
Bug#780298: marked as done (unblock: 389-ds-base/1.3.3.5-4)



Your message dated Wed, 11 Mar 2015 21:51:57 +0100
with message-id <5500AAED.1090002@thykier.net>
and subject line Re: Bug#780298: unblock: 389-ds-base/1.3.3.5-4
has caused the Debian Bug report #780298,
regarding unblock: 389-ds-base/1.3.3.5-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780298: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780298
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package 389-ds-base. It fixes CVE-2014-8105
and CVE-2014-8112.

unblock 389-ds-base/1.3.3.5-4

debdiff:

diff -Nru 389-ds-base-1.3.3.5/debian/changelog 389-ds-base-1.3.3.5/debian/changelog
--- 389-ds-base-1.3.3.5/debian/changelog	2015-01-16 14:40:30.000000000 +0100
+++ 389-ds-base-1.3.3.5/debian/changelog	2015-03-09 09:53:08.000000000 +0100
@@ -1,3 +1,11 @@
+389-ds-base (1.3.3.5-4) unstable; urgency=medium
+
+  * Security fixes (Closes: #779909)
+    - cve-2014-8105.diff: Fix for CVE-2014-8105
+    - cve-2014-8112.diff: Fix for CVE-2014-8112
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Mon, 09 Mar 2015 10:53:03 +0200
+
 389-ds-base (1.3.3.5-3) unstable; urgency=medium
 
   * use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
diff -Nru 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff
--- 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff	1970-01-01 01:00:00.000000000 +0100
+++ 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff	2015-03-09 09:46:02.000000000 +0100
@@ -0,0 +1,116 @@
+commit 74e80db8380a4606e07672dfb5e3f7d403efe150
+Author: Mark Reynolds <mreynolds@redhat.com>
+Date:   Tue Dec 16 16:53:07 2014 -0500
+
+    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
+    
+    Fix for CVE-2014-8105
+    
+    Description:  At server startup check for the Retro Changelog default ACI
+                  on cn=changelog, if present delete it.
+    
+    Reviewed by: lkrispenz(Thanks!)
+    
+    (cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
+    (cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 0d2a6dc..8a0f350 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
+     return ma;
+ }
+ 
++static void
++retrocl_remove_legacy_default_aci(void)
++{
++    Slapi_PBlock *pb = NULL;
++    Slapi_Entry **entries;
++    char **aci_vals = NULL;
++    char *attrs[] = {"aci", NULL};
++    int rc;
++
++    pb = slapi_pblock_new();
++    slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
++            attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
++    slapi_search_internal_pb(pb);
++    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++    if (rc == LDAP_SUCCESS) {
++        slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
++        if(entries && entries[0]){
++            if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
++                if(charray_inlist(aci_vals, RETROCL_ACL)){
++                    /*
++                     * Okay, we need to remove the aci
++                     */
++                    LDAPMod mod;
++                    LDAPMod *mods[2];
++                    char *val[2];
++                    Slapi_PBlock *mod_pb = 0;
++
++                    mod_pb = slapi_pblock_new();
++                    mods[0] = &mod;
++                    mods[1] = 0;
++                    val[0] = RETROCL_ACL;
++                    val[1] = 0;
++                    mod.mod_op = LDAP_MOD_DELETE;
++                    mod.mod_type = "aci";
++                    mod.mod_values = val;
++
++                    slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
++                                                    mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
++                    slapi_modify_internal_pb(mod_pb);
++                    slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++                    if(rc == LDAP_SUCCESS){
++                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++                                "Successfully removed vulnerable legacy default aci \"%s\".  "
++                                "If the aci removal was not desired please use a different \"acl "
++                                "name\" so it is not removed at the next plugin startup.\n",
++                                RETROCL_ACL);
++                    } else {
++                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++                                "Failed to removed vulnerable legacy default aci (%s) error %d\n",
++                                RETROCL_ACL, rc);
++                    }
++                    slapi_pblock_destroy(mod_pb);
++                }
++                slapi_ch_array_free(aci_vals);
++            }
++        }
++    }
++    slapi_free_search_results_internal(pb);
++    slapi_pblock_destroy(pb);
++}
++
++
+ /*
+  * Function: retrocl_start
+  *
+@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
+       LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
+       return rc;
+     }
+-   
++
++    /* Remove the old default aci as it exposes passwords changes to anonymous users */
++    retrocl_remove_legacy_default_aci();
++
+     retrocl_init_trimming();
+ 
+     if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
+diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
+index 1ffdaae..870421c 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_create.c
++++ b/ldap/servers/plugins/retrocl/retrocl_create.c
+@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
+     val.bv_len = strlen(val.bv_val);
+     slapi_entry_add_values( e, "cn", vals );  
+     
+-    val.bv_val = RETROCL_ACL;
+-    val.bv_len = strlen(val.bv_val);
+-    slapi_entry_add_values( e, "aci", vals );  
+-
+     pb = slapi_pblock_new ();
+     slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */, 
+ 				     g_plg_identity[PLUGIN_RETROCL], 
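Review bot: In `retrocl_remove_legacy_default_aci()` (the retrocl.c part of cve-2014-8105.diff) the cleanup fires only when an `aci` value on the changelog entry matches `RETROCL_ACL` through `charray_inlist`, and a failed delete is only logged while `retrocl_start` carries on to `retrocl_init_trimming()`. An administrator-edited copy of the default ACI, or one the internal modify could not remove, would therefore keep the anonymous exposure that the comment in `retrocl_start` describes. The function has no header comment; one such as `/* Deletes only the stock RETROCL_ACL value from the changelog entry; other ACIs there are left for the administrator to audit. */` would make that limit visible, and the failure message should read `"Failed to remove vulnerable legacy default aci (%s) error %d\n"`. `rc` and `entries` are read after `slapi_pblock_get` calls whose return values are not checked, so initialising them (`Slapi_Entry **entries = NULL;`) would keep the skip path deterministic if a get ever failed.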
diff -Nru 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff
--- 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff	1970-01-01 01:00:00.000000000 +0100
+++ 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff	2015-03-09 09:45:56.000000000 +0100
@@ -0,0 +1,115 @@
+commit 8603d6533d84009e13a94ce6327abfba7ae73ef4
+Author: Ludwig Krispenz <lkrispen@redhat.com>
+Date:   Fri Nov 28 14:23:06 2014 +0100
+
+    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
+    
+    Fix for CVE-2014-8112
+    
+    	If the unhashed pw switch is set to off this should only
+            prevent the generation of the unhashed#user#password
+    	attribute.
+    	But encoding of pw values and detiecetion which values have
+    	to be deleted needs to stay intact.
+    	So the check if the switch is set has to be placed close to
+            the generation of the attribute in different 'if' branches
+    
+    Reviewed by Noriko, thanks
+    
+    (cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
+    (cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
+index bcf53cd..61f99cf 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_po.c
++++ b/ldap/servers/plugins/retrocl/retrocl_po.c
+@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
+ 		continue;
+ 	    }
+ 	}
++	if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
++		if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
++			/* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
++			continue;
++		}
++	}
+ 	switch ( ldm[ i ]->mod_op  & ~LDAP_MOD_BVALUES ) {
+ 	case LDAP_MOD_ADD:
+ 	    addlenstr( l, "add: " );
+diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
+index 9b2f42d..ab12f56 100644
+--- a/ldap/servers/slapd/modify.c
++++ b/ldap/servers/slapd/modify.c
+@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ 	 * before calling the preop plugins
+ 	 */
+ 
+-	if (pw_change && !repl_op &&
+-	    (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
++	if (pw_change && !repl_op ) {
+ 		Slapi_Value **va = NULL;
+ 
+ 		unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
+@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ 						 *  Finally, delete the unhashed userpassword
+ 						 *  (this will update the password entry extension)
+ 						 */
+-						bval.bv_val = password;
+-						bval.bv_len = strlen(password);
+-						bv[0] = &bval;
+-						bv[1] = NULL;
+-						valuearray_init_bervalarray(bv, &va);
+-						slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+-						valuearray_free(&va);
++						if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++							bval.bv_val = password;
++							bval.bv_len = strlen(password);
++							bv[0] = &bval;
++							bv[1] = NULL;
++							valuearray_init_bervalarray(bv, &va);
++							slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++							valuearray_free(&va);
++						}
+ 					} else {
+ 						/*
+ 						 *  Password is encoded, try and find a matching unhashed_password to delete
+@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ 								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
+ 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
+ 										/* match, add the delete mod for this particular unhashed userpassword */
+-										valuearray_init_bervalarray(bv, &va);
+-										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+-										valuearray_free(&va);
+-										free_pw_scheme( unhashed_pwsp );
++										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++										    valuearray_init_bervalarray(bv, &va);
++										    slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++										    valuearray_free(&va);
++										    free_pw_scheme( unhashed_pwsp );
++										}
+ 										break;
+ 									}
+ 								} else {
+ 									/*
+ 									 *  We have a hashed unhashed_userpassword!  We must delete it.
+ 									 */
+-									valuearray_init_bervalarray(bv, &va);
+-									slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+-									valuearray_free(&va);
++									if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++										valuearray_init_bervalarray(bv, &va);
++										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++										valuearray_free(&va);
++									}
+ 								}
+ 								free_pw_scheme( unhashed_pwsp );
+ 							}
+@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ 				if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
+ 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
+ 				}
+-			} else {
++			} else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ 				/* add pseudo password attribute */
+ 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
+ 				if(va && va[0]){
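Review bot: In the `CLEAR` match branch of the modify.c part of cve-2014-8112.diff, `free_pw_scheme( unhashed_pwsp );` has moved inside the new `if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())` block, so with the switch off the `break;` leaves the loop without releasing `unhashed_pwsp`. The pre-patch lines freed it unconditionally before the break. Close the guard after `valuearray_free(&va);` and keep `free_pw_scheme( unhashed_pwsp );` directly before `break;`. The loop and the rest of `op_shared_modify` lie outside the hunk, so how often this path runs with the switch off cannot be confirmed from here.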
diff -Nru 389-ds-base-1.3.3.5/debian/patches/series 389-ds-base-1.3.3.5/debian/patches/series
--- 389-ds-base-1.3.3.5/debian/patches/series	2015-01-16 13:46:01.000000000 +0100
+++ 389-ds-base-1.3.3.5/debian/patches/series	2015-03-09 09:47:59.000000000 +0100
@@ -6,3 +6,6 @@
 support-kfreebsd.patch
 fix-obsolete-target.diff
 fix-saslpath.diff
+
+cve-2014-8112.diff
+cve-2014-8105.diff


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
On 2015-03-11 20:12, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package 389-ds-base. It fixes CVE-2014-8105
> and CVE-2014-8112.
> 
> unblock 389-ds-base/1.3.3.5-4
> 
> debdiff:
> 
> [...]
> 
> 

Unblocked, thanks.

~Niels

--- End Message ---
