Subject: [PATCH 1/2] Bug 1347760 - CVE-2016-4992 389-ds-base: Information
disclosure via repeated use of LDAP ADD operation, etc.
Description: If a bind user has no rights, it should not disclose
any information including the existence of the entry.
Fix description:
1) ALREADY_EXISTS in add -- If the entry to be added is found to exist
in ldbm_back_add, it checks the ACI and if there are no rights,
it returns INSUFFICIENT_ACCESS instead of ALREADY_EXISTS.
2) NO_SUCH_OBJECT in other update operations -- If the target entry
is found not existing, it checks the ancestor entry's access
rights in find_entry. If it is not allowed to access the subtree,
it returns INSUFFICIENT_ACCESS instead of NO_SUCH_OBJECT. Plus,
it suppresses the "Matched" ancestor message.
3) NO_SUCH_OBJECT in search -- If a bind entry has no rights to read
a subtree, it returns no search results with SUCCESS. It should
be applied to the non-existing subtree if the bind entry has no
rights to the super tree.
4) If bind fails because of the non-existence of the bind user or
the parent nodes, the bind returns LDAP_INVALID_CREDENTIALS to
the client with no other information.
The detailed cause is logged in the access log as follows:
RESULT err=49 .. etime=0 - No such suffix (<given suffix>)
RESULT err=49 .. etime=0 - Invalid credentials
RESULT err=49 .. etime=0 - No such entry
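The four behaviours described in the fix description, modelled as an added example (this is not 389-ds-base code and is not part of the patch): a tiny in-memory directory with a per-user subtree ACL, where `can_access` stands in for the server's ACI evaluation, `closest_ancestor` stands in for the parent walk in find_entry, and the `fixed` flag switches each operation between the pre-patch and post-patch result codes. The directory contents, the ACL, the plaintext password comparison and the "suffix" of a DN (everything after its first RDN) are all constructed for the model. `probe` runs ADD, MODIFY and SEARCH as an unprivileged binder against an entry that exists and one that does not, so the two result tuples can be compared: with the old behaviour they differ (an existence oracle), with the fixed behaviour they are identical, while a binder who does have rights to the parent subtree still gets an honest NO_SUCH_OBJECT.

```python
# LDAP result codes (RFC 4511 values)
SUCCESS, NO_SUCH_OBJECT, INVALID_CREDENTIALS = 0, 32, 49
INSUFFICIENT_ACCESS, ALREADY_EXISTS = 50, 68

# Constructed sample tree: alice may touch ou=people only; ou=secret is off-limits to her.
DIRECTORY = {
    "dc=example,dc=com": {},
    "ou=people,dc=example,dc=com": {},
    "uid=alice,ou=people,dc=example,dc=com": {"userPassword": "s3cret"},
    "ou=secret,dc=example,dc=com": {},
    "cn=project-x,ou=secret,dc=example,dc=com": {},
}
ACL = {"uid=alice,ou=people,dc=example,dc=com": {"ou=people,dc=example,dc=com"}}
ALICE = "uid=alice,ou=people,dc=example,dc=com"


def normalize(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def is_under(dn, base):
    dn, base = normalize(dn), normalize(base)
    return dn == base or dn.endswith("," + base)


def can_access(acl, bind_dn, dn):
    """Stand-in for ACI evaluation: bind_dn may access dn if dn lies under a granted subtree."""
    return any(is_under(dn, base) for base in acl.get(normalize(bind_dn), ()))


def closest_ancestor(directory, dn):
    """Stand-in for find_entry's parent walk: the nearest ancestor that exists, else None."""
    parts = normalize(dn).split(",")
    for i in range(1, len(parts)):
        candidate = ",".join(parts[i:])
        if candidate in directory:
            return candidate
    return None


def ldap_add(directory, acl, bind_dn, dn, fixed=True):
    """Fix 1: an existing target is reported only to a binder with rights on it."""
    dn = normalize(dn)
    if dn in directory:
        if fixed and not can_access(acl, bind_dn, dn):
            return INSUFFICIENT_ACCESS  # old code returned ALREADY_EXISTS here
        return ALREADY_EXISTS
    if not can_access(acl, bind_dn, dn):
        return INSUFFICIENT_ACCESS
    directory[dn] = {}
    return SUCCESS


def ldap_modify(directory, acl, bind_dn, dn, fixed=True):
    """Fix 2 (any update op): returns (result, matched_dn). Missing targets are checked
    against the nearest existing ancestor; no rights there hides both the code and the match."""
    dn = normalize(dn)
    if dn not in directory:
        matched = closest_ancestor(directory, dn)
        if fixed and matched is not None and not can_access(acl, bind_dn, matched):
            return INSUFFICIENT_ACCESS, None  # old code: NO_SUCH_OBJECT plus "Matched" DN
        return NO_SUCH_OBJECT, matched
    if not can_access(acl, bind_dn, dn):
        return INSUFFICIENT_ACCESS, None
    return SUCCESS, None


def ldap_search(directory, acl, bind_dn, base, fixed=True):
    """Fix 3: returns (result, visible_dns). A base the binder cannot reach looks the same
    whether it is missing or merely unreadable: SUCCESS with no entries."""
    base = normalize(base)
    if base not in directory:
        matched = closest_ancestor(directory, base)
        if not fixed or (matched is not None and can_access(acl, bind_dn, matched)):
            return NO_SUCH_OBJECT, []
        return SUCCESS, []
    visible = [dn for dn in directory if is_under(dn, base) and can_access(acl, bind_dn, dn)]
    return SUCCESS, visible


def ldap_bind(directory, dn, password):
    """Fix 4: returns (client_result, access_log_detail). The client only ever sees
    INVALID_CREDENTIALS; the reason goes to the access log. Plaintext compare is model-only."""
    dn = normalize(dn)
    entry = directory.get(dn)
    if entry is None:
        if closest_ancestor(directory, dn) is None:
            suffix = dn.split(",", 1)[1] if "," in dn else dn
            detail = "No such suffix (%s)" % suffix
        else:
            detail = "No such entry"
    elif entry.get("userPassword") != password:
        detail = "Invalid credentials"
    else:
        return SUCCESS, ""
    return INVALID_CREDENTIALS, detail


def probe(fixed, bind_dn=ALICE, existing="cn=project-x,ou=secret,dc=example,dc=com",
          missing="cn=project-y,ou=secret,dc=example,dc=com"):
    """Results of ADD/MODIFY/SEARCH against an existing and a missing DN the binder may not access."""
    def results(dn):
        return (ldap_add(dict(DIRECTORY), ACL, bind_dn, dn, fixed),
                ldap_modify(DIRECTORY, ACL, bind_dn, dn, fixed),
                ldap_search(DIRECTORY, ACL, bind_dn, dn, fixed))
    return results(existing), results(missing)


if __name__ == "__main__":
    for fixed in (False, True):
        seen, not_seen = probe(fixed)
        print("fixed=%s existing=%s missing=%s oracle=%s" % (fixed, seen, not_seen, seen != not_seen))
```

The model keeps one deliberate asymmetry from the description: when the binder does hold rights on the nearest existing ancestor, update and search operations still answer NO_SUCH_OBJECT for a missing child, since the fix only withholds that code from binders who could not see the subtree anyway.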