Hi Timo, On Tue, 05 Nov 2019 07:22:06 +0100 Salvatore Bonaccorso <car...@debian.org> wrote: > Source: 389-ds-base > Version: 1.4.1.6-4 > Severity: grave > Tags: security upstream > > Hi, > > The following vulnerability was published for 389-ds-base. > > CVE-2019-14824[0]: > Read permission check bypass via the deref plugin
As a part of my LTS work, I have fixed this in Jessie (upload remaining) so attaching a patch for Buster, Bullseye, and Sid. Hope you might be interested in the same :) Also, while at it, this patch also works for Stretch (just a quilt refresh) would be required :) Requesting you to fix the same at the earliest. Best, Utkarsh
Description: Add patch to fix CVE-2019-14824. For deref plugin we are only concerned with "read" access, not "search" access. Removed the SLAPI_ACL_SEARCH right flag when checking access for an attribute. Author: Mark Reynolds Author: Utkarsh Gupta <guptautkarsh2...@gmail.com> Origin: https://pagure.io/389-ds-base/c/fca293427 Bug: https://pagure.io/389-ds-base/issue/50716 Bug-Debian: https://bugs.debian.org/944150 Last-Update: 2019-11-24 --- a/ldap/servers/plugins/deref/deref.c +++ b/ldap/servers/plugins/deref/deref.c @@ -573,7 +573,7 @@ Slapi_Entry **entries = NULL; int rc; - /* If the access check on the attributes is done without retrieveing the entry + /* If the access check on the attributes is done without retrieving the entry * it cannot handle acis which need teh entry, eg to apply a targetfilter rule * So the determination of attrs which can be dereferenced is delayed */ @@ -596,7 +596,7 @@ int ii; int needattrvals = 1; /* need attrvals sequence? */ if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs, - (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) { + SLAPI_ACL_READ)) { slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM, "deref_do_deref_attr - The client does not have permission to read the requested " "attributes in entry %s\n", @@ -714,7 +714,7 @@ attrs[1] = NULL; if (deref_check_access(pb, ent, NULL, attrs, &retattrs, - (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) { + SLAPI_ACL_READ)) { slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM, "deref_pre_entry - The client does not have permission to read attribute %s in entry %s\n", spec->derefattr, slapi_entry_get_dn_const(ent));
signature.asc
Description: OpenPGP digital signature