Bug#944150: 389-ds-base: CVE-2019-14824: Read permission check bypass via the deref plugin

Sun, 24 Nov 2019 17:03:54 -0800 

Hi Timo,

On Tue, 05 Nov 2019 07:22:06 +0100 Salvatore Bonaccorso
<car...@debian.org> wrote:
> Source: 389-ds-base
> Version: 1.4.1.6-4
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> The following vulnerability was published for 389-ds-base.
>
> CVE-2019-14824[0]:
> Read permission check bypass via the deref plugin

As a part of my LTS work, I have fixed this in Jessie (upload remaining)
so attaching a patch for Buster, Bullseye, and Sid. Hope you might be
interested in the same :)

Also, while at it, this patch also works for Stretch (just a quilt
refresh) would be required :)
Requesting you to fix the same at the earliest.


Best,
Utkarsh

Description: Add patch to fix CVE-2019-14824.
 For deref plugin we are only concerned with "read" access, not
 "search" access.  Removed the SLAPI_ACL_SEARCH right flag when
 checking access for an attribute.
Author: Mark Reynolds
Author: Utkarsh Gupta <guptautkarsh2...@gmail.com>
Origin: https://pagure.io/389-ds-base/c/fca293427
Bug: https://pagure.io/389-ds-base/issue/50716
Bug-Debian: https://bugs.debian.org/944150
Last-Update: 2019-11-24

--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -573,7 +573,7 @@
     Slapi_Entry **entries = NULL;
     int rc;
 
-    /*  If the access check on the attributes is done without retrieveing the entry
+    /*  If the access check on the attributes is done without retrieving the entry
  *  it cannot handle acis which need teh entry, eg to apply a targetfilter rule
  *  So the determination of attrs which can be dereferenced is delayed
  */
@@ -596,7 +596,7 @@
                 int ii;
                 int needattrvals = 1; /* need attrvals sequence? */
                 if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
-                                       (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
+                                       SLAPI_ACL_READ)) {
                     slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
                                   "deref_do_deref_attr - The client does not have permission to read the requested "
                                   "attributes in entry %s\n",
@@ -714,7 +714,7 @@
         attrs[1] = NULL;
 
         if (deref_check_access(pb, ent, NULL, attrs, &retattrs,
-                               (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
+                               SLAPI_ACL_READ)) {
             slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
                           "deref_pre_entry - The client does not have permission to read attribute %s in entry %s\n",
                           spec->derefattr, slapi_entry_get_dn_const(ent));

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to