rpms/389-ds-base
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import 389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12

Browse Source
This commit is contained in:
CentOS Sources 2022-08-02 03:09:04 -04:00 committed by Stepan Oksanichenko
parent 67d485ccf9
commit 58ecfd4248
3 changed files with 161 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
SOURCES/0018-Issue-5221-User-with-expired-password-can-still-logi.patch Normal file
View File

@ -0,0 +1,108 @@
From ad7573252147770c66ff3761add0f04fc8fa6f6c Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 3 Mar 2022 16:29:41 -0500
Subject: [PATCH 1/2] Issue 5221 - User with expired password can still login
with full privledges
Bug Description:
A user with an expired password can still login and perform operations
with its typical access perimssions. But an expired password means the
account should be considered anonymous.
Fix Description:
Clear the bind credentials if the password is expired
relates: https://github.com/389ds/389-ds-base/issues/5221
Reviewed by: progier(Thanks!)
---
.../suites/password/pw_expired_access_test.py | 62 +++++++++++++++++++
ldap/servers/slapd/pw_mgmt.c | 1 +
2 files changed, 63 insertions(+)
create mode 100644 dirsrvtests/tests/suites/password/pw_expired_access_test.py
diff --git a/dirsrvtests/tests/suites/password/pw_expired_access_test.py b/dirsrvtests/tests/suites/password/pw_expired_access_test.py
new file mode 100644
index 000000000..fb0afb190
--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pw_expired_access_test.py
@@ -0,0 +1,62 @@
+import ldap
+import logging
+import pytest
+import os
+import time
+from lib389._constants import DEFAULT_SUFFIX, PASSWORD
+from lib389.idm.domain import Domain
+from lib389.idm.user import UserAccounts
+from lib389.topologies import topology_st as topo
+
+log = logging.getLogger(__name__)
+
+def test_expired_user_has_no_privledge(topo):
+ """Specify a test case purpose or name here
+
+ :id: 3df86b45-9929-414b-9bf6-06c25301d207
+ :setup: Standalone Instance
+ :steps:
+ 1. Set short password expiration time
+ 2. Add user and wait for expiration time to run out
+ 3. Set one aci that allows authenticated users full access
+ 4. Bind as user (password should be expired)
+ 5. Attempt modify
+ :expectedresults:
+ 1. Success
+ 2. Success
+ 3. Success
+ 4. Success
+ 5. Success
+ """
+
+ # Configured password epxiration
+ topo.standalone.config.replace_many(('passwordexp', 'on'), ('passwordmaxage', '1'))
+
+ # Set aci
+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+ ACI_TEXT = '(targetattr="*")(version 3.0; acl "test aci"; allow (all) (userdn="ldap:///all");)'
+ suffix.replace('aci', ACI_TEXT)
+
+ # Add user
+ user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).create_test_user()
+ user.replace('userpassword', PASSWORD)
+ time.sleep(2)
+
+ # Bind as user with expired password. Need to use raw ldap calls because
+ # lib389 will close the connection when an error 49 is encountered.
+ ldap_object = ldap.initialize(topo.standalone.toLDAPURL())
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ res_type, res_data, res_msgid, res_ctrls = ldap_object.simple_bind_s(
+ user.dn, PASSWORD)
+
+ # Try modify
+ with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+ modlist = [ (ldap.MOD_REPLACE, 'description', b'Should not work!') ]
+ ldap_object.modify_ext_s(DEFAULT_SUFFIX, modlist)
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main(["-s", CURRENT_FILE])
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 59b90dfa6..b67c2c8c0 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -208,6 +208,7 @@ skip:
slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED);
}
slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+ bind_credentials_clear(pb_conn, PR_FALSE, PR_TRUE);
slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
"password expired!", 0, NULL);
--
2.31.1

45
SOURCES/0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch Normal file
View File

@ -0,0 +1,45 @@
From c7f4542fade3d06c8725d0c2976d81f5206719c4 Mon Sep 17 00:00:00 2001
From: tbordaz <tbordaz@redhat.com>
Date: Wed, 30 Mar 2022 18:07:23 +0200
Subject: [PATCH 2/2] Issue 5242- Craft message may crash the server (#5243)
Bug description:
A craft request can result in DoS
Fix description:
If the server fails to decode the ber value
then return an Error
relates: 5242
Reviewed by: Pierre Rogier, Mark Reynolds (thanks !)
Platforms tested: F34
---
ldap/servers/slapd/filter.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index d671c87ff..52fd95750 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -647,8 +647,14 @@ get_extensible_filter(BerElement *ber, mr_filter_t *mrf)
}
}
- if ((tag != LBER_ERROR) && (len != -1)) {
- goto parsing_error;
+ if (tag == LBER_ERROR) {
+ if (len == -1) {
+ /* means that the ber sequence ended without LBER_END_OF_SEQORSET tag
+ * and it is considered as valid to ensure compatibility with open ldap.
+ */
+ } else {
+ goto parsing_error;
+ }
}
slapi_log_err(SLAPI_LOG_FILTER, "get_extensible_filter", "<= %i\n", rc);
--
2.31.1

9
SPECS/389-ds-base.spec
View File

@ -48,7 +48,7 @@ ExcludeArch: i686
Summary: 389 Directory Server (base) Summary: 389 Directory Server (base)
Name: 389-ds-base Name: 389-ds-base
Version: 1.4.3.28 Version: 1.4.3.28
Release: %{?relprefix}6%{?prerel}%{?dist} Release: %{?relprefix}7%{?prerel}%{?dist}
License: GPLv3+ License: GPLv3+
URL: https://www.port389.org URL: https://www.port389.org
Group: System Environment/Daemons Group: System Environment/Daemons
@ -266,6 +266,8 @@ Patch14: 0014-Issue-5127-run-restorecon-on-dev-shm-at-server-start.patc
Patch15: 0015-Issue-5127-ds_selinux_restorecon.sh-always-exit-0.patch Patch15: 0015-Issue-5127-ds_selinux_restorecon.sh-always-exit-0.patch
Patch16: 0016-Issue-4775-Add-entryuuid-CLI-and-Fixup-4776.patch Patch16: 0016-Issue-4775-Add-entryuuid-CLI-and-Fixup-4776.patch
Patch17: 0017-Issue-4775-Fix-cherry-pick-error.patch Patch17: 0017-Issue-4775-Fix-cherry-pick-error.patch
Patch18: 0018-Issue-5221-User-with-expired-password-can-still-logi.patch
Patch19: 0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
%description %description
389 Directory Server is an LDAPv3 compliant server. The base package includes 389 Directory Server is an LDAPv3 compliant server. The base package includes
@ -885,6 +887,11 @@ exit 0
%doc README.md %doc README.md
%changelog %changelog
* Thu May 19 2022 Thierry Bordaz <tbordaz@redhat.com> - 1.4.3.28-7
- Bump version to 1.4.3.28-7
- Resolves: Bug 2081008 - CVE-2022-0996 389-ds:1.4/389-ds-base: expired password was still allowed to access the database
- Resolves: Bug 2081014 - CVE-2022-0918 389-ds:1.4/389-ds-base: sending crafted message could result in DoS
* Thu Feb 3 2022 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.28-6 * Thu Feb 3 2022 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.28-6
- Bump version to 1.4.3.28-6 - Bump version to 1.4.3.28-6
- Resolves: Bug 2047171 - Based on 1944494 (RFC 4530 entryUUID attribute) - plugin entryuuid failing - Resolves: Bug 2047171 - Based on 1944494 (RFC 4530 entryUUID attribute) - plugin entryuuid failing