import slapi-nis-0.56.6-3.module+el8.5.0+11645+9d3a3007

2021-10-05 07:13:01 -04:00 · 2021-10-05 07:13:01 -04:00 · cc94b227a8
commit cc94b227a8
parent 836b184911
4 changed files with 141 additions and 1 deletions
--- a/SOURCES/cve-2021-3480-fix.patch
+++ b/SOURCES/cve-2021-3480-fix.patch
@ -0,0 +1,33 @@
+From 2f2b7ecd9d6a0f5044c24e4f96464942a1d873db Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 7 Apr 2021 14:40:52 +0300
+Subject: [PATCH] CVE-2021-3480: invalid bind DN crash
+
+For certain LDAP bind operations 389-ds would pass unvalidated bind DN
+to bind plugins. A first attempt to normalize the DN would find that out
+and should reject the request.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index a5e4c04..d806627 100644
+--- a/src/back-sch.c
+++ b/src/back-sch.c
+@@ -1988,6 +1988,11 @@ backend_locate_cb(const char *group, const char *set, bool_t flag,
+ 		rdn = slapi_rdn_new_sdn(cbdata->target_dn);
+ 		if (rdn != NULL) {
+ 			rdnstr = slapi_rdn_get_nrdn(rdn);
+			if (rdnstr == NULL) {
+				/* normalizing RDN failed, break the search */
+				slapi_rdn_free(&rdn);
+				return FALSE;
+			}
+ 			if (map_match(cbdata->state, group, set, &flag,
+ 				      strlen(rdnstr), rdnstr,
+ 				      &ndnlen, &ndn,
+-- 
+2.31.1
+
--- a/SOURCES/slapi-nis-bz1958909.patch
+++ b/SOURCES/slapi-nis-bz1958909.patch
@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
+++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+ 
+ 	/* Check the group itself. */
+ 	group_dn = slapi_sdn_new_dn_byval(group);
+-	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+-				 cbdata->scope) == 1) {
+	if (backend_should_descend(group_dn,
+				   cbdata->target_dn,
+				   cbdata->scope)) {
+ 		cbdata->answer = TRUE;
+ 		slapi_sdn_free(&group_dn);
+ 		return TRUE;
+-- 
+2.31.1
+
--- a/SOURCES/slapi-nis-bz1978189.patch
+++ b/SOURCES/slapi-nis-bz1978189.patch
@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership.  Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ 		return NULL;
+ 	}
+ 
+-	do {
+	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ 					      grouplist, &ngroups,
+ 					      &lerrno);
+-		if ((rc != NSS_STATUS_SUCCESS)) {
+-			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+-			if (tmp_list == NULL) {
+		if (rc == NSS_STATUS_TRYAGAIN) {
+			tmp_list = NULL;
+			if (lerrno == ERANGE) {
+				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+			}
+			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ 				free(grouplist);
+ 				return NULL;
+ 			}
+ 			grouplist = tmp_list;
+ 		}
+-	} while (rc != NSS_STATUS_SUCCESS);
+	}
+ 
+ 	entries = calloc(ngroups + 1, sizeof(entries[0]));
+ 	if (entries == NULL) {
+-- 
+2.31.1
+
--- a/SPECS/slapi-nis.spec
+++ b/SPECS/slapi-nis.spec
@ -11,13 +11,16 @@

 Name:		slapi-nis
 Version:	0.56.6
-Release:	1%{?dist}
+Release:	3%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
 Group:		System Environment/Daemons
 License:	GPLv2
 URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
+Patch1: 	cve-2021-3480-fix.patch
+Patch2:         slapi-nis-bz1978189.patch
+Patch3:         slapi-nis-bz1958909.patch

 BuildRequires:  autoconf
 BuildRequires:  automake
@ -56,6 +59,9 @@ for attributes from multiple entries in the tree.

 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1

 %build
 autoconf --force
@ -84,6 +90,14 @@ make check
 %{_sbindir}/nisserver-plugin-defs

 %changelog
+* Thu Jul 01 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-3
+- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree
+- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap
+
+* Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-2
+- CVE 2021-3480:  idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN
+- Resolves: rhbz#1944713
+
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-1
 - Upstream release 0.56.6
 - Resolves rhbz#1891741