[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 3 commits: close a bug
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Mon Oct 18 16:36:56 BST 2021
Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base
Commits:
28a9ab44 by Timo Aaltonen at 2021-10-18T18:36:07+03:00
close a bug
- - - - -
7835b2b7 by Timo Aaltonen at 2021-10-18T18:36:10+03:00
CVE-2017-15135.patch: Dropped, fixed by upstream issue #4817.
- - - - -
73809254 by Timo Aaltonen at 2021-10-18T18:36:37+03:00
releasing package 389-ds-base version 1.4.4.17-1
- - - - -
2 changed files:
- debian/changelog
- − debian/patches/CVE-2017-15135.patch
Changes:
=====================================
debian/changelog
=====================================
@@ -1,11 +1,13 @@
-389-ds-base (1.4.4.17-1) UNRELEASED; urgency=medium
+389-ds-base (1.4.4.17-1) unstable; urgency=medium
* New upstream release.
+ - CVE-2021-3652 (Closes: #991405)
* tests: Add isolation-container to restrictions.
* Add a dependency to libjemalloc2, and add a symlink to it so the
preload works. (Closes: #992696)
+ * CVE-2017-15135.patch: Dropped, fixed by upstream issue #4817.
- -- Timo Aaltonen <tjaalton at debian.org> Tue, 07 Sep 2021 15:39:36 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Mon, 18 Oct 2021 18:36:30 +0300
389-ds-base (1.4.4.16-1) unstable; urgency=medium
=====================================
debian/patches/CVE-2017-15135.patch deleted
=====================================
@@ -1,258 +0,0 @@
-From 872c98cd1b5059a4b76e3707d92f1445663db83d Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear at redhat.com>
-Date: Thu, 18 Jan 2018 11:27:58 +1000
-Subject: [PATCH] Ticket bz1525628 - invalid password migration causes unauth
- bind
-
-Bug Description: Slapi_ct_memcmp expects both inputs to be
-at LEAST size n. If they are not, we only compared UP to n.
-
-Invalid migrations of passwords (IE {CRYPT}XX) would create
-a pw which is just salt and no hash. ct_memcmp would then
-only verify the salt bits and would allow the authentication.
-
-This relies on an administrative mistake both of allowing
-password migration (nsslapd-allow-hashed-passwords) and then
-subsequently migrating an INVALID password to the server.
-
-Fix Description: slapi_ct_memcmp now access n1, n2 size
-and will FAIL if they are not the same, but will still compare
-n bytes, where n is the "longest" memory, to the first byte
-of the other to prevent length disclosure of the shorter
-value (generally the mis-migrated password)
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1525628
-
-Author: wibrown
-
-Review by: ???
----
- .../bz1525628_ct_memcmp_invalid_hash_test.py | 56 ++++++++++++++++++++++
- ldap/servers/plugins/pwdstorage/clear_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/crypt_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/md5_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/sha_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/smd5_pwd.c | 2 +-
- ldap/servers/slapd/ch_malloc.c | 36 ++++++++++++--
- ldap/servers/slapd/slapi-plugin.h | 2 +-
- 8 files changed, 97 insertions(+), 15 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-
---- /dev/null
-+++ b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-@@ -0,0 +1,56 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2018 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+
-+import ldap
-+import pytest
-+import logging
-+from lib389.topologies import topology_st
-+from lib389._constants import PASSWORD, DEFAULT_SUFFIX
-+
-+from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
-+
-+logging.getLogger(__name__).setLevel(logging.DEBUG)
-+log = logging.getLogger(__name__)
-+
-+def test_invalid_hash_fails(topology_st):
-+ """When given a malformed hash from userpassword migration
-+ slapi_ct_memcmp would check only to the length of the shorter
-+ field. This affects some values where it would ONLY verify
-+ the salt is valid, and thus would allow any password to bind.
-+
-+ :id: 8131c029-7147-47db-8d03-ec5db2a01cfb
-+ :setup: Standalone Instance
-+ :steps:
-+ 1. Create a user
-+ 2. Add an invalid password hash (truncated)
-+ 3. Attempt to bind
-+ :expectedresults:
-+ 1. User is added
-+ 2. Invalid pw hash is added
-+ 3. Bind fails
-+ """
-+ log.info("Running invalid hash test")
-+
-+ # Allow setting raw password hashes for migration.
-+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
-+
-+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
-+ user = users.create(properties=TEST_USER_PROPERTIES)
-+ user.set('userPassword', '{CRYPT}XX')
-+
-+ # Attempt to bind. This should fail.
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind(PASSWORD)
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind('XX')
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind('{CRYPT}XX')
-+
-+ log.info("PASSED")
-+
---- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
-@@ -39,7 +39,7 @@ clear_pw_cmp(const char *userpwd, const
- * However, even if the first part of userpw matches dbpwd, but len !=, we
- * have already failed anyawy. This prevents substring matching..
- */
-- if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
-+ if (slapi_ct_memcmp(userpwd, dbpwd, len_user, len_dbp) != 0) {
- result = 1;
- }
- } else {
-@@ -51,7 +51,7 @@ clear_pw_cmp(const char *userpwd, const
- * dbpwd to itself. We have already got result == 1 if we are here, so we are
- * just trying to take up time!
- */
-- if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
-+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp, len_dbp)) {
- /* Do nothing, we have the if to fix a coverity check. */
- }
- }
---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-@@ -48,7 +48,7 @@ static unsigned char itoa64[] = /* 0 ...
- int
- crypt_pw_cmp(const char *userpwd, const char *dbpwd)
- {
-- int rc;
-+ int32_t rc;
- char *cp;
- struct crypt_data data;
- data.initialized = 0;
-@@ -56,7 +56,7 @@ crypt_pw_cmp(const char *userpwd, const
- /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
- cp = crypt_r(userpwd, dbpwd, &data);
- if (cp) {
-- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
-+ rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd), strlen(cp));
- } else {
- rc = -1;
- }
---- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
-@@ -30,7 +30,7 @@
- int
- md5_pw_cmp(const char *userpwd, const char *dbpwd)
- {
-- int rc = -1;
-+ int32_t rc = -1;
- char *bver;
- PK11Context *ctx = NULL;
- unsigned int outLen;
-@@ -57,7 +57,7 @@ md5_pw_cmp(const char *userpwd, const ch
- bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
- /* bver points to b2a_out upon success */
- if (bver) {
-- rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
-+ rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd), strlen(bver));
- } else {
- slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
- "Could not base64 encode hashed value for password compare");
---- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
-@@ -122,9 +122,9 @@ sha_pw_cmp(const char *userpwd, const ch
-
- /* the proof is in the comparison... */
- if (hash_len >= shaLen) {
-- result = slapi_ct_memcmp(userhash, dbhash, shaLen);
-+ result = slapi_ct_memcmp(userhash, dbhash, shaLen, shaLen);
- } else {
-- result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH);
-+ result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH);
- }
-
- loser:
---- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-@@ -82,7 +82,7 @@ smd5_pw_cmp(const char *userpwd, const c
- PK11_DestroyContext(ctx, 1);
-
- /* Compare everything up to the salt. */
-- rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH);
-+ rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH, MD5_LENGTH);
-
- loser:
- if (dbhash && dbhash != quick_dbhash)
---- a/ldap/servers/slapd/ch_malloc.c
-+++ b/ldap/servers/slapd/ch_malloc.c
-@@ -331,8 +331,8 @@ slapi_ch_smprintf(const char *fmt, ...)
-
- /* Constant time memcmp. Does not shortcircuit on failure! */
- /* This relies on p1 and p2 both being size at least n! */
--int
--slapi_ct_memcmp(const void *p1, const void *p2, size_t n)
-+int32_t
-+slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2)
- {
- int result = 0;
- const unsigned char *_p1 = (const unsigned char *)p1;
-@@ -342,9 +342,35 @@ slapi_ct_memcmp(const void *p1, const vo
- return 2;
- }
-
-- for (size_t i = 0; i < n; i++) {
-- if (_p1[i] ^ _p2[i]) {
-- result = 1;
-+ if (n1 == n2) {
-+ for (size_t i = 0; i < n1; i++) {
-+ if (_p1[i] ^ _p2[i]) {
-+ result = 1;
-+ }
-+ }
-+ } else {
-+ const unsigned char *_pa;
-+ const unsigned char *_pb;
-+ size_t nl;
-+ if (n2 > n1) {
-+ _pa = _p2;
-+ _pb = _p2;
-+ nl = n2;
-+ } else {
-+ _pa = _p1;
-+ _pb = _p1;
-+ nl = n1;
-+ }
-+ /* We already fail as n1 != n2 */
-+ result = 3;
-+ for (size_t i = 0; i < nl; i++) {
-+ if (_pa[i] ^ _pb[i]) {
-+ /*
-+ * If we don't mutate result here, dead code elimination
-+ * we remove for loop.
-+ */
-+ result = 4;
-+ }
- }
- }
- return result;
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -5828,7 +5828,7 @@ char *slapi_ch_smprintf(const char *fmt,
- * \param n length in bytes of the content of p1 AND p2.
- * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
- */
--int slapi_ct_memcmp(const void *p1, const void *p2, size_t n);
-+int32_t slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2);
-
- /*
- * syntax plugin routines
---- a/ldap/servers/plugins/pwdstorage/gost_yescrypt.c
-+++ b/ldap/servers/plugins/pwdstorage/gost_yescrypt.c
-@@ -27,7 +27,7 @@ gost_yescrypt_pw_cmp(const char *userpwd
- return rc;
- }
-
-- if (slapi_ct_memcmp(hash, dbpwd, strlen(dbpwd)) == 0) {
-+ if (slapi_ct_memcmp(hash, dbpwd, strlen(dbpwd), strlen(dbpwd)) == 0) {
- rc = 0;
- }
-
View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/93fc088ca87e524136f774419744f3655fe3661c...738092545de5a47f4d56d2bf080d4aea4a4804cc
--
View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/93fc088ca87e524136f774419744f3655fe3661c...738092545de5a47f4d56d2bf080d4aea4a4804cc
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20211018/011e2408/attachment-0001.htm>
More information about the Pkg-freeipa-devel
mailing list