CVES

(cherry picked from commit 9191d12fa499881449ea729195231b6de4ef9898)
2021-09-22 11:26:24 +08:00 · 2021-09-22 11:26:24 +08:00 · 196db52347
commit 196db52347
parent f4a84bd65b
3 changed files with 176 additions and 1 deletions
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -6,7 +6,7 @@ ExcludeArch:   i686
 Name:          389-ds-base
 Summary:       Base 389 Directory Server
 Version:       1.4.0.31
-Release:       4
+Release:       5
 License:       GPLv3+
 URL:           https://www.port389.org
 Source0:       https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2
@ -15,6 +15,8 @@ Source2:       389-ds-base-devel.README
 Source3:       https://github.com/jemalloc/jemalloc/releases/download/5.2.0/jemalloc-5.2.0.tar.bz2

 Patch0:        0000-fix-compilation-failed.patch
+Patch1:        CVE-2021-3652.patch
+Patch2:        CVE-2021-3514.patch

 BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
 BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@ -360,6 +362,9 @@ exit 0
 %{_mandir}/*/*

 %changelog
+* Wed Sep 22 2021 liwu<liwu13@huawei.com> - 1.4.0.31-5
+- fix CVE-2021-3652 CVE-2021-3514
+
 * Wed Sep 08 2021 chenchen <chen_aka_jan@163.com> - 1.4.0.31-4
 - del rpath from some binaries and bin

--- a/CVE-2021-3514.patch
+++ b/CVE-2021-3514.patch
@ -0,0 +1,52 @@
+From 2e5b526012612d1d6ccace46398bee679a730271 Mon Sep 17 00:00:00 2001
+From: tbordaz <tbordaz@redhat.com>
+Date: Tue, 27 Apr 2021 09:29:32 +0200
+Subject: [PATCH] Issue 4711 - SIGSEV with sync_repl (#4738)
+
+Bug description:
+	sync_repl sends back entries identified with a unique
+	identifier that is 'nsuniqueid'. If 'nsuniqueid' is
+	missing, then it may crash
+
+Fix description:
+	Check a nsuniqueid is available else returns OP_ERR
+
+relates: https://github.com/389ds/389-ds-base/issues/4711
+
+Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!)
+
+Platforms tested:  F33
+---
+ ldap/servers/plugins/sync/sync_util.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c
+index e64d519e1a..3dacee8cad 100644
+--- a/ldap/servers/plugins/sync/sync_util.c
+++ b/ldap/servers/plugins/sync/sync_util.c
+@@ -127,8 +127,8 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
+     BerElement *ber;
+     struct berval *bvp;
+     char *uuid;
+-    Slapi_Attr *attr;
+-    Slapi_Value *val;
+    Slapi_Attr *attr = NULL;
+    Slapi_Value *val = NULL;
+ 
+     if (type == LDAP_SYNC_NONE || ctrlp == NULL || (ber = der_alloc()) == NULL) {
+         return (LDAP_OPERATIONS_ERROR);
+@@ -138,6 +138,14 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
+ 
+     slapi_entry_attr_find(e, SLAPI_ATTR_UNIQUEID, &attr);
+     slapi_attr_first_value(attr, &val);
+    if ((attr == NULL) || (val == NULL)) {
+        /* It may happen with entries in special backends
+         * such like cn=config, cn=shema, cn=monitor...
+         */
+        slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM,
+		      "sync_create_state_control - Entries are missing nsuniqueid. Unable to proceed.\n");
+        return (LDAP_OPERATIONS_ERROR);
+    }
+     uuid = sync_nsuniqueid2uuid(slapi_value_get_string(val));
+     if ((rc = ber_printf(ber, "{eo", type, uuid, 16)) != -1) {
+         if (cookie) {
--- a/CVE-2021-3652.patch
+++ b/CVE-2021-3652.patch
@ -0,0 +1,118 @@
+From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001
+From: Firstyear <william@blackhats.net.au>
+Date: Fri, 9 Jul 2021 11:53:35 +1000
+Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow
+ all passwords (#4819)
+
+Bug Description: Due to mishanding of short dbpwd hashes, the
+crypt_r algorithm was misused and was only comparing salts
+in some cases, rather than checking the actual content
+of the password.
+
+Fix Description: Stricter checks on dbpwd lengths to ensure
+that content passed to crypt_r has at least 2 salt bytes and
+1 hash byte, as well as stricter checks on ct_memcmp to ensure
+that compared values are the same length, rather than potentially
+allowing overruns/short comparisons.
+
+fixes: https://github.com/389ds/389-ds-base/issues/4817
+
+Author: William Brown <william@blackhats.net.au>
+
+Review by: @mreynolds389
+---
+ .../password/pwd_crypt_asterisk_test.py       | 50 +++++++++++++++++++
+ ldap/servers/plugins/pwdstorage/crypt_pwd.c   | 20 +++++---
+ 2 files changed, 64 insertions(+), 6 deletions(-)
+ create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
+
+diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
+new file mode 100644
+index 0000000000..d76614db1c
+--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
+@@ -0,0 +1,50 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2021 William Brown <william@blackhats.net.au>
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import ldap
+import pytest
+from lib389.topologies import topology_st
+from lib389.idm.user import UserAccounts
+from lib389._constants import (DEFAULT_SUFFIX, PASSWORD)
+
+pytestmark = pytest.mark.tier1
+
+def test_password_crypt_asterisk_is_rejected(topology_st):
+    """It was reported that {CRYPT}* was allowing all passwords to be
+    valid in the bind process. This checks that we should be rejecting
+    these as they should represent locked accounts. Similar, {CRYPT}!
+
+    :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3
+    :setup: Single instance
+    :steps: 1. Set a password hash in with CRYPT and the content *
+            2. Test a bind
+            3. Set a password hash in with CRYPT and the content !
+            4. Test a bind
+    :expectedresults:
+            1. Successfully set the values
+            2. The bind fails
+            3. Successfully set the values
+            4. The bind fails
+    """
+    topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
+    topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off')
+
+    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
+    user = users.create_test_user()
+
+    user.set('userPassword', "{CRYPT}*")
+
+    # Attempt to bind with incorrect password.
+    with pytest.raises(ldap.INVALID_CREDENTIALS):
+        badconn = user.bind('badpassword')
+
+    user.set('userPassword', "{CRYPT}!")
+    # Attempt to bind with incorrect password.
+    with pytest.raises(ldap.INVALID_CREDENTIALS):
+        badconn = user.bind('badpassword')
+
+diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+index 9031b21996..1b37d41ede 100644
+--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
+ int
+ crypt_pw_cmp(const char *userpwd, const char *dbpwd)
+ {
+-    int rc;
+-    char *cp;
+    int rc = -1;
+    char *cp = NULL;
+    size_t dbpwd_len = strlen(dbpwd);
+     struct crypt_data data;
+     data.initialized = 0;
+ 
+-    /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
+-    cp = crypt_r(userpwd, dbpwd, &data);
+-    if (cp) {
+-        rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
+    /*
+     * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will
+     * allow any password to bind as we then only compare SALTS.
+     */
+    if (dbpwd_len >= 3) {
+        /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
+        cp = crypt_r(userpwd, dbpwd, &data);
+    }
+    /* If these are not the same length, we can not proceed safely with memcmp. */
+    if (cp && dbpwd_len == strlen(cp)) {
+        rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len);
+     } else {
+         rc = -1;
+     }