|
 |
7c7f29 |
From 0f22cc8a2ab2a968b5ff0878b81bb5d39fa5a35e Mon Sep 17 00:00:00 2001
|
|
|
7c7f29 |
From: Noriko Hosoi <nhosoi@redhat.com>
|
|
|
7c7f29 |
Date: Tue, 26 Jul 2016 18:08:38 -0700
|
|
|
7c7f29 |
Subject: [PATCH 28/29] Bug 1347760 - CVE-2016-4992 389-ds-base: Information
|
|
|
7c7f29 |
disclosure via repeated use of LDAP ADD operation, etc.
|
|
|
7c7f29 |
|
|
|
7c7f29 |
Description:
|
|
|
7c7f29 |
1. When an account is inactivated, the error UNWILLING_TO_PERFORM with
|
|
|
7c7f29 |
the inactivated message should be returned only when the bind is
|
|
|
7c7f29 |
successful.
|
|
|
7c7f29 |
2. When SASL bind fails, instead of returning the cause of the failure
|
|
|
7c7f29 |
directly to the client, but logging it in the access log.
|
|
|
7c7f29 |
|
|
|
7c7f29 |
https://bugzilla.redhat.com/show_bug.cgi?id=1347760
|
|
|
7c7f29 |
|
|
|
7c7f29 |
Reviewed by wibrown@redhat.com (Thank you, William!)
|
|
|
7c7f29 |
|
|
|
7c7f29 |
(cherry picked from commit b8767d510d11c7cbfede24daaae3348b9f028f47)
|
|
|
7c7f29 |
---
|
|
|
7c7f29 |
ldap/servers/slapd/bind.c | 49 ++++++++++++++++++++-----------------------
|
|
|
7c7f29 |
ldap/servers/slapd/saslbind.c | 4 ++--
|
|
|
7c7f29 |
2 files changed, 25 insertions(+), 28 deletions(-)
|
|
|
7c7f29 |
|
|
|
7c7f29 |
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
|
|
|
7c7f29 |
index 702d4c2..c271577 100644
|
|
|
7c7f29 |
--- a/ldap/servers/slapd/bind.c
|
|
|
7c7f29 |
+++ b/ldap/servers/slapd/bind.c
|
|
|
7c7f29 |
@@ -720,25 +720,6 @@ do_bind( Slapi_PBlock *pb )
|
|
|
7c7f29 |
}
|
|
|
7c7f29 |
}
|
|
|
7c7f29 |
}
|
|
|
7c7f29 |
-
|
|
|
7c7f29 |
- /*
|
|
|
7c7f29 |
- * Is this account locked ?
|
|
|
7c7f29 |
- * could be locked through the account inactivation
|
|
|
7c7f29 |
- * or by the password policy
|
|
|
7c7f29 |
- *
|
|
|
7c7f29 |
- * rc=0: account not locked
|
|
|
7c7f29 |
- * rc=1: account locked, can not bind, result has been sent
|
|
|
7c7f29 |
- * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
|
|
|
7c7f29 |
- * deal with it.
|
|
|
7c7f29 |
- *
|
|
|
7c7f29 |
- */
|
|
|
7c7f29 |
-
|
|
|
7c7f29 |
- /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */
|
|
|
7c7f29 |
- if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
|
|
|
7c7f29 |
- bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
|
|
|
7c7f29 |
- rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1);
|
|
|
7c7f29 |
- }
|
|
|
7c7f29 |
-
|
|
|
7c7f29 |
slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
|
|
|
7c7f29 |
set_db_default_result_handlers(pb);
|
|
|
7c7f29 |
if ( (rc != 1) &&
|
|
|
7c7f29 |
@@ -777,6 +758,28 @@ do_bind( Slapi_PBlock *pb )
|
|
|
7c7f29 |
|
|
|
7c7f29 |
if ( rc == SLAPI_BIND_SUCCESS ) {
|
|
|
7c7f29 |
int myrc = 0;
|
|
|
7c7f29 |
+ /*
|
|
|
7c7f29 |
+ * The bind is successful.
|
|
|
7c7f29 |
+ * We can give it to slapi_check_account_lock and reslimit_update_from_dn.
|
|
|
7c7f29 |
+ */
|
|
|
7c7f29 |
+ /*
|
|
|
7c7f29 |
+ * Is this account locked ?
|
|
|
7c7f29 |
+ * could be locked through the account inactivation
|
|
|
7c7f29 |
+ * or by the password policy
|
|
|
7c7f29 |
+ *
|
|
|
7c7f29 |
+ * rc=0: account not locked
|
|
|
7c7f29 |
+ * rc=1: account locked, can not bind, result has been sent
|
|
|
7c7f29 |
+ * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
|
|
|
7c7f29 |
+ * deal with it.
|
|
|
7c7f29 |
+ *
|
|
|
7c7f29 |
+ */
|
|
|
7c7f29 |
+ if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
|
|
|
7c7f29 |
+ bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
|
|
|
7c7f29 |
+ rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
|
|
|
7c7f29 |
+ if (1 == rc) { /* account is locked */
|
|
|
7c7f29 |
+ goto account_locked;
|
|
|
7c7f29 |
+ }
|
|
|
7c7f29 |
+ }
|
|
|
7c7f29 |
if (!auto_bind) {
|
|
|
7c7f29 |
/*
|
|
|
7c7f29 |
* There could be a race that bind_target_entry was not added
|
|
|
7c7f29 |
@@ -787,13 +790,7 @@ do_bind( Slapi_PBlock *pb )
|
|
|
7c7f29 |
if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) &&
|
|
|
7c7f29 |
!bind_target_entry) {
|
|
|
7c7f29 |
bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
|
|
|
7c7f29 |
- if (bind_target_entry) {
|
|
|
7c7f29 |
- myrc = slapi_check_account_lock(pb, bind_target_entry,
|
|
|
7c7f29 |
- pw_response_requested, 1, 1);
|
|
|
7c7f29 |
- if (1 == myrc) { /* account is locked */
|
|
|
7c7f29 |
- goto account_locked;
|
|
|
7c7f29 |
- }
|
|
|
7c7f29 |
- } else {
|
|
|
7c7f29 |
+ if (!bind_target_entry) {
|
|
|
7c7f29 |
slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry");
|
|
|
7c7f29 |
send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL);
|
|
|
7c7f29 |
goto free_and_return;
|
|
|
7c7f29 |
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
|
|
|
7c7f29 |
index 37175f4..742987e 100644
|
|
|
7c7f29 |
--- a/ldap/servers/slapd/saslbind.c
|
|
|
7c7f29 |
+++ b/ldap/servers/slapd/saslbind.c
|
|
|
7c7f29 |
@@ -1051,8 +1051,8 @@ sasl_check_result:
|
|
|
7c7f29 |
errstr = sasl_errdetail(sasl_conn);
|
|
|
7c7f29 |
|
|
|
7c7f29 |
PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */
|
|
|
7c7f29 |
- send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
|
|
|
7c7f29 |
- (char*)errstr, 0, NULL);
|
|
|
7c7f29 |
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr);
|
|
|
7c7f29 |
+ send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
|
|
|
7c7f29 |
break;
|
|
|
7c7f29 |
}
|
|
|
7c7f29 |
|
|
|
7c7f29 |
--
|
|
|
7c7f29 |
2.4.11
|
|
|
7c7f29 |
|