2.4.13.2: prevent DoS core dump with OIDCStripCookies; CVE-2023-28625

GHSA-f5xw-rvfr-24qr Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
make-all · Feb 5, 2024 · 794567f · 794567f
1 parent fa609ae
commit 794567f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+03/28/2023
+- CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied
+  https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
+- cherrypicked from release 2.4.13.2
+
 12/13/2022
 - CVE-2022-23527: prevent open redirect in default setup when OIDCRedirectURLsAllowed is not configured
   see: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.11.1_patch1],[jasonrumney@gmail.com])
+AC_INIT([mod_auth_openidc],[2.4.11.1_patch2],[jasonrumney@gmail.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -175,6 +175,8 @@ void oidc_strip_cookies(request_rec *r) {
 		do {
 			while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
 				cookie++;
+                        if (cookie == NULL)
+                          break:
 
 			for (i = 0; i < strip->nelts; i++) {
 				name = ((const char**) strip->elts)[i];