From f1e19a00f882f4636da861183308222d861fc06c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 06 2021 19:06:00 +0000
Subject: import slapi-nis-0.56.6-3.module+el8.5.0+11646+10d60346
---
diff --git a/SOURCES/cve-2021-3480-fix.patch b/SOURCES/cve-2021-3480-fix.patch
new file mode 100644
index 0000000..592c2d3
--- /dev/null
+++ b/SOURCES/cve-2021-3480-fix.patch
@@ -0,0 +1,33 @@
+From 2f2b7ecd9d6a0f5044c24e4f96464942a1d873db Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 7 Apr 2021 14:40:52 +0300
+Subject: [PATCH] CVE-2021-3480: invalid bind DN crash
+
+For certain LDAP bind operations 389-ds would pass unvalidated bind DN
+to bind plugins. A first attempt to normalize the DN would find that out
+and should reject the request.
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/back-sch.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index a5e4c04..d806627 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1988,6 +1988,11 @@ backend_locate_cb(const char *group, const char *set, bool_t flag,
+ rdn = slapi_rdn_new_sdn(cbdata->target_dn);
+ if (rdn != NULL) {
+ rdnstr = slapi_rdn_get_nrdn(rdn);
++ if (rdnstr == NULL) {
++ /* normalizing RDN failed, break the search */
++ slapi_rdn_free(&rdn);
++ return FALSE;
++ }
+ if (map_match(cbdata->state, group, set, &flag,
+ strlen(rdnstr), rdnstr,
+ &ndnlen, &ndn,
+--
+2.31.1
+
diff --git a/SOURCES/slapi-nis-bz1958909.patch b/SOURCES/slapi-nis-bz1958909.patch
new file mode 100644
index 0000000..07c2282
--- /dev/null
+++ b/SOURCES/slapi-nis-bz1958909.patch
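Review bot: In the `src/back-sch.c` hunk carried by `cve-2021-3480-fix.patch`, the new `rdnstr == NULL` branch drops the request without leaving any trace, so repeated malformed bind DNs (the crash trigger this CVE describes) stay invisible to whoever monitors the directory server. A plugin-level log line before `return FALSE;` would help, for example `slapi_log_error(SLAPI_LOG_PLUGIN, PLUGIN_ID_PLACEHOLDER, "bind DN RDN could not be normalized, search stopped\n");`, where the second argument is a placeholder for the plugin's own identifier and the raw DN is deliberately not echoed into the log. The comment could also record why the guard exists: `/* slapi_rdn_get_nrdn() gave NULL for an unvalidated DN; strlen(rdnstr) below would dereference it */`. backend_locate_cb starts and ends outside the hunk, so other uses of the normalized RDN in this file cannot be checked from here.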
@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy
+Signed-off-by: Thierry Bordaz
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+
+ /* Check the group itself. */
+ group_dn = slapi_sdn_new_dn_byval(group);
+- if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+- cbdata->scope) == 1) {
++ if (backend_should_descend(group_dn,
++ cbdata->target_dn,
++ cbdata->scope)) {
+ cbdata->answer = TRUE;
+ slapi_sdn_free(&group_dn);
+ return TRUE;
+--
+2.31.1
+
diff --git a/SOURCES/slapi-nis-bz1978189.patch b/SOURCES/slapi-nis-bz1978189.patch
new file mode 100644
index 0000000..93762b4
--- /dev/null
+++ b/SOURCES/slapi-nis-bz1978189.patch
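Review bot: In the `backend_search_find_set_dn_cb` hunk of `slapi-nis-bz1958909.patch`, the retained comment `/* Check the group itself. */` no longer says what the condition tests now that it calls `backend_should_descend()` instead of comparing `slapi_sdn_scope_test()` with 1. Something like `/* Answer TRUE if the search scope can reach this group container, using the same test as the other callbacks. */` would match the commit description. backend_should_descend() is defined outside the hunk, so it cannot be confirmed here how it treats a base-scope search or a target_dn equal to group_dn. Since this condition decides which compat-tree searches get an answer, a test for each scope value would pin the intended behaviour. The function body continues past the hunk.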
@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership. Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping. sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ return NULL;
+ }
+
+- do {
++ for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ grouplist, &ngroups,
+ &lerrno);
+- if ((rc != NSS_STATUS_SUCCESS)) {
+- tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+- if (tmp_list == NULL) {
++ if (rc == NSS_STATUS_TRYAGAIN) {
++ tmp_list = NULL;
++ if (lerrno == ERANGE) {
++ tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++ }
++ if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ free(grouplist);
+ return NULL;
+ }
+ grouplist = tmp_list;
+ }
+- } while (rc != NSS_STATUS_SUCCESS);
++ }
+
+ entries = calloc(ngroups + 1, sizeof(entries[0]));
+ if (entries == NULL) {
+--
+2.31.1
+
diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec
index 23d7c4f..c0aff9a 100644
--- a/SPECS/slapi-nis.spec
+++ b/SPECS/slapi-nis.spec
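Review bot: In the `src/back-sch-nss.c` hunk of `slapi-nis-bz1978189.patch`, the loop now exits on any status other than NSS_STATUS_TRYAGAIN, yet the next visible statement is `entries = calloc(ngroups + 1, sizeof(entries[0]));` with no test that the lookup succeeded. Unless a check sits beyond the hunk, a timeout or not-found result would go on to use `grouplist` and `ngroups` values that the failed call may not have filled in; a guard right after the loop such as `if (rc != NSS_STATUS_SUCCESS) { free(grouplist); return NULL; }` closes that. Separately, `realloc(grouplist, ngroups * sizeof(gid_t))` trusts `ngroups` as returned: if it could ever come back as 0 or negative, the size is zero or huge, and where a zero-size realloc frees the block the following `free(grouplist)` would free it a second time, so an `ngroups > 0` check before the realloc is worth adding. The enclosing function starts before the hunk (the header shows only the `repeat:` label) and continues after it.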
@@ -11,13 +11,16 @@ Name: slapi-nis Version: 0.56.6 -Release: 1%{?dist} +Release: 3%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons License: GPLv2 URL: http://pagure.io/slapi-nis/ Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc +Patch1: cve-2021-3480-fix.patch +Patch2: slapi-nis-bz1978189.patch +Patch3: slapi-nis-bz1958909.patch BuildRequires: autoconf BuildRequires: automake @@ -56,6 +59,9 @@ for attributes from multiple entries in the tree. %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build autoconf --force @@ -84,6 +90,14 @@ make check %{_sbindir}/nisserver-plugin-defs %changelog +* Thu Jul 01 2021 Alexander Bokovoy - 0.56.6-3 +- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree +- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap + +* Wed Apr 07 2021 Alexander Bokovoy - 0.56.6-2 +- CVE 2021-3480: idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN +- Resolves: rhbz#1944713 + * Fri Dec 04 2020 Alexander Bokovoy - 0.56.6-1 - Upstream release 0.56.6 - Resolves rhbz#1891741