diff --git a/389-ds-base.spec b/389-ds-base.spec index 3b87288e00e71fae15d8c49c198081457865bcdb..6a8375773eb31e68567d8a6e08ce1482187ce285 100644 --- a/389-ds-base.spec +++ b/389-ds-base.spec @@ -6,13 +6,16 @@ ExcludeArch: i686 Name: 389-ds-base Summary: Base 389 Directory Server Version: 1.4.0.31 -Release: 2 +Release: 3 License: GPLv3+ URL: https://www.port389.org Source0: https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2 Source1: 389-ds-base-git.sh Source2: 389-ds-base-devel.README Source3: https://github.com/jemalloc/jemalloc/releases/download/5.2.0/jemalloc-5.2.0.tar.bz2 +Patch0: CVE-2021-3652.patch +Patch1: CVE-2021-3514.patch + BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel BuildRequires: zlib-devel openssl-devel pam-devel systemd-units systemd-devel pkgconfig pkgconfig(systemd) @@ -344,5 +347,8 @@ exit 0 %{_mandir}/*/* %changelog +* Wed Sep 22 2021 liwu - 1.4.0.31-3 +- fix CVE-2021-3652 CVE-2021-3514 + * Wed Apr 29 2020 lizhenhua - 1.4.0.31-2 - Package init diff --git a/CVE-2021-3514.patch b/CVE-2021-3514.patch new file mode 100644 index 0000000000000000000000000000000000000000..887f5b2761b4e5ae75a7568a3a6f14b35e5e666e --- /dev/null +++ b/CVE-2021-3514.patch @@ -0,0 +1,52 @@ +From 2e5b526012612d1d6ccace46398bee679a730271 Mon Sep 17 00:00:00 2001 +From: tbordaz +Date: Tue, 27 Apr 2021 09:29:32 +0200 +Subject: [PATCH] Issue 4711 - SIGSEV with sync_repl (#4738) + +Bug description: + sync_repl sends back entries identified with a unique + identifier that is 'nsuniqueid'. If 'nsuniqueid' is + missing, then it may crash + +Fix description: + Check a nsuniqueid is available else returns OP_ERR + +relates: https://github.com/389ds/389-ds-base/issues/4711 + +Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!) + +Platforms tested: F33 +--- + ldap/servers/plugins/sync/sync_util.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c +index e64d519e1a..3dacee8cad 100644 +--- a/ldap/servers/plugins/sync/sync_util.c ++++ b/ldap/servers/plugins/sync/sync_util.c +@@ -127,8 +127,8 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co + BerElement *ber; + struct berval *bvp; + char *uuid; +- Slapi_Attr *attr; +- Slapi_Value *val; ++ Slapi_Attr *attr = NULL; ++ Slapi_Value *val = NULL; + + if (type == LDAP_SYNC_NONE || ctrlp == NULL || (ber = der_alloc()) == NULL) { + return (LDAP_OPERATIONS_ERROR); +@@ -138,6 +138,14 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co + + slapi_entry_attr_find(e, SLAPI_ATTR_UNIQUEID, &attr); + slapi_attr_first_value(attr, &val); ++ if ((attr == NULL) || (val == NULL)) { ++ /* It may happen with entries in special backends ++ * such like cn=config, cn=shema, cn=monitor... ++ */ ++ slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM, ++ "sync_create_state_control - Entries are missing nsuniqueid. Unable to proceed.\n"); ++ return (LDAP_OPERATIONS_ERROR); ++ } + uuid = sync_nsuniqueid2uuid(slapi_value_get_string(val)); + if ((rc = ber_printf(ber, "{eo", type, uuid, 16)) != -1) { + if (cookie) { diff --git a/CVE-2021-3652.patch b/CVE-2021-3652.patch new file mode 100644 index 0000000000000000000000000000000000000000..7670873f6020f265f7e7a10cff2e5bef3c4a2171 --- /dev/null +++ b/CVE-2021-3652.patch @@ -0,0 +1,118 @@ +From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001 +From: Firstyear +Date: Fri, 9 Jul 2021 11:53:35 +1000 +Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow + all passwords (#4819) + +Bug Description: Due to mishanding of short dbpwd hashes, the +crypt_r algorithm was misused and was only comparing salts +in some cases, rather than checking the actual content +of the password. + +Fix Description: Stricter checks on dbpwd lengths to ensure +that content passed to crypt_r has at least 2 salt bytes and +1 hash byte, as well as stricter checks on ct_memcmp to ensure +that compared values are the same length, rather than potentially +allowing overruns/short comparisons. + +fixes: https://github.com/389ds/389-ds-base/issues/4817 + +Author: William Brown + +Review by: @mreynolds389 +--- + .../password/pwd_crypt_asterisk_test.py | 50 +++++++++++++++++++ + ldap/servers/plugins/pwdstorage/crypt_pwd.c | 20 +++++--- + 2 files changed, 64 insertions(+), 6 deletions(-) + create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py + +diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py +new file mode 100644 +index 0000000000..d76614db1c +--- /dev/null ++++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py +@@ -0,0 +1,50 @@ ++# --- BEGIN COPYRIGHT BLOCK --- ++# Copyright (C) 2021 William Brown ++# All rights reserved. ++# ++# License: GPL (version 3 or any later version). ++# See LICENSE for details. ++# --- END COPYRIGHT BLOCK --- ++# ++import ldap ++import pytest ++from lib389.topologies import topology_st ++from lib389.idm.user import UserAccounts ++from lib389._constants import (DEFAULT_SUFFIX, PASSWORD) ++ ++pytestmark = pytest.mark.tier1 ++ ++def test_password_crypt_asterisk_is_rejected(topology_st): ++ """It was reported that {CRYPT}* was allowing all passwords to be ++ valid in the bind process. This checks that we should be rejecting ++ these as they should represent locked accounts. Similar, {CRYPT}! ++ ++ :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3 ++ :setup: Single instance ++ :steps: 1. Set a password hash in with CRYPT and the content * ++ 2. Test a bind ++ 3. Set a password hash in with CRYPT and the content ! ++ 4. Test a bind ++ :expectedresults: ++ 1. Successfully set the values ++ 2. The bind fails ++ 3. Successfully set the values ++ 4. The bind fails ++ """ ++ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on') ++ topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off') ++ ++ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) ++ user = users.create_test_user() ++ ++ user.set('userPassword', "{CRYPT}*") ++ ++ # Attempt to bind with incorrect password. ++ with pytest.raises(ldap.INVALID_CREDENTIALS): ++ badconn = user.bind('badpassword') ++ ++ user.set('userPassword', "{CRYPT}!") ++ # Attempt to bind with incorrect password. ++ with pytest.raises(ldap.INVALID_CREDENTIALS): ++ badconn = user.bind('badpassword') ++ +diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c +index 9031b21996..1b37d41ede 100644 +--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c ++++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c +@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ + int + crypt_pw_cmp(const char *userpwd, const char *dbpwd) + { +- int rc; +- char *cp; ++ int rc = -1; ++ char *cp = NULL; ++ size_t dbpwd_len = strlen(dbpwd); + struct crypt_data data; + data.initialized = 0; + +- /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ +- cp = crypt_r(userpwd, dbpwd, &data); +- if (cp) { +- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd)); ++ /* ++ * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will ++ * allow any password to bind as we then only compare SALTS. ++ */ ++ if (dbpwd_len >= 3) { ++ /* we use salt (first 2 chars) of encoded password in call to crypt_r() */ ++ cp = crypt_r(userpwd, dbpwd, &data); ++ } ++ /* If these are not the same length, we can not proceed safely with memcmp. */ ++ if (cp && dbpwd_len == strlen(cp)) { ++ rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len); + } else { + rc = -1; + }