OIDCProviderAuthRequestMethod POST leaks protected data

Bug #2106320 reported by Peter Benie
Affects                               Status         Importance  Assigned to       Milestone
libapache2-mod-auth-openidc (Ubuntu)  Fix Committed  Undecided   Eduardo Barretto
  Bionic                              New            Undecided   Unassigned
  Focal                               New            Undecided   Unassigned
  Jammy                               Fix Released   Undecided   Eduardo Barretto
  Noble                               Fix Released   Undecided   Eduardo Barretto
  Oracular                            Fix Released   Undecided   Eduardo Barretto
  Plucky                              Fix Released   Undecided   Eduardo Barretto

Bug Description

Versions up to and including 2.4.16.10
CVE-2025-31492

When doing authentication, and when configured with OIDCProviderAuthRequestMethod POST, the protected resource is appended to the normal HTTP response. This exposes protected data to people who have not been authenticated/authorised.

https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r
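A defender's audit check for this bug, added here as an example (it is not part of the report, the debdiff or the package): a host is flagged only when an Apache config actively sets OIDCProviderAuthRequestMethod POST and the installed libapache2-mod-auth-openidc version is older than the fixed version published in this bug's changelogs. The FIXED map is taken from those changelogs; SAMPLE_CONFIG is a constructed fragment and the dpkg-style comparison is a reimplementation, not dpkg itself.

```python
import itertools
import re

# Fixed versions per Ubuntu series from this bug's changelogs; series absent
# here (Focal, Bionic) had no fix released within the thread.
FIXED = {
    "jammy": "2.4.11-1ubuntu0.1",
    "noble": "2.4.15.1-1ubuntu0.1",
    "oracular": "2.4.15.7-2ubuntu0.1",
    "plucky": "2.4.16.10-1ubuntu1",
}
DIRECTIVE = re.compile(r"^\s*OIDCProviderAuthRequestMethod\s+POST\s*$", re.I | re.M)
# Constructed sample config fragment (not from the page), used for the demo.
SAMPLE_CONFIG = "# constructed example vhost fragment\nOIDCProviderAuthRequestMethod POST\n"

def _order(c):
    # dpkg character ranking: '~' first, then end-of-string, letters, others.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """dpkg-style comparison of one version part (upstream or revision)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in itertools.zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def dpkg_cmp(v1, v2):
    """Compare Debian versions [epoch:]upstream[-revision]; <0, 0 or >0."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), (rev if sep else "0")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def uses_post_method(config_text):
    """True if an uncommented line enables OIDCProviderAuthRequestMethod POST."""
    return DIRECTIVE.search(config_text) is not None

def is_exposed(series, installed_version, config_text):
    """Exposed when POST is configured and no fixed version is installed."""
    fixed = FIXED.get(series)
    unfixed = fixed is None or dpkg_cmp(installed_version, fixed) < 0
    return uses_post_method(config_text) and unfixed
```

On a real host, feed it the output of `dpkg-query -W -f='${Version}' libapache2-mod-auth-openidc` and the concatenated contents of the enabled Apache config files.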

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
Peter Benie (pjb1008) wrote :
Eduardo Barretto (ebarretto) wrote :

Thanks Peter, I will take a look at your debdiff and also check whether the other releases are affected by it too.
I'm hoping we will have this released by next week.

Peter Benie (pjb1008) wrote : Re: [Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data

Hi,

I am certain they will be affected. It looks like the bug has existed since upstream v2.3.1 (July 2017), which is when the feature was added.

Peter

Changed in libapache2-mod-auth-openidc (Ubuntu Jammy):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in libapache2-mod-auth-openidc (Ubuntu Jammy):
status: New → In Progress
Changed in libapache2-mod-auth-openidc (Ubuntu Oracular):
status: New → In Progress
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in libapache2-mod-auth-openidc (Ubuntu Noble):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in libapache2-mod-auth-openidc (Ubuntu Plucky):
status: New → In Progress
Changed in libapache2-mod-auth-openidc (Ubuntu Noble):
status: New → In Progress
Changed in libapache2-mod-auth-openidc (Ubuntu Plucky):
assignee: nobody → Eduardo Barretto (ebarretto)
Eduardo Barretto (ebarretto) wrote :

Hi Peter,

I've uploaded from Jammy to Plucky into our security-proposed ppa:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=libapache&field.status_filter=published&field.series_filter=

If you could run some tests to check that everything looks good, I would appreciate it.

Focal and Bionic: I'm still unsure whether they are truly vulnerable to it. I will update the bug accordingly when I finalize my thoughts.

Changed in libapache2-mod-auth-openidc (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in libapache2-mod-auth-openidc (Ubuntu Noble):
status: In Progress → Fix Committed
Changed in libapache2-mod-auth-openidc (Ubuntu Oracular):
status: In Progress → Fix Committed
Changed in libapache2-mod-auth-openidc (Ubuntu Plucky):
status: In Progress → Fix Committed
Peter Benie (pjb1008) wrote :

Hi,

I ran my exploit code against the jammy version, and am pleased to say that all looks good.

I also ran it against focal, and that does have the bug.

I don’t run other Ubuntu versions so I can’t comment on those.

Peter

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "auth-fix.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.16.10-1ubuntu1

---------------
libapache2-mod-auth-openidc (2.4.16.10-1ubuntu1) plucky-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod
    POST
    - CVE-2025-31492

 -- Eduardo Barretto <email address hidden> Mon, 14 Apr 2025 13:52:48 +0200

Changed in libapache2-mod-auth-openidc (Ubuntu Plucky):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.15.7-2ubuntu0.1

---------------
libapache2-mod-auth-openidc (2.4.15.7-2ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod
    POST
    - CVE-2025-31492

 -- Eduardo Barretto <email address hidden> Mon, 14 Apr 2025 17:54:52 +0200

Changed in libapache2-mod-auth-openidc (Ubuntu Oracular):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.15.1-1ubuntu0.1

---------------
libapache2-mod-auth-openidc (2.4.15.1-1ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod
    POST
    - CVE-2025-31492

 -- Eduardo Barretto <email address hidden> Mon, 14 Apr 2025 19:23:44 +0200

Changed in libapache2-mod-auth-openidc (Ubuntu Noble):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-auth-openidc - 2.4.11-1ubuntu0.1

---------------
libapache2-mod-auth-openidc (2.4.11-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Data leak (LP: #2106320)
    - debian/patches/CVE-2025-31492.patch: fix OIDCProviderAuthRequestMethod
    POST
    - CVE-2025-31492

 -- Peter Benie <email address hidden> Tue, 08 Apr 2025 09:46:49 +0100

Changed in libapache2-mod-auth-openidc (Ubuntu Jammy):
status: Fix Committed → Fix Released
Eduardo Barretto (ebarretto) wrote :

Thanks again Peter for providing the debdiff.
We published a security notice for it: https://ubuntu.com/security/notices/USN-7446-1
Also thanks for confirming that focal is affected, I will continue working on it and whenever it is ready we will do a -2 USN for it.

Zixing Liu (liushuyu-011) wrote :

Are Focal and Bionic affected? If not, please do mark them as "Invalid" in the tracking table.
