellon_create_metadata.sh to match internally generated metadata, + includes AssertionConsumerService for postResponse, artifactResponse & + paosResponse. + +* Wed Jun 17 2015 Fedora Release Engineering - 0.10.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jan 7 2015 Simo Sorce 0.10.0-1 +- New upstream release + +* Tue Sep 2 2014 Simo Sorce 0.9.1-1 +- New upstream release + +* Sun Aug 17 2014 Fedora Release Engineering - 0.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Jun 24 2014 Simo Sorce 0.8.0-1 +- New upstream realease version 0.8.0 +- Upstream moved to github +- Drops patches as they have been all included upstream + +* Fri Jun 20 2014 Simo Sorce 0.7.0-3 +- Backport of useful patches from upstream + - Better handling of IDP reported errors + - Better handling of session data storage size + +* Sat Jun 07 2014 Fedora Release Engineering - 0.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Dec 10 2013 Simo Sorce 0.7.0-1 +- Fix ownership of /run files + +* Wed Nov 27 2013 Simo Sorce 0.7.0-0 +- Initial Fedora release based on version 0.7.0 +- Based on an old spec file by Jean-Marc Liger
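Review bot: in SPECS/mod_auth_mellon.spec, `%dir %attr(-, apache, apache) /run/%{name}/` leaves the directory mode to whatever `mkdir -p %{buildroot}/run/%{name}` produced in %install, while the tmpfiles rule in SOURCES/mod_auth_mellon.conf pins it to `0755 apache apache`; after a reboot tmpfiles recreates the directory, so a fresh install and a rebooted host can end up with different modes. Pin the mode in %attr so both paths agree, and consider 0750, since only the httpd workers need the lock file; the 0.17.0-7 changelog entry (rhbz#2047948) shows this directory's ownership has already been wrong once. Three smaller points in the same file: `install %{SOURCE5} %{buildroot}/%{_pkgdocdir}` passes no `-m`, so README.redhat.rst lands as 0755 while every other install line sets a mode explicitly, add `-m 644`; the %changelog is out of order, the 0.17.0-6 entry dated Fri Jul 30 2021 sits above the 0.17.0-5 entry dated Mon Aug 09 2021, so either the -6 date is wrong or the entries are misplaced, and the log should stay reverse-chronological; and the only integrity record for Source0 is the SHA-1 in .mod_auth_mellon.metadata, so if upstream publishes a detached signature for the v0.17.0 tarball, add it as a Source and verify it in %prep with `%{gpgverify}`.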