adamwill / 389-ds-base

Forked from 389-ds-base 4 years ago

8078a9e Subject: [PATCH] Bug 1358559 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.

Authored and Committed by nhosoi 7 years ago
    Subject: [PATCH] Bug 1358559 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.
    
    0. Backported the Bug-1347760 patches from the master branch to 1.2.11.
    
    1. Description: If a bind user has no rights, it should not disclose
    any information including the existence of the entry.
    
       Fix description:
       1) ALREADY_EXISTS in add -- If the entry to be added is found to
          already exist in ldbm_back_add, it checks the ACI and if there
          are no rights, it returns INSUFFICIENT_ACCESS instead of
          ALREADY_EXISTS.
       2) NO_SUCH_OBJECT in other update operations -- If the target entry
          is found not to exist, it checks the ancestor entry's access
          rights in find_entry.  If it is not allowed to access the subtree,
          it returns INSUFFICIENT_ACCESS instead of NO_SUCH_OBJECT.  Plus,
          it suppresses the "Matched" ancestor message.
       3) NO_SUCH_OBJECT in search -- If a bind entry has no rights to read
          a subtree, it returns no search results with SUCCESS.  The same
          should be applied to a non-existing subtree if the bind entry has
          no rights to the super tree.
       4) If bind fails because of the non-existence of the bind user or
          the parent nodes, the bind returns LDAP_INVALID_CREDENTIALS to
          the client with no other information.
          The detailed cause is logged in the access log as follows:
            RESULT err=49 .. etime=0 - No such suffix (<given suffix>)
            RESULT err=49 .. etime=0 - Invalid credentials
            RESULT err=49 .. etime=0 - No such entry
    
       Reviewed by lkrispen@redhat.com, mreynolds@redhat.com, and tbordaz@redhat.com.
    
    2. Description:
       1. When an account is inactivated, the error UNWILLING_TO_PERFORM with
          the inactivated message should be returned only when the bind is
          successful.
       2. When a SASL bind fails, the cause of the failure is logged in the
          access log instead of being returned directly to the client.
    
       Reviewed by wibrown@redhat.com (Thank you, William!)
    
    3. Description: do not overwrite rc used to decide if bind was successful.
       When the bind is through ldapi/autobind, an entry does not exist to be
       checked with slapi_check_account_lock.  In that case, a variable rc is
       not supposed to be modified which confuses the following code path.
    
       Reviewed by nhosoi@redhat.com.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1358559
    
        
file modified
+58 -62
file modified
+14 -2
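The following is an added example, not code from 389-ds-base or from this commit: a small Python model of the result-code ordering described in items 1) and 2) of the first description above, with a check that, after the fix, a bind DN without rights to a subtree gets the same result code whether or not the target entry exists. The DIT, the ACL shape and the DN names are constructed assumptions; the result-code values are the LDAP protocol numbers.

```python
# Constructed model (not 389-ds-base code) of the ALREADY_EXISTS / NO_SUCH_OBJECT
# versus INSUFFICIENT_ACCESS ordering. The "before" policy reports entry existence
# before checking access, so the result code is an existence oracle for an
# unauthorized bind DN; the "after" policy checks rights on the nearest existing
# ancestor first. Codes are the LDAP protocol values.
SUCCESS, NO_SUCH_OBJECT, INSUFFICIENT_ACCESS, ALREADY_EXISTS = 0, 32, 50, 68

def parent(dn):
    """Parent DN, or None at the top; naive split on ',' is enough for the toy DIT."""
    _head, _sep, rest = dn.partition(",")
    return rest or None

def has_rights(acl, bind_dn, dn):
    """True if a subtree granted to bind_dn contains dn (constructed ACL model:
    acl maps a bind DN to the set of subtree roots it may access)."""
    return any(dn == root or dn.endswith("," + root) for root in acl.get(bind_dn, ()))

def closest_existing_ancestor(dit, dn):
    """The 'Matched' DN an unfixed server would disclose for a missing entry."""
    while dn is not None and dn not in dit:
        dn = parent(dn)
    return dn

def result_before(dit, acl, bind_dn, op, target):
    """Pre-fix order: existence decides before the ACI is consulted."""
    if op == "add":
        if target in dit:
            return ALREADY_EXISTS
    elif target not in dit:  # modify / delete / modrdn
        return NO_SUCH_OBJECT
    return SUCCESS if has_rights(acl, bind_dn, target) else INSUFFICIENT_ACCESS

def result_after(dit, acl, bind_dn, op, target):
    """Post-fix order: no rights on the nearest existing ancestor (or on the
    existing target itself) yields INSUFFICIENT_ACCESS before any existence hint."""
    anchor = closest_existing_ancestor(dit, target) or target
    if not has_rights(acl, bind_dn, anchor):
        return INSUFFICIENT_ACCESS
    return result_before(dit, acl, bind_dn, op, target)

def leaks_existence(policy, dit, acl, bind_dn, op, target):
    """Does the result code differ depending on whether target exists?
    Used as a regression check: should be False for an unauthorized bind DN."""
    present = policy(dit | {target}, acl, bind_dn, op, target)
    absent = policy(dit - {target}, acl, bind_dn, op, target)
    return present != absent
```

A bind DN that does hold rights on the subtree is still told ALREADY_EXISTS or NO_SUCH_OBJECT, so the check only closes the oracle for callers the ACI already excludes.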