zrhoffman / rpms / 389-ds-base

Forked from rpms/389-ds-base 3 years ago
Clone

Blame SOURCES/0034-CVE-deref-plugin-displays-restricted-attributes.patch

e79480
From 816175c782e708de8ae47d3788dba3a6ed0fe3d8 Mon Sep 17 00:00:00 2001
e79480
From: Mark Reynolds <mreynolds@redhat.com>
e79480
Date: Mon, 28 Oct 2019 11:01:33 -0400
e79480
Subject: [PATCH] CVE - deref plugin displays restricted attributes
e79480
e79480
Bug Description:  If there is an ACI that allows "search" access to an attribute,
e79480
                  the deref plugin access control checks sees this is a "read"
e79480
                  privilege and returns the attribute's value.
e79480
e79480
Fix description:  For deref plugin we are only concerned with "read" access, not
e79480
                  "search" access.  Removed the SLAPI_ACL_SEARCH right flag when
e79480
                  checking access for an attribute.
e79480
e79480
Reviewed by: lkrispen
e79480
---
e79480
 ldap/servers/plugins/deref/deref.c | 6 +++---
e79480
 1 file changed, 3 insertions(+), 3 deletions(-)
e79480
e79480
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
e79480
index cb5ebb830..ec1884ba3 100644
e79480
--- a/ldap/servers/plugins/deref/deref.c
e79480
+++ b/ldap/servers/plugins/deref/deref.c
e79480
@@ -573,7 +573,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
e79480
     Slapi_Entry **entries = NULL;
e79480
     int rc;
e79480
 
e79480
-    /*  If the access check on the attributes is done without retrieveing the entry
e79480
+    /*  If the access check on the attributes is done without retrieving the entry
e79480
  *  it cannot handle acis which need teh entry, eg to apply a targetfilter rule
e79480
  *  So the determination of attrs which can be dereferenced is delayed
e79480
  */
e79480
@@ -596,7 +596,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
e79480
                 int ii;
e79480
                 int needattrvals = 1; /* need attrvals sequence? */
e79480
                 if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
e79480
-                                       (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
e79480
+                                       SLAPI_ACL_READ)) {
e79480
                     slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
e79480
                                   "deref_do_deref_attr - The client does not have permission to read the requested "
e79480
                                   "attributes in entry %s\n",
e79480
@@ -714,7 +714,7 @@ deref_pre_entry(Slapi_PBlock *pb)
e79480
         attrs[1] = NULL;
e79480
 
e79480
         if (deref_check_access(pb, ent, NULL, attrs, &retattrs,
e79480
-                               (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
e79480
+                               SLAPI_ACL_READ)) {
e79480
             slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
e79480
                           "deref_pre_entry - The client does not have permission to read attribute %s in entry %s\n",
e79480
                           spec->derefattr, slapi_entry_get_dn_const(ent));
e79480
-- 
e79480
2.21.0
e79480