diff --git a/.gitignore b/.gitignore
index b639f1b..d55de07 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 sssd-1.2.91.tar.gz
+/sssd-1.3.0.tar.gz
diff --git a/0001-Treat-a-zero-length-password-as-a-failure.patch b/0001-Treat-a-zero-length-password-as-a-failure.patch
new file mode 100644
index 0000000..24c1570
--- /dev/null
+++ b/0001-Treat-a-zero-length-password-as-a-failure.patch
@@ -0,0 +1,32 @@
+From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Wed, 18 Aug 2010 12:57:43 -0400
+Subject: [PATCH 9/9] Treat a zero-length password as a failure
+
+Some LDAP servers allow binding with blank passwords. We should
+not allow a blank password to authenticate the SSSD.
+---
+ src/providers/ldap/ldap_auth.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
+ req = tevent_req_create(memctx, &state, struct auth_state);
+ if (!req) return NULL;
++
++ /* Treat a zero-length password as a failure */
++ if (password.length == 0) {
++ state->result = SDAP_AUTH_FAILED;
++ tevent_req_done(req);
++ return tevent_req_post(req, ev);
++ }
++
+ state->ev = ev;
+ state->ctx = ctx;
+ state->username = username;
+--
+1.7.2.1
+
diff --git a/sources b/sources
index 7427f97..d80996e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1bbdc5e9f61f3a83adc145d761fab83d sssd-1.2.91.tar.gz
+444b46e1b3900692b73652f168b9ad79 sssd-1.3.0.tar.gz
diff --git a/sssd.spec b/sssd.spec
index f1c0d74..29ef311 100644
--- a/sssd.spec
+++ b/sssd.spec
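Review bot: The new `if (password.length == 0)` guard in auth_send rejects only a blob whose length is exactly zero; if the caller builds `password` with a length that counts a trailing NUL terminator, an empty password arrives as length 1 and still reaches the LDAP bind, so the check should be confirmed against how the authtok blob is constructed (a test that binds with a literal empty string would pin it). The comment echoes the code rather than the threat; I would replace it with `/* An empty password makes the LDAP server perform an unauthenticated bind (RFC 4513 5.1.2) and report success; never treat that as authentication. */` so the next maintainer does not "simplify" it away. The early return also leaves `state->ev`, `state->ctx` and `state->username` unset, which is only safe if the receive side reads nothing but `state->result` — worth confirming in auth_recv, which is not visible here. auth_send's signature and the rest of its body lie outside the hunk.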
@@ -4,10 +4,10 @@ %endif Name: sssd -Version: 1.2.91 +Version: 1.3.0 #Never reset the Release, always increment it #Otherwise we can have issues if library versions do not change -Release: 21%{?dist} +Release: 30%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -22,7 +22,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) %global refarray_version 0.1.0 ### Patches ### - +Patch0001: 0001-Treat-a-zero-length-password-as-a-failure.patch ### Dependencies ### @@ -202,6 +202,7 @@ A dynamically-growing, reference-counted array %prep %setup -q +%patch0001 -p1 %build %configure \ @@ -459,6 +460,10 @@ fi %postun -n libref_array -p /sbin/ldconfig %changelog +* Tue Aug 24 2010 Stephen Gallagher - 1.3.0-30 +- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate +- against LDAP + * Thu Jul 22 2010 David Malcolm - 1.2.91-21 - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild