bd0bf95 Subject: [PATCH 1/2] Bug 1347760 - CVE-2016-4992 389-ds-base: Information

Authored and Committed by nhosoi 7 years ago
    Subject: [PATCH 1/2] Bug 1347760 - CVE-2016-4992 389-ds-base: Information
     disclosure via repeated use of LDAP ADD operation, etc.
    
    Description: If a bind user has no rights, it should not disclose
    any information including the existence of the entry.
    
    Fix description:
    1) ALREADY_EXISTS in add -- If the entry to be added is found to already
       exist in ldbm_back_add, it checks the ACI and if there are no rights,
       it returns INSUFFICIENT_ACCESS instead of ALREADY_EXISTS.
    2) NO_SUCH_OBJECT in other update operations -- If the target entry
       is found not to exist, it checks the ancestor entry's access
       rights in find_entry.  If it is not allowed to access the subtree,
       it returns INSUFFICIENT_ACCESS instead of NO_SUCH_OBJECT.  Plus,
       it suppresses the "Matched" ancestor message.
    3) NO_SUCH_OBJECT in search -- If a bind entry has no rights to read
       a subtree, it returns no search results with SUCCESS.  It should
       be applied to the non-existing subtree if the bind entry has no
       rights to the super tree.
    4) If bind fails because of the non-existence of the bind user or
       the parent nodes, the bind returns LDAP_INVALID_CREDENTIALS to
       the client with no other information.
       The detailed cause is logged in the access log as follows:
    	 RESULT err=49 .. etime=0 - No such suffix (<given suffix>)
    	 RESULT err=49 .. etime=0 - Invalid credentials
    	 RESULT err=49 .. etime=0 - No such entry
    
        
file modified
+39 -36
file modified
+14 -2
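After this fix the client only ever sees err=49 for a failed bind, so the access log becomes the one place where an operator can tell password failures apart from probes for bind DNs or suffixes that do not exist. The following is an added example, not code from the 389-ds-base patch: it joins each `RESULT err=49` line to its `BIND` by `(conn, op)` and groups the bind DNs by the server-side cause text quoted in the commit message. The log lines are constructed samples in the 389-ds access-log layout; the timestamps and DNs are made up.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not taken from the page or a real server).
# The " - <cause>" suffix on the err=49 RESULT lines is the detail the commit
# message says is logged server-side after the fix.
SAMPLE_ACCESS_LOG = """\
[01/Jan/2024:10:00:00 +0000] conn=12 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[01/Jan/2024:10:00:00 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[01/Jan/2024:10:00:01 +0000] conn=13 op=0 BIND dn="uid=ghost,ou=people,dc=example,dc=com" method=128 version=3
[01/Jan/2024:10:00:01 +0000] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No such entry
[01/Jan/2024:10:00:02 +0000] conn=14 op=0 BIND dn="uid=x,dc=nowhere" method=128 version=3
[01/Jan/2024:10:00:02 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - No such suffix (dc=nowhere)
[01/Jan/2024:10:00:03 +0000] conn=15 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[01/Jan/2024:10:00:03 +0000] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=alice,ou=people,dc=example,dc=com"
"""

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
# etime is followed either by ' - <cause>' (failures) or by other fields (success),
# so the cause group is optional.
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) .*?etime=\S+'
    r'(?: - (?P<detail>.*))?'
)


def normalize_cause(detail):
    """Collapse 'No such suffix (dc=nowhere)' into 'No such suffix' so that all
    probes of the same kind land in one bucket; the DN list keeps the specifics."""
    detail = (detail or "").strip()
    return re.sub(r"\s*\(.*\)$", "", detail) or "(no detail)"


def bind_failure_causes(log_text):
    """Return {cause: [bind DN, ...]} for every err=49 RESULT in the log.

    A bind's RESULT shares conn and op with its BIND line, which is how the two
    are joined here. A growing 'No such entry' or 'No such suffix' bucket is the
    signal that someone is enumerating DNs rather than mistyping a password.
    """
    binds = {}
    causes = defaultdict(list)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m.group("conn"), m.group("op"))] = m.group("dn")
            continue
        m = RESULT_RE.search(line)
        if m and m.group("err") == "49":
            dn = binds.get((m.group("conn"), m.group("op")), "<unknown bind>")
            causes[normalize_cause(m.group("detail"))].append(dn)
    return dict(causes)
```

Running `bind_failure_causes(SAMPLE_ACCESS_LOG)` on the constructed log yields one DN under each of the three causes; the successful bind on conn=15 is not counted.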