Fix CVE-2021-20718

CVE-2021-20718-pre1.patch

@@ -0,0 +1,43 @@
+From 9793565ade06dcea0626e8c05137725141ef827b Mon Sep 17 00:00:00 2001
+From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+Date: Fri, 28 Aug 2020 19:05:52 +0200
+Subject: [PATCH] allow Content-Type check on backchannel logout to have postfixes utf-8 etc. ; bump to 2.4.4rc8
+
+Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+---
+ configure.ac | 2 +-
+ src/util.c   | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index c976c5c..7e8353c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,4 +1,4 @@
+-AC_INIT([mod_auth_openidc],[2.4.0.3],[hans.zandbelt@zmartzone.eu])
++AC_INIT([mod_auth_openidc],[2.4.4rc8],[hans.zandbelt@zmartzone.eu])
+ 
+ AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
+ 
+diff --git a/src/util.c b/src/util.c
+index 617136e..ca13512 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1526,9 +1526,12 @@ apr_byte_t oidc_util_read_post_params(request_rec *r, apr_table_t *table,
+ 	const char *content_type = NULL;
+ 
+ 	content_type = oidc_util_hdr_in_content_type_get(r);
+-	if ((r->method_number != M_POST) || (apr_strnatcmp(content_type,
+-			OIDC_CONTENT_TYPE_FORM_ENCODED) != 0))
++	if ((r->method_number != M_POST) || (strstr(content_type,
++			OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) {
++		oidc_debug(r, "required content-type %s not found",
++				OIDC_CONTENT_TYPE_FORM_ENCODED);
+ 		goto end;
++	}
+ 
+ 	if (oidc_util_read(r, &data) != TRUE)
+ 		goto end;
+-- 
+2.23.0
+

CVE-2021-20718.patch

@@ -0,0 +1,42 @@
+From 42a14e1d7a3fff62fc6b20df56f6dc38f086effd Mon Sep 17 00:00:00 2001
+From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+Date: Fri, 30 Apr 2021 19:33:38 +0200
+Subject: [PATCH] fix potential crash when Content-Type is not set in
+POST requests thanks JPCERT/CC; release 2.4.8
+
+Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+---
+ configure.ac | 2 +-
+ src/util.c   | 5 ++---
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7e8353c..50b555f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,4 +1,4 @@
+-AC_INIT([mod_auth_openidc],[2.4.4rc8],[hans.zandbelt@zmartzone.eu])
++AC_INIT([mod_auth_openidc],[2.4.8],[hans.zandbelt@zmartzone.eu])
+ 
+ AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
+ 
+diff --git a/src/util.c b/src/util.c
+index ca13512..2306c3a 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1526,10 +1526,9 @@ apr_byte_t oidc_util_read_post_params(request_rec *r, apr_table_t *table,
+ 	const char *content_type = NULL;
+ 
+ 	content_type = oidc_util_hdr_in_content_type_get(r);
+-	if ((r->method_number != M_POST) || (strstr(content_type,
++	if ((r->method_number != M_POST) || (content_type == NULL) || (strstr(content_type,
+ 			OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) {
+-		oidc_debug(r, "required content-type %s not found",
+-				OIDC_CONTENT_TYPE_FORM_ENCODED);
++		oidc_debug(r, "required content-type %s not found", OIDC_CONTENT_TYPE_FORM_ENCODED);
+ 		goto end;
+ 	}
+ 
+-- 
+2.23.0
+

mod_auth_openidc.spec

@@ -7,12 +7,14 @@
 
 Name:           mod_auth_openidc
 Version:        2.4.0.3
-Release:        3
+Release:        4
 Summary:        OpenID Connect Relying Party module for Apache 2.x HTTP Server
 License:        ASL 2.0
 URL:            https://github.com/zmartzone/mod_auth_openidc
 Source0:        https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
 Patch0000:      CVE-2019-20479.patch
+Patch0001:      CVE-2021-20718-pre1.patch
+Patch0002:      CVE-2021-20718.patch
 
 BuildRequires:  gcc httpd-devel openssl-devel curl-devel jansson-devel
 BuildRequires:  pcre-devel autoconf automake cjose-devel jq-devel
@@ -59,6 +61,9 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache}
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/{metadata,cache}
 
 %changelog
+* Thu Jun 10 2021 wangyue <wangyue92@huawei.com> 2.4.0.3-4
+- Fix CVE-2021-20718
+
 * Fri Feb 19 2021 wangxiao <wangxiao65@huawei.com> 2.4.0.3-3
 - Fix CVE-2019-20479