Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package 389-ds-base. It fixes CVE-2014-8105
and CVE-2014-8112.
unblock 389-ds-base/1.3.3.5-4
debdiff:
diff -Nru 389-ds-base-1.3.3.5/debian/changelog
389-ds-base-1.3.3.5/debian/changelog
--- 389-ds-base-1.3.3.5/debian/changelog 2015-01-16 14:40:30.000000000
+0100
+++ 389-ds-base-1.3.3.5/debian/changelog 2015-03-09 09:53:08.000000000
+0100
@@ -1,3 +1,11 @@
+389-ds-base (1.3.3.5-4) unstable; urgency=medium
+
+ * Security fixes (Closes: #779909)
+ - cve-2014-8105.diff: Fix for CVE-2014-8105
+ - cve-2014-8112.diff: Fix for CVE-2014-8112
+
+ -- Timo Aaltonen <tjaal...@debian.org> Mon, 09 Mar 2015 10:53:03 +0200
+
389-ds-base (1.3.3.5-3) unstable; urgency=medium
* use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
diff -Nru 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff
389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff
--- 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff 1970-01-01
01:00:00.000000000 +0100
+++ 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff 2015-03-09
09:46:02.000000000 +0100
@@ -0,0 +1,116 @@
+commit 74e80db8380a4606e07672dfb5e3f7d403efe150
+Author: Mark Reynolds <mreyno...@redhat.com>
+Date: Tue Dec 16 16:53:07 2014 -0500
+
+ Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws
[fedora-all]
+
+ Fix for CVE-2014-8105
+
+ Description: At server startup check for the Retro Changelog default ACI
+ on cn=changelog, if present delete it.
+
+ Reviewed by: lkrispenz(Thanks!)
+
+ (cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
+ (cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c
b/ldap/servers/plugins/retrocl/retrocl.c
+index 0d2a6dc..8a0f350 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
+ return ma;
+ }
+
++static void
++retrocl_remove_legacy_default_aci(void)
++{
++ Slapi_PBlock *pb = NULL;
++ Slapi_Entry **entries;
++ char **aci_vals = NULL;
++ char *attrs[] = {"aci", NULL};
++ int rc;
++
++ pb = slapi_pblock_new();
++ slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE,
"objectclass=*",
++ attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
++ slapi_search_internal_pb(pb);
++ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++ if (rc == LDAP_SUCCESS) {
++ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
++ if(entries && entries[0]){
++ if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
++ if(charray_inlist(aci_vals, RETROCL_ACL)){
++ /*
++ * Okay, we need to remove the aci
++ */
++ LDAPMod mod;
++ LDAPMod *mods[2];
++ char *val[2];
++ Slapi_PBlock *mod_pb = 0;
++
++ mod_pb = slapi_pblock_new();
++ mods[0] = &mod;
++ mods[1] = 0;
++ val[0] = RETROCL_ACL;
++ val[1] = 0;
++ mod.mod_op = LDAP_MOD_DELETE;
++ mod.mod_type = "aci";
++ mod.mod_values = val;
++
++ slapi_modify_internal_set_pb_ext(mod_pb,
slapi_entry_get_sdn(entries[0]),
++ mods, 0, 0,
g_plg_identity[PLUGIN_RETROCL], 0);
++ slapi_modify_internal_pb(mod_pb);
++ slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++ if(rc == LDAP_SUCCESS){
++ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++ "Successfully removed vulnerable legacy
default aci \"%s\". "
++ "If the aci removal was not desired please
use a different \"acl "
++ "name\" so it is not removed at the next
plugin startup.\n",
++ RETROCL_ACL);
++ } else {
++ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++ "Failed to removed vulnerable legacy default
aci (%s) error %d\n",
++ RETROCL_ACL, rc);
++ }
++ slapi_pblock_destroy(mod_pb);
++ }
++ slapi_ch_array_free(aci_vals);
++ }
++ }
++ }
++ slapi_free_search_results_internal(pb);
++ slapi_pblock_destroy(pb);
++}
++
++
+ /*
+ * Function: retrocl_start
+ *
+@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
+ LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming
retro changelog (%d).\n",rc);
+ return rc;
+ }
+-
++
++ /* Remove the old default aci as it exposes passwords changes to
anonymous users */
++ retrocl_remove_legacy_default_aci();
++
+ retrocl_init_trimming();
+
+ if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
+diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c
b/ldap/servers/plugins/retrocl/retrocl_create.c
+index 1ffdaae..870421c 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_create.c
++++ b/ldap/servers/plugins/retrocl/retrocl_create.c
+@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
+ val.bv_len = strlen(val.bv_val);
+ slapi_entry_add_values( e, "cn", vals );
+
+- val.bv_val = RETROCL_ACL;
+- val.bv_len = strlen(val.bv_val);
+- slapi_entry_add_values( e, "aci", vals );
+-
+ pb = slapi_pblock_new ();
+ slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
+ g_plg_identity[PLUGIN_RETROCL],
diff -Nru 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff
389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff
--- 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff 1970-01-01
01:00:00.000000000 +0100
+++ 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff 2015-03-09
09:45:56.000000000 +0100
@@ -0,0 +1,115 @@
+commit 8603d6533d84009e13a94ce6327abfba7ae73ef4
+Author: Ludwig Krispenz <lkris...@redhat.com>
+Date: Fri Nov 28 14:23:06 2014 +0100
+
+ Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws
[fedora-all]
+
+ Fix for CVE-2014-8112
+
+ If the unhashed pw switch is set to off this should only
+ prevent the generation of the unhashed#user#password
+ attribute.
+ But encoding of pw values and detiecetion which values have
+ to be deleted needs to stay intact.
+ So the check if the switch is set has to be placed close to
+ the generation of the attribute in different 'if' branches
+
+ Reviewed by Noriko, thanks
+
+ (cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
+ (cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c
b/ldap/servers/plugins/retrocl/retrocl_po.c
+index bcf53cd..61f99cf 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_po.c
++++ b/ldap/servers/plugins/retrocl/retrocl_po.c
+@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const
char **includeattrs)
+ continue;
+ }
+ }
++ if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
++ if (0 == strcasecmp(ldm[ i ]->mod_type,
PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
++ /* If nsslapd-unhashed-pw-switch == nolog, skip writing
it to cl. */
++ continue;
++ }
++ }
+ switch ( ldm[ i ]->mod_op & ~LDAP_MOD_BVALUES ) {
+ case LDAP_MOD_ADD:
+ addlenstr( l, "add: " );
+diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
+index 9b2f42d..ab12f56 100644
+--- a/ldap/servers/slapd/modify.c
++++ b/ldap/servers/slapd/modify.c
+@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int
pw_change, char *old_pw)
+ * before calling the preop plugins
+ */
+
+- if (pw_change && !repl_op &&
+- (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
++ if (pw_change && !repl_op ) {
+ Slapi_Value **va = NULL;
+
+ unhashed_pw_attr =
slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
+@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int
pw_change, char *old_pw)
+ * Finally, delete the
unhashed userpassword
+ * (this will update the
password entry extension)
+ */
+- bval.bv_val = password;
+- bval.bv_len = strlen(password);
+- bv[0] = &bval;
+- bv[1] = NULL;
+- valuearray_init_bervalarray(bv,
&va);
+-
slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+- valuearray_free(&va);
++ if (SLAPD_UNHASHED_PW_OFF !=
config_get_unhashed_pw_switch()) {
++ bval.bv_val = password;
++ bval.bv_len =
strlen(password);
++ bv[0] = &bval;
++ bv[1] = NULL;
++
valuearray_init_bervalarray(bv, &va);
++
slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++ valuearray_free(&va);
++ }
+ } else {
+ /*
+ * Password is encoded, try
and find a matching unhashed_password to delete
+@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int
pw_change, char *old_pw)
+
if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
+
if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
+
/* match, add the delete mod for this particular unhashed userpassword */
+-
valuearray_init_bervalarray(bv, &va);
+-
slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+-
valuearray_free(&va);
+-
free_pw_scheme( unhashed_pwsp );
++
if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++
valuearray_init_bervalarray(bv, &va);
++
slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++
valuearray_free(&va);
++
free_pw_scheme( unhashed_pwsp );
++
}
+
break;
+ }
+ } else {
+ /*
+ * We
have a hashed unhashed_userpassword! We must delete it.
+ */
+-
valuearray_init_bervalarray(bv, &va);
+-
slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+-
valuearray_free(&va);
++ if
(SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++
valuearray_init_bervalarray(bv, &va);
++
slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++
valuearray_free(&va);
++ }
+ }
+ free_pw_scheme(
unhashed_pwsp );
+ }
+@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int
pw_change, char *old_pw)
+ if (remove_unhashed_pw &&
!slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
+ slapi_mods_add_mod_values(&smods,
pw_mod->mod_op,unhashed_pw_attr, va);
+ }
+- } else {
++ } else if (SLAPD_UNHASHED_PW_OFF !=
config_get_unhashed_pw_switch()) {
+ /* add pseudo password attribute */
+
valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
+ if(va && va[0]){
diff -Nru 389-ds-base-1.3.3.5/debian/patches/series
389-ds-base-1.3.3.5/debian/patches/series
--- 389-ds-base-1.3.3.5/debian/patches/series 2015-01-16 13:46:01.000000000
+0100
+++ 389-ds-base-1.3.3.5/debian/patches/series 2015-03-09 09:47:59.000000000
+0100
@@ -6,3 +6,6 @@
support-kfreebsd.patch
fix-obsolete-target.diff
fix-saslpath.diff
+
+cve-2014-8112.diff
+cve-2014-8105.diff
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
