Subject: [PATCH] Bug 1358559 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.
0. Backported the Bug-1347760 patches from the master branch to 1.2.11.
1. Description: If a bind user has no rights, it should not disclose
any information including the existence of the entry.
Fix description:
1) ALREADY_EXISTS in add -- If the entry to be added is found to already
exist in ldbm_back_add, it checks the ACI and, if there are no rights,
it returns INSUFFICIENT_ACCESS instead of ALREADY_EXISTS.
2) NO_SUCH_OBJECT in other update operations -- If the target entry
is found not to exist, it checks the ancestor entry's access
rights in find_entry. If access to the subtree is not allowed,
it returns INSUFFICIENT_ACCESS instead of NO_SUCH_OBJECT. Plus,
it suppresses the "Matched" ancestor message.
3) NO_SUCH_OBJECT in search -- If a bind entry has no rights to read
a subtree, it returns no search results with SUCCESS. The same should
apply to a non-existent subtree if the bind entry has no
rights to the super tree.
4) If bind fails because of the non-existence of the bind user or
the parent nodes, the bind returns LDAP_INVALID_CREDENTIALS to
the client with no other information.
The detailed cause is logged in the access log as follows:
RESULT err=49 .. etime=0 - No such suffix (<given suffix>)
RESULT err=49 .. etime=0 - Invalid credentials
RESULT err=49 .. etime=0 - No such entry
Reviewed by lkrispen@redhat.com, mreynolds@redhat.com, and tbordaz@redhat.com.
2. Description:
1. When an account is inactivated, the error UNWILLING_TO_PERFORM with
the inactivated message should be returned only when the bind is
successful.
2. When a SASL bind fails, instead of returning the cause of the failure
directly to the client, log it in the access log.
Reviewed by wibrown@redhat.com (Thank you, William!)
3. Description: do not overwrite rc used to decide if bind was successful.
When the bind is through ldapi/autobind, an entry does not exist to be
checked with slapi_check_account_lock. In that case, the variable rc is
not supposed to be modified, since that confuses the following code path.
Reviewed by nhosoi@redhat.com.
https://bugzilla.redhat.com/show_bug.cgi?id=1358559
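The result-code normalisation described in descriptions 1 and 2 above, as an added example that is not part of the patch or of 389-ds-base: a small in-memory model of an LDAP directory whose `hardened` flag switches between the pre-fix responses (ALREADY_EXISTS, NO_SUCH_OBJECT with a "Matched" DN, NO_SUCH_OBJECT on a non-existent search base, account-lock reported before the password check) and the fixed ones. The DN handling, the ACL shape (a set of subtree DNs per bind DN), the sample tree and the access-log line format are all constructed for illustration; the rc fix of description 3 is not modelled.

```python
# Added example (not 389-ds-base code): model of the result-code behaviour
# before and after the fix.  DN/ACL handling and the tree are constructed.
from dataclasses import dataclass, field

LDAP_SUCCESS, LDAP_NO_SUCH_OBJECT, LDAP_INVALID_CREDENTIALS = 0, 32, 49
LDAP_INSUFFICIENT_ACCESS, LDAP_UNWILLING_TO_PERFORM, LDAP_ALREADY_EXISTS = 50, 53, 68
ROOT_DN = "cn=directory manager"   # constructed: bypasses the ACL model

def parent(dn):
    """Drop the leftmost RDN; '' when there is no parent."""
    return dn.split(",", 1)[1] if "," in dn else ""

def ancestors_or_self(dn):
    while dn:
        yield dn
        dn = parent(dn)

@dataclass
class Directory:
    suffix: str
    entries: dict              # dn -> {"userPassword": str, "locked": bool}
    acl: dict                  # bind dn -> set of subtree DNs it may read/write
    access_log: list = field(default_factory=list)
    hardened: bool = True      # False reproduces the pre-fix behaviour

    def has_access(self, bind_dn, dn):
        if bind_dn == ROOT_DN:
            return True
        allowed = self.acl.get(bind_dn, set())
        return any(a in allowed for a in ancestors_or_self(dn))

    def _log(self, code, detail=""):
        self.access_log.append(f"RESULT err={code} etime=0" + (f" - {detail}" if detail else ""))
        return code

    def bind(self, dn, password):
        """Item 4 / description 2.1: the client only ever sees err=49 for a
        failed bind; the real cause goes to the access log."""
        entry = self.entries.get(dn)
        if not self.hardened and entry is not None and entry["locked"]:
            # pre-fix: the lock was reported before the password was verified,
            # so a wrong password still revealed that the account exists
            return self._log(LDAP_UNWILLING_TO_PERFORM, "Account inactivated")
        if not dn.endswith(self.suffix):
            detail = f"No such suffix ({parent(dn) or dn})"
        elif entry is None:
            detail = "No such entry"
        elif entry["userPassword"] != password:
            detail = "Invalid credentials"
        elif entry["locked"]:   # only reached after a successful credential check
            return self._log(LDAP_UNWILLING_TO_PERFORM, "Account inactivated")
        else:
            return self._log(LDAP_SUCCESS)
        return self._log(LDAP_INVALID_CREDENTIALS, detail)

    def find_entry(self, bind_dn, dn):
        """Item 2: a missing target is admitted only if the bind may access
        the subtree; otherwise INSUFFICIENT_ACCESS with no 'Matched' DN."""
        if dn in self.entries:
            return LDAP_SUCCESS, None
        matched = next((a for a in ancestors_or_self(parent(dn)) if a in self.entries), None)
        if self.hardened and not self.has_access(bind_dn, dn):
            return LDAP_INSUFFICIENT_ACCESS, None
        return LDAP_NO_SUCH_OBJECT, matched

    def add(self, bind_dn, dn, attrs):
        """Item 1: an existing target gives INSUFFICIENT_ACCESS, not
        ALREADY_EXISTS, when the bind has no rights there."""
        if dn in self.entries:
            if self.hardened and not self.has_access(bind_dn, dn):
                return LDAP_INSUFFICIENT_ACCESS, None
            return LDAP_ALREADY_EXISTS, None
        code, matched = self.find_entry(bind_dn, parent(dn))
        if code != LDAP_SUCCESS:
            return code, matched
        if not self.has_access(bind_dn, dn):
            return LDAP_INSUFFICIENT_ACCESS, None
        self.entries[dn] = attrs
        return LDAP_SUCCESS, None

    def modify(self, bind_dn, dn, changes):
        code, matched = self.find_entry(bind_dn, dn)
        if code != LDAP_SUCCESS:
            return code, matched
        if not self.has_access(bind_dn, dn):
            return LDAP_INSUFFICIENT_ACCESS, None
        self.entries[dn].update(changes)
        return LDAP_SUCCESS, None

    def search(self, bind_dn, base):
        """Item 3: no rights on the subtree -> SUCCESS with no entries,
        whether or not the base exists (pre-fix: NO_SUCH_OBJECT if missing)."""
        if base not in self.entries and not self.hardened:
            return LDAP_NO_SUCH_OBJECT, []
        if not self.has_access(bind_dn, base):
            return LDAP_SUCCESS, []
        if base not in self.entries:
            return LDAP_NO_SUCH_OBJECT, []
        return LDAP_SUCCESS, sorted(d for d in self.entries if d.endswith(base))

def make_directory(hardened=True):
    """Constructed sample tree: alice may only touch ou=people; bob is locked."""
    e = lambda pw="", locked=False: {"userPassword": pw, "locked": locked}
    entries = {
        "dc=example,dc=com": e(), "ou=people,dc=example,dc=com": e(),
        "ou=secret,dc=example,dc=com": e(), "cn=project-x,ou=secret,dc=example,dc=com": e(),
        "uid=alice,ou=people,dc=example,dc=com": e("s3cret"),
        "uid=bob,ou=people,dc=example,dc=com": e("pw", locked=True),
    }
    acl = {"uid=alice,ou=people,dc=example,dc=com": {"ou=people,dc=example,dc=com"}}
    return Directory("dc=example,dc=com", entries, acl, hardened=hardened)

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    for d in (make_directory(False), make_directory(True)):
        print("hardened" if d.hardened else "pre-fix",
              d.add(alice, "cn=project-x,ou=secret,dc=example,dc=com", {}),
              d.modify(alice, "cn=nope,ou=secret,dc=example,dc=com", {}),
              d.search(alice, "ou=nothere,dc=example,dc=com"))
```

Running the block prints the pre-fix and hardened tuples side by side: in the pre-fix row the unprivileged bind learns that cn=project-x exists (ALREADY_EXISTS), that ou=secret exists (the "Matched" DN), and that ou=nothere does not; in the hardened row every probe collapses to INSUFFICIENT_ACCESS or an empty SUCCESS, which is the behaviour an existence-probing client should observe after the patch.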