From 07ea6178fd210d28665e1c8daf3f2cc1359e6a27 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 02 2022 07:09:04 +0000
Subject: import 389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12
---
diff --git a/SOURCES/0018-Issue-5221-User-with-expired-password-can-still-logi.patch b/SOURCES/0018-Issue-5221-User-with-expired-password-can-still-logi.patch
new file mode 100644
index 0000000..7b2f4ba
--- /dev/null
+++ b/SOURCES/0018-Issue-5221-User-with-expired-password-can-still-logi.patch
@@ -0,0 +1,108 @@
+From ad7573252147770c66ff3761add0f04fc8fa6f6c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 3 Mar 2022 16:29:41 -0500
+Subject: [PATCH 1/2] Issue 5221 - User with expired password can still login
+ with full privledges
+
+Bug Description:
+
+A user with an expired password can still login and perform operations
+with its typical access perimssions. But an expired password means the
+account should be considered anonymous.
+
+Fix Description:
+
+Clear the bind credentials if the password is expired
+
+relates: https://github.com/389ds/389-ds-base/issues/5221
+
+Reviewed by: progier(Thanks!)
+---
+ .../suites/password/pw_expired_access_test.py | 62 +++++++++++++++++++
+ ldap/servers/slapd/pw_mgmt.c | 1 +
+ 2 files changed, 63 insertions(+)
+ create mode 100644 dirsrvtests/tests/suites/password/pw_expired_access_test.py
+
+diff --git a/dirsrvtests/tests/suites/password/pw_expired_access_test.py b/dirsrvtests/tests/suites/password/pw_expired_access_test.py
+new file mode 100644
+index 000000000..fb0afb190
+--- /dev/null
++++ b/dirsrvtests/tests/suites/password/pw_expired_access_test.py
+@@ -0,0 +1,62 @@
++import ldap
++import logging
++import pytest
++import os
++import time
++from lib389._constants import DEFAULT_SUFFIX, PASSWORD
++from lib389.idm.domain import Domain
++from lib389.idm.user import UserAccounts
++from lib389.topologies import topology_st as topo
++
++log = logging.getLogger(__name__)
++
++def test_expired_user_has_no_privledge(topo):
++ """Specify a test case purpose or name here
++
++ :id: 3df86b45-9929-414b-9bf6-06c25301d207
++ :setup: Standalone Instance
++ :steps:
++ 1. Set short password expiration time
++ 2. Add user and wait for expiration time to run out
++ 3. Set one aci that allows authenticated users full access
++ 4. Bind as user (password should be expired)
++ 5. Attempt modify
++ :expectedresults:
++ 1. Success
++ 2. Success
++ 3. Success
++ 4. Success
++ 5. Success
++ """
++
++ # Configured password epxiration
++ topo.standalone.config.replace_many(('passwordexp', 'on'), ('passwordmaxage', '1'))
++
++ # Set aci
++ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
++ ACI_TEXT = '(targetattr="*")(version 3.0; acl "test aci"; allow (all) (userdn="ldap:///all");)'
++ suffix.replace('aci', ACI_TEXT)
++
++ # Add user
++ user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).create_test_user()
++ user.replace('userpassword', PASSWORD)
++ time.sleep(2)
++
++ # Bind as user with expired password. Need to use raw ldap calls because
++ # lib389 will close the connection when an error 49 is encountered.
++ ldap_object = ldap.initialize(topo.standalone.toLDAPURL())
++ with pytest.raises(ldap.INVALID_CREDENTIALS):
++ res_type, res_data, res_msgid, res_ctrls = ldap_object.simple_bind_s(
++ user.dn, PASSWORD)
++
++ # Try modify
++ with pytest.raises(ldap.INSUFFICIENT_ACCESS):
++ modlist = [ (ldap.MOD_REPLACE, 'description', b'Should not work!') ]
++ ldap_object.modify_ext_s(DEFAULT_SUFFIX, modlist)
++
++
++if __name__ == '__main__':
++ # Run isolated
++ # -s for DEBUG mode
++ CURRENT_FILE = os.path.realpath(__file__)
++ pytest.main(["-s", CURRENT_FILE])
+diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
+index 59b90dfa6..b67c2c8c0 100644
+--- a/ldap/servers/slapd/pw_mgmt.c
++++ b/ldap/servers/slapd/pw_mgmt.c
+@@ -208,6 +208,7 @@ skip:
+ slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED);
+ }
+ slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
++ bind_credentials_clear(pb_conn, PR_FALSE, PR_TRUE);
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
+ "password expired!", 0, NULL);
+
+--
+2.31.1
+
diff --git a/SOURCES/0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch b/SOURCES/0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
new file mode 100644
index 0000000..cca43d1
--- /dev/null
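Review bot: The test proves only that the ACI denies the modify, not that the bind identity was actually cleared; a direct check after the failed bind, `assert ldap_object.whoami_s() == ''` (the authzid should come back empty on an anonymous connection), would catch a regression where the credentials survive but some unrelated ACI change happens to block the write. In the C hunk, `bind_credentials_clear(pb_conn, PR_FALSE, PR_TRUE)` passes PR_FALSE for what appears to be the lock-connection flag, so the call relies on the caller already holding the connection lock or on this path being serialized per connection; that contract should be confirmed against pw_mgmt.c, whose enclosing function starts and ends outside the hunk, and stated in a one-line comment above the call such as `/* expired password: drop the bind identity so the connection continues as anonymous; caller holds c_mutex */`. The test docstring still carries the template placeholder `Specify a test case purpose or name here`, and its expected result `5. Success` describes an operation the body expects to fail; `5. Modify is rejected with INSUFFICIENT_ACCESS` would say what is actually asserted.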
+++ b/SOURCES/0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
@@ -0,0 +1,45 @@
+From c7f4542fade3d06c8725d0c2976d81f5206719c4 Mon Sep 17 00:00:00 2001
+From: tbordaz
+Date: Wed, 30 Mar 2022 18:07:23 +0200
+Subject: [PATCH 2/2] Issue 5242- Craft message may crash the server (#5243)
+
+Bug description:
+ A craft request can result in DoS
+
+Fix description:
+ If the server fails to decode the ber value
+ then return an Error
+
+relates: 5242
+
+Reviewed by: Pierre Rogier, Mark Reynolds (thanks !)
+
+Platforms tested: F34
+---
+ ldap/servers/slapd/filter.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
+index d671c87ff..52fd95750 100644
+--- a/ldap/servers/slapd/filter.c
++++ b/ldap/servers/slapd/filter.c
+@@ -647,8 +647,14 @@ get_extensible_filter(BerElement *ber, mr_filter_t *mrf)
+ }
+ }
+
+- if ((tag != LBER_ERROR) && (len != -1)) {
+- goto parsing_error;
++ if (tag == LBER_ERROR) {
++ if (len == -1) {
++ /* means that the ber sequence ended without LBER_END_OF_SEQORSET tag
++ * and it is considered as valid to ensure compatibility with open ldap.
++ */
++ } else {
++ goto parsing_error;
++ }
+ }
+
+ slapi_log_err(SLAPI_LOG_FILTER, "get_extensible_filter", "<= %i\n", rc);
+--
+2.31.1
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 3180aed..c3d1ed3 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary: 389 Directory Server (base)
 Name: 389-ds-base
 Version: 1.4.3.28
-Release: %{?relprefix}6%{?prerel}%{?dist}
+Release: %{?relprefix}7%{?prerel}%{?dist}
 License: GPLv3+
 URL: https://www.port389.org
 Group: System Environment/Daemons
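Review bot: The new `if (len == -1) {` branch is an empty block whose only content is a comment, with the real action in the `else`; collapsing it to a comment `/* tag == LBER_ERROR with len == -1: the sequence ended without an LBER_END_OF_SEQORSET tag, accepted for OpenLDAP compatibility */` followed by `if (tag == LBER_ERROR && len != -1) { goto parsing_error; }` keeps the same behaviour and reads as the guard it is. That comment should also say what the removed condition got wrong, since the code is all a future reader will see: `if ((tag != LBER_ERROR) && (len != -1))` only reached parsing_error when decoding had not failed, so a decode failure (`tag == LBER_ERROR` with `len != -1`) fell through to the rest of the function, which is presumably the path behind the crash in issue 5242. Because `len` is compared against `-1`, its declared type matters; if it is the unsigned `ber_len_t` the comparison works only through implicit conversion, and writing `len != (ber_len_t)-1` (or the liblber constant the project uses for it) would make that explicit. get_extensible_filter's body begins and ends outside the hunk, so the loop that sets `tag` and `len` is not visible here.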
@@ -266,6 +266,8 @@ Patch14: 0014-Issue-5127-run-restorecon-on-dev-shm-at-server-start.patc
 Patch15: 0015-Issue-5127-ds_selinux_restorecon.sh-always-exit-0.patch
 Patch16: 0016-Issue-4775-Add-entryuuid-CLI-and-Fixup-4776.patch
 Patch17: 0017-Issue-4775-Fix-cherry-pick-error.patch
+Patch18: 0018-Issue-5221-User-with-expired-password-can-still-logi.patch
+Patch19: 0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
 %description
 389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -885,6 +887,11 @@ exit 0
 %doc README.md
 %changelog
+* Thu May 19 2022 Thierry Bordaz - 1.4.3.28-7
+- Bump version to 1.4.3.28-7
+- Resolves: Bug 2081008 - CVE-2022-0996 389-ds:1.4/389-ds-base: expired password was still allowed to access the database
+- Resolves: Bug 2081014 - CVE-2022-0918 389-ds:1.4/389-ds-base: sending crafted message could result in DoS
+ * Thu Feb 3 2022 Mark Reynolds - 1.4.3.28-6
+- Bump version to 1.4.3.28-6
+- Resolves: Bug 2047171 - Based on 1944494 (RFC 4530 entryUUID attribute) - plugin entryuuid failing