From a1a941fd0253e356bc05179cd776f9143fcd3324 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Tue, 16 Dec 2014 16:53:07 -0500
Subject: [PATCH 264/267] Fix for CVE-2014-8105
Description: At server startup check for the Retro Changelog default ACI on cn=changelog, if present delete it.
Reviewed by: lkrispenz(Thanks!)
(cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
---
 ldap/servers/plugins/retrocl/retrocl.c | 67 ++++++++++++++++++++++++++-
 ldap/servers/plugins/retrocl/retrocl_create.c | 4 --
 2 files changed, 66 insertions(+), 5 deletions(-)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 90c3455..08484c7 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -305,6 +305,68 @@ char *retrocl_get_config_str(const char *attrt) return ma; } +static void +retrocl_remove_legacy_default_aci(void) +{ + Slapi_PBlock *pb = NULL; + Slapi_Entry **entries; + char **aci_vals = NULL; + char *attrs[] = {"aci", NULL}; + int rc; + + pb = slapi_pblock_new(); + slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*", + attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0); + slapi_search_internal_pb(pb); + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); + if (rc == LDAP_SUCCESS) { + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); + if(entries && entries[0]){ + if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){ + if(charray_inlist(aci_vals, RETROCL_ACL)){ + /* + * Okay, we need to remove the aci + */ + LDAPMod mod; + LDAPMod *mods[2]; + char *val[2]; + Slapi_PBlock *mod_pb = 0; + + mod_pb = slapi_pblock_new(); + mods[0] = &mod; + mods[1] = 0; + val[0] = RETROCL_ACL; + val[1] = 0; + mod.mod_op = LDAP_MOD_DELETE; + mod.mod_type = "aci"; + mod.mod_values = val; + + slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]), + mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0); + slapi_modify_internal_pb(mod_pb); + slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); + if(rc == LDAP_SUCCESS){ + slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME, + "Successfully removed vulnerable legacy default aci \"%s\". " + "If the aci removal was not desired please use a different \"acl " + "name\" so it is not removed at the next plugin startup.\n", + RETROCL_ACL); + } else { + slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME, + "Failed to removed vulnerable legacy default aci (%s) error %d\n", + RETROCL_ACL, rc); + } + slapi_pblock_destroy(mod_pb); + } + slapi_ch_array_free(aci_vals); + } + } + } + slapi_free_search_results_internal(pb); + slapi_pblock_destroy(pb); +} + + /* * Function: retrocl_start * 
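Review bot: A failed base search on cn=changelog is dropped silently in retrocl_remove_legacy_default_aci: when `rc` is anything other than LDAP_SUCCESS the function goes straight to cleanup without a log line, so the error log cannot show whether the legacy ACI was checked at all. An `else` on the outer `if (rc == LDAP_SUCCESS)` that logs every result except the expected missing-entry case would cover it, e.g. `} else if (rc != LDAP_NO_SUCH_OBJECT) { slapi_log_error(SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME, "Could not check for legacy default aci, error %d\n", rc); }`. The removal is also keyed on the whole RETROCL_ACL value being present in the list (`charray_inlist`), so a copy of the rule that was edited or renamed stays on the entry, and the success message itself recommends renaming to keep it; the function comment or release notes should tell operators to review the remaining `aci` values on cn=changelog after upgrade. Minor: "Failed to removed" in the failure message should read "Failed to remove".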
@@ -335,7 +397,10 @@ static int retrocl_start (Slapi_PBlock *pb) LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc); return rc; } - + + /* Remove the old default aci as it exposes passwords changes to anonymous users */ + retrocl_remove_legacy_default_aci(); + retrocl_init_trimming(); if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) { diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c index 1ffdaae..870421c 100644 --- a/ldap/servers/plugins/retrocl/retrocl_create.c +++ b/ldap/servers/plugins/retrocl/retrocl_create.c @@ -344,10 +344,6 @@ void retrocl_create_cle (void) val.bv_len = strlen(val.bv_val); slapi_entry_add_values( e, "cn", vals ); - val.bv_val = RETROCL_ACL; - val.bv_len = strlen(val.bv_val); - slapi_entry_add_values( e, "aci", vals ); - pb = slapi_pblock_new (); slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */, g_plg_identity[PLUGIN_RETROCL], -- 1.9.3
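Review bot: The comment above the new call in retrocl_start does not say that the cleanup is best effort: the helper returns void, so startup continues into `retrocl_init_trimming()` even when the delete failed and the ACI is still on cn=changelog. I would state that and name the advisory, e.g. `/* Remove the legacy default aci (CVE-2014-8105): it exposes password changes to anonymous users. Best effort: a failure is only logged and startup continues. */`. The call also sits after the early `return rc` for a missing backend and runs only on this start path, which is worth a word in the same comment. The body of retrocl_start continues outside the hunk.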