File fix-CVE-2021-32785.patch of Package apache2-mod_auth_openidc.28532
From 75cff8a3c9c555019bb6ce7026800704ea2592fd Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Thu, 22 Jul 2021 15:29:47 +0200
Subject: [PATCH] use redisvCommand to avoid crash with crafted key when using
Redis without encryption
---
ChangeLog | 3 +++
Dockerfile | 2 +-
openidc.conf | 3 +++
src/cache/redis.c | 24 ++++++++++++------------
4 files changed, 19 insertions(+), 13 deletions(-)
Index: mod_auth_openidc-2.3.8/src/cache/redis.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/cache/redis.c
+++ mod_auth_openidc-2.3.8/src/cache/redis.c
@@ -211,10 +211,12 @@ static void oidc_cache_redis_reply_free(
* execute Redis command and deal with return value
*/
static redisReply* oidc_cache_redis_command(request_rec *r,
- oidc_cache_cfg_redis_t *context, const char *command) {
+ oidc_cache_cfg_redis_t *context, const char *format, ...) {
redisReply *reply = NULL;
int i = 0;
+ va_list ap;
+ va_start(ap, format);
/* try to execute a command at max 2 times while reconnecting */
for (i = 0; i < OIDC_REDIS_MAX_TRIES; i++) {
@@ -237,7 +239,7 @@ static redisReply* oidc_cache_redis_comm
}
/* execute the actual command */
- reply = redisCommand(context->ctx, command);
+ reply = redisvCommand(context->ctx, format, ap);
/* check for errors, need to return error replies for cache miss case REDIS_REPLY_NIL */
if ((reply != NULL) && (reply->type != REDIS_REPLY_ERROR))
@@ -257,6 +259,8 @@ static redisReply* oidc_cache_redis_comm
oidc_cache_redis_free(context);
}
+ va_end(ap);
+
return reply;
}
@@ -277,9 +281,8 @@ static apr_byte_t oidc_cache_redis_get(r
return FALSE;
/* get */
- reply = oidc_cache_redis_command(r, context,
- apr_psprintf(r->pool, "GET %s",
- oidc_cache_redis_get_key(r->pool, section, key)));
+ reply =
+ oidc_cache_redis_command(r, context, "GET %s", oidc_cache_redis_get_key(r->pool, section, key));
if (reply == NULL)
goto end;
@@ -336,9 +339,8 @@ static apr_byte_t oidc_cache_redis_set(r
if (value == NULL) {
/* delete it */
- reply = oidc_cache_redis_command(r, context,
- apr_psprintf(r->pool, "DEL %s",
- oidc_cache_redis_get_key(r->pool, section, key)));
+ reply =
+ oidc_cache_redis_command(r, context, "DEL %s", oidc_cache_redis_get_key(r->pool, section, key));
} else {
@@ -346,10 +348,8 @@ static apr_byte_t oidc_cache_redis_set(r
timeout = apr_time_sec(expiry - apr_time_now());
/* store it */
- reply = oidc_cache_redis_command(r, context,
- apr_psprintf(r->pool, "SETEX %s %d %s",
- oidc_cache_redis_get_key(r->pool, section, key),
- timeout, value));
+ reply =
+ oidc_cache_redis_command(r, context, "SETEX %s %d %s", oidc_cache_redis_get_key(r->pool, section, key), timeout, value);
}