From ceb31709f5d2533dd667c9c958acb48edae497d3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 25 Oct 2022 03:30:08 -0400
Subject: [PATCH] import 389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53
---
 ...repl-may-crash-while-managing-invali.patch | 110 ++++++++++++++++++
 SPECS/389-ds-base.spec | 7 +-
 2 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch
diff --git a/SOURCES/0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch b/SOURCES/0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch
new file mode 100644
index 0000000..0ee9710
--- /dev/null
+++ b/SOURCES/0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch
@@ -0,0 +1,110 @@
+From 2310b48089755fb5b8e3dedf12e8a786b9819c19 Mon Sep 17 00:00:00 2001
+From: tbordaz
+Date: Thu, 18 Aug 2022 11:17:30 +0200
+Subject: [PATCH] Issue 5418 - Sync_repl may crash while managing invalid
+ cookie (#5420)
+
+Bug description:
+ If the servers receives an invalid cookie without separator '#',
+ it parses it into an empty cookie (Sync_Cookie) instead of a NULL
+ cookie (failure).
+ Later it sigsegv when using the empty cookie.
+
+Fix description:
+ If the parsing fails return NULL
+
+relates: #5418
+
+Reviewed by: Viktor Ashirov, Mark Reynolds, William Brown, Simon
+ Pichugin (thanks !)
+---
+ .../suites/syncrepl_plugin/basic_test.py | 76 +++++++++++++++++++
+ 1 file changed, 76 insertions(+)
+
+diff --git a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
+index 533460e8f..375517693 100644
+--- a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
++++ b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
+@@ -594,3 +594,79 @@ def test_sync_repl_cenotaph(topo_m2, request):
+ pass
+
+ request.addfinalizer(fin)
++
++def test_sync_repl_invalid_cookie(topology, request):
++ """Test sync_repl with invalid cookie
++
++ :id: 8fa4a8f8-acf4-42a5-90f1-6ba1d8080e46
++ :setup: install a standalone instance
++ :steps:
++ 1. reset instance to standard (no retroCL, no sync_repl, no dynamic plugin)
++ 2. Enable retroCL/content_sync
++ 3. Establish a sync_repl connection
++ 4. Tests servers results to search with invalid cookie
++ 5. Add/delete an user entry to check the server is up and running
++ :expectedresults:
++ 1. Should succeeds
++ 2. Should succeeds
++ 3. Should succeeds
++ 4. Should succeeds
++ 5. Should succeeds
++ """
++
++ # Reset the instance in a default config
++ # Disable content sync plugin
++ topology.standalone.restart()
++ topology.standalone.plugins.disable(name=PLUGIN_REPL_SYNC)
++
++ # Disable retro changelog
++ topology.standalone.plugins.disable(name=PLUGIN_RETRO_CHANGELOG)
++
++ # Disable dynamic plugins
++ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-dynamic-plugins', b'off')])
++ topology.standalone.restart()
++
++ # Enable retro changelog
++ topology.standalone.plugins.enable(name=PLUGIN_RETRO_CHANGELOG)
++
++ # Enbale content sync plugin
++ topology.standalone.plugins.enable(name=PLUGIN_REPL_SYNC)
++ topology.standalone.restart()
++
++ # Setup the syncer
++ sync = ISyncRepl(topology.standalone)
++
++ # Test invalid cookies
++ cookies = ('#', '##', 'a#a#a', 'a#a#1', 'foo')
++ for invalid_cookie in cookies:
++ log.info('Testing cookie: %s' % invalid_cookie)
++ try:
++ ldap_search = sync.syncrepl_search(base=DEFAULT_SUFFIX,
++ scope=ldap.SCOPE_SUBTREE,
++ attrlist=['objectclass', 'cn', 'homedirectory', 'sn','uid'],
++ filterstr='(|(objectClass=groupofnames)(objectClass=person))',
++ mode='refreshOnly',
++ cookie=invalid_cookie)
++ poll_result = sync.syncrepl_poll(all=1)
++
++ log.fatal('Invalid cookie accepted!')
++ assert False
++ except Exception as e:
++ log.info('Invalid cookie correctly rejected: {}'.format(e.args[0]['info']))
++ pass
++
++ # check that the server is still up and running
++ users = UserAccounts(topology.standalone, DEFAULT_SUFFIX)
++ user = users.create_test_user(uid=1000)
++
++ # Success
++ log.info('Test complete')
++
++ def fin():
++ topology.standalone.restart()
++ try:
++ user.delete()
++ except:
++ pass
++
++ request.addfinalizer(fin)
+--
+2.37.3
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index c3d1ed3..1aa1f64 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
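Review bot: In the invalid-cookie loop of `test_sync_repl_invalid_cookie` (inside the embedded 0020 patch), `assert False` sits in the `try` body whose handler is `except Exception as e:`, so the AssertionError raised when a bad cookie is accepted is caught by the test's own handler, and an unrelated failure such as a connection dropped by a crashed server can be logged as "correctly rejected". The handler then evaluates `e.args[0]['info']`, which for an AssertionError raises a different exception, so an accepted cookie fails the test only by accident and with a misleading traceback. Narrowing the handler to `except ldap.LDAPError as e:` and moving `log.fatal('Invalid cookie accepted!')` and `assert False` into an `else:` branch would state the intent, and `e.args[0].get('info')` avoids a KeyError when the server sends no diagnostic text. Separately, the embedded patch's diffstat lists only `basic_test.py` (76 insertions) although its description says the parser now returns NULL on failure, so the server-side change behind "Resolves: Bug 2131743 - SIGSEGV in sync_repl" is not visible in this import and should be confirmed in the shipped sources.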
@@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary: 389 Directory Server (base)
 Name: 389-ds-base
 Version: 1.4.3.28
-Release: %{?relprefix}7%{?prerel}%{?dist}
+Release: %{?relprefix}8%{?prerel}%{?dist}
 License: GPLv3+
 URL: https://www.port389.org
 Group: System Environment/Daemons
@@ -268,6 +268,7 @@ Patch16: 0016-Issue-4775-Add-entryuuid-CLI-and-Fixup-4776.patch
 Patch17: 0017-Issue-4775-Fix-cherry-pick-error.patch
 Patch18: 0018-Issue-5221-User-with-expired-password-can-still-logi.patch
 Patch19: 0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
+Patch20: 0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch
 %description
 389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -887,6 +888,10 @@ exit 0
 %doc README.md
 %changelog
+* Tue Oct 11 2022 Mark Reynolds - 1.4.3.28-8
+- Bump version to 1.4.3.28-8
+- Resolves: Bug 2131743 - SIGSEGV in sync_repl
+
 * Thu May 19 2022 Thierry Bordaz - 1.4.3.28-7
 - Bump version to 1.4.3.28-7
 - Resolves: Bug 2081008 - CVE-2022-0996 389-ds:1.4/389-ds-base: expired password was still allowed to access the database