packages/three-eight-nine-ds-base
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:b648316f225fb96b1b84de957bf02aff02d5898f
Branches Tags
packages:main
...
compare: packages:4784aff5a799c0b5f6f63eba7e7e5844b207355a
Branches Tags
packages:main

10 Commits
b648316f22 ... 4784aff5a7

Author SHA1 Message Date
openeuler-ci-bot
4784aff5a7
!120 [sync] PR-119: Fix CVE-2024-8445 
From: @openeuler-sync-bot 
Reviewed-by: @starlet-dx 
Signed-off-by: @starlet-dx
 2025-02-13 09:20:11 +00:00
starlet-dx
71aa1e1fae Fix CVE-2024-8445 
(cherry picked from commit f6c41e79673553128e44635d28e256eaa51b4da8)
 2025-02-13 17:03:20 +08:00
openeuler-ci-bot
9ce9007b14
!111 [sync] PR-106: Fix some issues 
From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-11-29 06:15:37 +00:00
wk333
43c4fe3d7b Fix some issues 
Fix dsidm role subtree-status fails with TypeError
Fix name cockpit_present is not defined.
Fix typo
Fix DirSrv has no attribute userid

(cherry picked from commit 3cd6c638f27dd1fbb7d76e7cf6fa1383be0561ee)
 2024-11-29 11:30:22 +08:00
openeuler-ci-bot
f29d5af74f
!95 [sync] PR-93: Fix CVE-2022-1949,CVE-2024-5953 
From: @openeuler-sync-bot 
Reviewed-by: @starlet-dx 
Signed-off-by: @starlet-dx
 2024-09-12 11:52:22 +00:00
wk333
16493bb7e9 Fix CVE-2022-1949,CVE-2024-5953 
(cherry picked from commit 12831843a312861cb7a9025e118955c5904afc61)
 2024-09-12 16:53:36 +08:00
openeuler-ci-bot
5de01dc8cc
!80 [sync] PR-76: Fix CVE-2024-2199 and CVE-2024-3657 
From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-06-05 08:18:07 +00:00
wk333
9155aa1810 Fix CVE-2024-2199 and CVE-2024-3657 
(cherry picked from commit 7c1e65aa87707d1425cd5dca370d0f9b7b46e7fa)
 2024-06-05 15:15:36 +08:00
openeuler-ci-bot
1d22b4ce70
!65 Fix CVE-2024-1062 
From: @wk333 
Reviewed-by: @starlet-dx 
Signed-off-by: @starlet-dx
 2024-02-05 06:21:54 +00:00
wk333
2cf6e672d5 Fix CVE-2024-1062 2024-02-05 10:34:28 +08:00
12 changed files with 793 additions and 1 deletions
Show Stats Expand all files Collapse all files

31
389-ds-base.spec
View File

@ -6,7 +6,7 @@ ExcludeArch: i686
Name: 389-ds-base
Summary: Base 389 Directory Server
Version: 1.4.3.36
Release: 4
Release: 9
License: GPLv3+
URL: https://www.port389.org
Source0: https://github.com/389ds/389-ds-base/archive/refs/tags/389-ds-base-%{version}.tar.gz
@ -16,6 +16,17 @@ Source3: https://github.com/jemalloc/jemalloc/releases/download/5.2.1/jema
# Refer: https://github.com/389ds/389-ds-base/pull/5374
Patch0: fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch
Patch1: fix-dn2rdn-get-args-error.patch
Patch2: CVE-2024-1062-1.patch
Patch3: CVE-2024-1062-2.patch
Patch4: CVE-2024-2199.patch
Patch5: CVE-2024-3657.patch
Patch6: CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch
Patch7: CVE-2024-5953.patch
Patch8: remove-where-cockpit_present-is-called.patch
Patch9: fix-dsidm-role-subtree-status-fails-with-TypeError.patch
Patch10: fix-typo.patch
Patch11: backport-Issue-5142-CLI-dsctl-dbgen-is-broken.patch
Patch12: CVE-2024-8445.patch
BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@ -378,6 +389,24 @@ exit 0
%{_mandir}/*/*
%changelog
* Thu Feb 13 2025 yaoxin <1024769339@qq.com> - 1.4.3.36-9
- Fix CVE-2024-8445
* Wed Nov 27 2024 wangkai <13474090681@163.com> - 1.4.3.36-8
- Fix dsidm role subtree-status fails with TypeError
- Fix name cockpit_present is not defined.
- Fix typo
- Fix DirSrv has no attribute userid
* Thu Sep 12 2024 wangkai <13474090681@163.com> - 1.4.3.36-7
- Fix CVE-2022-1949,CVE-2024-5953
* Wed Jun 05 2024 wangkai <13474090681@163.com> - 1.4.3.36-6
- Fix CVE-2024-2199 and CVE-2024-3657
* Mon Feb 05 2024 wangkai <13474090681@163.com> - 1.4.3.36-5
- Fix CVE-2024-1062
* Sun Feb 4 2024 liyanan <liyanan61@h-partners.com> - 1.4.3.36-4
- Add requires 389-ds-base-legacy-tools

26
CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch Normal file
View File

@ -0,0 +1,26 @@
Origin: https://build.opensuse.org/projects/SUSE:SLE-15-SP2:Update/packages/389-ds/files/0001-Fix-ACI-bypass-in-shortcut-filter-condition.patch?expand=1
From 21629670b92260c64c0355d656cd106ff8b84732 Mon Sep 17 00:00:00 2001
From: William Brown <william@blackhats.net.au>
Date: Tue, 31 May 2022 10:26:00 +1000
Subject: [PATCH] Fix ACI bypass in shortcut filter condition
---
ldap/servers/slapd/back-ldbm/back-ldbm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h
index 9d78ad778..7fb85f0f6 100644
--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h
@@ -194,7 +194,7 @@ extern int ldbm_warn_if_no_db;
* The candidate list size at which it is cheaper to apply the filter test
* to the whole list than to continue ANDing in IDLs.
*/
-#define FILTER_TEST_THRESHOLD (NIDS)10
+#define FILTER_TEST_THRESHOLD (NIDS)0
/* flags to indicate what kind of startup the dblayer should do */
#define DBLAYER_IMPORT_MODE 0x1
--
2.36.1

116
CVE-2024-1062-1.patch Normal file
View File

@ -0,0 +1,116 @@
From dddb14210b402f317e566b6387c76a8e659bf7fa Mon Sep 17 00:00:00 2001
From: progier389 <progier@redhat.com>
Date: Tue, 14 Feb 2023 13:34:10 +0100
Subject: [PATCH] issue 5647 - covscan: memory leak in audit log when adding
entries (#5650)
covscan reported an issue about "vals" variable in auditlog.c:231 and indeed a charray_free is missing.
Issue: 5647
Reviewed by: @mreynolds389, @droideck
---
ldap/servers/slapd/auditlog.c | 71 +++++++++++++++++++----------------
1 file changed, 38 insertions(+), 33 deletions(-)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 68cbc674dc..3128e04974 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -177,6 +177,40 @@ write_auditfail_log_entry(Slapi_PBlock *pb)
slapi_ch_free_string(&audit_config);
}
+/*
+ * Write the attribute values to the audit log as "comments"
+ *
+ * Slapi_Attr *entry - the attribute begin logged.
+ * char *attrname - the attribute name.
+ * lenstr *l - the audit log buffer
+ *
+ * Resulting output in the log:
+ *
+ * #ATTR: VALUE
+ * #ATTR: VALUE
+ */
+static void
+log_entry_attr(Slapi_Attr *entry_attr, char *attrname, lenstr *l)
+{
+ Slapi_Value **vals = attr_get_present_values(entry_attr);
+ for(size_t i = 0; vals && vals[i]; i++) {
+ char log_val[256] = "";
+ const struct berval *bv = slapi_value_get_berval(vals[i]);
+ if (bv->bv_len >= 256) {
+ strncpy(log_val, bv->bv_val, 252);
+ strcpy(log_val+252, "...");
+ } else {
+ strncpy(log_val, bv->bv_val, bv->bv_len);
+ log_val[bv->bv_len] = 0;
+ }
+ addlenstr(l, "#");
+ addlenstr(l, attrname);
+ addlenstr(l, ": ");
+ addlenstr(l, log_val);
+ addlenstr(l, "\n");
+ }
+}
+
/*
* Write "requested" attributes from the entry to the audit log as "comments"
*
@@ -212,21 +246,9 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
for (req_attr = ldap_utf8strtok_r(display_attrs, ", ", &last); req_attr;
req_attr = ldap_utf8strtok_r(NULL, ", ", &last))
{
- char **vals = slapi_entry_attr_get_charray(entry, req_attr);
- for(size_t i = 0; vals && vals[i]; i++) {
- char log_val[256] = {0};
-
- if (strlen(vals[i]) > 256) {
- strncpy(log_val, vals[i], 252);
- strcat(log_val, "...");
- } else {
- strcpy(log_val, vals[i]);
- }
- addlenstr(l, "#");
- addlenstr(l, req_attr);
- addlenstr(l, ": ");
- addlenstr(l, log_val);
- addlenstr(l, "\n");
+ slapi_entry_attr_find(entry, req_attr, &entry_attr);
+ if (entry_attr) {
+ log_entry_attr(entry_attr, req_attr, l);
}
}
} else {
@@ -234,7 +256,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
for (; entry_attr; entry_attr = entry_attr->a_next) {
Slapi_Value **vals = attr_get_present_values(entry_attr);
char *attr = NULL;
- const char *val = NULL;
slapi_attr_get_type(entry_attr, &attr);
if (strcmp(attr, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) {
@@ -251,23 +272,7 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
addlenstr(l, ": ****************************\n");
continue;
}
-
- for(size_t i = 0; vals && vals[i]; i++) {
- char log_val[256] = {0};
-
- val = slapi_value_get_string(vals[i]);
- if (strlen(val) > 256) {
- strncpy(log_val, val, 252);
- strcat(log_val, "...");
- } else {
- strcpy(log_val, val);
- }
- addlenstr(l, "#");
- addlenstr(l, attr);
- addlenstr(l, ": ");
- addlenstr(l, log_val);
- addlenstr(l, "\n");
- }
+ log_entry_attr(entry_attr, attr, l);
}
}
slapi_ch_free_string(&display_attrs);

24
CVE-2024-1062-2.patch Normal file
View File

@ -0,0 +1,24 @@
From be7c2b82958e91ce08775bf6b5da3c311d3b00e5 Mon Sep 17 00:00:00 2001
From: progier389 <progier@redhat.com>
Date: Mon, 20 Feb 2023 16:14:05 +0100
Subject: [PATCH] Issue 5647 - Fix unused variable warning from previous commit
(#5670)
* issue 5647 - memory leak in audit log when adding entries
* Issue 5647 - Fix unused variable warning from previous commit
---
ldap/servers/slapd/auditlog.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 3128e04974..0597ecc6f1 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -254,7 +254,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
} else {
/* Return all attributes */
for (; entry_attr; entry_attr = entry_attr->a_next) {
- Slapi_Value **vals = attr_get_present_values(entry_attr);
char *attr = NULL;
slapi_attr_get_type(entry_attr, &attr);

110
CVE-2024-2199.patch Normal file
View File

@ -0,0 +1,110 @@
Origin: https://git.centos.org/rpms/389-ds-base/raw/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0048-CVE-2024-2199.patch
From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
From: James Chapman <jachapma@redhat.com>
Date: Wed, 1 May 2024 15:01:33 +0100
Subject: [PATCH] CVE-2024-2199
---
.../tests/suites/password/password_test.py | 56 +++++++++++++++++++
ldap/servers/slapd/modify.c | 8 ++-
2 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
index 1245feb31..e4abd9907 100644
--- a/dirsrvtests/tests/suites/password/password_test.py
+++ b/dirsrvtests/tests/suites/password/password_test.py
@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
log.info('test_password_delete_specific_password: PASSED')
+def test_password_modify_non_utf8(topology_st):
+ """Attempt a modify of the userPassword attribute with
+ an invalid non utf8 value
+
+ :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
+ :setup: Standalone instance
+ :steps:
+ 1. Add a user if it doesnt exist and set its password
+ 2. Verify password with a bind
+ 3. Modify userPassword attr with invalid value
+ 4. Attempt a bind with invalid password value
+ 5. Verify original password with a bind
+ :expectedresults:
+ 1. The user with userPassword should be added successfully
+ 2. Operation should be successful
+ 3. Server returns ldap.UNWILLING_TO_PERFORM
+ 4. Server returns ldap.INVALID_CREDENTIALS
+ 5. Operation should be successful
+ """
+
+ log.info('Running test_password_modify_non_utf8...')
+
+ # Create user and set password
+ standalone = topology_st.standalone
+ users = UserAccounts(standalone, DEFAULT_SUFFIX)
+ if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
+ user = users.create(properties=TEST_USER_PROPERTIES)
+ else:
+ user = users.get(TEST_USER_PROPERTIES['uid'][0])
+ user.set('userpassword', PASSWORD)
+
+ # Verify password
+ try:
+ user.bind(PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
+ assert False
+
+ # Modify userPassword with an invalid value
+ password = b'tes\x82t-password' # A non UTF-8 encoded password
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+ user.replace('userpassword', password)
+
+ # Verify a bind fails with invalid pasword
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ user.bind(password)
+
+ # Verify we can still bind with original password
+ try:
+ user.bind(PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
+ assert False
+
+ log.info('test_password_modify_non_utf8: PASSED')
+
if __name__ == '__main__':
# Run isolated
# -s for DEBUG mode
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index a20984e0b..fb65d58b3 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
* flagged - leave mod attributes alone */
if (!repl_op && !skip_modified_attrs && lastmod) {
modify_update_last_modified_attr(pb, &smods);
+ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
}
+
if (0 == slapi_mods_get_num_mods(&smods)) {
/* nothing to do - no mods - this is not an error - just
send back LDAP_SUCCESS */
@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
/* encode password */
if (pw_encodevals_ext(pb, sdn, va)) {
- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
+ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
+ "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
+ "check value is utf8 string.\n", 0, NULL);
valuearray_free(&va);
goto free_and_return;
}
--
2.41.0

150
CVE-2024-3657.patch Normal file
View File

@ -0,0 +1,150 @@
Origin: https://git.centos.org/rpms/389-ds-base/blob/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0049-CVE-2024-3657-7.9.patch
From 7f5ac2097be424a55248e391c6b40635d01b1fa6 Mon Sep 17 00:00:00 2001
From: Pierre Rogier <progier@redhat.com>
Date: Wed, 17 Apr 2024 18:18:04 +0200
Subject: [PATCH] CVE-2024-3657-7.9
---
ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++++++-------------
1 file changed, 59 insertions(+), 52 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index f0b969ff4..53a041ad1 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
#define INDEX_BUFFER_FLAG_SERIALIZE 1
#define INDEX_BUFFER_FLAG_STATS 2
+/*
+ * space needed to encode a byte:
+ * 0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
+ * 0x22 and 0x5C requires 2 bytes: \" and \\
+ * other requires 1 byte: c
+ */
+static char encode_size[] = {
+ /* 0x00 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x10 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x20 */ 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x30 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x40 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x50 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
+ /* 0x60 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x70 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
+ /* 0x80 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x90 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xA0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xB0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xC0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xD0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xE0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xF0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+};
+
+
/* Index buffering functions */
static int
@@ -800,65 +826,46 @@ index_add_mods(
/*
* Convert a 'struct berval' into a displayable ASCII string
+ * returns the printable string
*/
-
-#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
-
const char *
encode(const struct berval *data, char buf[BUFSIZ])
{
- char *s;
- char *last;
- if (data == NULL || data->bv_len == 0)
- return "";
- last = data->bv_val + data->bv_len - 1;
- for (s = data->bv_val; s < last; ++s) {
- if (SPECIAL(*s)) {
- char *first = data->bv_val;
- char *bufNext = buf;
- size_t bufSpace = BUFSIZ - 4;
- while (1) {
- /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
- if (bufSpace < (size_t)(s - first))
- s = first + bufSpace - 1;
- if (s != first) {
- memcpy(bufNext, first, s - first);
- bufNext += (s - first);
- bufSpace -= (s - first);
- }
- do {
- if (bufSpace) {
- *bufNext++ = '\\';
- --bufSpace;
- }
- if (bufSpace < 2) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
- if (*s == '\\' || *s == '"') {
- *bufNext++ = *s;
- --bufSpace;
- } else {
- sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
- bufNext += 2;
- bufSpace -= 2;
- }
- } while (++s <= last && SPECIAL(*s));
- if (s > last)
- break;
- first = s;
- while (!SPECIAL(*s) && s <= last)
- ++s;
- }
- bail:
- *bufNext = '\0';
- /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
+ if (!data || !data->bv_val) {
+ strcpy(buf, "<NULL>");
+ return buf;
+ }
+ char *endbuff = &buf[BUFSIZ-4]; /* Reserve space to append "...\0" */
+ char *ptout = buf;
+ unsigned char *ptin = (unsigned char*) data->bv_val;
+ unsigned char *endptin = ptin+data->bv_len;
+
+ while (ptin < endptin) {
+ if (ptout >= endbuff) {
+ /*
+ * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
+ * truncated anyway. So there is no real interrest to test if the original
+ * data contains no special characters and return it as is.
+ */
+ strcpy(endbuff, "...");
return buf;
}
+ switch (encode_size[*ptin]) {
+ case 1:
+ *ptout++ = *ptin++;
+ break;
+ case 2:
+ *ptout++ = '\\';
+ *ptout++ = *ptin++;
+ break;
+ case 3:
+ sprintf(ptout, "\\%02x", *ptin++);
+ ptout += 3;
+ break;
+ }
}
- /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
- return data->bv_val;
+ *ptout = 0;
+ return buf;
}
static const char *
--
2.41.0

167
CVE-2024-5953.patch Normal file
View File

@ -0,0 +1,167 @@
Origin:
https://github.com/389ds/389-ds-base/commit/e269182d7a5d6d23abba86dbfe0cbadce2ea3147
https://git.almalinux.org/rpms/389-ds-base/src/commit/4a9b4e4bb82f35452e19999ed6a946d412e82619/SOURCES/0012-Security-fix-for-CVE-2024-5953.patch
From 57051154bafaf50b83fc27dadbd89a49fd1c8c36 Mon Sep 17 00:00:00 2001
From: Pierre Rogier <progier@redhat.com>
Date: Fri, 14 Jun 2024 13:27:10 +0200
Subject: [PATCH] Security fix for CVE-2024-5953
Description:
A denial of service vulnerability was found in the 389 Directory Server.
This issue may allow an authenticated user to cause a server denial
of service while attempting to log in with a user with a malformed hash
in their password.
Fix Description:
To prevent buffer overflow when a bind request is processed, the bind fails
if the hash size is not coherent without even attempting to process further
the hashed password.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5953
- https://access.redhat.com/security/cve/CVE-2024-5953
- https://bugzilla.redhat.com/show_bug.cgi?id=2292104
---
.../tests/suites/password/regression_test.py | 54 ++++++++++++++++++-
ldap/servers/plugins/pwdstorage/md5_pwd.c | 9 +++-
ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 6 +++
3 files changed, 66 insertions(+), 3 deletions(-)
diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
index 8f1facb6d..1fa581643 100644
--- a/dirsrvtests/tests/suites/password/regression_test.py
+++ b/dirsrvtests/tests/suites/password/regression_test.py
@@ -7,12 +7,14 @@
#
import pytest
import time
+import glob
+import base64
from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX
from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB
from lib389 import Entry
from lib389.topologies import topology_m1 as topo_supplier
-from lib389.idm.user import UserAccounts
-from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer
+from lib389.idm.user import UserAccounts, UserAccount
+from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer, ds_supports_new_changelog
from lib389.topologies import topology_st as topo
from lib389.idm.organizationalunit import OrganizationalUnits
@@ -39,6 +41,13 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
TEST_PASSWORDS2 = (
'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123')
+SUPPORTED_SCHEMES = (
+ "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}",
+ "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}",
+ "{crypt}", "{NS-MTA-MD5}", "{clear}", "{MD5}",
+ "{SMD5}", "{PBKDF2_SHA256}", "{PBKDF2_SHA512}",
+ "{GOST_YESCRYPT}", "{PBKDF2-SHA256}", "{PBKDF2-SHA512}" )
+
def _check_unhashed_userpw(inst, user_dn, is_present=False):
"""Check if unhashed#user#password attribute is present or not in the changelog"""
unhashed_pwd_attribute = 'unhashed#user#password'
@@ -319,6 +328,47 @@ def test_unhashed_pw_switch(topo_supplier):
# Add debugging steps(if any)...
pass
+@pytest.mark.parametrize("scheme", SUPPORTED_SCHEMES )
+def test_long_hashed_password(topo, create_user, scheme):
+ """Check that hashed password with very long value does not cause trouble
+
+ :id: 252a1f76-114b-11ef-8a7a-482ae39447e5
+ :setup: standalone Instance
+ :parametrized: yes
+ :steps:
+ 1. Add a test user user
+ 2. Set a long password with requested scheme
+ 3. Bind on that user using a wrong password
+ 4. Check that instance is still alive
+ 5. Remove the added user
+ :expectedresults:
+ 1. Success
+ 2. Success
+ 3. Should get ldap.INVALID_CREDENTIALS exception
+ 4. Success
+ 5. Success
+ """
+ inst = topo.standalone
+ inst.simple_bind_s(DN_DM, PASSWORD)
+ users = UserAccounts(inst, DEFAULT_SUFFIX)
+ # Make sure that server is started as this test may crash it
+ inst.start()
+ # Adding Test user (It may already exists if previous test failed)
+ user2 = UserAccount(inst, dn='uid=test_user_1002,ou=People,dc=example,dc=com')
+ if not user2.exists():
+ user2 = users.create_test_user(uid=1002, gid=2002)
+ # Setting hashed password
+ passwd = 'A'*4000
+ hashed_passwd = scheme.encode('utf-8') + base64.b64encode(passwd.encode('utf-8'))
+ user2.replace('userpassword', hashed_passwd)
+ # Bind on that user using a wrong password
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ conn = user2.bind(PASSWORD)
+ # Check that instance is still alive
+ assert inst.status()
+ # Remove the added user
+ user2.delete()
+
if __name__ == '__main__':
# Run isolated
diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
index 1e2cf58e7..b9a48d5ca 100644
--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
@@ -37,6 +37,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
unsigned char hash_out[MD5_HASH_LEN];
unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
SECItem binary_item;
+ size_t dbpwd_len = strlen(dbpwd);
ctx = PK11_CreateDigestContext(SEC_OID_MD5);
if (ctx == NULL) {
@@ -45,6 +46,12 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
goto loser;
}
+ if (dbpwd_len >= sizeof b2a_out) {
+ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
+ "The hashed password stored in the user entry is longer than any valid md5 hash");
+ goto loser;
+ }
+
/* create the hash */
PK11_DigestBegin(ctx);
PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
@@ -57,7 +64,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
/* bver points to b2a_out upon success */
if (bver) {
- rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
+ rc = slapi_ct_memcmp(bver, dbpwd, dbpwd_len);
} else {
slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
"Could not base64 encode hashed value for password compare");
diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
index dcac4fcdd..82b8c9501 100644
--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
@@ -255,6 +255,12 @@ pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd)
passItem.data = (unsigned char *)userpwd;
passItem.len = strlen(userpwd);
+ if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) > sizeof dbhash) {
+ /* Hashed value is too long and cannot match any value generated by pbkdf2_sha256_hash */
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value. (hashed value is too long)\n");
+ return result;
+ }
+
/* Decode the DBpwd to bytes from b64 */
if (PL_Base64Decode(dbpwd, dbpwd_len, dbhash) == NULL) {
slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n");
--
2.46.0

34
CVE-2024-8445.patch Normal file
View File

@ -0,0 +1,34 @@
From 1d3fddaac336f84e87ba399388f85734d79ebb95 Mon Sep 17 00:00:00 2001
From: Pierre Rogier <progier@redhat.com>
Date: Mon, 23 Sep 2024 19:18:52 +0200
Subject: [PATCH] Security fix for CVE-2024-8445
Description:
The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all
scenarios. In certain product versions, this issue may allow
an authenticated user to cause a server crash while modifying
`userPassword` using malformed input.
References:
- https://access.redhat.com/security/cve/CVE-2024-8445
- https://nvd.nist.gov/vuln/detail/cve-2024-8445
- https://bugzilla.redhat.com/show_bug.cgi?id=2310110
- https://nvd.nist.gov/vuln/detail/CVE-2024-2199
- https://access.redhat.com/security/cve/CVE-2024-2199
- https://bugzilla.redhat.com/show_bug.cgi?id=2267976
---
ldap/servers/slapd/modify.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 669bb104ca..2fab346ec3 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -940,6 +940,7 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
"check value is utf8 string.\n", 0, NULL);
valuearray_free(&va);
+ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, (void *)slapi_mods_get_ldapmods_passout(&smods));
goto free_and_return;
}

40
backport-Issue-5142-CLI-dsctl-dbgen-is-broken.patch Normal file
View File

@ -0,0 +1,40 @@
From ba7ad9a4f7d1509fa201d39099af342bbaf67aaf Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 3 Feb 2022 16:06:07 -0500
Subject: [PATCH] Issue 5142 - CLI - dsctl dbgen is broken
Description:
Changes to dsctl broke dbgen which requires instance.userid to
set the permissions of the ldif file. It occurred when we added:
local_simple_allocate(). The fix is add userid in this allocate
function.
relates: https://github.com/389ds/389-ds-base/issues/5142
Reviewed by: progier(Thanks!)
---
src/lib389/lib389/__init__.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
index 78430d720e..b8ca7685f5 100644
--- a/src/lib389/lib389/__init__.py
+++ b/src/lib389/lib389/__init__.py
@@ -446,6 +446,7 @@ def local_simple_allocate(self, serverid, ldapuri=None, binddn='cn=Directory Man
self.isLocal = True
self.ds_paths = Paths(serverid, instance=self, local=self.isLocal)
self.serverid = serverid
+ self.userid = self.ds_paths.user
# Do we have ldapi settings?
self.ldapi_enabled = None
@@ -547,7 +548,7 @@ def allocate(self, args):
self.host = ldapuri_parsed.hostname
try:
self.port = ldapuri_parsed.port
- except ValueError as e:
+ except ValueError:
self.port = DEFAULT_PORT
else:
self.host = args.get(SER_HOST, socket.gethostname())

11
fix-dsidm-role-subtree-status-fails-with-TypeError.patch Normal file
View File

@ -0,0 +1,11 @@
--- 389-ds-base-3.1.1/src/lib389/lib389/cli_idm/role.py 2024-11-26 14:12:42.805280521 +0800
+++ 389-ds-base-3.1.1/src/lib389/lib389/cli_idm/role.py 2024-11-26 14:13:08.157340335 +0800
@@ -109,7 +109,7 @@
filter = ""
scope = ldap.SCOPE_SUBTREE
- role_list = Roles(inst, basedn).filter(filter, scope)
+ role_list = Roles(inst, basedn).filter(filter, scope=scope)
if not role_list:
raise ValueError(f"No entries were found under {basedn} or the user doesn't have an access")

38
fix-typo.patch Normal file
View File

@ -0,0 +1,38 @@
diff --git a/src/lib389/lib389/cli_conf/backend.py b/src/lib389/lib389/cli_conf/backend.py
index 5bcc098..1a02e20 100644
--- a/src/lib389/lib389/cli_conf/backend.py
+++ b/src/lib389/lib389/cli_conf/backend.py
@@ -217,7 +217,7 @@ def backend_create(inst, basedn, log, args):
# Unsupported rdn
raise ValueError("Suffix RDN is not supported for creating suffix object. Only 'dc', 'o', 'ou', and 'cn' are supported.")
- log.info("The database was sucessfully created")
+ log.info("The database was successfully created")
def _recursively_del_backends(be):
@@ -244,7 +244,7 @@ def backend_delete(inst, basedn, log, args, warn=True):
_recursively_del_backends(be)
be.delete()
- log.info("The database, and any sub-suffixes, were sucessfully deleted")
+ log.info("The database, and any sub-suffixes, were successfully deleted")
def backend_import(inst, basedn, log, args):
diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py
index 00d3846..91b1cf5 100644
--- a/src/lib389/lib389/config.py
+++ b/src/lib389/lib389/config.py
@@ -291,7 +291,7 @@ class Encryption(DSLdapObject):
:type ciphers: list of str
"""
self.set('nsSSL3Ciphers', ','.join(ciphers))
- self._log.info('Remeber to restart the server to apply the new cipher set.')
+ self._log.info('Remember to restart the server to apply the new cipher set.')
self._log.info('Some ciphers may be disabled anyway due to allowWeakCipher attribute.')
def _get_listed_ciphers(self, attr):
--
2.33.0

47
remove-where-cockpit_present-is-called.patch Normal file
View File

@ -0,0 +1,47 @@
From d1f5ab91be74f0c599e619d2ffbf5aa59d389e7c Mon Sep 17 00:00:00 2001
From: cherry530 <707078654@qq.com>
Date: Mon, 25 Nov 2024 15:38:27 +0800
Subject: [PATCH] Remove where cockpit_present is called
Signed-off-by: cherry530 <707078654@qq.com>
---
src/lib389/lib389/cli_ctl/cockpit.py | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/src/lib389/lib389/cli_ctl/cockpit.py b/src/lib389/lib389/cli_ctl/cockpit.py
index afc7247..13a3eae 100644
--- a/src/lib389/lib389/cli_ctl/cockpit.py
+++ b/src/lib389/lib389/cli_ctl/cockpit.py
@@ -27,9 +27,6 @@ def open_firewall(inst, log, args):
"""
Open the firewall for Cockpit service
"""
- if not cockpit_present():
- raise ValueError("The 'cockpit' package is not installed on this system")
-
OPEN_CMD = ['sudo', 'firewall-cmd', '--add-service=cockpit', '--permanent']
if args.zone is not None:
OPEN_CMD.append(f' --zone={args.zone}')
@@ -43,9 +40,6 @@ def disable_cockpit(inst, log, args):
"""
Disable Cockpit socket
"""
- if not cockpit_present():
- raise ValueError("The 'cockpit' package is not installed on this system")
-
DISABLE_CMD = ['sudo', 'systemctl', 'disable', '--now', 'cockpit.socket']
try:
subprocess.run(DISABLE_CMD)
@@ -57,9 +51,6 @@ def close_firewall(inst, log, args):
"""
Close firewall for Cockpit service
"""
- if not cockpit_present():
- raise ValueError("The 'cockpit' package is not installed on this system")
-
CLOSE_CMD = ['sudo', 'firewall-cmd', '--remove-service=cockpit', '--permanent']
try:
subprocess.run(CLOSE_CMD)
--
2.43.0