[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Mon Mar 9 19:37:28 UTC 2015
debian/changelog | 8 ++
debian/patches/cve-2014-8105.diff | 116 ++++++++++++++++++++++++++++++++++++++
debian/patches/cve-2014-8112.diff | 115 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 3
4 files changed, 242 insertions(+)
New commits:
commit ec8a1512150a3cffe70340f19924fec4293637ad
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Mon Mar 9 15:34:59 2015 +0200
releasing package 389-ds-base version 1.3.3.5-4
diff --git a/debian/changelog b/debian/changelog
index fd2a545..ce6baa0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,10 @@
-389-ds-base (1.3.3.5-4) UNRELEASED; urgency=medium
+389-ds-base (1.3.3.5-4) unstable; urgency=medium
* Security fixes (Closes: #779909)
- cve-2014-8105.diff: Fix for CVE-2014-8105
- cve-2014-8112.diff: Fix for CVE-2014-8112
- -- Timo Aaltonen <tjaalton at debian.org> Mon, 09 Mar 2015 10:49:53 +0200
+ -- Timo Aaltonen <tjaalton at debian.org> Mon, 09 Mar 2015 10:53:03 +0200
389-ds-base (1.3.3.5-3) unstable; urgency=medium
commit 3840a16e3712c596f2d216c860380f7f0ee3577e
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Mon Mar 9 10:52:58 2015 +0200
Security fixes (Closes: #779909)
diff --git a/debian/changelog b/debian/changelog
index f5cdef4..fd2a545 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+389-ds-base (1.3.3.5-4) UNRELEASED; urgency=medium
+
+ * Security fixes (Closes: #779909)
+ - cve-2014-8105.diff: Fix for CVE-2014-8105
+ - cve-2014-8112.diff: Fix for CVE-2014-8112
+
+ -- Timo Aaltonen <tjaalton at debian.org> Mon, 09 Mar 2015 10:49:53 +0200
+
389-ds-base (1.3.3.5-3) unstable; urgency=medium
* use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
diff --git a/debian/patches/cve-2014-8105.diff b/debian/patches/cve-2014-8105.diff
new file mode 100644
index 0000000..3fe13fe
--- /dev/null
+++ b/debian/patches/cve-2014-8105.diff
@@ -0,0 +1,116 @@
+commit 74e80db8380a4606e07672dfb5e3f7d403efe150
+Author: Mark Reynolds <mreynolds at redhat.com>
+Date: Tue Dec 16 16:53:07 2014 -0500
+
+ Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
+
+ Fix for CVE-2014-8105
+
+ Description: At server startup check for the Retro Changelog default ACI
+ on cn=changelog, if present delete it.
+
+ Reviewed by: lkrispenz(Thanks!)
+
+ (cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
+ (cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 0d2a6dc..8a0f350 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
+ return ma;
+ }
+
++static void
++retrocl_remove_legacy_default_aci(void)
++{
++ Slapi_PBlock *pb = NULL;
++ Slapi_Entry **entries;
++ char **aci_vals = NULL;
++ char *attrs[] = {"aci", NULL};
++ int rc;
++
++ pb = slapi_pblock_new();
++ slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
++ attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
++ slapi_search_internal_pb(pb);
++ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++ if (rc == LDAP_SUCCESS) {
++ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
++ if(entries && entries[0]){
++ if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
++ if(charray_inlist(aci_vals, RETROCL_ACL)){
++ /*
++ * Okay, we need to remove the aci
++ */
++ LDAPMod mod;
++ LDAPMod *mods[2];
++ char *val[2];
++ Slapi_PBlock *mod_pb = 0;
++
++ mod_pb = slapi_pblock_new();
++ mods[0] = &mod;
++ mods[1] = 0;
++ val[0] = RETROCL_ACL;
++ val[1] = 0;
++ mod.mod_op = LDAP_MOD_DELETE;
++ mod.mod_type = "aci";
++ mod.mod_values = val;
++
++ slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
++ mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
++ slapi_modify_internal_pb(mod_pb);
++ slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++ if(rc == LDAP_SUCCESS){
++ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++ "Successfully removed vulnerable legacy default aci \"%s\". "
++ "If the aci removal was not desired please use a different \"acl "
++ "name\" so it is not removed at the next plugin startup.\n",
++ RETROCL_ACL);
++ } else {
++ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++ "Failed to removed vulnerable legacy default aci (%s) error %d\n",
++ RETROCL_ACL, rc);
++ }
++ slapi_pblock_destroy(mod_pb);
++ }
++ slapi_ch_array_free(aci_vals);
++ }
++ }
++ }
++ slapi_free_search_results_internal(pb);
++ slapi_pblock_destroy(pb);
++}
++
++
+ /*
+ * Function: retrocl_start
+ *
+@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
+ LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
+ return rc;
+ }
+-
++
++ /* Remove the old default aci as it exposes passwords changes to anonymous users */
++ retrocl_remove_legacy_default_aci();
++
+ retrocl_init_trimming();
+
+ if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
+diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
+index 1ffdaae..870421c 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_create.c
++++ b/ldap/servers/plugins/retrocl/retrocl_create.c
+@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
+ val.bv_len = strlen(val.bv_val);
+ slapi_entry_add_values( e, "cn", vals );
+
+- val.bv_val = RETROCL_ACL;
+- val.bv_len = strlen(val.bv_val);
+- slapi_entry_add_values( e, "aci", vals );
+-
+ pb = slapi_pblock_new ();
+ slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
+ g_plg_identity[PLUGIN_RETROCL],
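Review bot: In `retrocl_remove_legacy_default_aci()` a failed internal search is silent: when `rc` is not `LDAP_SUCCESS` the function falls straight through to cleanup, so an operator cannot tell from the log whether the legacy ACI was checked or is still present on `cn=changelog`. An `else` branch on the `if (rc == LDAP_SUCCESS)` test that logs anything other than `LDAP_NO_SUCH_OBJECT` would make that visible, for example `slapi_log_error(SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME, "Could not check %s for the legacy default aci, error %d\n", RETROCL_CHANGELOG_DN, rc);`. The removal also depends on `charray_inlist(aci_vals, RETROCL_ACL)` matching the stored value as a whole string, so a hand-edited copy of the same rule would presumably survive startup. A comment above the function saying so, and that entries already written to the changelog are not touched, would help whoever audits a deployment after the upgrade. The failure message should read "Failed to remove".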
diff --git a/debian/patches/cve-2014-8112.diff b/debian/patches/cve-2014-8112.diff
new file mode 100644
index 0000000..34c4624
--- /dev/null
+++ b/debian/patches/cve-2014-8112.diff
@@ -0,0 +1,115 @@
+commit 8603d6533d84009e13a94ce6327abfba7ae73ef4
+Author: Ludwig Krispenz <lkrispen at redhat.com>
+Date: Fri Nov 28 14:23:06 2014 +0100
+
+ Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
+
+ Fix for CVE-2014-8112
+
+ If the unhashed pw switch is set to off this should only
+ prevent the generation of the unhashed#user#password
+ attribute.
+ But encoding of pw values and detiecetion which values have
+ to be deleted needs to stay intact.
+ So the check if the switch is set has to be placed close to
+ the generation of the attribute in different 'if' branches
+
+ Reviewed by Noriko, thanks
+
+ (cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
+ (cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
+index bcf53cd..61f99cf 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_po.c
++++ b/ldap/servers/plugins/retrocl/retrocl_po.c
+@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
+ continue;
+ }
+ }
++ if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
++ if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
++ /* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
++ continue;
++ }
++ }
+ switch ( ldm[ i ]->mod_op & ~LDAP_MOD_BVALUES ) {
+ case LDAP_MOD_ADD:
+ addlenstr( l, "add: " );
+diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
+index 9b2f42d..ab12f56 100644
+--- a/ldap/servers/slapd/modify.c
++++ b/ldap/servers/slapd/modify.c
+@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ * before calling the preop plugins
+ */
+
+- if (pw_change && !repl_op &&
+- (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
++ if (pw_change && !repl_op ) {
+ Slapi_Value **va = NULL;
+
+ unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
+@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ * Finally, delete the unhashed userpassword
+ * (this will update the password entry extension)
+ */
+- bval.bv_val = password;
+- bval.bv_len = strlen(password);
+- bv[0] = &bval;
+- bv[1] = NULL;
+- valuearray_init_bervalarray(bv, &va);
+- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+- valuearray_free(&va);
++ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++ bval.bv_val = password;
++ bval.bv_len = strlen(password);
++ bv[0] = &bval;
++ bv[1] = NULL;
++ valuearray_init_bervalarray(bv, &va);
++ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++ valuearray_free(&va);
++ }
+ } else {
+ /*
+ * Password is encoded, try and find a matching unhashed_password to delete
+@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
+ if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
+ /* match, add the delete mod for this particular unhashed userpassword */
+- valuearray_init_bervalarray(bv, &va);
+- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+- valuearray_free(&va);
+- free_pw_scheme( unhashed_pwsp );
++ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++ valuearray_init_bervalarray(bv, &va);
++ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++ valuearray_free(&va);
++ free_pw_scheme( unhashed_pwsp );
++ }
+ break;
+ }
+ } else {
+ /*
+ * We have a hashed unhashed_userpassword! We must delete it.
+ */
+- valuearray_init_bervalarray(bv, &va);
+- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+- valuearray_free(&va);
++ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++ valuearray_init_bervalarray(bv, &va);
++ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++ valuearray_free(&va);
++ }
+ }
+ free_pw_scheme( unhashed_pwsp );
+ }
+@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
+ }
+- } else {
++ } else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ /* add pseudo password attribute */
+ valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
+ if(va && va[0]){
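Review bot: In the `CLEAR` match branch of the modify.c change, `free_pw_scheme( unhashed_pwsp );` has moved inside the new `SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()` block. With the switch off, the `break` therefore skips both that call and the `free_pw_scheme( unhashed_pwsp );` at the bottom of the loop body, so the scheme looks to be leaked on every matching password change. Keeping the free unconditional restores the previous ownership: close the `if` after `valuearray_free(&va);` and leave `free_pw_scheme( unhashed_pwsp );` directly before `break;`. The loop header and whatever follows the loop are outside the hunk, so this assumes nothing frees `unhashed_pwsp` after the `break`. Separately, the switch is now read at several points in `op_shared_modify`; reading it once into a local near the top would keep a single operation consistent if the setting changes while it runs.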
diff --git a/debian/patches/series b/debian/patches/series
index 1e33765..331a449 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,6 @@ fix-bsd.patch
support-kfreebsd.patch
fix-obsolete-target.diff
fix-saslpath.diff
+
+cve-2014-8112.diff
+cve-2014-8105.diff