!6 [sync] PR-5: fix CVE-2021-3514 CVE-2021-3652

From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek

389-ds-base.spec

@@ -6,7 +6,7 @@ ExcludeArch:   i686
 Name:          389-ds-base
 Summary:       Base 389 Directory Server
 Version:       1.4.0.31
-Release:       4
+Release:       5
 License:       GPLv3+
 URL:           https://www.port389.org
 Source0:       https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2
@@ -15,6 +15,8 @@ Source2:       389-ds-base-devel.README
 Source3:       https://github.com/jemalloc/jemalloc/releases/download/5.2.0/jemalloc-5.2.0.tar.bz2
 
 Patch0:        0000-fix-compilation-failed.patch
+Patch1:        CVE-2021-3652.patch
+Patch2:        CVE-2021-3514.patch
 
 BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
 BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@@ -360,6 +362,9 @@ exit 0
 %{_mandir}/*/*
 
 %changelog
+* Wed Sep 22 2021 liwu<liwu13@huawei.com> - 1.4.0.31-5
+- fix CVE-2021-3652 CVE-2021-3514
+
 * Wed Sep 08 2021 chenchen <chen_aka_jan@163.com> - 1.4.0.31-4
 - del rpath from some binaries and bin
 

CVE-2021-3514.patch

@@ -0,0 +1,52 @@
+From 2e5b526012612d1d6ccace46398bee679a730271 Mon Sep 17 00:00:00 2001
+From: tbordaz <tbordaz@redhat.com>
+Date: Tue, 27 Apr 2021 09:29:32 +0200
+Subject: [PATCH] Issue 4711 - SIGSEV with sync_repl (#4738)
+
+Bug description:
+	sync_repl sends back entries identified with a unique
+	identifier that is 'nsuniqueid'. If 'nsuniqueid' is
+	missing, then it may crash
+
+Fix description:
+	Check a nsuniqueid is available else returns OP_ERR
+
+relates: https://github.com/389ds/389-ds-base/issues/4711
+
+Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!)
+
+Platforms tested:  F33
+---
+ ldap/servers/plugins/sync/sync_util.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c
+index e64d519e1a..3dacee8cad 100644
+--- a/ldap/servers/plugins/sync/sync_util.c
++++ b/ldap/servers/plugins/sync/sync_util.c
+@@ -127,8 +127,8 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
+     BerElement *ber;
+     struct berval *bvp;
+     char *uuid;
+-    Slapi_Attr *attr;
+-    Slapi_Value *val;
++    Slapi_Attr *attr = NULL;
++    Slapi_Value *val = NULL;
+ 
+     if (type == LDAP_SYNC_NONE || ctrlp == NULL || (ber = der_alloc()) == NULL) {
+         return (LDAP_OPERATIONS_ERROR);
+@@ -138,6 +138,14 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
+ 
+     slapi_entry_attr_find(e, SLAPI_ATTR_UNIQUEID, &attr);
+     slapi_attr_first_value(attr, &val);
++    if ((attr == NULL) || (val == NULL)) {
++        /* It may happen with entries in special backends
++         * such like cn=config, cn=shema, cn=monitor...
++         */
++        slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM,
++		      "sync_create_state_control - Entries are missing nsuniqueid. Unable to proceed.\n");
++        return (LDAP_OPERATIONS_ERROR);
++    }
+     uuid = sync_nsuniqueid2uuid(slapi_value_get_string(val));
+     if ((rc = ber_printf(ber, "{eo", type, uuid, 16)) != -1) {
+         if (cookie) {

CVE-2021-3652.patch

@@ -0,0 +1,118 @@
+From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001
+From: Firstyear <william@blackhats.net.au>
+Date: Fri, 9 Jul 2021 11:53:35 +1000
+Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow
+ all passwords (#4819)
+
+Bug Description: Due to mishanding of short dbpwd hashes, the
+crypt_r algorithm was misused and was only comparing salts
+in some cases, rather than checking the actual content
+of the password.
+
+Fix Description: Stricter checks on dbpwd lengths to ensure
+that content passed to crypt_r has at least 2 salt bytes and
+1 hash byte, as well as stricter checks on ct_memcmp to ensure
+that compared values are the same length, rather than potentially
+allowing overruns/short comparisons.
+
+fixes: https://github.com/389ds/389-ds-base/issues/4817
+
+Author: William Brown <william@blackhats.net.au>
+
+Review by: @mreynolds389
+---
+ .../password/pwd_crypt_asterisk_test.py       | 50 +++++++++++++++++++
+ ldap/servers/plugins/pwdstorage/crypt_pwd.c   | 20 +++++---
+ 2 files changed, 64 insertions(+), 6 deletions(-)
+ create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
+
+diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
+new file mode 100644
+index 0000000000..d76614db1c
+--- /dev/null
++++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
+@@ -0,0 +1,50 @@
++# --- BEGIN COPYRIGHT BLOCK ---
++# Copyright (C) 2021 William Brown <william@blackhats.net.au>
++# All rights reserved.
++#
++# License: GPL (version 3 or any later version).
++# See LICENSE for details.
++# --- END COPYRIGHT BLOCK ---
++#
++import ldap
++import pytest
++from lib389.topologies import topology_st
++from lib389.idm.user import UserAccounts
++from lib389._constants import (DEFAULT_SUFFIX, PASSWORD)
++
++pytestmark = pytest.mark.tier1
++
++def test_password_crypt_asterisk_is_rejected(topology_st):
++    """It was reported that {CRYPT}* was allowing all passwords to be
++    valid in the bind process. This checks that we should be rejecting
++    these as they should represent locked accounts. Similar, {CRYPT}!
++
++    :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3
++    :setup: Single instance
++    :steps: 1. Set a password hash in with CRYPT and the content *
++            2. Test a bind
++            3. Set a password hash in with CRYPT and the content !
++            4. Test a bind
++    :expectedresults:
++            1. Successfully set the values
++            2. The bind fails
++            3. Successfully set the values
++            4. The bind fails
++    """
++    topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
++    topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off')
++
++    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
++    user = users.create_test_user()
++
++    user.set('userPassword', "{CRYPT}*")
++
++    # Attempt to bind with incorrect password.
++    with pytest.raises(ldap.INVALID_CREDENTIALS):
++        badconn = user.bind('badpassword')
++
++    user.set('userPassword', "{CRYPT}!")
++    # Attempt to bind with incorrect password.
++    with pytest.raises(ldap.INVALID_CREDENTIALS):
++        badconn = user.bind('badpassword')
++
+diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+index 9031b21996..1b37d41ede 100644
+--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
+ int
+ crypt_pw_cmp(const char *userpwd, const char *dbpwd)
+ {
+-    int rc;
+-    char *cp;
++    int rc = -1;
++    char *cp = NULL;
++    size_t dbpwd_len = strlen(dbpwd);
+     struct crypt_data data;
+     data.initialized = 0;
+ 
+-    /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
+-    cp = crypt_r(userpwd, dbpwd, &data);
+-    if (cp) {
+-        rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
++    /*
++     * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will
++     * allow any password to bind as we then only compare SALTS.
++     */
++    if (dbpwd_len >= 3) {
++        /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
++        cp = crypt_r(userpwd, dbpwd, &data);
++    }
++    /* If these are not the same length, we can not proceed safely with memcmp. */
++    if (cp && dbpwd_len == strlen(cp)) {
++        rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len);
+     } else {
+         rc = -1;
+     }