Remove a revert of the fix for Issue 4609

- CVE - info disclosure when authenticating(breaks Dogtag) - Dogtag has fixed own code that failed in the presence of the fix for Issue 4609
2021-02-26 21:19:47 +02:00 · 2021-02-26 21:19:47 +02:00 · d593e73a4a
commit d593e73a4a
parent cbe869776a
2 changed files with 5 additions and 145 deletions
--- a/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
+++ b/0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch
@ -1,143 +0,0 @@
-From 9cb892cb2e36f62275257f3d43e938e2182c793c Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 19 Feb 2021 12:40:56 -0500
-Subject: [PATCH] Revert "Issue 4609 - CVE - info disclosure when
- authenticating"
-
-This reverts commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32.
---
- dirsrvtests/tests/suites/basic/basic_test.py | 51 ++++----------------
- ldap/servers/slapd/back-ldbm/ldbm_bind.c     |  4 +-
- ldap/servers/slapd/dse.c                     |  7 +--
- 3 files changed, 13 insertions(+), 49 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
-index a206bdb38..a43001ab6 100644
--- a/dirsrvtests/tests/suites/basic/basic_test.py
-+++ b/dirsrvtests/tests/suites/basic/basic_test.py
-@@ -9,7 +9,7 @@
- 
- from subprocess import check_output, PIPE, run
- from lib389 import DirSrv
-from lib389.idm.user import UserAccount, UserAccounts
-+from lib389.idm.user import UserAccounts
- import pytest
- from lib389.tasks import *
- from lib389.utils import *
-@@ -1148,14 +1148,18 @@ def test_bind_invalid_entry(topology_st):
-     """Test the failing bind does not return information about the entry
- 
-     :id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
-+
-     :customerscenario: True
-+
-     :setup: Standalone instance
-+
-     :steps:
-        1: bind as non existing entry
-        2: check that bind info does not report 'No such entry'
-+    1: bind as non existing entry
-+    2: check that bind info does not report 'No such entry'
-+
-     :expectedresults:
-        1: pass
-        2: pass
-+    1: pass
-+    2: pass
-     """
- 
-     topology_st.standalone.restart()
-@@ -1177,43 +1181,6 @@ def test_bind_invalid_entry(topology_st):
-     topology_st.standalone.simple_bind_s(DN_DM, PW_DM)
- 
- 
-def test_bind_entry_missing_passwd(topology_st):
-    """
-    :id: af209149-8fb8-48cb-93ea-3e82dd7119d2
-    :setup: Standalone Instance
-    :steps:
-        1. Bind as database entry that does not have userpassword set
-        2. Bind as database entry that does not exist
-        1. Bind as cn=config entry that does not have userpassword set
-        2. Bind as cn=config entry that does not exist
-    :expectedresults:
-        1. Fails with error 49
-        2. Fails with error 49
-        3. Fails with error 49
-        4. Fails with error 49
-    """
-    user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX)
-    with pytest.raises(ldap.INVALID_CREDENTIALS):
-        # Bind as the suffix root entry which does not have a userpassword
-        user.bind("some_password")
-
-    user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX)
-    with pytest.raises(ldap.INVALID_CREDENTIALS):
-        # Bind as the entry which does not exist
-        user.bind("some_password")
-
-    # Test cn=config since it has its own code path
-    user = UserAccount(topology_st.standalone, "cn=config")
-    with pytest.raises(ldap.INVALID_CREDENTIALS):
-        # Bind as the config entry which does not have a userpassword
-        user.bind("some_password")
-
-    user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config")
-    with pytest.raises(ldap.INVALID_CREDENTIALS):
-        # Bind as an entry under cn=config that does not exist
-        user.bind("some_password")
-
-
- @pytest.mark.bz1044135
- @pytest.mark.ds47319
- def test_connection_buffer_size(topology_st):
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
-index 38d115a32..fa450ecd5 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
-@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb)
-     case LDAP_AUTH_SIMPLE: {
-         Slapi_Value cv;
-         if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) {
-            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
-            slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-+            slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
-+                                   NULL, 0, NULL);
-             CACHE_RETURN(&inst->inst_cache, &e);
-             rc = SLAPI_BIND_FAIL;
-             goto bail;
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index f2741aeb4..f5572d78d 100644
--- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -1446,8 +1446,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
- 
-     ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
-     if (ec == NULL) {
-        slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist");
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-+        slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
-         return (SLAPI_BIND_FAIL);
-     }
- 
-@@ -1455,8 +1454,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
-     case LDAP_AUTH_SIMPLE: {
-         Slapi_Value cv;
-         if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) {
-            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
-            slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-+            slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);
-             slapi_entry_free(ec);
-             return SLAPI_BIND_FAIL;
-         }
-@@ -1464,7 +1462,6 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
- 
-         slapi_value_init_berval(&cv, cred);
-         if (slapi_pw_find_sv(bvals, &cv) != 0) {
-            slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");
-             slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
-             slapi_entry_free(ec);
-             value_done(&cv);
-- 
-2.26.2
-
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -47,7 +47,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          2.0.3
-Release:          %{?relprefix}2%{?prerel}%{?dist}
+Release:          %{?relprefix}3%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org
 Conflicts:        selinux-policy-base < 3.9.8
@ -170,7 +170,6 @@ Source2:          %{name}-devel.README
 %if %{bundle_jemalloc}
 Source3:          https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
 %endif
-Patch01:          0001-Revert-Issue-4609-CVE-info-disclosure-when-authentic.patch

 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@ -615,6 +614,10 @@ exit 0
 %endif

 %changelog
+* Fri Feb 26 2021 Alexander Bokovoy <abokovoy@redhat.com> - 2.0.3-3
+- Remove a revert of the fix for Issue 4609 - CVE - info disclosure when authenticating(breaks Dogtag)
+- Dogtag has fixed own code that failed in the presence of the fix for Issue 4609
+
 * Fri Feb 19 2021 Mark Reynolds <mreynolds@redhat.com> - 2.0.3-2
 - Bump version to 2.0.3-2
 - Revert Issue 4609 - CVE - info disclosure when authenticating(breaks DogTag)