
Bug#934507: marked as done (buster-pu: package openldap/2.4.47+dfsg-3+deb10u1)



Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #934507,
regarding buster-pu: package openldap/2.4.47+dfsg-3+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
934507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934507
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear SRM,

I would like to update openldap in buster to fix two CVEs and one 
additional important bug. I already discussed the CVEs with the security 
team and we agreed on fixing them in a point release.

The changes are in testing, backports, and Ubuntu already; no 
regressions that I'm aware of. Changelog as follows:

openldap (2.4.47+dfsg-3+deb10u1) buster; urgency=medium

  * Fix slapd to restrict rootDN proxyauthz to its own databases
    (CVE-2019-13057) (ITS#9038) (Closes: #932997)

-> No-DSA CVE fix for an admin of one database being able to pivot their 
privileges to other databases in the same slapd instance.

  * Fix slapd to enforce sasl_ssf ACL statement on every connection
    (CVE-2019-13565) (ITS#9052) (Closes: #932998)

-> No-DSA CVE fix for the sasl_ssf ACL variable being uninitialized on 
non-SASL binds, keeping the value from the previous SASL bind.

  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
    (ITS#8964) (Closes: #934277, LP: #1838370)

-> Fix a double-free that can be triggered remotely by a search request 
with a crafted search filter, if the slapo-rwm module is loaded and 
search filter rewriting is enabled.

Thank you,
Ryan
diff -Nru openldap-2.4.47+dfsg/debian/changelog openldap-2.4.47+dfsg/debian/changelog
--- openldap-2.4.47+dfsg/debian/changelog	2019-02-02 10:30:10.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/changelog	2019-08-10 11:58:18.000000000 -0700
@@ -1,3 +1,14 @@
+openldap (2.4.47+dfsg-3+deb10u1) buster; urgency=medium
+
+  * Fix slapd to restrict rootDN proxyauthz to its own databases
+    (CVE-2019-13057) (ITS#9038) (Closes: #932997)
+  * Fix slapd to enforce sasl_ssf ACL statement on every connection
+    (CVE-2019-13565) (ITS#9052) (Closes: #932998)
+  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
+    (ITS#8964) (Closes: #934277, LP: #1838370)
+
+ -- Ryan Tandy <ryan@nardis.ca>  Sat, 10 Aug 2019 11:58:18 -0700
+
 openldap (2.4.47+dfsg-3) unstable; urgency=medium
 
   * Restore patches to contrib Makefiles to set CFLAGS, CPPFLAGS, and LDFLAGS
diff -Nru openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch	1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch	2019-08-10 11:58:18.000000000 -0700
@@ -0,0 +1,36 @@
+From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 17 Jun 2019 12:49:25 +0200
+Subject: [PATCH] ITS#8964 Do not free original filter
+
+---
+ servers/slapd/overlays/rwm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index 36bceaffe..2e24f24cc 100644
+--- a/servers/slapd/overlays/rwm.c
++++ b/servers/slapd/overlays/rwm.c
+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs, rwm_op_state *ros )
+ 		break;
+ 	case LDAP_REQ_SEARCH:
+ 		op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );
+-		filter_free_x( op, op->ors_filter, 1 );
+-		op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+ 		op->ors_attrs = ros->ors_attrs;
+-		op->ors_filter = ros->ors_filter;
+-		op->ors_filterstr = ros->ors_filterstr;
++		if ( op->ors_filter != ros->ors_filter ) {
++			filter_free_x( op, op->ors_filter, 1 );
++			op->ors_filter = ros->ors_filter;
++		}
++		if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) {
++			op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
++			op->ors_filterstr = ros->ors_filterstr;
++		}
+ 		break;
+ 	case LDAP_REQ_EXTENDED:
+ 		if ( op->ore_reqdata != ros->ore_reqdata ) {
+-- 
+2.20.1
+
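Review bot: the pointer-equality guards `if ( op->ors_filter != ros->ors_filter )` and `if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val )` only prevent the double free if the failing rewrite path leaves `op->ors_filter` and `op->ors_filterstr` pointing at the saved originals rather than at a partially built or already-freed rewritten filter. That invariant lives in the rewrite code outside this hunk, so it is worth confirming and stating in a comment above the guards: with it, the rollback now frees only a rewritten filter that actually replaced the original, which is the whole point of the fix.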
diff -Nru openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch	1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch	2019-08-10 11:58:18.000000000 -0700
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 564a615d2..dacd68d8f 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
+ 	if test $RC != 50 ; then
+ 		echo "ldapwhoami should have failed ($RC)!"
+ 		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+-		exit $RC
++		exit 1
+ 	fi
+ 
+ 	echo "Filtering ldapsearch results..."
+-- 
+2.20.1
+
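Review bot: changing `exit $RC` to `exit 1` in this branch is correct and deserves the separate patch: inside `if test $RC != 50`, `$RC` is the ldapwhoami status the test did not expect, and when it is 0 (the SASL proxy authorization that should have been refused succeeded) the script exited 0 and reported the regression as a pass. A one-line comment explaining why a literal exit status is used would keep the next cleanup from reverting it.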
diff -Nru openldap-2.4.47+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch openldap-2.4.47+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch	1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch	2019-08-10 11:58:18.000000000 -0700
@@ -0,0 +1,25 @@
+From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 24 Jun 2019 16:37:23 +0200
+Subject: [PATCH] ITS#9038 Fix typo in test script
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 9e5e10724..564a615d2 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -199,7 +199,7 @@ RC=$?
+ if test $RC != 1 ; then
+     echo "ldapwhoami should have failed ($RC)!"
+     test $KILLSERVERS != no && kill -HUP $KILLPIDS
+-    exit $RC
++    exit 1
+ fi
+ 
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+-- 
+2.20.1
+
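Review bot: same class of fix as in the SASL branch: with `exit $RC` inside `if test $RC != 1`, a successful `ldapwhoami` (status 0) terminated the script with status 0, so the new check for another DB's rootdn asserting an identity passed in exactly the broken case; `exit 1` makes the failure visible. Since this patch and ITS-9038-Another-test028-typo.patch only touch the test script, folding both into ITS-9038-Update-test028-to-test-this-is-enforced.patch would keep the Debian series easier to audit.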
diff -Nru openldap-2.4.47+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch openldap-2.4.47+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch	1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch	2019-08-10 11:58:18.000000000 -0700
@@ -0,0 +1,36 @@
+From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 19 Jun 2019 12:29:02 +0100
+Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
+
+Treat as normal user for any other DB.
+---
+ servers/slapd/saslauthz.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 64c70537d..b3727eafe 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
+ 		goto DONE;
+ 	}
+ 
+-	/* Allow the manager to authorize as any DN. */
+-	if( op->o_conn->c_authz_backend &&
+-		be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
++	/* Allow the manager to authorize as any DN in its own DBs. */
+ 	{
+-		rc = LDAP_SUCCESS;
+-		goto DONE;
++		Backend *zbe = select_backend( authzDN, 1 );
++		if ( zbe && be_isroot_dn( zbe, authcDN )) {
++			rc = LDAP_SUCCESS;
++			goto DONE;
++		}
+ 	}
+ 
+ 	/* Check source rules */
+-- 
+2.20.1
+
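Review bot: `select_backend( authzDN, 1 )` can return NULL when the requested `authzDN` is not under any configured suffix; the `zbe &&` guard covers that and falls through to the source-rule checks, so a rootDN asserting a DN outside every database is treated as an ordinary user, as the commit message says. Two things to tighten: the bare `{ ... }` block left behind now only scopes `zbe` and reads like a leftover of the removed `if`, and the updated comment `Allow the manager to authorize as any DN in its own DBs.` should spell out that the check is made against the backend selected by the target DN, not the backend the connection bound to (`c_authz_backend`), because that distinction is the entire fix for CVE-2019-13057.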
diff -Nru openldap-2.4.47+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch openldap-2.4.47+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch	1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch	2019-08-10 11:58:18.000000000 -0700
@@ -0,0 +1,102 @@
+From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 19 Jun 2019 18:47:32 +0200
+Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
+
+---
+ tests/data/idassert.out        |  5 +++++
+ tests/data/slapd-idassert.conf |  1 +
+ tests/data/test-idassert1.ldif |  6 ++++++
+ tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/tests/data/idassert.out b/tests/data/idassert.out
+index 53d76bb2e..fa51c25d6 100644
+--- a/tests/data/idassert.out
++++ b/tests/data/idassert.out
+@@ -4,6 +4,11 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+ 
++dn: cn=Manager,o=Example,c=US
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++
+ dn: ou=People,o=Example,c=US
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
+index 88d66a36f..561c5ccc4 100644
+--- a/tests/data/slapd-idassert.conf
++++ b/tests/data/slapd-idassert.conf
+@@ -36,6 +36,7 @@ argsfile	@TESTDIR@/slapd.1.args
+ #######################################################################
+ 
+ authz-policy	both
++authz-regexp	"^uid=manager,.+" "cn=Manager,dc=example,dc=com"
+ authz-regexp	"^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
+ authz-regexp	"^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
+ authz-regexp	"^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
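Review bot: the new `authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"` rule is placed ahead of the catch-all `"^uid=(us/)?([^,]+),.+"` rule, which is required because authz-regexp rules are tried in order and the first match wins; a `uid=manager` SASL identity would otherwise be mapped into `ou=People,dc=example,dc=com` and the new check would never exercise the rootdn. A comment in the conf noting that ordering dependency would prevent a later reshuffle from silently disabling the test.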
+diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
+index 063d6ec45..3ccbd1a22 100644
+--- a/tests/data/test-idassert1.ldif
++++ b/tests/data/test-idassert1.ldif
+@@ -4,6 +4,12 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+ 
++dn: cn=Manager,dc=example,dc=com
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++userPassword: secret
++
+ dn: ou=People,dc=example,dc=com
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index b1e16744a..9e5e10724 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -191,6 +191,17 @@ if test $RC != 0 ; then
+ 	exit $RC
+ fi
+ 
++AUTHZID="u:it/jaj"
++echo "Checking another DB's rootdn can't assert identity from another DB..."
++$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
++
++RC=$?
++if test $RC != 1 ; then
++    echo "ldapwhoami should have failed ($RC)!"
++    test $KILLSERVERS != no && kill -HUP $KILLPIDS
++    exit $RC
++fi
++
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+ BASE="o=Example,c=US"
+ echo "Testing ldapsearch as $ID for \"$BASE\"..."
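Review bot: in the failure branch `if test $RC != 1 ; then ... exit $RC`, the status passed out is the unexpected ldapwhoami status, and the case this check exists to catch (the rootdn of one DB successfully asserting `u:it/jaj` from another DB) gives `$RC` of 0, so the script exits 0 on the regression. ITS-9038-Fix-typo-in-test-script.patch later in the series corrects this to `exit 1`; ideally the check lands right the first time so that bisecting the series never hits a silently passing test.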
+@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
+ 		exit $RC
+ 	fi
+ 
++	ID="manager"
++	AUTHZID="u:it/jaj"
++	echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
++	$LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
++		-Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
++
++	RC=$?
++	if test $RC != 50 ; then
++		echo "ldapwhoami should have failed ($RC)!"
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	fi
++
+ 	echo "Filtering ldapsearch results..."
+ 	$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ 	echo "Filtering original ldif used to create database..."
+-- 
+2.20.1
+
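Review bot: the SASL variant has the same `exit $RC` problem under `if test $RC != 50`, corrected by ITS-9038-Another-test028-typo.patch. Independently of that, the literal 50 deserves a comment: it is the LDAP insufficientAccessRights result the refused proxy authorization is expected to produce, and without the comment a reader of the script cannot tell it apart from the exit status 1 the simple-bind check above expects.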
diff -Nru openldap-2.4.47+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch openldap-2.4.47+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch	1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch	2019-08-10 11:58:18.000000000 -0700
@@ -0,0 +1,25 @@
+From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 10 Jul 2019 21:29:39 +0100
+Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
+
+---
+ servers/slapd/connection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index b85bcb4c6..704067c55 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -554,7 +554,7 @@ Connection * connection_init(
+ 	c->c_close_reason = "?";			/* should never be needed */
+ 
+ 	c->c_ssf = c->c_transport_ssf = ssf;
+-	c->c_tls_ssf = 0;
++	c->c_tls_ssf = c->c_sasl_ssf = 0;
+ 
+ #ifdef HAVE_TLS
+ 	if ( flags & CONN_IS_TLS ) {
+-- 
+2.20.1
+
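Review bot: zeroing `c_sasl_ssf` in `connection_init` alongside `c_tls_ssf` clears the stale value for connections recycled from the connection pool, but the changelog description (the ACL value "keeping the value from the previous SASL bind") also reads as covering a simple bind that follows a SASL bind on the same, still-open connection; that path does not pass through `connection_init`. Please confirm that bind handling resets `c_sasl_ssf` there too, or note in the commit message why that is not needed, so that `sasl_ssf=` ACL clauses cannot be satisfied by a connection no longer protected by a SASL layer.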
diff -Nru openldap-2.4.47+dfsg/debian/patches/series openldap-2.4.47+dfsg/debian/patches/series
--- openldap-2.4.47+dfsg/debian/patches/series	2019-01-27 16:13:38.000000000 -0800
+++ openldap-2.4.47+dfsg/debian/patches/series	2019-08-10 11:58:18.000000000 -0700
@@ -20,3 +20,9 @@
 ITS6035-olcauthzregex-needs-restart.patch
 set-maintainer-name
 no-gnutls_global_set_mutex
+ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
+ITS-9038-Update-test028-to-test-this-is-enforced.patch
+ITS-9038-Fix-typo-in-test-script.patch
+ITS-9038-Another-test028-typo.patch
+ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
+ITS-8964-Do-not-free-original-filter.patch

--- End Message ---
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
