VERSION.sh | 2
ldap/servers/plugins/retrocl/retrocl.c | 67 +++++++++++++++++++++++++-
ldap/servers/plugins/retrocl/retrocl_create.c | 4 -
ldap/servers/plugins/retrocl/retrocl_po.c | 6 ++
ldap/servers/slapd/modify.c | 39 ++++++++-------
5 files changed, 95 insertions(+), 23 deletions(-)
New commits:
commit 0e31f704590eefa6a575c0b70febe4ea5451e5d5
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Mar 6 17:10:54 2015 -0800
Bump version to 1.3.2.27
diff --git a/VERSION.sh b/VERSION.sh
index afd7328..33fa2c4 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=3
-VERSION_MAINT=2.26
+VERSION_MAINT=2.27
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 1bd16db632ea8c64470ddf295a7f28d8a012412a
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Tue Dec 16 16:53:07 2014 -0500
Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
Fix for CVE-2014-8105
Description: At server startup check for the Retro Changelog default ACI
on cn=changelog, if present delete it.
Reviewed by: lkrispenz(Thanks!)
(cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
(cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)
(cherry picked from commit 74e80db8380a4606e07672dfb5e3f7d403efe150)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c
b/ldap/servers/plugins/retrocl/retrocl.c
index d21b085..2ced2d5 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -307,6 +307,68 @@ char *retrocl_get_config_str(const char *attrt)
return ma;
}
+static void
+retrocl_remove_legacy_default_aci(void)
+{
+ Slapi_PBlock *pb = NULL;
+ Slapi_Entry **entries;
+ char **aci_vals = NULL;
+ char *attrs[] = {"aci", NULL};
+ int rc;
+
+ pb = slapi_pblock_new();
+ slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE,
"objectclass=*",
+ attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
+ slapi_search_internal_pb(pb);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if (rc == LDAP_SUCCESS) {
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
+ if(entries && entries[0]){
+ if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
+ if(charray_inlist(aci_vals, RETROCL_ACL)){
+ /*
+ * Okay, we need to remove the aci
+ */
+ LDAPMod mod;
+ LDAPMod *mods[2];
+ char *val[2];
+ Slapi_PBlock *mod_pb = 0;
+
+ mod_pb = slapi_pblock_new();
+ mods[0] = &mod;
+ mods[1] = 0;
+ val[0] = RETROCL_ACL;
+ val[1] = 0;
+ mod.mod_op = LDAP_MOD_DELETE;
+ mod.mod_type = "aci";
+ mod.mod_values = val;
+
+ slapi_modify_internal_set_pb_ext(mod_pb,
slapi_entry_get_sdn(entries[0]),
+ mods, 0, 0,
g_plg_identity[PLUGIN_RETROCL], 0);
+ slapi_modify_internal_pb(mod_pb);
+ slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if(rc == LDAP_SUCCESS){
+ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+ "Successfully removed vulnerable legacy default aci
\"%s\". "
+ "If the aci removal was not desired please use a
different \"acl "
+ "name\" so it is not removed at the next plugin
startup.\n",
+ RETROCL_ACL);
+ } else {
+ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+ "Failed to removed vulnerable legacy default aci
(%s) error %d\n",
+ RETROCL_ACL, rc);
+ }
+ slapi_pblock_destroy(mod_pb);
+ }
+ slapi_ch_array_free(aci_vals);
+ }
+ }
+ }
+ slapi_free_search_results_internal(pb);
+ slapi_pblock_destroy(pb);
+}
+
+
/*
* Function: retrocl_start
*
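Review bot: `entries` and `rc` are declared without initializers and both are read only after `slapi_pblock_get` is expected to fill them; that call's result is never checked, so if it does not store, the `rc == LDAP_SUCCESS` test and the `entries[0]` dereference read indeterminate values — declare them as `Slapi_Entry **entries = NULL;` and `int rc = -1;`. The function also has no header comment; add one stating that it does a base-scope search of RETROCL_CHANGELOG_DN for an `aci` value equal to RETROCL_ACL and deletes that value, and that the match via `charray_inlist` appears to be an exact string comparison, so an edited or reformatted copy of the legacy aci would be left in place (worth confirming against charray_inlist). The failure log text reads `Failed to removed vulnerable legacy default aci`; it should be `Failed to remove vulnerable legacy default aci`.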
@@ -337,7 +399,10 @@ static int retrocl_start (Slapi_PBlock *pb)
LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro
changelog (%d).\n",rc);
return rc;
}
-
+
+ /* Remove the old default aci as it exposes passwords changes to anonymous users */
+ retrocl_remove_legacy_default_aci();
+
retrocl_init_trimming();
if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
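Review bot: The new comment has a grammatical slip; `/* Remove the old default aci as it exposes password changes to anonymous users */`. It would also help a reader to say that the removal is attempted on every plugin start, which is why the log message in retrocl_remove_legacy_default_aci talks about the next startup. retrocl_start's body continues outside the hunk.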
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c
b/ldap/servers/plugins/retrocl/retrocl_create.c
index 1ffdaae..870421c 100644
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
val.bv_len = strlen(val.bv_val);
slapi_entry_add_values( e, "cn", vals );
- val.bv_val = RETROCL_ACL;
- val.bv_len = strlen(val.bv_val);
- slapi_entry_add_values( e, "aci", vals );
-
pb = slapi_pblock_new ();
slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
g_plg_identity[PLUGIN_RETROCL],
commit 7c5cc6c06f976f5240cb1135de5971f502b82be7
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Fri Nov 28 14:23:06 2014 +0100
Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
Fix for CVE-2014-8112
If the unhashed pw switch is set to off this should only
prevent the generation of the unhashed#user#password
attribute.
But encoding of pw values and detection of which values have
to be deleted needs to stay intact.
So the check if the switch is set has to be placed close to
the generation of the attribute in different 'if' branches
Reviewed by Noriko, thanks
(cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
(cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)
(cherry picked from commit 8603d6533d84009e13a94ce6327abfba7ae73ef4)
diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c
b/ldap/servers/plugins/retrocl/retrocl_po.c
index 8758487..a1d28e3 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char
**includeattrs)
continue;
}
}
+ if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
+ if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
+ /* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
+ continue;
+ }
+ }
switch ( ldm[ i ]->mod_op & ~LDAP_MOD_BVALUES ) {
case LDAP_MOD_ADD:
addlenstr( l, "add: " );
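Review bot: `slapi_config_get_unhashed_pw_switch()` is re-read for every element of `ldm` even though the setting cannot change within one call; read it once before the loop into a local, `int unhashed_pw_switch = slapi_config_get_unhashed_pw_switch();`, and test `SLAPD_UNHASHED_PW_NOLOG == unhashed_pw_switch` here. The `strcasecmp` is the appropriate comparison, since the attribute name is produced with `slapi_attr_syntax_normalize` in modify.c within this same commit. The enclosing loop and the start of make_changes_string lie outside the hunk.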
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 34fc326..7b506b2 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
* before calling the preop plugins
*/
- if (pw_change && !repl_op &&
- (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
+ if (pw_change && !repl_op ) {
Slapi_Value **va = NULL;
unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
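Review bot: Dropping the switch test from this condition means the same `SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()` test is now repeated in each of the three later hunks of op_shared_modify, so the config is read up to several times per modify; if those branches are, as they appear to be, nested inside the block opened here, read the setting once at the top of it, `int unhashed_pw_switch = config_get_unhashed_pw_switch();`, and compare the later branches against the local. There is also a stray space in `if (pw_change && !repl_op ) {`; `if (pw_change && !repl_op) {` matches the surrounding style. The block opened here closes outside the hunk.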
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
* Finally, delete the unhashed userpassword
* (this will update the password entry extension)
*/
- bval.bv_val = password;
- bval.bv_len = strlen(password);
- bv[0] = &bval;
- bv[1] = NULL;
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
- valuearray_free(&va);
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ bval.bv_val = password;
+ bval.bv_len = strlen(password);
+ bv[0] = &bval;
+ bv[1] = NULL;
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ }
} else {
/*
* Password is encoded, try and find a matching unhashed_password to delete
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
/* match, add the delete mod for this particular unhashed userpassword */
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr,
va);
- valuearray_free(&va);
- free_pw_scheme( unhashed_pwsp );
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr,
va);
+ valuearray_free(&va);
+ free_pw_scheme( unhashed_pwsp );
+ }
break;
}
} else {
/*
* We have a hashed unhashed_userpassword! We must delete it.
*/
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
- valuearray_free(&va);
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr,
va);
+ valuearray_free(&va);
+ }
}
free_pw_scheme( unhashed_pwsp );
}
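Review bot: Moving `free_pw_scheme( unhashed_pwsp );` inside the new switch check leaks `unhashed_pwsp` when the switch is off and the clear-text value matches: the `break;` that follows still executes, and if it leaves the loop that the closing brace on the last hunk line appears to end, the unconditional `free_pw_scheme( unhashed_pwsp );` after the if/else is skipped as well. Keep the free unconditional by placing it directly before `break;`, outside the new `if` block, so the sequence reads `}` then `free_pw_scheme( unhashed_pwsp );` then `break;`. The hashed branch below is fine as it falls through to the trailing free. The enclosing loop and op_shared_modify itself start outside the hunk.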
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr,
&a)){
slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
}
- } else {
+ } else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
/* add pseudo password attribute */
valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
if(va){