diff -Nru 389-ds-base-1.3.3.5/debian/changelog 389-ds-base-1.3.3.5/debian/changelog
--- 389-ds-base-1.3.3.5/debian/changelog 2015-01-16 13:40:30.000000000 +0000
+++ 389-ds-base-1.3.3.5/debian/changelog 2015-03-09 08:53:08.000000000 +0000
@@ -1,3 +1,11 @@
+389-ds-base (1.3.3.5-4) unstable; urgency=medium
+
+ * Security fixes (Closes: #779909)
+ - cve-2014-8105.diff: Fix for CVE-2014-8105
+ - cve-2014-8112.diff: Fix for CVE-2014-8112
+
+ -- Timo Aaltonen Mon, 09 Mar 2015 10:53:03 +0200
+
 389-ds-base (1.3.3.5-3) unstable; urgency=medium
 * use-bash-instead-of-sh.diff: Drop admin_scripts.diff and patch the
diff -Nru 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff
--- 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff 1970-01-01 00:00:00.000000000 +0000
+++ 389-ds-base-1.3.3.5/debian/patches/cve-2014-8105.diff 2015-03-09 08:46:02.000000000 +0000
@@ -0,0 +1,116 @@
+commit 74e80db8380a4606e07672dfb5e3f7d403efe150
+Author: Mark Reynolds
+Date: Tue Dec 16 16:53:07 2014 -0500
+
+ Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
+
+ Fix for CVE-2014-8105
+
+ Description: At server startup check for the Retro Changelog default ACI
+ on cn=changelog, if present delete it.
+
+ Reviewed by: lkrispenz(Thanks!)
+
+ (cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
+ (cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 0d2a6dc..8a0f350 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
+ return ma;
+ }
+
++static void
++retrocl_remove_legacy_default_aci(void)
++{
++ Slapi_PBlock *pb = NULL;
++ Slapi_Entry **entries;
++ char **aci_vals = NULL;
++ char *attrs[] = {"aci", NULL};
++ int rc;
++
++ pb = slapi_pblock_new();
++ slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
++ attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
++ slapi_search_internal_pb(pb);
++ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++ if (rc == LDAP_SUCCESS) {
++ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
++ if(entries && entries[0]){
++ if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
++ if(charray_inlist(aci_vals, RETROCL_ACL)){
++ /*
++ * Okay, we need to remove the aci
++ */
++ LDAPMod mod;
++ LDAPMod *mods[2];
++ char *val[2];
++ Slapi_PBlock *mod_pb = 0;
++
++ mod_pb = slapi_pblock_new();
++ mods[0] = &mod;
++ mods[1] = 0;
++ val[0] = RETROCL_ACL;
++ val[1] = 0;
++ mod.mod_op = LDAP_MOD_DELETE;
++ mod.mod_type = "aci";
++ mod.mod_values = val;
++
++ slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
++ mods, 0, 0, 
g_plg_identity[PLUGIN_RETROCL], 0);
++ slapi_modify_internal_pb(mod_pb);
++ slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
++ if(rc == LDAP_SUCCESS){
++ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++ "Successfully removed vulnerable legacy default aci \"%s\". "
++ "If the aci removal was not desired please use a different \"acl "
++ "name\" so it is not removed at the next plugin startup.\n",
++ RETROCL_ACL);
++ } else {
++ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
++ "Failed to removed vulnerable legacy default aci (%s) error %d\n",
++ RETROCL_ACL, rc);
++ }
++ slapi_pblock_destroy(mod_pb);
++ }
++ slapi_ch_array_free(aci_vals);
++ }
++ }
++ }
++ slapi_free_search_results_internal(pb);
++ slapi_pblock_destroy(pb);
++}
++
++
+ /*
+ * Function: retrocl_start
+ *
+@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
+ LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
+ return rc;
+ }
+-
++
++ /* Remove the old default aci as it exposes passwords changes to anonymous users */
++ retrocl_remove_legacy_default_aci();
++
+ retrocl_init_trimming();
+
+ if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
+diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
+index 1ffdaae..870421c 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_create.c
++++ b/ldap/servers/plugins/retrocl/retrocl_create.c
+@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
+ val.bv_len = strlen(val.bv_val);
+ slapi_entry_add_values( e, "cn", vals );
+
+- val.bv_val = RETROCL_ACL;
+- val.bv_len = strlen(val.bv_val);
+- slapi_entry_add_values( e, "aci", vals );
+-
+ pb = slapi_pblock_new ();
+ slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
+ g_plg_identity[PLUGIN_RETROCL],
diff -Nru 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff
--- 
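Review bot: In retrocl_remove_legacy_default_aci() (retrocl.c, hunk at -308) every failure other than the modify itself is silent: if the base search on RETROCL_CHANGELOG_DN returns anything but LDAP_SUCCESS the function simply returns, and because it is void, retrocl_start() in the next hunk continues either way, so the server can come up with the anonymous-readable default aci still in place and nothing in the error log. I would add `} else if (rc != LDAP_NO_SUCH_OBJECT) { slapi_log_error(SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME, "Could not search %s for the legacy default aci, error %d\n", RETROCL_CHANGELOG_DN, rc); }` to the outer `if`, and declare `Slapi_Entry **entries = NULL;`, since the pointer is tested right after a slapi_pblock_get() whose return value is not checked. The match is made on the whole RETROCL_ACL string through charray_inlist(), so an aci that grants the same access under edited text is presumably left alone; a comment above the function stating that only the exact shipped value is removed would tell operators they still need to audit the acis on cn=changelog themselves. The failure message also reads "Failed to removed".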
389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff 1970-01-01 00:00:00.000000000 +0000
+++ 389-ds-base-1.3.3.5/debian/patches/cve-2014-8112.diff 2015-03-09 08:45:56.000000000 +0000
@@ -0,0 +1,115 @@
+commit 8603d6533d84009e13a94ce6327abfba7ae73ef4
+Author: Ludwig Krispenz
+Date: Fri Nov 28 14:23:06 2014 +0100
+
+ Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
+
+ Fix for CVE-2014-8112
+
+ If the unhashed pw switch is set to off this should only
+ prevent the generation of the unhashed#user#password
+ attribute.
+ But encoding of pw values and detiecetion which values have
+ to be deleted needs to stay intact.
+ So the check if the switch is set has to be placed close to
+ the generation of the attribute in different 'if' branches
+
+ Reviewed by Noriko, thanks
+
+ (cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
+ (cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
+index bcf53cd..61f99cf 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_po.c
++++ b/ldap/servers/plugins/retrocl/retrocl_po.c
+@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
+ continue;
+ }
+ }
++ if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
++ if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
++ /* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. 
*/
++ continue;
++ }
++ }
+ switch ( ldm[ i ]->mod_op & ~LDAP_MOD_BVALUES ) {
+ case LDAP_MOD_ADD:
+ addlenstr( l, "add: " );
+diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
+index 9b2f42d..ab12f56 100644
+--- a/ldap/servers/slapd/modify.c
++++ b/ldap/servers/slapd/modify.c
+@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ * before calling the preop plugins
+ */
+
+- if (pw_change && !repl_op &&
+- (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
++ if (pw_change && !repl_op ) {
+ Slapi_Value **va = NULL;
+
+ unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
+@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ * Finally, delete the unhashed userpassword
+ * (this will update the password entry extension)
+ */
+- bval.bv_val = password;
+- bval.bv_len = strlen(password);
+- bv[0] = &bval;
+- bv[1] = NULL;
+- valuearray_init_bervalarray(bv, &va);
+- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+- valuearray_free(&va);
++ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++ bval.bv_val = password;
++ bval.bv_len = strlen(password);
++ bv[0] = &bval;
++ bv[1] = NULL;
++ valuearray_init_bervalarray(bv, &va);
++ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++ valuearray_free(&va);
++ }
+ } else {
+ /*
+ * Password is encoded, try and find a matching unhashed_password to delete
+@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
+ if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
+ /* match, add the delete mod for this particular unhashed userpassword */
+- valuearray_init_bervalarray(bv, &va);
+- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+- valuearray_free(&va);
+- free_pw_scheme( unhashed_pwsp ); 
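Review bot: In make_changes_string() (retrocl_po.c, hunk at -101) the added check calls slapi_config_get_unhashed_pw_switch() once for every modification inside the loop, although the answer should not differ between the mods of one change record. Reading it once before the loop, e.g. `int skip_unhashed = (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch());`, and testing `skip_unhashed` here keeps the decision consistent for the whole record and drops the nested `if`. The loop header is outside the hunk, so the declaration would sit with the function's other locals. The comment could also state the reason rather than the condition: `/* nolog: never copy the clear-text unhashed#user#password value into the retro changelog */`.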
++ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++ valuearray_init_bervalarray(bv, &va);
++ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++ valuearray_free(&va);
++ free_pw_scheme( unhashed_pwsp );
++ }
+ break;
+ }
+ } else {
+ /*
+ * We have a hashed unhashed_userpassword! We must delete it.
+ */
+- valuearray_init_bervalarray(bv, &va);
+- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+- valuearray_free(&va);
++ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
++ valuearray_init_bervalarray(bv, &va);
++ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
++ valuearray_free(&va);
++ }
+ }
+ free_pw_scheme( unhashed_pwsp );
+ }
+@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+ if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
+ }
+- } else {
++ } else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ /* add pseudo password attribute */
+ valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
+ if(va && va[0]){
diff -Nru 389-ds-base-1.3.3.5/debian/patches/series 389-ds-base-1.3.3.5/debian/patches/series
--- 389-ds-base-1.3.3.5/debian/patches/series 2015-01-16 12:46:01.000000000 +0000
+++ 389-ds-base-1.3.3.5/debian/patches/series 2015-03-09 08:47:59.000000000 +0000
@@ -6,3 +6,6 @@
 support-kfreebsd.patch
 fix-obsolete-target.diff
 fix-saslpath.diff
+
+cve-2014-8112.diff
+cve-2014-8105.diff
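Review bot: In op_shared_modify() (modify.c, hunk at -945) the CLEAR-scheme match branch now leaks `unhashed_pwsp` when the switch is off: `free_pw_scheme( unhashed_pwsp );` was moved inside the new `if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())` block, but the `break;` that follows still leaves the loop before the per-iteration free a few lines further down. The free should stay unconditional, so close the new `if` right after `valuearray_free(&va);` and keep `free_pw_scheme( unhashed_pwsp );` directly before `break;`. Whether anything after the loop releases the scheme cannot be seen from the hunk, since the function body continues outside it. The switch is also read separately in the hunks at -907, -945 and -972; one local read at the top of the `if (pw_change && !repl_op )` block would guarantee that every branch of a single modify sees the same setting.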