From 081105f03ddf6c0394303cd34a72b4c5a4676e92 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 7 Sep 2021 14:26:45 +0000
Subject: [PATCH] import slapi-nis-0.56.6-3.module+el8.5.0+11645+9d3a3007

---
 SOURCES/cve-2021-3480-fix.patch   | 33 ++++++++++++++++++++
 SOURCES/slapi-nis-bz1958909.patch | 41 ++++++++++++++++++++++++
 SOURCES/slapi-nis-bz1978189.patch | 52 +++++++++++++++++++++++++++++++
 SPECS/slapi-nis.spec              | 16 +++++++++-
 4 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/cve-2021-3480-fix.patch
 create mode 100644 SOURCES/slapi-nis-bz1958909.patch
 create mode 100644 SOURCES/slapi-nis-bz1978189.patch

diff --git a/SOURCES/cve-2021-3480-fix.patch b/SOURCES/cve-2021-3480-fix.patch
new file mode 100644
index 0000000..592c2d3
--- /dev/null
+++ b/SOURCES/cve-2021-3480-fix.patch
@@ -0,0 +1,33 @@
+From 2f2b7ecd9d6a0f5044c24e4f96464942a1d873db Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 7 Apr 2021 14:40:52 +0300
+Subject: [PATCH] CVE-2021-3480: invalid bind DN crash
+
+For certain LDAP bind operations 389-ds would pass unvalidated bind DN
+to bind plugins. A first attempt to normalize the DN would find that out
+and should reject the request.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index a5e4c04..d806627 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1988,6 +1988,11 @@ backend_locate_cb(const char *group, const char *set, bool_t flag,
+ 		rdn = slapi_rdn_new_sdn(cbdata->target_dn);
+ 		if (rdn != NULL) {
+ 			rdnstr = slapi_rdn_get_nrdn(rdn);
++			if (rdnstr == NULL) {
++				/* normalizing RDN failed, break the search */
++				slapi_rdn_free(&rdn);
++				return FALSE;
++			}
+ 			if (map_match(cbdata->state, group, set, &flag,
+ 				      strlen(rdnstr), rdnstr,
+ 				      &ndnlen, &ndn,
+-- 
+2.31.1
+
diff --git a/SOURCES/slapi-nis-bz1958909.patch b/SOURCES/slapi-nis-bz1958909.patch
new file mode 100644
index 0000000..07c2282
--- /dev/null
+++ b/SOURCES/slapi-nis-bz1958909.patch
@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+ 
+ 	/* Check the group itself. */
+ 	group_dn = slapi_sdn_new_dn_byval(group);
+-	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+-				 cbdata->scope) == 1) {
++	if (backend_should_descend(group_dn,
++				   cbdata->target_dn,
++				   cbdata->scope)) {
+ 		cbdata->answer = TRUE;
+ 		slapi_sdn_free(&group_dn);
+ 		return TRUE;
+-- 
+2.31.1
+
diff --git a/SOURCES/slapi-nis-bz1978189.patch b/SOURCES/slapi-nis-bz1978189.patch
new file mode 100644
index 0000000..93762b4
--- /dev/null
+++ b/SOURCES/slapi-nis-bz1978189.patch
@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership.  Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ 		return NULL;
+ 	}
+ 
+-	do {
++	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ 					      grouplist, &ngroups,
+ 					      &lerrno);
+-		if ((rc != NSS_STATUS_SUCCESS)) {
+-			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+-			if (tmp_list == NULL) {
++		if (rc == NSS_STATUS_TRYAGAIN) {
++			tmp_list = NULL;
++			if (lerrno == ERANGE) {
++				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++			}
++			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ 				free(grouplist);
+ 				return NULL;
+ 			}
+ 			grouplist = tmp_list;
+ 		}
+-	} while (rc != NSS_STATUS_SUCCESS);
++	}
+ 
+ 	entries = calloc(ngroups + 1, sizeof(entries[0]));
+ 	if (entries == NULL) {
+-- 
+2.31.1
+
diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec
index 23d7c4f..c0aff9a 100644
--- a/SPECS/slapi-nis.spec
+++ b/SPECS/slapi-nis.spec
@@ -11,13 +11,16 @@
 
 Name:		slapi-nis
 Version:	0.56.6
-Release:	1%{?dist}
+Release:	3%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
 Group:		System Environment/Daemons
 License:	GPLv2
 URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
+Patch1: 	cve-2021-3480-fix.patch
+Patch2:         slapi-nis-bz1978189.patch
+Patch3:         slapi-nis-bz1958909.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -56,6 +59,9 @@ for attributes from multiple entries in the tree.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 autoconf --force
@@ -84,6 +90,14 @@ make check
 %{_sbindir}/nisserver-plugin-defs
 
 %changelog
+* Thu Jul 01 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-3
+- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree
+- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap
+
+* Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-2
+- CVE 2021-3480:  idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN
+- Resolves: rhbz#1944713
+
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-1
 - Upstream release 0.56.6
 - Resolves rhbz#1891741