zrhoffman / rpms / 389-ds-base

Forked from rpms/389-ds-base 3 years ago
Clone

Blame SOURCES/0028-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch

7c7f29
From 0f22cc8a2ab2a968b5ff0878b81bb5d39fa5a35e Mon Sep 17 00:00:00 2001
7c7f29
From: Noriko Hosoi <nhosoi@redhat.com>
7c7f29
Date: Tue, 26 Jul 2016 18:08:38 -0700
7c7f29
Subject: [PATCH 28/29] Bug 1347760 - CVE-2016-4992 389-ds-base: Information
7c7f29
 disclosure via repeated use of LDAP ADD operation, etc.
7c7f29
7c7f29
Description:
7c7f29
1. When an account is inactivated, the error UNWILLING_TO_PERFORM with
7c7f29
   the inactivated message should be returned only when the bind is
7c7f29
   successful.
7c7f29
2. When SASL bind fails, instead of returning the cause of the failure
7c7f29
   directly to the client, but logging it in the access log.
7c7f29
7c7f29
https://bugzilla.redhat.com/show_bug.cgi?id=1347760
7c7f29
7c7f29
Reviewed by wibrown@redhat.com (Thank you, William!)
7c7f29
7c7f29
(cherry picked from commit b8767d510d11c7cbfede24daaae3348b9f028f47)
7c7f29
---
7c7f29
 ldap/servers/slapd/bind.c     | 49 ++++++++++++++++++++-----------------------
7c7f29
 ldap/servers/slapd/saslbind.c |  4 ++--
7c7f29
 2 files changed, 25 insertions(+), 28 deletions(-)
7c7f29
7c7f29
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
7c7f29
index 702d4c2..c271577 100644
7c7f29
--- a/ldap/servers/slapd/bind.c
7c7f29
+++ b/ldap/servers/slapd/bind.c
7c7f29
@@ -720,25 +720,6 @@ do_bind( Slapi_PBlock *pb )
7c7f29
                     }
7c7f29
                 }
7c7f29
             }
7c7f29
-
7c7f29
-            /*
7c7f29
-             * Is this account locked ?
7c7f29
-             *	could be locked through the account inactivation
7c7f29
-             *	or by the password policy
7c7f29
-             *
7c7f29
-             * rc=0: account not locked
7c7f29
-             * rc=1: account locked, can not bind, result has been sent
7c7f29
-             * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
7c7f29
-             * 		deal with it.
7c7f29
-             *
7c7f29
-             */
7c7f29
-
7c7f29
-            /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */
7c7f29
-            if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
7c7f29
-                bind_target_entry = get_entry(pb,  slapi_sdn_get_ndn(sdn));
7c7f29
-                rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1);
7c7f29
-            }
7c7f29
-
7c7f29
             slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
7c7f29
             set_db_default_result_handlers(pb);
7c7f29
             if ( (rc != 1) && 
7c7f29
@@ -777,6 +758,28 @@ do_bind( Slapi_PBlock *pb )
7c7f29
 
7c7f29
                 if ( rc == SLAPI_BIND_SUCCESS ) {
7c7f29
                     int myrc = 0;
7c7f29
+                    /* 
7c7f29
+                     * The bind is successful.
7c7f29
+                     * We can give it to slapi_check_account_lock and reslimit_update_from_dn.
7c7f29
+                     */
7c7f29
+                    /*
7c7f29
+                     * Is this account locked ?
7c7f29
+                     *	could be locked through the account inactivation
7c7f29
+                     *	or by the password policy
7c7f29
+                     *
7c7f29
+                     * rc=0: account not locked
7c7f29
+                     * rc=1: account locked, can not bind, result has been sent
7c7f29
+                     * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
7c7f29
+                     * 		deal with it.
7c7f29
+                     *
7c7f29
+                     */
7c7f29
+                    if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
7c7f29
+                        bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
7c7f29
+                        rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
7c7f29
+                        if (1 == rc) { /* account is locked */
7c7f29
+                            goto account_locked;
7c7f29
+                        }
7c7f29
+                    }
7c7f29
                     if (!auto_bind) {
7c7f29
                         /* 
7c7f29
                          * There could be a race that bind_target_entry was not added 
7c7f29
@@ -787,13 +790,7 @@ do_bind( Slapi_PBlock *pb )
7c7f29
                         if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) && 
7c7f29
                             !bind_target_entry) {
7c7f29
                             bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
7c7f29
-                            if (bind_target_entry) {
7c7f29
-                                myrc = slapi_check_account_lock(pb, bind_target_entry,
7c7f29
-                                                              pw_response_requested, 1, 1);
7c7f29
-                                if (1 == myrc) { /* account is locked */
7c7f29
-                                    goto account_locked;
7c7f29
-                                }
7c7f29
-                            } else {
7c7f29
+                            if (!bind_target_entry) {
7c7f29
                                 slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry");
7c7f29
                                 send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL);
7c7f29
                                 goto free_and_return;
7c7f29
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
7c7f29
index 37175f4..742987e 100644
7c7f29
--- a/ldap/servers/slapd/saslbind.c
7c7f29
+++ b/ldap/servers/slapd/saslbind.c
7c7f29
@@ -1051,8 +1051,8 @@ sasl_check_result:
7c7f29
         errstr = sasl_errdetail(sasl_conn);
7c7f29
 
7c7f29
         PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */
7c7f29
-        send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
7c7f29
-                         (char*)errstr, 0, NULL);
7c7f29
+        slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr);
7c7f29
+        send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
7c7f29
         break;
7c7f29
     }
7c7f29
 
7c7f29
-- 
7c7f29
2.4.11
7c7f29