rpms / 389-ds-base

Clone
Source Code
GIT

Blame SOURCES/0033-Fix-for-CVE-2014-8105.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-1.4 c8-stream-1.4 c8s-stream-1.4 c8s-stream-ds c9 c9-beta
  1.   f92ce9efedd7e9b37e8ae8a238bdb52b276da01b
  2.   SOURCES
  3.   0033-Fix-for-CVE-2014-8105.patch
Blob History Raw
f92ce9 
From 4b812a1af367ed409e21abe73a77e57092e5a5f3 Mon Sep 17 00:00:00 2001
f92ce9 
From: Mark Reynolds <mreynolds@redhat.com>
f92ce9 
Date: Tue, 16 Dec 2014 16:53:07 -0500
f92ce9 
Subject: [PATCH 33/53] Fix for CVE-2014-8105
f92ce9
f92ce9 
Description:  At server startup check for the Retro Changelog default ACI
f92ce9 
              on cn=changelog, if present delete it.
f92ce9
f92ce9 
Reviewed by: lkrispenz(Thanks!)
f92ce9 
---
f92ce9 
 ldap/servers/plugins/retrocl/retrocl.c        | 67 ++++++++++++++++++++++++++-
f92ce9 
 ldap/servers/plugins/retrocl/retrocl_create.c |  4 --
f92ce9 
 2 files changed, 66 insertions(+), 5 deletions(-)
f92ce9
f92ce9 
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
f92ce9 
index 0d2a6dc..8a0f350 100644
f92ce9 
--- a/ldap/servers/plugins/retrocl/retrocl.c
f92ce9 
+++ b/ldap/servers/plugins/retrocl/retrocl.c
f92ce9 
@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
f92ce9 
     return ma;
f92ce9 
 }
f92ce9
f92ce9 
+static void
f92ce9 
+retrocl_remove_legacy_default_aci(void)
f92ce9 
+{
f92ce9 
+    Slapi_PBlock *pb = NULL;
f92ce9 
+    Slapi_Entry **entries;
f92ce9 
+    char **aci_vals = NULL;
f92ce9 
+    char *attrs[] = {"aci", NULL};
f92ce9 
+    int rc;
f92ce9 
+
f92ce9 
+    pb = slapi_pblock_new();
f92ce9 
+    slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
f92ce9 
+            attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
f92ce9 
+    slapi_search_internal_pb(pb);
f92ce9 
+    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
f92ce9 
+    if (rc == LDAP_SUCCESS) {
f92ce9 
+        slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
f92ce9 
+        if(entries && entries[0]){
f92ce9 
+            if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
f92ce9 
+                if(charray_inlist(aci_vals, RETROCL_ACL)){
f92ce9 
+                    /*
f92ce9 
+                     * Okay, we need to remove the aci
f92ce9 
+                     */
f92ce9 
+                    LDAPMod mod;
f92ce9 
+                    LDAPMod *mods[2];
f92ce9 
+                    char *val[2];
f92ce9 
+                    Slapi_PBlock *mod_pb = 0;
f92ce9 
+
f92ce9 
+                    mod_pb = slapi_pblock_new();
f92ce9 
+                    mods[0] = &mod;
f92ce9 
+                    mods[1] = 0;
f92ce9 
+                    val[0] = RETROCL_ACL;
f92ce9 
+                    val[1] = 0;
f92ce9 
+                    mod.mod_op = LDAP_MOD_DELETE;
f92ce9 
+                    mod.mod_type = "aci";
f92ce9 
+                    mod.mod_values = val;
f92ce9 
+
f92ce9 
+                    slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
f92ce9 
+                                                    mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
f92ce9 
+                    slapi_modify_internal_pb(mod_pb);
f92ce9 
+                    slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
f92ce9 
+                    if(rc == LDAP_SUCCESS){
f92ce9 
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
f92ce9 
+                                "Successfully removed vulnerable legacy default aci \"%s\".  "
f92ce9 
+                                "If the aci removal was not desired please use a different \"acl "
f92ce9 
+                                "name\" so it is not removed at the next plugin startup.\n",
f92ce9 
+                                RETROCL_ACL);
f92ce9 
+                    } else {
f92ce9 
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
f92ce9 
+                                "Failed to removed vulnerable legacy default aci (%s) error %d\n",
f92ce9 
+                                RETROCL_ACL, rc);
f92ce9 
+                    }
f92ce9 
+                    slapi_pblock_destroy(mod_pb);
f92ce9 
+                }
f92ce9 
+                slapi_ch_array_free(aci_vals);
f92ce9 
+            }
f92ce9 
+        }
f92ce9 
+    }
f92ce9 
+    slapi_free_search_results_internal(pb);
f92ce9 
+    slapi_pblock_destroy(pb);
f92ce9 
+}
f92ce9 
+
f92ce9 
+
f92ce9 
 /*
f92ce9 
  * Function: retrocl_start
f92ce9 
  *
f92ce9 
@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
f92ce9 
       LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
f92ce9 
       return rc;
f92ce9 
     }
f92ce9 
-
f92ce9 
+
f92ce9 
+    /* Remove the old default aci as it exposes passwords changes to anonymous users */
f92ce9 
+    retrocl_remove_legacy_default_aci();
f92ce9 
+
f92ce9 
     retrocl_init_trimming();
f92ce9
f92ce9 
     if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
f92ce9 
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
f92ce9 
index 1ffdaae..870421c 100644
f92ce9 
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
f92ce9 
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
f92ce9 
@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
f92ce9 
     val.bv_len = strlen(val.bv_val);
f92ce9 
     slapi_entry_add_values( e, "cn", vals );
f92ce9
f92ce9 
-    val.bv_val = RETROCL_ACL;
f92ce9 
-    val.bv_len = strlen(val.bv_val);
f92ce9 
-    slapi_entry_add_values( e, "aci", vals );
f92ce9 
-
f92ce9 
     pb = slapi_pblock_new ();
f92ce9 
     slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
f92ce9 
 				     g_plg_identity[PLUGIN_RETROCL],
f92ce9 
--
f92ce9 
1.9.3
f92ce9

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation