Your message dated Sat, 10 Mar 2018 10:57:46 +0000
with message-id <1520679466.2744.57.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.4
has caused the Debian Bug report #883124,
regarding stretch-pu: package golang-github-go-ldap-ldap/2.4.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear stable release managers,

I've prepared a fix for CVE-2017-14623, Debian BTS #876404. The security
team does not intend to publish a DSA for this minor issue, so I'm
asking here if you would accept an upload for stable-proposed-updates.

The source debdiff is attached. Please tell me if I should upload the
package or if you need further changes.

Regards,
Tobias
diff -Nru golang-github-go-ldap-ldap-2.4.1/debian/changelog golang-github-go-ldap-ldap-2.4.1/debian/changelog
--- golang-github-go-ldap-ldap-2.4.1/debian/changelog	2016-08-16 18:19:35.000000000 +0200
+++ golang-github-go-ldap-ldap-2.4.1/debian/changelog	2017-11-29 23:45:26.000000000 +0100
@@ -1,3 +1,17 @@
+golang-github-go-ldap-ldap (2.4.1-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Require explicit intention for empty password.
+    This is normally used for unauthenticated bind, and
+    https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
+    "Clients SHOULD disallow an empty password input to a Name/Password
+    Authentication user interface"
+    This is (mostly) a cherry-pick of 95ede12 from upstream, except
+    the bit in ldap_test.go, which is unrelated to the security issue.
+    This fixes CVE-2017-14623. (Closes: #876404)
+
+ -- Dr. Tobias Quathamer <to...@debian.org>  Wed, 29 Nov 2017 23:45:26 +0100
+
 golang-github-go-ldap-ldap (2.4.1-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru golang-github-go-ldap-ldap-2.4.1/debian/patches/0002-Require-explicit-intention-for-empty-password.patch golang-github-go-ldap-ldap-2.4.1/debian/patches/0002-Require-explicit-intention-for-empty-password.patch
--- golang-github-go-ldap-ldap-2.4.1/debian/patches/0002-Require-explicit-intention-for-empty-password.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-go-ldap-ldap-2.4.1/debian/patches/0002-Require-explicit-intention-for-empty-password.patch	2017-11-29 23:02:18.000000000 +0100
@@ -0,0 +1,170 @@
+From: "Dr. Tobias Quathamer" <to...@debian.org>
+Date: Wed, 29 Nov 2017 14:34:16 +0100
+Subject: Require explicit intention for empty password.
+
+This is normally used for unauthenticated bind, and
+https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
+
+> Clients SHOULD disallow an empty password input to a Name/Password
+> Authentication user interface
+
+This is (mostly) a cherry-pick of 95ede12 from upstream. I've removed
+the bit in ldap_test.go, which is unrelated to the security issue.
+
+This fixes CVE-2017-14623.
+
+https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66
+---
+ bind.go      | 80 ++++++++++++++++++++++++++++--------------------------------
+ error.go     |  9 +++++++
+ ldap_test.go | 64 +++++++++++++++++++++++-------------------------
+ 3 files changed, 77 insertions(+), 76 deletions(-)
+
+diff --git a/bind.go b/bind.go
+index 26b3cc7..432efa7 100644
+--- a/bind.go
++++ b/bind.go
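Review bot: The diffstat in the DEP-3 header still lists `ldap_test.go | 64 +++...` and "3 files changed, 77 insertions(+), 76 deletions(-)", but the patch body below only touches bind.go and error.go, matching the description that the ldap_test.go part of upstream 95ede12 was dropped. Regenerate the stat block (or drop it) so it agrees with the body; a stale stat is harmless to quilt but misleading to the next reviewer.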
+@@ -7,7 +7,7 @@ package ldap
+ import (
+ 	"errors"
+ 
+-	"gopkg.in/asn1-ber.v1"
++	ber "gopkg.in/asn1-ber.v1"
+ )
+ 
+ // SimpleBindRequest represents a username/password bind operation
+@@ -18,6 +18,9 @@ type SimpleBindRequest struct {
+ 	Password string
+ 	// Controls are optional controls to send with the bind request
+ 	Controls []Control
++	// AllowEmptyPassword sets whether the client allows binding with an empty password
++	// (normally used for unauthenticated bind).
++	AllowEmptyPassword bool
+ }
+ 
+ // SimpleBindResult contains the response from the server
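Review bot: Worth stating in the changelog or NEWS that the new `AllowEmptyPassword` field defaults to the zero value `false`, so any existing code that builds a `SimpleBindRequest` literal and intentionally binds with an empty password will start failing after this stable update; the safe default is the right choice, but it is a behaviour change rather than a pure bug fix.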
+@@ -28,9 +31,10 @@ type SimpleBindResult struct {
+ // NewSimpleBindRequest returns a bind request
+ func NewSimpleBindRequest(username string, password string, controls []Control) *SimpleBindRequest {
+ 	return &SimpleBindRequest{
+-		Username: username,
+-		Password: password,
+-		Controls: controls,
++		Username:           username,
++		Password:           password,
++		Controls:           controls,
++		AllowEmptyPassword: false,
+ 	}
+ }
+ 
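Review bot: `NewSimpleBindRequest` still takes only `(username, password, controls)`, so there is no constructor path to an unauthenticated bind; callers either set `AllowEmptyPassword = true` on the returned struct or use the new `UnauthenticatedBind` method. Setting `AllowEmptyPassword: false` explicitly is redundant with the zero value, but it documents the intent and matches upstream, so fine to keep.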
+@@ -47,6 +51,10 @@ func (bindRequest *SimpleBindRequest) encode() *ber.Packet {
+ 
+ // SimpleBind performs the simple bind operation defined in the given request
+ func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResult, error) {
++	if simpleBindRequest.Password == "" && !simpleBindRequest.AllowEmptyPassword {
++		return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
++	}
++
+ 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
+ 	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
+ 	encodedBindRequest := simpleBindRequest.encode()
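Review bot: Good that the empty-password check runs before `l.nextMessageID()` is consumed and before anything is sent, so a rejected bind leaves no half-built message on the connection. The check only covers the exact empty string, which is what RFC 4513 section 5.1.2 asks for; `ErrorEmptyPassword` (206) sits in the library's client-side 200+ range, so callers can distinguish it from a server `invalidCredentials` result.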
+@@ -97,47 +105,33 @@ func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResu
+ 	return result, nil
+ }
+ 
+-// Bind performs a bind with the given username and password
++// Bind performs a bind with the given username and password.
++//
++// It does not allow unauthenticated bind (i.e. empty password). Use the UnauthenticatedBind method
++// for that.
+ func (l *Conn) Bind(username, password string) error {
+-	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
+-	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
+-	bindRequest := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
+-	bindRequest.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
+-	bindRequest.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, username, "User Name"))
+-	bindRequest.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, password, "Password"))
+-	packet.AppendChild(bindRequest)
+-
+-	if l.Debug {
+-		ber.PrintPacket(packet)
+-	}
+-
+-	msgCtx, err := l.sendMessage(packet)
+-	if err != nil {
+-		return err
+-	}
+-	defer l.finishMessage(msgCtx)
+-
+-	packetResponse, ok := <-msgCtx.responses
+-	if !ok {
+-		return NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
+-	}
+-	packet, err = packetResponse.ReadPacket()
+-	l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
+-	if err != nil {
+-		return err
+-	}
+-
+-	if l.Debug {
+-		if err := addLDAPDescriptions(packet); err != nil {
+-			return err
+-		}
+-		ber.PrintPacket(packet)
++	req := &SimpleBindRequest{
++		Username:           username,
++		Password:           password,
++		AllowEmptyPassword: false,
+ 	}
++	_, err := l.SimpleBind(req)
++	return err
++}
+ 
+-	resultCode, resultDescription := getLDAPResultCode(packet)
+-	if resultCode != 0 {
+-		return NewError(resultCode, errors.New(resultDescription))
++// UnauthenticatedBind performs an unauthenticated bind.
++//
++// A username may be provided for trace (e.g. logging) purpose only, but it is normally not
++// authenticated or otherwise validated by the LDAP server.
++//
++// See https://tools.ietf.org/html/rfc4513#section-5.1.2 .
++// See https://tools.ietf.org/html/rfc4513#section-6.3.1 .
++func (l *Conn) UnauthenticatedBind(username string) error {
++	req := &SimpleBindRequest{
++		Username:           username,
++		Password:           "",
++		AllowEmptyPassword: true,
+ 	}
+-
+-	return nil
++	_, err := l.SimpleBind(req)
++	return err
+ }
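Review bot: Rewriting `Bind` as a thin wrapper over `SimpleBind` removes the duplicated packet-building and response-handling code, but the hunk context does not show the non-zero result-code handling inside `SimpleBind`; please confirm it returns `NewError(resultCode, ...)` the same way the deleted `Bind` body did, otherwise existing callers checking `IsErrorWithCode` would see different errors. Minor wording in the `UnauthenticatedBind` comment: "for trace (e.g. logging) purpose only" should read "purposes only".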
+diff --git a/error.go b/error.go
+index ff69787..6e1277f 100644
+--- a/error.go
++++ b/error.go
+@@ -54,6 +54,7 @@ const (
+ 	ErrorDebugging          = 203
+ 	ErrorUnexpectedMessage  = 204
+ 	ErrorUnexpectedResponse = 205
++	ErrorEmptyPassword      = 206
+ )
+ 
+ // LDAPResultCodeMap contains string descriptions for LDAP error codes
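Review bot: `ErrorEmptyPassword = 206` fits the `uint8` key type of `LDAPResultCodeMap` and continues the existing 200-series of client-side codes, so no overflow concern; the constant is needed so `NewError` can attach a description for the new failure.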
+@@ -97,6 +98,14 @@ var LDAPResultCodeMap = map[uint8]string{
+ 	LDAPResultObjectClassModsProhibited:    "Object Class Mods Prohibited",
+ 	LDAPResultAffectsMultipleDSAs:          "Affects Multiple DSAs",
+ 	LDAPResultOther:                        "Other",
++
++	ErrorNetwork:            "Network Error",
++	ErrorFilterCompile:      "Filter Compile Error",
++	ErrorFilterDecompile:    "Filter Decompile Error",
++	ErrorDebugging:          "Debugging Error",
++	ErrorUnexpectedMessage:  "Unexpected Message",
++	ErrorUnexpectedResponse: "Unexpected Response",
++	ErrorEmptyPassword:      "Empty password not allowed by the client",
+ }
+ 
+ func getLDAPResultCode(packet *ber.Packet) (code uint8, description string) {
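Review bot: Adding the six existing client-side codes (`ErrorNetwork` through `ErrorUnexpectedResponse`) to `LDAPResultCodeMap` goes beyond the minimal CVE fix, but it comes from the same upstream commit and is needed so the map is consistent once `ErrorEmptyPassword` is looked up there; since the map's comment still says it "contains string descriptions for LDAP error codes", consider extending it to mention that client-side codes 200 and above are included, so readers do not mistake them for protocol result codes.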
diff -Nru golang-github-go-ldap-ldap-2.4.1/debian/patches/series golang-github-go-ldap-ldap-2.4.1/debian/patches/series
--- golang-github-go-ldap-ldap-2.4.1/debian/patches/series	2016-08-16 18:19:35.000000000 +0200
+++ golang-github-go-ldap-ldap-2.4.1/debian/patches/series	2017-11-29 14:37:00.000000000 +0100
@@ -1 +1,2 @@
 disable-internet-tests.patch
+0002-Require-explicit-intention-for-empty-password.patch



--- End Message ---
--- Begin Message ---
Version: 9.4

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
