From 9e244c9344a73af93cc79dd1176ce78971747027 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Tue, 3 Sep 2019 14:53:09 -0400
Subject: [PATCH] CVE-2019-14824 (BZ#1748201) - deref plugin displays restricted attributes

Bug Description: If there is an ACI that allows "search" access to an attribute, the deref plugin access control checks sees this is a "read" privilege and returns the attribute's value.

Fix description: For deref plugin we are only concerned with "read" access, not "search" access. Removed the SLAPI_ACL_SEARCH right flag when checking access for an attribute.

Reviewed by: lkrispen & tbordaz(Thanks!)
---
 ldap/servers/plugins/deref/deref.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index cb5ebb830..ec1884ba3 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -573,7 +573,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
 Slapi_Entry **entries = NULL;
 int rc;
- /* If the access check on the attributes is done without retrieveing the entry
+ /* If the access check on the attributes is done without retrieving the entry
 * it cannot handle acis which need teh entry, eg to apply a targetfilter rule
 * So the determination of attrs which can be dereferenced is delayed
 */
@@ -596,7 +596,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
 int ii;
 int needattrvals = 1; /* need attrvals sequence? */
 if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
+ SLAPI_ACL_READ)) {
 slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
 "deref_do_deref_attr - The client does not have permission to read the requested "
 "attributes in entry %s\n",
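Review bot: The call to deref_check_access in the @@ -596 hunk now passes a bare `SLAPI_ACL_READ`, and nothing at the call site records why search rights must stay out of the mask, so a later cleanup could restore `SLAPI_ACL_SEARCH` and bring back the disclosure described in the commit message. A comment directly above the call would pin the intent: `/* deref returns attribute values, so only READ may grant access; do not OR in SLAPI_ACL_SEARCH (CVE-2019-14824) */`. The identical call in deref_pre_entry (the @@ -714 hunk) wants the same comment. How deref_check_access combines the requested bits is not visible here, so the wording should be confirmed against that function; deref_do_deref_attr itself starts and ends outside this hunk.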
@@ -714,7 +714,7 @@ deref_pre_entry(Slapi_PBlock *pb)
 attrs[1] = NULL;
 if (deref_check_access(pb, ent, NULL, attrs, &retattrs,
- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
+ SLAPI_ACL_READ)) {
 slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
 "deref_pre_entry - The client does not have permission to read attribute %s in entry %s\n",
 spec->derefattr, slapi_entry_get_dn_const(ent));
--
2.21.0
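Review bot: The rights value passed to deref_check_access in deref_pre_entry is the same literal as in deref_do_deref_attr, so the policy this fix establishes lives in two places that can drift apart. A single file-level definition, for example `#define DEREF_ATTR_RIGHTS SLAPI_ACL_READ` (the name is only a suggestion), used at both calls would keep them in step. The diffstat shows deref.c as the only file changed, so no regression test accompanies the fix; one that grants only search on an attribute through an ACI and asserts that the deref control returns no value for it would guard against reintroduction. deref_pre_entry continues outside this hunk.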