Hi,

I've released slapi-nis 0.54.2 this morning as a fix for CVE-2015-0283; packages are built for Fedora and RHEL7.1. However, to complete the cycle, we need to release FreeIPA 4.1.4 to fix CVE-2015-1827.

Both CVEs are for processing of group membership when dealing with users from trusted AD domains. The fix in FreeIPA is in the extdom plugin, which is in use by sssd 1.12.x, while the slapi-nis fix is for legacy clients.

We need to commit the attached patches to FreeIPA and make a release of FreeIPA 4.1.4 today. Then I can do Fedora builds and a combined update push for slapi-nis+freeipa packages in Fedora.

Patch 1 is the actual CVE-2015-1827 fix.

Patch 2 is to remove wrong values from Makefile.am files that actually prevent regenerating Makefiles in the daemons/ subdirectory, causing a non-working RHEL build. We fixed the 4.1.0 base with this patch in RHEL and we just need to bring upstream in sync with downstream on this.

Patch 3 raises the requirement of slapi-nis to the fixed version.

--
/ Alexander Bokovoy
From 175a63357354ae3b4c04fa9cbef0cbe6084f0bee Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Wed, 25 Feb 2015 10:28:22 +0100 Subject: [PATCH 1/3] extdom: fix wrong realloc size --- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 47bcb17..686128e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -386,7 +386,7 @@ static int get_user_grouplist(const char *name, gid_t gid, ret = getgrouplist(name, gid, groups, &ngroups); if (ret == -1) { - new_groups = realloc(groups, ngroups); + new_groups = realloc(groups, ngroups * sizeof(gid_t)); if (new_groups == NULL) { free(groups); return LDAP_OPERATIONS_ERROR; -- 2.1.0
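Review bot: In the ret == -1 branch of get_user_grouplist(), the new size ngroups * sizeof(gid_t) is computed from the count getgrouplist() just wrote back, with no check that the count is positive and within a sane bound; a range check on ngroups before the realloc() would keep a bad count from turning into a tiny or oversized allocation. The commit message also has only a subject line: a short body saying that the old call requested ngroups bytes instead of ngroups gid_t entries, with a reference to CVE-2015-1827, would let anyone reading the history connect this one-line change to the advisory.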
From 3811fee25fff1074e39cf541a5fa0c411255e9f4 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <[email protected]> Date: Wed, 18 Mar 2015 17:09:06 +0000 Subject: [PATCH 2/3] fix Makefile.am for daemons --- daemons/Makefile.am | 2 +- daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) diff --git a/daemons/Makefile.am b/daemons/Makefile.am index 956f399..f919429 100644 --- a/daemons/Makefile.am +++ b/daemons/Makefile.am @@ -1,6 +1,6 @@ # This file will be processed with automake-1.7 to create Makefile.in # -AUTOMAKE_OPTIONS = 1.7 +AUTOMAKE_OPTIONS = 1.7 subdir-objects NULL = diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am index 8e35cdb..fba5b08 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am @@ -6,7 +6,6 @@ AM_CPPFLAGS = \ -I. \ -I$(srcdir) \ -I$(PLUGIN_COMMON_DIR) \ - -I$(COMMON_BER_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am index a167981..8ee26a7 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -7,7 +7,6 @@ AM_CPPFLAGS = \ -I$(srcdir) \ -I$(PLUGIN_COMMON_DIR) \ -I$(KRB5_UTIL_DIR) \ - -I$(COMMON_BER_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 1ab6c67..078ff9c 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am 
@@ -14,7 +14,6 @@ AM_CPPFLAGS = \ -I$(PLUGIN_COMMON_DIR) \ -I$(KRB5_UTIL_DIR) \ -I$(ASN1_UTIL_DIR) \ - -I$(COMMON_BER_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ -- 2.1.0
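Review bot: The daemons/Makefile.am hunk adds subdir-objects to AUTOMAKE_OPTIONS while the header comment and the version requirement on the same line still say automake 1.7, and the subject "fix Makefile.am for daemons" does not mention the new option. Please say in the commit body why subdir-objects is needed and whether the 1.7 minimum still holds with it, and update the comment if it does not.

Review bot: The three plugin hunks (ipa-cldap, ipa-extdom-extop, ipa-pwd-extop) each drop -I$(COMMON_BER_DIR) from AM_CPPFLAGS with no explanation in the commit message. A one-line body stating why that include path is wrong in these directories, and that nothing in the three plugins still needs headers from it, would make the removal reviewable without rebuilding.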
From ab679d2d95ec8105f8c32159f4ef4b22a2e9feac Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <[email protected]> Date: Thu, 26 Mar 2015 14:59:03 +0200 Subject: [PATCH 3/3] slapi-nis: require 0.54.2 for CVE-2015-0283 fixes --- freeipa.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index cb104f4..1a444dc 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -129,7 +129,7 @@ Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base -Requires: slapi-nis >= 0.54.1-1 +Requires: slapi-nis >= 0.54.2-1 %if (0%{?fedora} <= 20 || 0%{?rhel}) # pki-ca 10.1.2-4 contains patches required by FreeIPA 4.1 # The goal is to lower the requirement of pki-ca in Fedora 20 -- 2.1.0
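Review bot: The bumped line Requires: slapi-nis >= 0.54.2-1 carries no comment in freeipa.spec.in, unlike the pki-ca requirement just below it, which explains its version floor. A spec comment above the Requires line noting that 0.54.2 is the minimum because it contains the CVE-2015-0283 fix would stop a later cleanup from lowering the version again.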
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
