[freeipa/f18] Fix DoS when connecting with a missing username/dn (#928387)
Martin Kosek
mkosek at fedoraproject.org
Fri Mar 29 07:20:15 UTC 2013
commit bb4eca061bb01bb5215461dee6938f403256baa4
Author: Martin Kosek <mkosek at redhat.com>
Date: Fri Mar 29 08:19:19 2013 +0100
Fix DoS when connecting with a missing username/dn (#928387)
...s-when-connecting-with-a-missing-username.patch | 70 ++++++++++++++++++++
freeipa.spec | 7 ++-
2 files changed, 76 insertions(+), 1 deletions(-)
---
diff --git a/0001-bz928387-dos-when-connecting-with-a-missing-username.patch b/0001-bz928387-dos-when-connecting-with-a-missing-username.patch
new file mode 100644
index 0000000..e483ca8
--- /dev/null
+++ b/0001-bz928387-dos-when-connecting-with-a-missing-username.patch
@@ -0,0 +1,70 @@
+From 6e7ef35195ab0e9b93b3b937125c3f9e285219de Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Fri, 22 Feb 2013 09:40:35 +0100
+Subject: [PATCH] pa-pwd-extop: do not use dn until it is really set
+
+---
+ .../ipa-pwd-extop/ipa_pwd_extop.c | 40 +++++++++++-----------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+index 974eda31889109de80a263d1715e3a194ae431ef..b64084e9d503733a797dacfb06471ad580a0c886 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+@@ -240,26 +240,6 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
+ }
+
+ parse_req_done:
+-
+- if (usetxn) {
+- Slapi_DN *sdn = slapi_sdn_new_dn_byref(dn);
+- Slapi_Backend *be = slapi_be_select(sdn);
+- slapi_sdn_free(&sdn);
+- if (be) {
+- chpwop_pb = slapi_pblock_new();
+- if (slapi_pblock_set(chpwop_pb, SLAPI_BACKEND, be)) {
+- LOG_FATAL("slapi_pblock_set failed!\n");
+- rc = LDAP_OPERATIONS_ERROR;
+- goto free_and_return;
+- }
+- rc = slapi_back_transaction_begin(chpwop_pb);
+- if (rc) {
+- LOG_FATAL("failed to start transaction\n");
+- }
+- } else {
+- LOG_FATAL("failed to get be backend from %s\n", dn);
+- }
+- }
+ /* Uncomment for debugging, otherwise we don't want to leak the
+ * password values into the log... */
+ /* LDAPDebug( LDAP_DEBUG_ARGS, "passwd: dn (%s), oldPasswd (%s),
+@@ -313,6 +293,26 @@ parse_req_done:
+ goto free_and_return;
+ }
+
++ if (usetxn) {
++ Slapi_DN *sdn = slapi_sdn_new_dn_byref(dn);
++ Slapi_Backend *be = slapi_be_select(sdn);
++ slapi_sdn_free(&sdn);
++ if (be) {
++ chpwop_pb = slapi_pblock_new();
++ if (slapi_pblock_set(chpwop_pb, SLAPI_BACKEND, be)) {
++ LOG_FATAL("slapi_pblock_set failed!\n");
++ rc = LDAP_OPERATIONS_ERROR;
++ goto free_and_return;
++ }
++ rc = slapi_back_transaction_begin(chpwop_pb);
++ if (rc) {
++ LOG_FATAL("failed to start transaction\n");
++ }
++ } else {
++ LOG_FATAL("failed to get be backend from %s\n", dn);
++ }
++ }
++
+ /* Now we have the DN, look for the entry */
+ ret = ipapwd_getEntry(dn, &targetEntry, attrlist);
+ /* If we can't find the entry, then that's an error */
+--
+1.8.1.4
+
diff --git a/freeipa.spec b/freeipa.spec
index 4e1bc00..3821ffb 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -15,7 +15,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: freeipa
Version: 3.1.3
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -24,6 +24,8 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch0001: 0001-bz928387-dos-when-connecting-with-a-missing-username.patch
+
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.0
BuildRequires: svrcore-devel
@@ -774,6 +776,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Fri Mar 29 2013 Martin Kosek <mkosek at redhat.com> - 3.1.3-3
+- DoS when connecting with a missing username/dn (#928387)
+
* Thu Mar 28 2013 Martin Kosek <mkosek at redhat.com> - 3.1.3-2
- Avoid running ipa-ldap-updater twice
More information about the scm-commits
mailing list