From a1a941fd0253e356bc05179cd776f9143fcd3324 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 16 Dec 2014 16:53:07 -0500
Subject: [PATCH 264/267] Fix for CVE-2014-8105
Description:  At server startup check for the Retro Changelog default ACI
              on cn=changelog and, if present, delete it.
Reviewed by: lkrispenz(Thanks!)
(cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
---
 ldap/servers/plugins/retrocl/retrocl.c        | 67 ++++++++++++++++++++++++++-
 ldap/servers/plugins/retrocl/retrocl_create.c |  4 --
 2 files changed, 66 insertions(+), 5 deletions(-)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
dc8c34
index 90c3455..08484c7 100644
dc8c34
--- a/ldap/servers/plugins/retrocl/retrocl.c
dc8c34
+++ b/ldap/servers/plugins/retrocl/retrocl.c
dc8c34
@@ -305,6 +305,68 @@ char *retrocl_get_config_str(const char *attrt)
dc8c34
     return ma;
dc8c34
 }
dc8c34
 
dc8c34
+static void
dc8c34
+retrocl_remove_legacy_default_aci(void)
dc8c34
+{
dc8c34
+    Slapi_PBlock *pb = NULL;
dc8c34
+    Slapi_Entry **entries;
dc8c34
+    char **aci_vals = NULL;
dc8c34
+    char *attrs[] = {"aci", NULL};
dc8c34
+    int rc;
dc8c34
+
dc8c34
+    pb = slapi_pblock_new();
dc8c34
+    slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
dc8c34
+            attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
dc8c34
+    slapi_search_internal_pb(pb);
dc8c34
+    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
dc8c34
+    if (rc == LDAP_SUCCESS) {
dc8c34
+        slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
dc8c34
+        if(entries && entries[0]){
dc8c34
+            if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
dc8c34
+                if(charray_inlist(aci_vals, RETROCL_ACL)){
dc8c34
+                    /*
dc8c34
+                     * Okay, we need to remove the aci
dc8c34
+                     */
dc8c34
+                    LDAPMod mod;
dc8c34
+                    LDAPMod *mods[2];
dc8c34
+                    char *val[2];
dc8c34
+                    Slapi_PBlock *mod_pb = 0;
dc8c34
+
dc8c34
+                    mod_pb = slapi_pblock_new();
dc8c34
+                    mods[0] = &mod;
dc8c34
+                    mods[1] = 0;
dc8c34
+                    val[0] = RETROCL_ACL;
dc8c34
+                    val[1] = 0;
dc8c34
+                    mod.mod_op = LDAP_MOD_DELETE;
dc8c34
+                    mod.mod_type = "aci";
dc8c34
+                    mod.mod_values = val;
dc8c34
+
dc8c34
+                    slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
dc8c34
+                                                    mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
dc8c34
+                    slapi_modify_internal_pb(mod_pb);
dc8c34
+                    slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
dc8c34
+                    if(rc == LDAP_SUCCESS){
dc8c34
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
dc8c34
+                                "Successfully removed vulnerable legacy default aci \"%s\".  "
dc8c34
+                                "If the aci removal was not desired please use a different \"acl "
dc8c34
+                                "name\" so it is not removed at the next plugin startup.\n",
dc8c34
+                                RETROCL_ACL);
dc8c34
+                    } else {
dc8c34
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
dc8c34
+                                "Failed to removed vulnerable legacy default aci (%s) error %d\n",
dc8c34
+                                RETROCL_ACL, rc);
dc8c34
+                    }
dc8c34
+                    slapi_pblock_destroy(mod_pb);
dc8c34
+                }
dc8c34
+                slapi_ch_array_free(aci_vals);
dc8c34
+            }
dc8c34
+        }
dc8c34
+    }
dc8c34
+    slapi_free_search_results_internal(pb);
dc8c34
+    slapi_pblock_destroy(pb);
dc8c34
+}
dc8c34
+
dc8c34
+
dc8c34
 /*
dc8c34
  * Function: retrocl_start
dc8c34
  *
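Review bot: `rc` and `entries` in retrocl_remove_legacy_default_aci are declared without initializers, so if either slapi_pblock_get call leaves its output untouched the following `rc == LDAP_SUCCESS` test and the `entries[0]` dereference read indeterminate values; declaring them as `int rc = -1;` and `Slapi_Entry **entries = NULL;` makes the no-result path well defined at no cost. The failure message on the modify path also has a typo: `"Failed to remove vulnerable legacy default aci (%s) error %d\n"`. Note that `charray_inlist(aci_vals, RETROCL_ACL)` is a byte-for-byte comparison, so a copy of the legacy ACI that an administrator has reformatted (whitespace, case) would survive the check; that looks intended given the "use a different acl name" wording in the success log, but a one-line comment above the check stating that only the verbatim default is removed would save the next reader from assuming broader cleanup.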
dc8c34
@@ -335,7 +397,10 @@ static int retrocl_start (Slapi_PBlock *pb)
dc8c34
       LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
dc8c34
       return rc;
dc8c34
     }
dc8c34
-   
dc8c34
+
dc8c34
+    /* Remove the old default aci as it exposes passwords changes to anonymous users */
dc8c34
+    retrocl_remove_legacy_default_aci();
dc8c34
+
dc8c34
     retrocl_init_trimming();
dc8c34
 
dc8c34
     if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
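Review bot: The comment introducing the new call has a grammar slip and should read `/* Remove the old default aci as it exposes password changes to anonymous users */`. Because retrocl_remove_legacy_default_aci returns void, retrocl_start cannot tell whether the removal succeeded and proceeds to retrocl_init_trimming regardless; that appears deliberate since the helper logs both outcomes at SLAPI_LOG_FATAL, and saying so in the comment (e.g. "failures are logged, startup continues") would make the intent explicit. retrocl_start begins and ends outside this hunk.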
dc8c34
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
dc8c34
index 1ffdaae..870421c 100644
dc8c34
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
dc8c34
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
dc8c34
@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
dc8c34
     val.bv_len = strlen(val.bv_val);
dc8c34
     slapi_entry_add_values( e, "cn", vals );  
dc8c34
     
dc8c34
-    val.bv_val = RETROCL_ACL;
dc8c34
-    val.bv_len = strlen(val.bv_val);
dc8c34
-    slapi_entry_add_values( e, "aci", vals );  
dc8c34
-
dc8c34
     pb = slapi_pblock_new ();
dc8c34
     slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */, 
dc8c34
 				     g_plg_identity[PLUGIN_RETROCL], 
-- 
1.9.3