Re: RFC: php-cas (CVE-2022-39369)

[Yadd <yadd@debian.org>]

Hi,

I am currently traveling in France, with limited network access, so 
please excuse me for the delay.
I uploaded php-cas a while ago to fix an RC, but I don't have real PHP 
skills

On 6/27/23 23:28, Bastien Roucariès wrote:
> Le mardi 27 juin 2023, 18:46:25 UTC Tobias Frost a écrit :
> > Hi,
> >
> > time for an small update:
> >
> > Please note that the packages offered below are WIP status and are intended
> > for testing only.
> >
> > php-cas
> > =======
> >
> > I've verified my patched version of php-cas against the apereo CAS
> > implementation and it looks as if it would work :)
> >
> > The package is availble from here:
> > https://people.debian.org/~tobi/php-cas/
>
> Lack a debian new.
>
>
> > Packaging Repository: https://salsa.debian.org/lts-team/packages/php-cas
> >
> > *I recommend using this package to develop patches for software not in Debian
> > but still affected by the php-cas AOI changes.*
> >
> >
> > fusiondirectory
> > ===============
> >
> > I've backported upstream patches for php-cas with the new API from upstram
> > and tested them locally (again using the apereo CAS server).
> >
> > Packages are available at:
> > https://people.debian.org/~tobi/fusiondirectory
> >
> > Packaging Repository: https://salsa.debian.org/lts-team/packages/fusiondirectory
> >
> > If CAS is enabled in Fusiondirectory, it will *NOT* continue to work without user
> > interaction. Please see this NEWS file for details:
> > https://salsa.debian.org/lts-team/packages/fusiondirectory/-/blob/debian/buster/debian/NEWS
>
> Nice with me this part
> > Abhijith is working on other CVE to fixed in fusiondirectory, and I will coordinate
> > with them accordingly.
> >
> > Outlook
> > ========
> >
> > I will start working on php-cas for ELTS(stretch) and continue working
> > on fixing the reverse dependnices (LTS and ELTS).
> >
> > Once those are ready, to avoid breaking dist-upgrades, I'll
> > also take a look into bullseye and will coordinate the uploads with the
> > security team
>
> Does Yadd answered ?
>
> Bastien
> > > Hi,
> > >
> > > (Adding yadd as suggested on IRC, solicating yadd's input as well)
> > >
> > > Some updates on php-cas:
> > >
> > > I've continued to work on php-cas to better assess
> > > the situation: I've also received information to better
> > > assess the serverity of the CVE and now I think this issue
> > > should be fixed.
> > > (However, I'd like also to hear the opinion of the security team ;-))
> > >
> > > <TL;DR:>
> > >
> > > The test suite make me think my patch is working. I'd appreciate other people
> > > testing them too, though. (On my TODO list is to try with an real CAS Server)
> > >
> > > The reverse dependencies for buster src:fusiondirectory and
> > > src:ocsinventory-server can be fixed quite easily, by adding
> > > configuration options and telling the users what to do.
> > >
> > > For customers using non-packaged software using php-cas,
> > > they *will* need to update it:
> > > The phpCAS client initializer needs an additional $service_base_url
> > > parameter:
> > >
> > > - static function client($server_version, $server_hostname, $server_port, $server_uri, $changeSessionID = true)
> > > + static function client($server_version, $server_hostname, $server_port, $server_uri, $service_base_url, $changeSessionID = true)
> > >
> > > from upstream uppgrading guide:
> > >      PhpCAS now requires an additional service base URL argument when constructing
> > >      the client class, similar to other CAS client's serverName config. It accepts
> > >      any argument of:
> > >
> > >      1. A service base URL string. The service URL discovery will always use this
> > >      server name (protocol, hostname and port number) without using any external
> > >      host names.
> > >      2. An array of service base URL strings. The service URL discovery will check
> > >      against this list before using the auto discovered base URL. If there is no
> > >      match, the first base URL in the array will be used as the default. This
> > >      option is helpful if your PHP website is accessible through multiple domains
> > >      without a canonical name, or through both HTTP and HTTPS.
> > >      3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
> > >      customize the base URL discovery behavior, you can pass in a class that
> > >      implements the interface.
> > >
> > > </TL;DR>
> > >
> > >
> > >
> > > My more detailed notes:
> > >
> > > Upstream Test suite:
> > > ####################
> > >
> > > The test suite for 1.3.6 is not packaged in the debian package,
> > > but I made a branch including it:
> > > https://salsa.debian.org/lts-team/packages/php-cas/-/tree/debian/buster-with-testsuite
> > >
> > > The test suite is patched as required for CVE-2022-29369, as the CAS_Client class
> > > needs an additional "service" parameter (this is the API breakage)
> > >
> > > Before the patch for the CVE:
> > >      $ phpunit TestSuite.php
> > >      OK, but incomplete, skipped, or risky tests!
> > >      Tests: 79, Assertions: 412, Incomplete: 4, Risky: 2.
> > >
> > > After patch for the CVE: (The patch adds some tests.)
> > >      $ phpunit TestSuite.php
> > >      OK, but incomplete, skipped, or risky tests!
> > >      Tests: 92, Assertions: 425, Incomplete: 4, Risky: 2.
> > >
> > > (When removing the additional tests (file: test/CAS/Tests/ServiceBaseUrlTest.php):
> > >      $ phpunit TestSuite.php
> > >      OK, but incomplete, skipped, or risky tests!
> > >      Tests: 79, Assertions: 412, Incomplete: 4, Risky: 2.)
> > >
> > >
> > > Reverse Dependencies for buster:
> > > ################################
> > >
> > >      php-cas
> > >        Reverse Depends: fusiondirectory (1.0.19-1+deb9u1)
> > >        Reverse Depends: ocsinventory-reports (2.5+dfsg1-1)
> > >
> > > fusiondirectory
> > > ---------------
> > >
> > >      - Use of php-cas is optional, (get_cfg_value('casActivated'))
> > >      - Uses php-cas in core/html/index.php, likely only change required
> > >        is to add the new $service_base_url parameter after core/html/index.php:128
> > >        (upstream has refactored in the meantime, upstream has change at [a], but
> > >         it seems that we don't have the CasClientServiceName config entry in buster,
> > >         probably can be backported.)
> > >       - Possibly users will need to run fusiondirectory-insert-schema and possibly
> > >         reconfigure fusiondirectory and possibly a Debian.NEWS should tell them so.
> > >         (needs to be evaluated once I have patches)
> > >
> > > ocsinventory-reports
> > > --------------------
> > >       ( yadd is Maintainer of this package and probably can better comment on it)
> > >       - Use of php-cas is optional, ($affich_method == 'CAS')
> > >         - not default
> > >         - seems that /usr/share/ocsinventory-reports/backend/AUTH/auth.php needs to be
> > >           edited to make it work. (which is not a conffile.)
> > >       - 3 locations initializes php-cas and will needs updating with $service_base_url
> > >              ocsreports/backend/AUTH/methode/cas.php:$cas = new phpCas();
> > >              ocsreports/update.php:        $cas = new phpCas();
> > >              ocsreports/require/header.php:        $cas = new phpCas();
> > >         - As the auth method is not a conffile, every update will reset user configuration,
> > >           defaulting back to HTML-Form authenticication.
> > >         - Cas confiuration is done in /usr/share/ocsinventory-reports/backend/require/cas.config.php:
> > >           This is a central point where $service_base_url can be configured (it also not a conffile…)
> > >       (- ocsinventory-server is on limited security support, reason given:
> > >         Details: Only supported behind an authenticated HTTP zone)
> > >
> > >
> > >
> > > [a] https://github.com/fusiondirectory/fusiondirectory/blob/919b407cdf5c409b20c500e6eadecf0c62270aac/include/login/class_LoginCAS.inc#L48C16-L48C16
> > >
> > > On Tue, Jun 20, 2023 at 04:14:42PM +0200, Tobias Frost wrote:
> > > > (As suggested, I'm moving the discussion to debian-lts@lists.debian.org, CC'ing
> > > > the security team)
> > > >
> > > > > On 19/06/2023 18:17, Tobias Frost wrote:
> > > > > > Hey,
> > > > > >
> > > > > > As I am currently preparing a fix for php-cas to tackle CVE-2022-39369 [1], and
> > > > > > as the changes required are breaking changes, I'd like to discuss whether the
> > > > > > vulnerability justifies a breaking change, or if the issue should be ignored instead.
> > > > > > (Maybe feedback from interested customers can be collected, so that they can assess
> > > > > > the impact on their side already.)
> > > > > >
> > > > > > I've packaged my backport of the patch and uploaded it to [3] as an (untested) preview.
> > > > > >
> > > > > > The breaking change: users of php-cas needs to perform additional steps when
> > > > > > using the php module, as described in docs/updating of the upstream pull
> > > > > > request fixing the issue: [2]
> > > > > >
> > > > > >       phpCAS now requires an additional service base URL argument when
> > > > > >       constructing the client class, similar to other CAS client's serverName config.
> > > > > >
> > > > > > Upstream asses the situation as [4]
> > > > > >
> > > > > >       This vulnerability may allow an attacker to gain access to a victim's account
> > > > > >       on a vulnerable CASified service without victim's knowledge, when the victim
> > > > > >       visits attacker's website while being logged in to the same CAS server.
> > > >
> > > >
> > > > The patch applied to the package is this commit:
> > > > https://salsa.debian.org/lts-team/packages/php-cas/-/commit/2c2b5f73da55f5c6d9f69e1ac11b3a1ee565d435
> > > > (also debdiff attached.)