[bind-dyndb-ldap] Fix CVE-2012-3429

Adam Tkac atkac at fedoraproject.org
Thu Aug 2 11:40:22 UTC 2012


commit 7f4ce0a96fb53cb9ad22e5cf84311bb30f556ba7
Author: Adam Tkac <vonsch at gmail.com>
Date:   Thu Aug 2 13:39:50 2012 +0200

    Fix CVE-2012-3429
    
    Signed-off-by: Adam Tkac <vonsch at gmail.com>

 ...den-DNS-to-LDAP-name-conversion.-Fixes-CV.patch |   91 ++++++++++++++++++++
 bind-dyndb-ldap.spec                               |    7 ++-
 2 files changed, 97 insertions(+), 1 deletions(-)
---
diff --git a/0001-Fix-and-harden-DNS-to-LDAP-name-conversion.-Fixes-CV.patch b/0001-Fix-and-harden-DNS-to-LDAP-name-conversion.-Fixes-CV.patch
new file mode 100644
index 0000000..1ed2c71
--- /dev/null
+++ b/0001-Fix-and-harden-DNS-to-LDAP-name-conversion.-Fixes-CV.patch
@@ -0,0 +1,91 @@
+From f345805c73c294db42452ae966c48fbc36c48006 Mon Sep 17 00:00:00 2001
+From: Petr Spacek <pspacek at redhat.com>
+Date: Fri, 20 Jul 2012 14:55:43 +0200
+Subject: [PATCH] Fix and harden DNS-to-LDAP name conversion. Fixes
+ CVE-2012-3429.
+
+Signed-off-by: Petr Spacek <pspacek at redhat.com>
+---
+ src/ldap_convert.c | 44 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/src/ldap_convert.c b/src/ldap_convert.c
+index 6b4e321..3352c57 100644
+--- a/src/ldap_convert.c
++++ b/src/ldap_convert.c
+@@ -192,16 +192,23 @@ cleanup:
+ }
+ 
+ /**
++ * WARNING! This function is used to mangle input from network
++ *          and it is security sensitive.
++ *
+  * Convert a string from DNS escaping to LDAP escaping.
+  * The Input string dns_str is expected to be the result of dns_name_tostring().
+  * The DNS label can contain any binary data as described in
+  * http://tools.ietf.org/html/rfc2181#section-11 .
+  *
+- * DNS escaping uses form   "\123" = ASCII value 123 (decimal)
++ * DNS escaping uses 2 forms: (see dns_name_totext2() in bind/lib/dns/name.c)
++ *     form "\123" = ASCII value 123 (decimal)
++ *     form "\$" = character '$' is escaped with '\'
++ *     WARNING! Some characters are not escaped at all (e.g. ',').
++ *
+  * LDAP escaping users form "\7b"  = ASCII value 7b (hexadecimal)
+  *
+- * Input (DNS escaped) example  : _aaa,bbb\255\000ccc.555.ddd-eee
+- * Output (LDAP escaped) example: _aaa\2cbbb\ff\00ccc.555.ddd-eee
++ * Input  (DNS escaped)  example: \$.\255_aaa,bbb\127\000ccc.555.ddd-eee
++ * Output (LDAP escaped) example: \24.\ff_aaa\2cbbb\7f\00ccc.555.ddd-eee
+  *
+  * The DNS to text functions from ISC libraries do not convert certain
+  * characters (e.g. ","). This function converts \123 form to \7b form in all
+@@ -248,13 +255,23 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, const char const * dns_str, char ** ldap_
+ 			}
+ 			if (dns_str[dns_idx] != '\\') { /* not nice raw value, e.g. ',' */
+ 				ascii_val = dns_str[dns_idx];
+-			} else { /* not nice value in DNS \123 decimal format */
+-				/* check if input length <= expected size */
+-				REQUIRE (dns_str_len > dns_idx + 3); /* this problem should never happen */
+-				ascii_val = 100 * (dns_str[dns_idx + 1] - '0')
+-						+ 10 * (dns_str[dns_idx + 2] - '0')
+-						+ (dns_str[dns_idx + 3] - '0');
+-				dns_idx += 3;
++			} else { /* DNS escaped value, it starts with '\' */
++				if (!(dns_idx + 1 < dns_str_len)) {
++					CHECK(DNS_R_BADESCAPE); /* this problem should never happen */
++				}
++				if (isdigit(dns_str[dns_idx + 1])) { /* \123 decimal format */
++					/* check if input length <= expected size */
++					if (!(dns_idx + 3 < dns_str_len)) {
++						CHECK(DNS_R_BADESCAPE); /* this problem should never happen */
++					}
++					ascii_val = 100 * (dns_str[dns_idx + 1] - '0')
++							+ 10 * (dns_str[dns_idx + 2] - '0')
++							+ (dns_str[dns_idx + 3] - '0');
++					dns_idx += 3;
++				} else { /* \$ single char format */
++					ascii_val = dns_str[dns_idx + 1];
++					dns_idx += 1;
++				}
+ 			}
+ 			/* LDAP uses \xy escaping. "xy" represent two hexadecimal digits.*/
+ 			/* TODO: optimize to bit mask & rotate & dec->hex table? */
+@@ -272,8 +289,13 @@ dns_to_ldap_dn_escape(isc_mem_t *mctx, const char const * dns_str, char ** ldap_
+ 	return ISC_R_SUCCESS;
+ 
+ cleanup:
+-	if (*ldap_name)
++	if (result == DNS_R_BADESCAPE)
++		log_bug("improperly escaped DNS string: '%s'", dns_str);
++
++	if (*ldap_name) {
+ 		isc_mem_free(mctx, *ldap_name);
++		*ldap_name = NULL;
++	}
+ 	return result;
+ }
+ 
+-- 
+1.7.11.2
+
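Review bot: In the new `\123` decimal branch only the first escape character is tested with `isdigit` and the remaining guard is a length check, so an input such as `\1x9` or `\999` passes and `ascii_val` is built from non-digit bytes or ends up above 255; what the `\xy` hex emission further down does with such a value is outside this hunk, but for a routine whose header comment now calls it security sensitive the decoder should reject the escape itself with `CHECK(DNS_R_BADESCAPE)`. The `isdigit` argument is a plain `char` taken from a `const char *` buffer that the comment says may carry arbitrary binary data, so it should be cast to `unsigned char` before the `<ctype.h>` call, which is undefined for negative values other than EOF. The enclosing `dns_to_ldap_dn_escape` starts before and ends after this hunk, so the declared type of `ascii_val` is not visible; the `> 255` test below assumes it is at least an `int`, which the existing `100 * …` arithmetic suggests but does not prove.
```c
				if (isdigit((unsigned char)dns_str[dns_idx + 1])) { /* \123 decimal format */
					/* all three digits must be present and numeric */
					if (!(dns_idx + 3 < dns_str_len)
					    || !isdigit((unsigned char)dns_str[dns_idx + 2])
					    || !isdigit((unsigned char)dns_str[dns_idx + 3])) {
						CHECK(DNS_R_BADESCAPE); /* this problem should never happen */
					}
					ascii_val = 100 * (dns_str[dns_idx + 1] - '0')
							+ 10 * (dns_str[dns_idx + 2] - '0')
							+ (dns_str[dns_idx + 3] - '0');
					if (ascii_val > 255) { /* \256..\999 is not a byte value */
						CHECK(DNS_R_BADESCAPE);
					}
					dns_idx += 3;
				} else { /* \$ single char format */
					/* … unchanged: single-char escape … */
				}
```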
diff --git a/bind-dyndb-ldap.spec b/bind-dyndb-ldap.spec
index f9e35fa..5962306 100644
--- a/bind-dyndb-ldap.spec
+++ b/bind-dyndb-ldap.spec
@@ -6,7 +6,7 @@
 
 Name:           bind-dyndb-ldap
 Version:        1.1.0
-Release:        0.13.%{PREVER}%{?dist}
+Release:        0.14.%{PREVER}%{?dist}
 Summary:        LDAP back-end plug-in for BIND
 
 Group:          System Environment/Libraries
@@ -22,6 +22,7 @@ BuildRequires:  openldap-devel
 Requires:       bind >= 32:9.6.1-0.3.b1
 
 Patch0: bind-dyndb-ldap110-master.patch
+Patch1: 0001-Fix-and-harden-DNS-to-LDAP-name-conversion.-Fixes-CV.patch
 
 %description
 This package provides an LDAP back-end plug-in for BIND. It features
@@ -33,6 +34,7 @@ off of your LDAP server.
 %setup -q -n %{name}-%{VERSION}
 
 %patch0 -p1 -b .master
+%patch1 -p1 -b .CVE-2012-3429
 
 %build
 export CFLAGS="`isc-config.sh --cflags dns` $RPM_OPT_FLAGS"
@@ -60,6 +62,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Thu Aug 02 2012 Adam Tkac <atkac redhat com> 1.1.0-0.14.rc1
+- fix CVE-2012-3429
+
 * Wed Jul 18 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.1.0-0.13.rc1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 

