From 07ea6178fd210d28665e1c8daf3f2cc1359e6a27 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 02 2022 07:09:04 +0000
Subject: import 389-ds-base-1.4.3.28-7.module+el8.6.0+15293+4900ec12


---

diff --git a/SOURCES/0018-Issue-5221-User-with-expired-password-can-still-logi.patch b/SOURCES/0018-Issue-5221-User-with-expired-password-can-still-logi.patch
new file mode 100644
index 0000000..7b2f4ba
--- /dev/null
+++ b/SOURCES/0018-Issue-5221-User-with-expired-password-can-still-logi.patch
@@ -0,0 +1,108 @@
+From ad7573252147770c66ff3761add0f04fc8fa6f6c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 3 Mar 2022 16:29:41 -0500
+Subject: [PATCH 1/2] Issue 5221 - User with expired password can still login
+ with full privledges
+
+Bug Description:
+
+A user with an expired password can still login and perform operations
+with its typical access perimssions.  But an expired password means the
+account should be considered anonymous.
+
+Fix Description:
+
+Clear the bind credentials if the password is expired
+
+relates: https://github.com/389ds/389-ds-base/issues/5221
+
+Reviewed by: progier(Thanks!)
+---
+ .../suites/password/pw_expired_access_test.py | 62 +++++++++++++++++++
+ ldap/servers/slapd/pw_mgmt.c                  |  1 +
+ 2 files changed, 63 insertions(+)
+ create mode 100644 dirsrvtests/tests/suites/password/pw_expired_access_test.py
+
+diff --git a/dirsrvtests/tests/suites/password/pw_expired_access_test.py b/dirsrvtests/tests/suites/password/pw_expired_access_test.py
+new file mode 100644
+index 000000000..fb0afb190
+--- /dev/null
++++ b/dirsrvtests/tests/suites/password/pw_expired_access_test.py
+@@ -0,0 +1,62 @@
++import ldap
++import logging
++import pytest
++import os
++import time
++from lib389._constants import DEFAULT_SUFFIX, PASSWORD
++from lib389.idm.domain import Domain
++from lib389.idm.user import UserAccounts
++from lib389.topologies import topology_st as topo
++
++log = logging.getLogger(__name__)
++
++def test_expired_user_has_no_privledge(topo):
++    """Specify a test case purpose or name here
++
++    :id: 3df86b45-9929-414b-9bf6-06c25301d207
++    :setup: Standalone Instance
++    :steps:
++        1. Set short password expiration time
++        2. Add user and wait for expiration time to run out
++        3. Set one aci that allows authenticated users full access
++        4. Bind as user (password should be expired)
++        5. Attempt modify
++    :expectedresults:
++        1. Success
++        2. Success
++        3. Success
++        4. Success
++        5. Success
++    """
++
++    # Configured password epxiration
++    topo.standalone.config.replace_many(('passwordexp', 'on'), ('passwordmaxage', '1'))
++
++    # Set aci
++    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
++    ACI_TEXT = '(targetattr="*")(version 3.0; acl "test aci"; allow (all) (userdn="ldap:///all");)'
++    suffix.replace('aci', ACI_TEXT)
++
++    # Add user
++    user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).create_test_user()
++    user.replace('userpassword', PASSWORD)
++    time.sleep(2)
++
++    # Bind as user with expired password.  Need to use raw ldap calls because
++    # lib389 will close the connection when an error 49 is encountered.
++    ldap_object = ldap.initialize(topo.standalone.toLDAPURL())
++    with pytest.raises(ldap.INVALID_CREDENTIALS):
++        res_type, res_data, res_msgid, res_ctrls = ldap_object.simple_bind_s(
++            user.dn, PASSWORD)
++
++    # Try modify
++    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
++        modlist = [ (ldap.MOD_REPLACE, 'description', b'Should not work!') ]
++        ldap_object.modify_ext_s(DEFAULT_SUFFIX, modlist)
++
++
++if __name__ == '__main__':
++    # Run isolated
++    # -s for DEBUG mode
++    CURRENT_FILE = os.path.realpath(__file__)
++    pytest.main(["-s", CURRENT_FILE])
+diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
+index 59b90dfa6..b67c2c8c0 100644
+--- a/ldap/servers/slapd/pw_mgmt.c
++++ b/ldap/servers/slapd/pw_mgmt.c
+@@ -208,6 +208,7 @@ skip:
+             slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED);
+         }
+         slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
++        bind_credentials_clear(pb_conn, PR_FALSE, PR_TRUE);
+         slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
+                                "password expired!", 0, NULL);
+ 
+-- 
+2.31.1
+
diff --git a/SOURCES/0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch b/SOURCES/0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
new file mode 100644
index 0000000..cca43d1
--- /dev/null
+++ b/SOURCES/0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
@@ -0,0 +1,45 @@
+From c7f4542fade3d06c8725d0c2976d81f5206719c4 Mon Sep 17 00:00:00 2001
+From: tbordaz <tbordaz@redhat.com>
+Date: Wed, 30 Mar 2022 18:07:23 +0200
+Subject: [PATCH 2/2] Issue 5242- Craft message may crash the server (#5243)
+
+Bug description:
+	A craft request can result in DoS
+
+Fix description:
+	If the server fails to decode the ber value
+	then return an Error
+
+relates: 5242
+
+Reviewed by: Pierre Rogier, Mark Reynolds (thanks !)
+
+Platforms tested:  F34
+---
+ ldap/servers/slapd/filter.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
+index d671c87ff..52fd95750 100644
+--- a/ldap/servers/slapd/filter.c
++++ b/ldap/servers/slapd/filter.c
+@@ -647,8 +647,14 @@ get_extensible_filter(BerElement *ber, mr_filter_t *mrf)
+         }
+     }
+ 
+-    if ((tag != LBER_ERROR) && (len != -1)) {
+-        goto parsing_error;
++    if (tag == LBER_ERROR) {
++        if (len == -1) {
++            /* means that the ber sequence ended without  LBER_END_OF_SEQORSET tag
++             * and it is considered as valid to ensure compatibility with open ldap.
++             */
++        } else {
++            goto parsing_error;
++        }
+     }
+ 
+     slapi_log_err(SLAPI_LOG_FILTER, "get_extensible_filter", "<= %i\n", rc);
+-- 
+2.31.1
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 3180aed..c3d1ed3 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.4.3.28
-Release:          %{?relprefix}6%{?prerel}%{?dist}
+Release:          %{?relprefix}7%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org
 Group:            System Environment/Daemons
@@ -266,6 +266,8 @@ Patch14:          0014-Issue-5127-run-restorecon-on-dev-shm-at-server-start.patc
 Patch15:          0015-Issue-5127-ds_selinux_restorecon.sh-always-exit-0.patch
 Patch16:          0016-Issue-4775-Add-entryuuid-CLI-and-Fixup-4776.patch
 Patch17:          0017-Issue-4775-Fix-cherry-pick-error.patch
+Patch18:          0018-Issue-5221-User-with-expired-password-can-still-logi.patch
+Patch19:          0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -885,6 +887,11 @@ exit 0
 %doc README.md
 
 %changelog
+* Thu May 19 2022 Thierry Bordaz <tbordaz@redhat.com> - 1.4.3.28-7
+- Bump version to 1.4.3.28-7
+- Resolves: Bug 2081008 - CVE-2022-0996 389-ds:1.4/389-ds-base: expired password was still allowed to access the database
+- Resolves: Bug 2081014 - CVE-2022-0918 389-ds:1.4/389-ds-base: sending crafted message could result in DoS
+
 * Thu Feb 3 2022 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.28-6
 - Bump version to 1.4.3.28-6
 - Resolves: Bug 2047171 - Based on 1944494 (RFC 4530 entryUUID attribute) - plugin entryuuid failing