Fix CVE-2022-1949,CVE-2024-5953

(cherry picked from commit 12831843a312861cb7a9025e118955c5904afc61)
2024-09-12 15:57:23 +08:00 · 2024-09-12 15:57:23 +08:00 · 16493bb7e9
commit 16493bb7e9
parent 5de01dc8cc
3 changed files with 199 additions and 1 deletions
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -6,7 +6,7 @@ ExcludeArch:   i686
 Name:          389-ds-base
 Summary:       Base 389 Directory Server
 Version:       1.4.3.36
-Release:       6
+Release:       7
 License:       GPLv3+
 URL:           https://www.port389.org
 Source0:       https://github.com/389ds/389-ds-base/archive/refs/tags/389-ds-base-%{version}.tar.gz
@ -20,6 +20,8 @@ Patch2:        CVE-2024-1062-1.patch
 Patch3:        CVE-2024-1062-2.patch
 Patch4:        CVE-2024-2199.patch
 Patch5:        CVE-2024-3657.patch
+Patch6:        CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch
+Patch7:        CVE-2024-5953.patch

 BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
 BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@ -382,6 +384,9 @@ exit 0
 %{_mandir}/*/*

 %changelog
+* Thu Sep 12 2024 wangkai <13474090681@163.com> - 1.4.3.36-7
+- Fix CVE-2022-1949,CVE-2024-5953
+
 * Wed Jun 05 2024 wangkai <13474090681@163.com> - 1.4.3.36-6
 - Fix CVE-2024-2199 and CVE-2024-3657

--- a/CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch
+++ b/CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch
@ -0,0 +1,26 @@
+Origin: https://build.opensuse.org/projects/SUSE:SLE-15-SP2:Update/packages/389-ds/files/0001-Fix-ACI-bypass-in-shortcut-filter-condition.patch?expand=1
+
+From 21629670b92260c64c0355d656cd106ff8b84732 Mon Sep 17 00:00:00 2001
+From: William Brown <william@blackhats.net.au>
+Date: Tue, 31 May 2022 10:26:00 +1000
+Subject: [PATCH] Fix ACI bypass in shortcut filter condition
+
+---
+ ldap/servers/slapd/back-ldbm/back-ldbm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h
+index 9d78ad778..7fb85f0f6 100644
+--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h
+@@ -194,7 +194,7 @@ extern int ldbm_warn_if_no_db;
+  * The candidate list size at which it is cheaper to apply the filter test
+  * to the whole list than to continue ANDing in IDLs.
+  */
+-#define FILTER_TEST_THRESHOLD (NIDS)10
+#define FILTER_TEST_THRESHOLD (NIDS)0
+
+ /* flags to indicate what kind of startup the dblayer should do */
+ #define DBLAYER_IMPORT_MODE                 0x1
+--
+2.36.1
--- a/CVE-2024-5953.patch
+++ b/CVE-2024-5953.patch
@ -0,0 +1,167 @@
+Origin:
+https://github.com/389ds/389-ds-base/commit/e269182d7a5d6d23abba86dbfe0cbadce2ea3147
+https://git.almalinux.org/rpms/389-ds-base/src/commit/4a9b4e4bb82f35452e19999ed6a946d412e82619/SOURCES/0012-Security-fix-for-CVE-2024-5953.patch
+
+From 57051154bafaf50b83fc27dadbd89a49fd1c8c36 Mon Sep 17 00:00:00 2001
+From: Pierre Rogier <progier@redhat.com>
+Date: Fri, 14 Jun 2024 13:27:10 +0200
+Subject: [PATCH] Security fix for CVE-2024-5953
+
+Description:
+A denial of service vulnerability was found in the 389 Directory Server.
+This issue may allow an authenticated user to cause a server denial
+of service while attempting to log in with a user with a malformed hash
+in their password.
+
+Fix Description:
+To prevent buffer overflow when a bind request is processed, the bind fails
+if the hash size is not coherent without even attempting to process further
+the hashed password.
+
+References:
+- https://nvd.nist.gov/vuln/detail/CVE-2024-5953
+- https://access.redhat.com/security/cve/CVE-2024-5953
+- https://bugzilla.redhat.com/show_bug.cgi?id=2292104
+---
+ .../tests/suites/password/regression_test.py  | 54 ++++++++++++++++++-
+ ldap/servers/plugins/pwdstorage/md5_pwd.c     |  9 +++-
+ ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c  |  6 +++
+ 3 files changed, 66 insertions(+), 3 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
+index 8f1facb6d..1fa581643 100644
+--- a/dirsrvtests/tests/suites/password/regression_test.py
+++ b/dirsrvtests/tests/suites/password/regression_test.py
+@@ -7,12 +7,14 @@
+ #
+ import pytest
+ import time
+import glob
+import base64
+ from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX
+ from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB
+ from lib389 import Entry
+ from lib389.topologies import topology_m1 as topo_supplier
+-from lib389.idm.user import UserAccounts
+-from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer
+from lib389.idm.user import UserAccounts, UserAccount
+from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer, ds_supports_new_changelog
+ from lib389.topologies import topology_st as topo
+ from lib389.idm.organizationalunit import OrganizationalUnits
+ 
+@@ -39,6 +41,13 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
+ TEST_PASSWORDS2 = (
+     'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123')
+ 
+SUPPORTED_SCHEMES = (
+    "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}",
+    "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}",
+    "{crypt}", "{NS-MTA-MD5}", "{clear}", "{MD5}",
+    "{SMD5}", "{PBKDF2_SHA256}", "{PBKDF2_SHA512}",
+    "{GOST_YESCRYPT}", "{PBKDF2-SHA256}", "{PBKDF2-SHA512}" )
+
+ def _check_unhashed_userpw(inst, user_dn, is_present=False):
+     """Check if unhashed#user#password attribute is present or not in the changelog"""
+     unhashed_pwd_attribute = 'unhashed#user#password'
+@@ -319,6 +328,47 @@ def test_unhashed_pw_switch(topo_supplier):
+         # Add debugging steps(if any)...
+         pass
+ 
+@pytest.mark.parametrize("scheme", SUPPORTED_SCHEMES )
+def test_long_hashed_password(topo, create_user, scheme):
+    """Check that hashed password with very long value does not cause trouble
+
+    :id: 252a1f76-114b-11ef-8a7a-482ae39447e5
+    :setup: standalone Instance
+    :parametrized: yes
+    :steps:
+        1. Add a test user user
+        2. Set a long password with requested scheme
+        3. Bind on that user using a wrong password
+        4. Check that instance is still alive
+        5. Remove the added user
+    :expectedresults:
+        1. Success
+        2. Success
+        3. Should get ldap.INVALID_CREDENTIALS exception
+        4. Success
+        5. Success
+    """
+    inst = topo.standalone
+    inst.simple_bind_s(DN_DM, PASSWORD)
+    users = UserAccounts(inst, DEFAULT_SUFFIX)
+    # Make sure that server is started as this test may crash it
+    inst.start()
+    # Adding Test user (It may already exists if previous test failed)
+    user2 = UserAccount(inst, dn='uid=test_user_1002,ou=People,dc=example,dc=com')
+    if not user2.exists():
+        user2 = users.create_test_user(uid=1002, gid=2002)
+    # Setting hashed password
+    passwd = 'A'*4000
+    hashed_passwd = scheme.encode('utf-8') + base64.b64encode(passwd.encode('utf-8'))
+    user2.replace('userpassword', hashed_passwd)
+    # Bind on that user using a wrong password
+    with pytest.raises(ldap.INVALID_CREDENTIALS):
+        conn = user2.bind(PASSWORD)
+    # Check that instance is still alive
+    assert inst.status()
+    # Remove the added user
+    user2.delete()
+
+ 
+ if __name__ == '__main__':
+     # Run isolated
+diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+index 1e2cf58e7..b9a48d5ca 100644
+--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+@@ -37,6 +37,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
+     unsigned char hash_out[MD5_HASH_LEN];
+     unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
+     SECItem binary_item;
+    size_t dbpwd_len = strlen(dbpwd);
+ 
+     ctx = PK11_CreateDigestContext(SEC_OID_MD5);
+     if (ctx == NULL) {
+@@ -45,6 +46,12 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
+         goto loser;
+     }
+ 
+    if (dbpwd_len >= sizeof b2a_out) {
+        slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
+                      "The hashed password stored in the user entry is longer than any valid md5 hash");
+        goto loser;
+    }
+
+     /* create the hash */
+     PK11_DigestBegin(ctx);
+     PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
+@@ -57,7 +64,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
+     bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
+     /* bver points to b2a_out upon success */
+     if (bver) {
+-        rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
+        rc = slapi_ct_memcmp(bver, dbpwd, dbpwd_len);
+     } else {
+         slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
+                       "Could not base64 encode hashed value for password compare");
+diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+index dcac4fcdd..82b8c9501 100644
+--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+@@ -255,6 +255,12 @@ pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd)
+     passItem.data = (unsigned char *)userpwd;
+     passItem.len = strlen(userpwd);
+ 
+    if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) > sizeof dbhash) {
+        /* Hashed value is too long and cannot match any value generated by pbkdf2_sha256_hash */
+        slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value. (hashed value is too long)\n");
+        return result;
+    }
+
+     /* Decode the DBpwd to bytes from b64 */
+     if (PL_Base64Decode(dbpwd, dbpwd_len, dbhash) == NULL) {
+         slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n");
+-- 
+2.46.0
+