!76 Fix CVE-2024-2199 and CVE-2024-3657

From: @wk333 
Reviewed-by: @starlet-dx 
Signed-off-by: @starlet-dx

389-ds-base.spec

@@ -6,7 +6,7 @@ ExcludeArch:   i686
 Name:          389-ds-base
 Summary:       Base 389 Directory Server
 Version:       1.4.3.36
-Release:       1
+Release:       6
 License:       GPLv3+
 URL:           https://www.port389.org
 Source0:       https://github.com/389ds/389-ds-base/archive/refs/tags/389-ds-base-%{version}.tar.gz
@@ -15,6 +15,11 @@ Source2:       389-ds-base-devel.README
 Source3:       https://github.com/jemalloc/jemalloc/releases/download/5.2.1/jemalloc-5.2.1.tar.bz2
 # Refer: https://github.com/389ds/389-ds-base/pull/5374
 Patch0:        fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch
+Patch1:        fix-dn2rdn-get-args-error.patch
+Patch2:        CVE-2024-1062-1.patch
+Patch3:        CVE-2024-1062-2.patch
+Patch4:        CVE-2024-2199.patch
+Patch5:        CVE-2024-3657.patch
 
 BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
 BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@@ -27,7 +32,7 @@ BuildRequires: python%{python3_pkgversion}-argcomplete python%{python3_pkgversio
 BuildRequires: python%{python3_pkgversion}-libselinux python%{python3_pkgversion}-policycoreutils
 BuildRequires: python%{python3_pkgversion}-packaging rsync npm nodejs libtalloc-devel libtevent-devel
 BuildRequires: python%{python3_pkgversion}-cryptography
-Requires:      389-ds-base-libs = %{version}-%{release}
+Requires:      389-ds-base-libs = %{version}-%{release} 389-ds-base-legacy-tools = %{version}-%{release}
 Requires:      python%{python3_pkgversion}-lib389 = %{version}-%{release}
 Requires:      policycoreutils-python-utils /usr/sbin/semanage libsemanage-python%{python3_pkgversion}
 Requires:      selinux-policy >= 3.14.1-29 openldap-clients openssl-perl python%{python3_pkgversion}-ldap
@@ -235,6 +240,7 @@ if [ $1 = 0 ]; then
 fi
 
 %post          snmp
+mkdir -p /run/dirsrv
 %systemd_post dirsrv-snmp.service
 
 %preun         snmp
@@ -376,6 +382,21 @@ exit 0
 %{_mandir}/*/*
 
 %changelog
+* Wed Jun 05 2024 wangkai <13474090681@163.com> - 1.4.3.36-6
+- Fix CVE-2024-2199 and CVE-2024-3657
+
+* Mon Feb 05 2024 wangkai <13474090681@163.com> - 1.4.3.36-5
+- Fix CVE-2024-1062
+
+* Sun Feb 4 2024 liyanan <liyanan61@h-partners.com> - 1.4.3.36-4
+- Add requires 389-ds-base-legacy-tools
+
+* Thu Nov 02 2023 wangkai <13474090681@163.com> - 1.4.3.36-3
+- Fix dirsrv-snmp.service start fail
+
+* Fri Oct 27 2023 wangkai <13474090681@163.com> - 1.4.3.36-2
+- Fix dn2rdn -v error
+
 * Tue Oct 24 2023 wangkai <13474090681@163.com> - 1.4.3.36-1
 - Update to 1.4.3.36
 - Fix dsidm user/posixgroup get_dn fails with search_ext()

CVE-2024-1062-1.patch

@@ -0,0 +1,116 @@
+From dddb14210b402f317e566b6387c76a8e659bf7fa Mon Sep 17 00:00:00 2001
+From: progier389 <progier@redhat.com>
+Date: Tue, 14 Feb 2023 13:34:10 +0100
+Subject: [PATCH] issue 5647 - covscan: memory leak in audit log when adding
+ entries (#5650)
+
+covscan reported an issue about "vals" variable in auditlog.c:231 and indeed a charray_free is missing.
+Issue: 5647
+Reviewed by: @mreynolds389, @droideck
+---
+ ldap/servers/slapd/auditlog.c | 71 +++++++++++++++++++----------------
+ 1 file changed, 38 insertions(+), 33 deletions(-)
+
+diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
+index 68cbc674dc..3128e04974 100644
+--- a/ldap/servers/slapd/auditlog.c
++++ b/ldap/servers/slapd/auditlog.c
+@@ -177,6 +177,40 @@ write_auditfail_log_entry(Slapi_PBlock *pb)
+     slapi_ch_free_string(&audit_config);
+ }
+ 
++/*
++ * Write the attribute values to the audit log as "comments"
++ *
++ *   Slapi_Attr *entry - the attribute begin logged.
++ *   char *attrname - the attribute name.
++ *   lenstr *l - the audit log buffer
++ *
++ *   Resulting output in the log:
++ *
++ *       #ATTR: VALUE
++ *       #ATTR: VALUE
++ */
++static void
++log_entry_attr(Slapi_Attr *entry_attr, char *attrname, lenstr *l)
++{
++    Slapi_Value **vals = attr_get_present_values(entry_attr);
++    for(size_t i = 0; vals && vals[i]; i++) {
++        char log_val[256] = "";
++        const struct berval *bv = slapi_value_get_berval(vals[i]);
++        if (bv->bv_len >= 256) {
++            strncpy(log_val, bv->bv_val, 252);
++            strcpy(log_val+252, "...");
++        } else {
++            strncpy(log_val, bv->bv_val, bv->bv_len);
++            log_val[bv->bv_len] = 0;
++        }
++        addlenstr(l, "#");
++        addlenstr(l, attrname);
++        addlenstr(l, ": ");
++        addlenstr(l, log_val);
++        addlenstr(l, "\n");
++    }
++}
++
+ /*
+  * Write "requested" attributes from the entry to the audit log as "comments"
+  *
+@@ -212,21 +246,9 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
+         for (req_attr = ldap_utf8strtok_r(display_attrs, ", ", &last); req_attr;
+              req_attr = ldap_utf8strtok_r(NULL, ", ", &last))
+         {
+-            char **vals = slapi_entry_attr_get_charray(entry, req_attr);
+-            for(size_t i = 0; vals && vals[i]; i++) {
+-                char log_val[256] = {0};
+-
+-                if (strlen(vals[i]) > 256) {
+-                    strncpy(log_val, vals[i], 252);
+-                    strcat(log_val, "...");
+-                } else {
+-                    strcpy(log_val, vals[i]);
+-                }
+-                addlenstr(l, "#");
+-                addlenstr(l, req_attr);
+-                addlenstr(l, ": ");
+-                addlenstr(l, log_val);
+-                addlenstr(l, "\n");
++            slapi_entry_attr_find(entry, req_attr, &entry_attr);
++            if (entry_attr) {
++                log_entry_attr(entry_attr, req_attr, l);
+             }
+         }
+     } else {
+@@ -234,7 +256,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
+         for (; entry_attr; entry_attr = entry_attr->a_next) {
+             Slapi_Value **vals = attr_get_present_values(entry_attr);
+             char *attr = NULL;
+-            const char *val = NULL;
+ 
+             slapi_attr_get_type(entry_attr, &attr);
+             if (strcmp(attr, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) {
+@@ -251,23 +272,7 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
+                 addlenstr(l, ": ****************************\n");
+                 continue;
+             }
+-
+-            for(size_t i = 0; vals && vals[i]; i++) {
+-                char log_val[256] = {0};
+-
+-                val = slapi_value_get_string(vals[i]);
+-                if (strlen(val) > 256) {
+-                    strncpy(log_val, val, 252);
+-                    strcat(log_val, "...");
+-                } else {
+-                    strcpy(log_val, val);
+-                }
+-                addlenstr(l, "#");
+-                addlenstr(l, attr);
+-                addlenstr(l, ": ");
+-                addlenstr(l, log_val);
+-                addlenstr(l, "\n");
+-            }
++            log_entry_attr(entry_attr, attr, l);
+         }
+     }
+     slapi_ch_free_string(&display_attrs);

CVE-2024-1062-2.patch

@@ -0,0 +1,24 @@
+From be7c2b82958e91ce08775bf6b5da3c311d3b00e5 Mon Sep 17 00:00:00 2001
+From: progier389 <progier@redhat.com>
+Date: Mon, 20 Feb 2023 16:14:05 +0100
+Subject: [PATCH] Issue 5647 - Fix unused variable warning from previous commit
+ (#5670)
+
+* issue 5647 - memory leak in audit log when adding entries
+* Issue 5647 - Fix unused variable warning from previous commit
+---
+ ldap/servers/slapd/auditlog.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
+index 3128e04974..0597ecc6f1 100644
+--- a/ldap/servers/slapd/auditlog.c
++++ b/ldap/servers/slapd/auditlog.c
+@@ -254,7 +254,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
+     } else {
+         /* Return all attributes */
+         for (; entry_attr; entry_attr = entry_attr->a_next) {
+-            Slapi_Value **vals = attr_get_present_values(entry_attr);
+             char *attr = NULL;
+ 
+             slapi_attr_get_type(entry_attr, &attr);

CVE-2024-2199.patch

@@ -0,0 +1,110 @@
+Origin: https://git.centos.org/rpms/389-ds-base/raw/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0048-CVE-2024-2199.patch
+
+From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
+From: James Chapman <jachapma@redhat.com>
+Date: Wed, 1 May 2024 15:01:33 +0100
+Subject: [PATCH] CVE-2024-2199
+
+---
+ .../tests/suites/password/password_test.py    | 56 +++++++++++++++++++
+ ldap/servers/slapd/modify.c                   |  8 ++-
+ 2 files changed, 62 insertions(+), 2 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
+index 1245feb31..e4abd9907 100644
+--- a/dirsrvtests/tests/suites/password/password_test.py
++++ b/dirsrvtests/tests/suites/password/password_test.py
+@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
+     log.info('test_password_delete_specific_password: PASSED')
+ 
+ 
++def test_password_modify_non_utf8(topology_st):
++    """Attempt a modify of the userPassword attribute with
++    an invalid non utf8 value
++
++    :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
++    :setup: Standalone instance
++    :steps:
++        1. Add a user if it doesnt exist and set its password
++        2. Verify password with a bind
++        3. Modify userPassword attr with invalid value
++        4. Attempt a bind with invalid password value
++        5. Verify original password with a bind
++    :expectedresults:
++        1. The user with userPassword should be added successfully
++        2. Operation should be successful
++        3. Server returns ldap.UNWILLING_TO_PERFORM
++        4. Server returns ldap.INVALID_CREDENTIALS
++        5. Operation should be successful
++     """
++
++    log.info('Running test_password_modify_non_utf8...')
++
++    # Create user and set password
++    standalone = topology_st.standalone
++    users = UserAccounts(standalone, DEFAULT_SUFFIX)
++    if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
++        user = users.create(properties=TEST_USER_PROPERTIES)
++    else:
++        user = users.get(TEST_USER_PROPERTIES['uid'][0])
++    user.set('userpassword', PASSWORD)
++
++    # Verify password
++    try:
++        user.bind(PASSWORD)
++    except ldap.LDAPError as e:
++        log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
++        assert False
++
++    # Modify userPassword with an invalid value
++    password = b'tes\x82t-password' # A non UTF-8 encoded password
++    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
++        user.replace('userpassword', password)
++
++    # Verify a bind fails with invalid pasword
++    with pytest.raises(ldap.INVALID_CREDENTIALS):
++        user.bind(password)
++
++    # Verify we can still bind with original password
++    try:
++        user.bind(PASSWORD)
++    except ldap.LDAPError as e:
++        log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
++        assert False
++
++    log.info('test_password_modify_non_utf8: PASSED')
++
+ if __name__ == '__main__':
+     # Run isolated
+     # -s for DEBUG mode
+diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
+index a20984e0b..fb65d58b3 100644
+--- a/ldap/servers/slapd/modify.c
++++ b/ldap/servers/slapd/modify.c
+@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+      * flagged - leave mod attributes alone */
+     if (!repl_op && !skip_modified_attrs && lastmod) {
+         modify_update_last_modified_attr(pb, &smods);
++        slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
+     }
+ 
++
+     if (0 == slapi_mods_get_num_mods(&smods)) {
+         /* nothing to do - no mods - this is not an error - just
+            send back LDAP_SUCCESS */
+@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
+ 
+             /* encode password */
+             if (pw_encodevals_ext(pb, sdn, va)) {
+-                slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
+-                send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
++                slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
++                    "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
++                send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
++                    "check value is utf8 string.\n", 0, NULL);
+                 valuearray_free(&va);
+                 goto free_and_return;
+             }
+-- 
+2.41.0
+

CVE-2024-3657.patch

@@ -0,0 +1,150 @@
+Origin: https://git.centos.org/rpms/389-ds-base/blob/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0049-CVE-2024-3657-7.9.patch
+
+From 7f5ac2097be424a55248e391c6b40635d01b1fa6 Mon Sep 17 00:00:00 2001
+From: Pierre Rogier <progier@redhat.com>
+Date: Wed, 17 Apr 2024 18:18:04 +0200
+Subject: [PATCH] CVE-2024-3657-7.9
+
+---
+ ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++++++-------------
+ 1 file changed, 59 insertions(+), 52 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
+index f0b969ff4..53a041ad1 100644
+--- a/ldap/servers/slapd/back-ldbm/index.c
++++ b/ldap/servers/slapd/back-ldbm/index.c
+@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
+ #define INDEX_BUFFER_FLAG_SERIALIZE 1
+ #define INDEX_BUFFER_FLAG_STATS 2
+ 
++/*
++ * space needed to encode a byte:
++ *  0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
++ *  0x22 and 0x5C requires 2 bytes: \" and \\
++ *  other requires 1 byte: c
++ */
++static char encode_size[] = {
++    /* 0x00 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0x10 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0x20 */   1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++    /* 0x30 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++    /* 0x40 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++    /* 0x50 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
++    /* 0x60 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
++    /* 0x70 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
++    /* 0x80 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0x90 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0xA0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0xB0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0xC0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0xD0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0xE0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++    /* 0xF0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
++};
++
++
+ /* Index buffering functions */
+ 
+ static int
+@@ -800,65 +826,46 @@ index_add_mods(
+ 
+ /*
+  * Convert a 'struct berval' into a displayable ASCII string
++ * returns the printable string
+  */
+-
+-#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
+-
+ const char *
+ encode(const struct berval *data, char buf[BUFSIZ])
+ {
+-    char *s;
+-    char *last;
+-    if (data == NULL || data->bv_len == 0)
+-        return "";
+-    last = data->bv_val + data->bv_len - 1;
+-    for (s = data->bv_val; s < last; ++s) {
+-        if (SPECIAL(*s)) {
+-            char *first = data->bv_val;
+-            char *bufNext = buf;
+-            size_t bufSpace = BUFSIZ - 4;
+-            while (1) {
+-                /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
+-                if (bufSpace < (size_t)(s - first))
+-                    s = first + bufSpace - 1;
+-                if (s != first) {
+-                    memcpy(bufNext, first, s - first);
+-                    bufNext += (s - first);
+-                    bufSpace -= (s - first);
+-                }
+-                do {
+-                    if (bufSpace) {
+-                        *bufNext++ = '\\';
+-                        --bufSpace;
+-                    }
+-                    if (bufSpace < 2) {
+-                        memcpy(bufNext, "..", 2);
+-                        bufNext += 2;
+-                        goto bail;
+-                    }
+-                    if (*s == '\\' || *s == '"') {
+-                        *bufNext++ = *s;
+-                        --bufSpace;
+-                    } else {
+-                        sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
+-                        bufNext += 2;
+-                        bufSpace -= 2;
+-                    }
+-                } while (++s <= last && SPECIAL(*s));
+-                if (s > last)
+-                    break;
+-                first = s;
+-                while (!SPECIAL(*s) && s <= last)
+-                    ++s;
+-            }
+-        bail:
+-            *bufNext = '\0';
+-            /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
++    if (!data || !data->bv_val) {
++        strcpy(buf, "<NULL>");
++        return buf;
++    }
++    char *endbuff = &buf[BUFSIZ-4];  /* Reserve space to append "...\0" */
++    char *ptout = buf;
++    unsigned char *ptin = (unsigned char*) data->bv_val;
++    unsigned char *endptin = ptin+data->bv_len;
++
++    while (ptin < endptin) {
++        if (ptout >= endbuff) {
++            /*
++             * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
++             * truncated anyway. So there is no real interrest to test if the original
++             * data contains no special characters and return it as is.
++             */
++            strcpy(endbuff, "...");
+             return buf;
+         }
++        switch (encode_size[*ptin]) {
++            case 1:
++                *ptout++ = *ptin++;
++                break;
++            case 2:
++                *ptout++ = '\\';
++                *ptout++ = *ptin++;
++                break;
++            case 3:
++                sprintf(ptout, "\\%02x", *ptin++);
++                ptout += 3;
++                break;
++        }
+     }
+-    /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
+-    return data->bv_val;
++    *ptout = 0;
++    return buf;
+ }
+ 
+ static const char *
+-- 
+2.41.0
+

fix-dn2rdn-get-args-error.patch

@@ -0,0 +1,22 @@
+diff --git a/ldap/admin/src/scripts/dn2rdn.in b/ldap/admin/src/scripts/dn2rdn.in
+index 3974b00..b707efc 100755
+--- a/ldap/admin/src/scripts/dn2rdn.in
++++ b/ldap/admin/src/scripts/dn2rdn.in
+@@ -27,12 +27,12 @@ do
+         h) usage
+            exit 0;;
+         Z) servid=$OPTARG;;
+-        d) arg=$arg" -d \"$OPTARG\"";;
+-        a) arg=$arg" -a \"$OPTARG\""
++        d) args=$args" -d \"$OPTARG\"";;
++        a) args=$args" -a \"$OPTARG\""
+            archive="provided";;
+-        v) arg=$arg" -v";;
+-        f) arg=$arg" -f";;
+-        D) arg=$arg" -D \"$OPTARG\"";;
++        v) args=$args" -v";;
++        f) args=$args" -f";;
++        D) args=$args" -D \"$OPTARG\"";;
+         ?) usage
+            exit 1;;
+     esac