[Secure-testing-team] libpam-ldap DSA-785 fixed CAN-2005-2069 w/o mentioning it
Moritz Muehlenhoff
jmm at inutil.org
Wed Sep 14 22:34:14 UTC 2005
Dear Joey/security team,
when preparing a patch for #316972 in sid I noticed that the sid
version (which is identical to the Sarge version from DSA-785)
already contained the required patch. But it isn't mentioned
in either the changelog or DSA-785. Can you please fix
it in the web version of the DSA?
I've attached an interdiff between 178-1 and 178-1sarge1 for easy
review. The first two chunks relate to CAN-2005-2069.
Cheers,
Moritz
diff -u libpam-ldap-178/pam_ldap.c libpam-ldap-178/pam_ldap.c
--- libpam-ldap-178/pam_ldap.c
+++ libpam-ldap-178/pam_ldap.c
@@ -1587,6 +1587,7 @@
pam_ldap_session_t *session = global_session;
#endif
char *who, *cred;
+ int rc;
if (session->info != NULL && session->info->bound_as_user == 1)
{
@@ -1607,6 +1608,17 @@
}
}
+ if (session->conf->ssl_on == SSL_START_TLS)
+ {
+ rc = ldap_start_tls_s (session->ld, NULL, NULL);
+ if (rc != LDAP_SUCCESS)
+ {
+ syslog (LOG_ERR, "pam_ldap: ldap_starttls_s: %s",
+ ldap_err2string (rc));
+ return PAM_SERVICE_ERR;
+ }
+ }
+
return ldap_simple_bind_s (ld, who, cred);
}
#else
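Review bot: the syslog string in this hunk names `ldap_starttls_s` while the function actually called is `ldap_start_tls_s`; align the string with the API name so log searches match. The error path also returns `PAM_SERVICE_ERR` from a function whose other exit (`return ldap_simple_bind_s (ld, who, cred);`) yields an LDAP result code, so a caller comparing the result against `LDAP_SUCCESS` now sees two different code namespaces; propagating the LDAP `rc` from `ldap_start_tls_s` keeps the contract consistent. Note too that the new code uses `session->ld` while the bind line uses `ld`; worth confirming both name the same handle.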
@@ -2042,8 +2054,24 @@
}
else if (!strcmp ((*ctlp)->ldctl_oid, LDAP_CONTROL_PASSWORDPOLICYRESPONSE))
{
- rc = _get_password_policy_response_value (&(*ctlp)->ldctl_value,
- session);
+ int rc2;
+
+ rc2 = _get_password_policy_response_value (&(*ctlp)->ldctl_value,
+ session);
+
+ if (rc2 != LDAP_SUCCESS ||
+ session->info->policy_error != POLICY_ERROR_SUCCESS)
+ {
+ /*
+ * If decoding policy control failed, return the error.
+ *
+ * If decoding policy control succeeded, and there is a
+ * policy error, return LDAP_SUCCESS so that the error
+ * will be handled in the account management step (see
+ * above).
+ */
+ rc = rc2;
+ }
}
}
ldap_controls_free (controls);
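Review bot: the comment explains the decode-failure and policy-error cases but not the third path, where `rc2 == LDAP_SUCCESS` and no policy error is set: there `rc` is intentionally left untouched so the bind result is no longer overwritten with the control's decode status, which is the authentication-bypass fix this upload exists for. State that explicitly in the comment, and replace "(see above)" with the name of the account-management step it refers to, since nothing above in this hunk is being referenced.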
diff -u libpam-ldap-178/debian/changelog libpam-ldap-178/debian/changelog
--- libpam-ldap-178/debian/changelog
+++ libpam-ldap-178/debian/changelog
@@ -1,3 +1,11 @@
+libpam-ldap (178-1sarge1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied upstream patch to fix authentication bypass [pam_ldap.c,
+ VU#778916, CAN-2005-2641]
+
+ -- Martin Schulze <joey at infodrom.org> Sat, 20 Aug 2005 13:39:14 +0200
+
libpam-ldap (178-1) unstable; urgency=low
* New upstream release
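Review bot: the changelog entry credits only VU#778916 / CAN-2005-2641, but the START_TLS chunk in pam_ldap.c addresses CAN-2005-2069 as the cover mail points out; add that identifier to the bullet so the changelog and the published DSA match what the diff actually changes.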