Bug#1006377: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u7
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
lemonldap-ng is vulnerable to password bypass (impact critical) in a very
unlikely setup (probability very low): CVE-2021-40874.
[ Impact ]
In such a configuration, a remote lemonldap-ng system that queries the
main lemonldap-ng system using the internal lemonldap-ng protocol instead of
SAML/OpenID-Connect accepts a user with a _wrong password, if and only if_ the
main lemonldap-ng system is configured to use both Kerberos and LDAP
authentication.
[ Tests ]
Tests passed; upstream's new tests are excluded from this patch because
they need a major test framework update.
[ Risks ]
Moderate risk; test coverage proves that the package isn't broken by this
change.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Instead of setting login/password into result variables ($req->user),
RESTServer stores them in the form parameters and launches the whole
authentication process ($self->p->authProcess) instead of selected steps.
The same change is applied to the CheckState plugin (no major risk here, this
plugin is reserved to LLNG administrators).
diff --git a/debian/changelog b/debian/changelog
index 4b8979ff9..bd7a21c44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,13 @@
+lemonldap-ng (2.0.2+ds-7+deb10u7) buster; urgency=medium
+
+ * Add gsfonts in recommended dependencies (Closes: #982534)
+ * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+
+ -- Yadd <yadd@debian.org> Thu, 24 Feb 2022 16:31:07 +0100
+
lemonldap-ng (2.0.2+ds-7+deb10u6) buster-security; urgency=medium
- * Fix session cache corruption (Closes: CVE-2021-06-25)
+ * Fix session cache corruption (Closes: CVE-2021-35472)
* Fix trusted domain wildcard
* Fix trusted domain regexp
* Don't display TOTP secret to owner, neither in debug logs
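Review bot: the new changelog line `+ * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)` cites CVE-2021-20874, while the patch file added by this debdiff, the [Reason] section and the upstream references all use CVE-2021-40874; please correct the identifier so the changelog and the security tracker agree. The correction of the previous entry from CVE-2021-06-25 to CVE-2021-35472 looks right and should stay.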
diff --git a/debian/control b/debian/control
index be46d2783..48d4819b4 100644
--- a/debian/control
+++ b/debian/control
@@ -283,7 +283,8 @@ Depends: ${misc:Depends},
libjs-jquery-ui,
libjs-jquery-cookie,
libregexp-assemble-perl
-Recommends: libcrypt-openssl-bignum-perl,
+Recommends: gsfonts,
+ libcrypt-openssl-bignum-perl,
libconvert-base32-perl,
libemail-sender-perl (>=1.300027) | libemail-sender-transport-smtps-perl,
libipc-run-perl,
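Review bot: adding `gsfonts` to Recommends is a low-risk dependency fix for #982534, but the [Changes] section of this request only describes the CVE fix; please add a sentence covering the gsfonts addition and what functionality it restores, so the release team can judge it without reading the control diff.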
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
index ee13a665a..f1f5897e0 100644
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -1,17 +1,7 @@
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-build:
- extends: .build-unstable
-
-reprotest:
- extends: .test-reprotest
-
-lintian:
- extends: .test-lintian
-
-autopkgtest:
- extends: .test-autopkgtest
-
-piuparts:
- extends: .test-piuparts
+---
+variables:
+ RELEASE: 'buster'
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
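Review bot: this hunk replaces the whole salsa-ci configuration with one pinned to `RELEASE: 'buster'`; it only affects packaging CI and nothing shipped in the binaries, but it is not mentioned in the changelog or in the [Changes] section, so please either note it there or drop it from the debdiff to keep the stable update minimal.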
diff --git a/debian/patches/CVE-2021-40874.patch b/debian/patches/CVE-2021-40874.patch
new file mode 100644
index 000000000..2914135ed
--- /dev/null
+++ b/debian/patches/CVE-2021-40874.patch
@@ -0,0 +1,72 @@
+Description: Fix auth process in password-testing plugins (#2611)
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-24
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
+@@ -68,7 +68,10 @@
+ my $res = PE_OK;
+
+ # 1. No user defined at all -> first access
+- unless ( $defUser and $req->method =~ /^POST$/i ) {
++ # _pwdCheck is a workaround to make CheckUser work while using a GET
++ unless ( $defUser
++ and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) )
++ {
+ $res = PE_FIRSTACCESS;
+ }
+
+@@ -162,6 +165,7 @@
+
+ sub setSecurity {
+ my ( $self, $req ) = @_;
++ return if $req->data->{skipToken};
+
+ # If captcha is enable, prepare it
+ if ( $self->captcha ) {
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
+@@ -41,15 +41,18 @@
+ }
+ if ( my $user = $req->param('user') and my $pwd = $req->param('password') )
+ {
+- $req->user($user);
+- $req->data->{password} = $pwd;
++ $req->parameters->{user} = ($user);
++ $req->parameters->{password} = $pwd;
++ $req->data->{skipToken} = 1;
++
++ # This makes Auth::Choice use authChoiceAuthBasic if defined
++ $req->data->{_pwdCheck} = 1;
+
+ # Not launched methods:
+ # - "extractFormInfo" due to "token"
+ # - "buildCookie" useless here
+ $req->steps( [
+- 'getUser',
+- 'authenticate',
++ @{ $self->p->beforeAuth }, $self->p->authProcess,
+ @{ $self->p->betweenAuthAndData },
+ qw( setAuthSessionInfo setSessionInfo setMacros setGroups
+ setPersistentSessionInfo setLocalGroups store secondFactor),
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+@@ -229,11 +229,11 @@
+ }
+ $req->{id} = $id;
+ $req->{force} = 1;
+- $req->user( $req->param('user') );
+- $req->data->{password} = $req->param('password');
++ $req->parameters->{user} = $req->param('user');
++ $req->parameters->{password} = $req->param('password');
+ $req->steps( [
+ @{ $self->p->beforeAuth },
+- qw(getUser authenticate setAuthSessionInfo),
++ @{ $self->p->authProcess },
+ @{ $self->p->betweenAuthAndData },
+ $self->p->sessionData,
+ @{ $self->p->afterData },
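Review bot: the CheckState hunk sets both `$req->data->{skipToken} = 1` and `$req->data->{_pwdCheck} = 1` before running `$self->p->authProcess`, but the RESTServer hunk sets neither, even though both paths now go through `extractFormInfo` in `_WebForm.pm`, whose updated check only gets past PE_FIRSTACCESS when the method is POST or `_pwdCheck` is set, and whose `setSecurity` now returns early only when `skipToken` is set. Please confirm that the REST password-check endpoint is always reached via POST with the token/captcha step not applicable, or set the same two flags there for consistency. Two smaller points: the comment `# - "extractFormInfo" due to "token"` in CheckState is now stale, since `authProcess` replaces the hand-picked `getUser`/`authenticate` steps, and the parentheses in `$req->parameters->{user} = ($user);` are redundant; both could be tidied when the patch is next refreshed. The header's `Description: ... (#2611)` and `Bug: .../issues/2612` also refer to different upstream numbers; a word on which is the issue and which the merge request would help the next maintainer. Finally, since the [Tests] section says upstream's new tests are left out, a manual verification note (a wrong password rejected through both the REST and CheckState paths with Kerberos and LDAP enabled) would strengthen the request.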
diff --git a/debian/patches/series b/debian/patches/series
index 805ab4670..8d9090246 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ CVE-2021-35472.patch
fix-trusted-domain-wildcard.patch
fix-trusted-domain-regex.patch
dont-display-totp-secret.patch
+CVE-2021-40874.patch