diff --git a/389-ds-base.spec b/389-ds-base.spec index 1a3cca6ef51ec99eaa35fe5505c341d804e8b9b5..4a82564c82e51954615bbeffeee0ec373439b2bc 100644 --- a/389-ds-base.spec +++ b/389-ds-base.spec @@ -6,7 +6,7 @@ ExcludeArch: i686 Name: 389-ds-base Summary: Base 389 Directory Server Version: 1.4.3.36 -Release: 5 +Release: 6 License: GPLv3+ URL: https://www.port389.org Source0: https://github.com/389ds/389-ds-base/archive/refs/tags/389-ds-base-%{version}.tar.gz @@ -20,6 +20,8 @@ Patch2: CVE-2024-1062-1.patch Patch3: CVE-2024-1062-2.patch Patch4: CVE-2024-2199.patch Patch5: CVE-2024-3657.patch +Patch6: CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch +Patch7: CVE-2024-5953.patch BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel @@ -360,6 +362,9 @@ exit 0 %{_mandir}/*/* %changelog +* Thu Sep 12 2024 wangkai <13474090681@163.com> - 1.4.3.36-6 +- Fix CVE-2022-1949,CVE-2024-5953 + * Wed Jun 05 2024 wangkai <13474090681@163.com> - 1.4.3.36-5 - Fix CVE-2024-2199 and CVE-2024-3657 diff --git a/CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch b/CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c8eba7f0aa9ddd62766aa4a000005934fcf0f34 --- /dev/null +++ b/CVE-2022-1949-Fix-ACI-bypass-in-shortcut-filter-condition.patch @@ -0,0 +1,26 @@ +Origin: https://build.opensuse.org/projects/SUSE:SLE-15-SP2:Update/packages/389-ds/files/0001-Fix-ACI-bypass-in-shortcut-filter-condition.patch?expand=1 + +From 21629670b92260c64c0355d656cd106ff8b84732 Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Tue, 31 May 2022 10:26:00 +1000 +Subject: [PATCH] Fix ACI bypass in shortcut filter condition + +--- + ldap/servers/slapd/back-ldbm/back-ldbm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h +index 9d78ad778..7fb85f0f6 100644 +--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h ++++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h +@@ -194,7 +194,7 @@ extern int ldbm_warn_if_no_db; + * The candidate list size at which it is cheaper to apply the filter test + * to the whole list than to continue ANDing in IDLs. + */ +-#define FILTER_TEST_THRESHOLD (NIDS)10 ++#define FILTER_TEST_THRESHOLD (NIDS)0 + + /* flags to indicate what kind of startup the dblayer should do */ + #define DBLAYER_IMPORT_MODE 0x1 +-- +2.36.1 diff --git a/CVE-2024-5953.patch b/CVE-2024-5953.patch new file mode 100644 index 0000000000000000000000000000000000000000..4a96d3508b41941dbd70201c6c10e9658d429d06 --- /dev/null +++ b/CVE-2024-5953.patch @@ -0,0 +1,167 @@ +Origin: +https://github.com/389ds/389-ds-base/commit/e269182d7a5d6d23abba86dbfe0cbadce2ea3147 +https://git.almalinux.org/rpms/389-ds-base/src/commit/4a9b4e4bb82f35452e19999ed6a946d412e82619/SOURCES/0012-Security-fix-for-CVE-2024-5953.patch + +From 57051154bafaf50b83fc27dadbd89a49fd1c8c36 Mon Sep 17 00:00:00 2001 +From: Pierre Rogier +Date: Fri, 14 Jun 2024 13:27:10 +0200 +Subject: [PATCH] Security fix for CVE-2024-5953 + +Description: +A denial of service vulnerability was found in the 389 Directory Server. +This issue may allow an authenticated user to cause a server denial +of service while attempting to log in with a user with a malformed hash +in their password. + +Fix Description: +To prevent buffer overflow when a bind request is processed, the bind fails +if the hash size is not coherent without even attempting to process further +the hashed password. + +References: +- https://nvd.nist.gov/vuln/detail/CVE-2024-5953 +- https://access.redhat.com/security/cve/CVE-2024-5953 +- https://bugzilla.redhat.com/show_bug.cgi?id=2292104 +--- + .../tests/suites/password/regression_test.py | 54 ++++++++++++++++++- + ldap/servers/plugins/pwdstorage/md5_pwd.c | 9 +++- + ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 6 +++ + 3 files changed, 66 insertions(+), 3 deletions(-) + +diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py +index 8f1facb6d..1fa581643 100644 +--- a/dirsrvtests/tests/suites/password/regression_test.py ++++ b/dirsrvtests/tests/suites/password/regression_test.py +@@ -7,12 +7,14 @@ + # + import pytest + import time ++import glob ++import base64 + from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX + from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB + from lib389 import Entry + from lib389.topologies import topology_m1 as topo_supplier +-from lib389.idm.user import UserAccounts +-from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer ++from lib389.idm.user import UserAccounts, UserAccount ++from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer, ds_supports_new_changelog + from lib389.topologies import topology_st as topo + from lib389.idm.organizationalunit import OrganizationalUnits + +@@ -39,6 +41,13 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1', + TEST_PASSWORDS2 = ( + 'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123') + ++SUPPORTED_SCHEMES = ( ++ "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}", ++ "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}", ++ "{crypt}", "{NS-MTA-MD5}", "{clear}", "{MD5}", ++ "{SMD5}", "{PBKDF2_SHA256}", "{PBKDF2_SHA512}", ++ "{GOST_YESCRYPT}", "{PBKDF2-SHA256}", "{PBKDF2-SHA512}" ) ++ + def _check_unhashed_userpw(inst, user_dn, is_present=False): + """Check if unhashed#user#password attribute is present or not in the changelog""" + unhashed_pwd_attribute = 'unhashed#user#password' +@@ -319,6 +328,47 @@ def test_unhashed_pw_switch(topo_supplier): + # Add debugging steps(if any)... + pass + ++@pytest.mark.parametrize("scheme", SUPPORTED_SCHEMES ) ++def test_long_hashed_password(topo, create_user, scheme): ++ """Check that hashed password with very long value does not cause trouble ++ ++ :id: 252a1f76-114b-11ef-8a7a-482ae39447e5 ++ :setup: standalone Instance ++ :parametrized: yes ++ :steps: ++ 1. Add a test user user ++ 2. Set a long password with requested scheme ++ 3. Bind on that user using a wrong password ++ 4. Check that instance is still alive ++ 5. Remove the added user ++ :expectedresults: ++ 1. Success ++ 2. Success ++ 3. Should get ldap.INVALID_CREDENTIALS exception ++ 4. Success ++ 5. Success ++ """ ++ inst = topo.standalone ++ inst.simple_bind_s(DN_DM, PASSWORD) ++ users = UserAccounts(inst, DEFAULT_SUFFIX) ++ # Make sure that server is started as this test may crash it ++ inst.start() ++ # Adding Test user (It may already exists if previous test failed) ++ user2 = UserAccount(inst, dn='uid=test_user_1002,ou=People,dc=example,dc=com') ++ if not user2.exists(): ++ user2 = users.create_test_user(uid=1002, gid=2002) ++ # Setting hashed password ++ passwd = 'A'*4000 ++ hashed_passwd = scheme.encode('utf-8') + base64.b64encode(passwd.encode('utf-8')) ++ user2.replace('userpassword', hashed_passwd) ++ # Bind on that user using a wrong password ++ with pytest.raises(ldap.INVALID_CREDENTIALS): ++ conn = user2.bind(PASSWORD) ++ # Check that instance is still alive ++ assert inst.status() ++ # Remove the added user ++ user2.delete() ++ + + if __name__ == '__main__': + # Run isolated +diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c +index 1e2cf58e7..b9a48d5ca 100644 +--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c ++++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c +@@ -37,6 +37,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd) + unsigned char hash_out[MD5_HASH_LEN]; + unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */ + SECItem binary_item; ++ size_t dbpwd_len = strlen(dbpwd); + + ctx = PK11_CreateDigestContext(SEC_OID_MD5); + if (ctx == NULL) { +@@ -45,6 +46,12 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd) + goto loser; + } + ++ if (dbpwd_len >= sizeof b2a_out) { ++ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, ++ "The hashed password stored in the user entry is longer than any valid md5 hash"); ++ goto loser; ++ } ++ + /* create the hash */ + PK11_DigestBegin(ctx); + PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd)); +@@ -57,7 +64,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd) + bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item); + /* bver points to b2a_out upon success */ + if (bver) { +- rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd)); ++ rc = slapi_ct_memcmp(bver, dbpwd, dbpwd_len); + } else { + slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, + "Could not base64 encode hashed value for password compare"); +diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c +index dcac4fcdd..82b8c9501 100644 +--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c ++++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c +@@ -255,6 +255,12 @@ pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd) + passItem.data = (unsigned char *)userpwd; + passItem.len = strlen(userpwd); + ++ if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) > sizeof dbhash) { ++ /* Hashed value is too long and cannot match any value generated by pbkdf2_sha256_hash */ ++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value. (hashed value is too long)\n"); ++ return result; ++ } ++ + /* Decode the DBpwd to bytes from b64 */ + if (PL_Base64Decode(dbpwd, dbpwd_len, dbhash) == NULL) { + slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n"); +-- +2.46.0 +