From a1a941fd0253e356bc05179cd776f9143fcd3324 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 16 Dec 2014 16:53:07 -0500
Subject: [PATCH 264/267] Fix for CVE-2014-8105
Description: At server startup check for the Retro Changelog default ACI
on cn=changelog, if present delete it.
Reviewed by: lkrispenz(Thanks!)
(cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
---
ldap/servers/plugins/retrocl/retrocl.c | 67 ++++++++++++++++++++++++++-
ldap/servers/plugins/retrocl/retrocl_create.c | 4 --
2 files changed, 66 insertions(+), 5 deletions(-)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 90c3455..08484c7 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -305,6 +305,68 @@ char *retrocl_get_config_str(const char *attrt)
return ma;
}
+static void
+retrocl_remove_legacy_default_aci(void)
+{
+ Slapi_PBlock *pb = NULL;
+ Slapi_Entry **entries;
+ char **aci_vals = NULL;
+ char *attrs[] = {"aci", NULL};
+ int rc;
+
+ pb = slapi_pblock_new();
+ slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
+ attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
+ slapi_search_internal_pb(pb);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if (rc == LDAP_SUCCESS) {
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
+ if(entries && entries[0]){
+ if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
+ if(charray_inlist(aci_vals, RETROCL_ACL)){
+ /*
+ * Okay, we need to remove the aci
+ */
+ LDAPMod mod;
+ LDAPMod *mods[2];
+ char *val[2];
+ Slapi_PBlock *mod_pb = 0;
+
+ mod_pb = slapi_pblock_new();
+ mods[0] = &mod;
+ mods[1] = 0;
+ val[0] = RETROCL_ACL;
+ val[1] = 0;
+ mod.mod_op = LDAP_MOD_DELETE;
+ mod.mod_type = "aci";
+ mod.mod_values = val;
+
+ slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
+ mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
+ slapi_modify_internal_pb(mod_pb);
+ slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if(rc == LDAP_SUCCESS){
+ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+ "Successfully removed vulnerable legacy default aci \"%s\". "
+ "If the aci removal was not desired please use a different \"acl "
+ "name\" so it is not removed at the next plugin startup.\n",
+ RETROCL_ACL);
+ } else {
+ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+ "Failed to removed vulnerable legacy default aci (%s) error %d\n",
+ RETROCL_ACL, rc);
+ }
+ slapi_pblock_destroy(mod_pb);
+ }
+ slapi_ch_array_free(aci_vals);
+ }
+ }
+ }
+ slapi_free_search_results_internal(pb);
+ slapi_pblock_destroy(pb);
+}
+
+
/*
* Function: retrocl_start
*
@@ -335,7 +397,10 @@ static int retrocl_start (Slapi_PBlock *pb)
LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
return rc;
}
-
+
+ /* Remove the old default aci as it exposes passwords changes to anonymous users */
+ retrocl_remove_legacy_default_aci();
+
retrocl_init_trimming();
if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
index 1ffdaae..870421c 100644
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
val.bv_len = strlen(val.bv_val);
slapi_entry_add_values( e, "cn", vals );
- val.bv_val = RETROCL_ACL;
- val.bv_len = strlen(val.bv_val);
- slapi_entry_add_values( e, "aci", vals );
-
pb = slapi_pblock_new ();
slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
g_plg_identity[PLUGIN_RETROCL],
--
1.9.3