Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
389-ds.2045
0005-Bug-1347760-CVE-2016-4992-389-ds-base-Info...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0005-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch of Package 389-ds.2045
From 7d35d136173b67e36ad87a778cc04ebcc8bb2434 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi <nhosoi@redhat.com> Date: Tue, 26 Jul 2016 18:08:38 -0700 Subject: [PATCH 05/14] Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc. Description: 1. When an account is inactivated, the error UNWILLING_TO_PERFORM with the inactivated message should be returned only when the bind is successful. 2. When SASL bind fails, instead of returning the cause of the failure directly to the client, but logging it in the access log. https://bugzilla.redhat.com/show_bug.cgi?id=1347760 Reviewed by wibrown@redhat.com (Thank you, William!) (cherry picked from commit b8767d510d11c7cbfede24daaae3348b9f028f47) --- ldap/servers/slapd/bind.c | 49 ++++++++++++++++++++----------------------- ldap/servers/slapd/saslbind.c | 4 ++-- 2 files changed, 25 insertions(+), 28 deletions(-) diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index 6763fc371..8f5375a6d 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -720,25 +720,6 @@ do_bind( Slapi_PBlock *pb ) } } } - - /* - * Is this account locked ? - * could be locked through the account inactivation - * or by the password policy - * - * rc=0: account not locked - * rc=1: account locked, can not bind, result has been sent - * rc!=0 and rc!=1: error. Result was not sent, lets be_bind - * deal with it. - * - */ - - /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */ - if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { - bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); - rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1); - } - slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database ); set_db_default_result_handlers(pb); if ( (rc != 1) && @@ -777,6 +758,28 @@ do_bind( Slapi_PBlock *pb ) if ( rc == SLAPI_BIND_SUCCESS ) { int myrc = 0; + /* + * The bind is successful. + * We can give it to slapi_check_account_lock and reslimit_update_from_dn. + */ + /* + * Is this account locked ? + * could be locked through the account inactivation + * or by the password policy + * + * rc=0: account not locked + * rc=1: account locked, can not bind, result has been sent + * rc!=0 and rc!=1: error. Result was not sent, lets be_bind + * deal with it. + * + */ + if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { + bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); + rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1); + if (1 == rc) { /* account is locked */ + goto account_locked; + } + } if (!auto_bind) { /* * There could be a race that bind_target_entry was not added @@ -787,13 +790,7 @@ do_bind( Slapi_PBlock *pb ) if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) && !bind_target_entry) { bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); - if (bind_target_entry) { - myrc = slapi_check_account_lock(pb, bind_target_entry, - pw_response_requested, 1, 1); - if (1 == myrc) { /* account is locked */ - goto account_locked; - } - } else { + if (!bind_target_entry) { slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry"); send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL); goto free_and_return; diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c index 76294ac6d..d56f0ed9f 100644 --- a/ldap/servers/slapd/saslbind.c +++ b/ldap/servers/slapd/saslbind.c @@ -1049,8 +1049,8 @@ sasl_check_result: errstr = sasl_errdetail(sasl_conn); PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */ - send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, - (char*)errstr, 0, NULL); + slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr); + send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); break; } -- 2.15.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor