
Bug#1006377: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u7



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
lemonldap-ng is vulnerable to password bypass (impact critical) in a very
unlikely setup (probability very low). CVE-2021-40874

[ Impact ]
In such a configuration, a remote lemonldap-ng system that queries the
main lemonldap-ng system using the internal lemonldap-ng protocol instead of
SAML/OpenID-Connect accepts a user with a _wrong password, if and only if_ the
main lemonldap-ng system is configured to use both Kerberos and LDAP
authentication.

[ Tests ]
Tests passed; upstream's new tests are excluded from this patch because
they need a major test framework update.

[ Risks ]
Moderate risk; test coverage proves that the package isn't broken by this
change.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Instead of setting the login/password into result variables ($req->user),
RESTServer stores them in the form parameters and launches the whole
authentication process ($self->p->authProcess) instead of selected steps.
The same change is applied to the CheckState plugin (no major risk here:
this plugin is reserved for LLNG administrators).

diff --git a/debian/changelog b/debian/changelog
index 4b8979ff9..bd7a21c44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,13 @@
+lemonldap-ng (2.0.2+ds-7+deb10u7) buster; urgency=medium
+
+  * Add gsfonts in recommended dependencies (Closes: #982534)
+  * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+
+ -- Yadd <yadd@debian.org>  Thu, 24 Feb 2022 16:31:07 +0100
+
 lemonldap-ng (2.0.2+ds-7+deb10u6) buster-security; urgency=medium
 
-  * Fix session cache corruption (Closes: CVE-2021-06-25)
+  * Fix session cache corruption (Closes: CVE-2021-35472)
   * Fix trusted domain wildcard
   * Fix trusted domain regexp
   * Don't display TOTP secret to owner, neither in debug logs
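Review bot: the CVE id in the new entry, `* Fix auth process in password-testing plugins (Closes: CVE-2021-20874)`, does not match the identifier used everywhere else in this upload (the bug title, `debian/patches/CVE-2021-40874.patch` and the `series` entry), which is CVE-2021-40874; since this same hunk is correcting a malformed id in the previous entry (`CVE-2021-06-25` to `CVE-2021-35472`), fix the new typo before upload so the security tracker associates the fix with the right CVE. Also, `Closes:` takes BTS bug numbers; the usual convention is to cite the CVE in the entry text, e.g. `* Fix auth process in password-testing plugins (CVE-2021-40874)`.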
diff --git a/debian/control b/debian/control
index be46d2783..48d4819b4 100644
--- a/debian/control
+++ b/debian/control
@@ -283,7 +283,8 @@ Depends: ${misc:Depends},
          libjs-jquery-ui,
          libjs-jquery-cookie,
          libregexp-assemble-perl
-Recommends: libcrypt-openssl-bignum-perl,
+Recommends: gsfonts,
+            libcrypt-openssl-bignum-perl,
             libconvert-base32-perl,
             libemail-sender-perl (>=1.300027) | libemail-sender-transport-smtps-perl,
             libipc-run-perl,
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
index ee13a665a..f1f5897e0 100644
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -1,17 +1,7 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
-    extends: .build-unstable
-
-reprotest:
-    extends: .test-reprotest
-
-lintian:
-    extends: .test-lintian
-
-autopkgtest:
-    extends: .test-autopkgtest
-
-piuparts:
-    extends: .test-piuparts
+---
+variables:
+  RELEASE: 'buster'
 
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
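Review bot: this rewrite of debian/gitlab-ci.yml is not mentioned in the new d/changelog entry, although the checklist above states that all changes are documented there; either add a changelog line for the CI configuration change or leave it out of the pu upload, since it is unrelated to the two fixes the entry lists. Pinning `RELEASE: 'buster'` is the right thing for a stable-update branch, so the salsa pipeline builds and tests against the target suite rather than unstable.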
diff --git a/debian/patches/CVE-2021-40874.patch b/debian/patches/CVE-2021-40874.patch
new file mode 100644
index 000000000..2914135ed
--- /dev/null
+++ b/debian/patches/CVE-2021-40874.patch
@@ -0,0 +1,72 @@
+Description: Fix auth process in password-testing plugins (#2611)
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-24
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
+@@ -68,7 +68,10 @@
+     my $res            = PE_OK;
+ 
+     # 1. No user defined at all -> first access
+-    unless ( $defUser and $req->method =~ /^POST$/i ) {
++    # _pwdCheck is a workaround to make CheckUser work while using a GET
++    unless ( $defUser
++        and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) )
++    {
+         $res = PE_FIRSTACCESS;
+     }
+ 
+@@ -162,6 +165,7 @@
+ 
+ sub setSecurity {
+     my ( $self, $req ) = @_;
++    return if $req->data->{skipToken};
+ 
+     # If captcha is enable, prepare it
+     if ( $self->captcha ) {
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
+@@ -41,15 +41,18 @@
+     }
+     if ( my $user = $req->param('user') and my $pwd = $req->param('password') )
+     {
+-        $req->user($user);
+-        $req->data->{password} = $pwd;
++        $req->parameters->{user}     = ($user);
++        $req->parameters->{password} = $pwd;
++        $req->data->{skipToken}      = 1;
++
++        # This makes Auth::Choice use authChoiceAuthBasic if defined
++        $req->data->{_pwdCheck} = 1;
+ 
+         # Not launched methods:
+         #  - "extractFormInfo" due to "token"
+         #  - "buildCookie" useless here
+         $req->steps( [
+-                'getUser',
+-                'authenticate',
++                @{ $self->p->beforeAuth }, $self->p->authProcess,
+                 @{ $self->p->betweenAuthAndData },
+                 qw( setAuthSessionInfo setSessionInfo setMacros setGroups
+                   setPersistentSessionInfo setLocalGroups store secondFactor),
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+@@ -229,11 +229,11 @@
+     }
+     $req->{id}    = $id;
+     $req->{force} = 1;
+-    $req->user( $req->param('user') );
+-    $req->data->{password} = $req->param('password');
++    $req->parameters->{user}     = $req->param('user');
++    $req->parameters->{password} = $req->param('password');
+     $req->steps( [
+             @{ $self->p->beforeAuth },
+-            qw(getUser authenticate setAuthSessionInfo),
++            @{ $self->p->authProcess },
+             @{ $self->p->betweenAuthAndData },
+             $self->p->sessionData,
+             @{ $self->p->afterData },
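Review bot: after the change, CheckState.pm's step list still names `setAuthSessionInfo` explicitly (in the `qw( setAuthSessionInfo setSessionInfo ...` line) right after the new `$self->p->authProcess` entry, whereas the RESTServer.pm hunk replaces `qw(getUser authenticate setAuthSessionInfo)` with `@{ $self->p->authProcess }`, implying authProcess already covers that step; confirm whether CheckState now runs setAuthSessionInfo twice. The two callers also pass authProcess differently: CheckState adds `$self->p->authProcess` as a single element (the way `$self->p->sessionData` is used in RESTServer), while RESTServer spreads it with `@{ ... }`; both may be accepted by the step runner, but the inconsistency deserves a comment. Two smaller points: the comment added in _WebForm.pm says the `_pwdCheck` flag exists for CheckUser, but the plugin that sets it in this patch is CheckState, and `$req->parameters->{user} = ($user);` has superfluous parentheses. The substance of the fix, feeding the credentials through the form parameters and running the full authProcess so that the Kerberos/LDAP combination cannot accept a wrong password, matches the [Changes] description.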
diff --git a/debian/patches/series b/debian/patches/series
index 805ab4670..8d9090246 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ CVE-2021-35472.patch
 fix-trusted-domain-wildcard.patch
 fix-trusted-domain-regex.patch
 dont-display-totp-secret.patch
+CVE-2021-40874.patch
