LTS update for openldap?

Ryan Tandy ryan at nardis.ca
Wed Aug 14 20:36:10 BST 2019


Dear LTS team,

I propose updating openldap in jessie to fix two no-DSA CVEs and one 
additional important bug. The same changes have been accepted for the 
next point releases of buster (#934507) and stretch (#934508).

The issues all affect specific, mostly uncommon, slapd configurations, 
which is why they were considered not urgent enough for a DSA.

I have built and tested the package in a jessie chroot. If you would 
like to verify the fixes yourselves, I can provide testing instructions 
and scripts for the individual issues.

If you agree with the changes, I would appreciate if someone would 
handle the LTS paperwork for me, and sponsor the upload (if needed -- I 
am a DM).

openldap (2.4.40+dfsg-1+deb8u5) jessie; urgency=medium

  * Fix slapd to restrict rootDN proxyauthz to its own databases
    (CVE-2019-13057) (ITS#9038) (Closes: #932997)

-> No-DSA CVE fix for an admin of one database being able to pivot their 
privileges to other databases in the same slapd instance.

  * Fix slapd to enforce sasl_ssf ACL statement on every connection
    (CVE-2019-13565) (ITS#9052) (Closes: #932998)

-> No-DSA CVE fix for the sasl_ssf ACL variable being uninitialized on 
non-SASL binds, keeping the value from the previous SASL bind.

  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
    (ITS#8964) (Closes: #934277, LP: #1838370)

-> Fix a double-free that can be triggered remotely by a search request 
with a crafted search filter, if the slapo-rwm module is loaded and 
search filter rewriting is enabled.

The debdiff is attached, and I pushed the changes to the 'jessie' branch 
at <https://salsa.debian.org/openldap-team/openldap>.

Also, could you please add openldap to the lts-do-call-me list?

Thank you,
Ryan
-------------- next part --------------
diff -u openldap-2.4.40+dfsg/debian/changelog openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,14 @@
+openldap (2.4.40+dfsg-1+deb8u5) jessie; urgency=medium
+
+  * Fix slapd to restrict rootDN proxyauthz to its own databases
+    (CVE-2019-13057) (ITS#9038) (Closes: #932997)
+  * Fix slapd to enforce sasl_ssf ACL statement on every connection
+    (CVE-2019-13565) (ITS#9052) (Closes: #932998)
+  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
+    (ITS#8964) (Closes: #934277, LP: #1838370)
+
+ -- Ryan Tandy <ryan at nardis.ca>  Sun, 11 Aug 2019 12:11:57 -0700
+
 openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium
 
   * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
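Review bot: the third changelog entry could say what the bug actually is (a remotely triggerable double free in slapo-rwm when filter rewriting is enabled, as the cover mail explains) rather than only the code-level change, since readers of the security tracker and of the stretch/buster point-release notes see the changelog, not this mail. The first two entries are fine: CVE, upstream ITS and Debian bug are all referenced.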
diff -u openldap-2.4.40+dfsg/debian/patches/series openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -31,0 +32,6 @@
+ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
+ITS-9038-Update-test028-to-test-this-is-enforced.patch
+ITS-9038-Fix-typo-in-test-script.patch
+ITS-9038-Another-test028-typo.patch
+ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
+ITS-8964-Do-not-free-original-filter.patch
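Review bot: the order of these six lines is load-bearing. The two ITS#9038 typo patches edit the `exit $RC` lines that ITS-9038-Update-test028-to-test-this-is-enforced.patch introduces, so they must stay after it, and the restrict-rootDN patch has to precede the test update or the new test028 checks fail; the order as listed satisfies both. A one-line `#` comment in series noting that the four ITS#9038 patches form one logical change would make that dependency visible to whoever refreshes the series next.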
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-8964-Do-not-free-original-filter.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
@@ -0,0 +1,36 @@
+From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra at mistotebe.net>
+Date: Mon, 17 Jun 2019 12:49:25 +0200
+Subject: [PATCH] ITS#8964 Do not free original filter
+
+---
+ servers/slapd/overlays/rwm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index 36bceaffe..2e24f24cc 100644
+--- a/servers/slapd/overlays/rwm.c
++++ b/servers/slapd/overlays/rwm.c
+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs, rwm_op_state *ros )
+ 		break;
+ 	case LDAP_REQ_SEARCH:
+ 		op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );
+-		filter_free_x( op, op->ors_filter, 1 );
+-		op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+ 		op->ors_attrs = ros->ors_attrs;
+-		op->ors_filter = ros->ors_filter;
+-		op->ors_filterstr = ros->ors_filterstr;
++		if ( op->ors_filter != ros->ors_filter ) {
++			filter_free_x( op, op->ors_filter, 1 );
++			op->ors_filter = ros->ors_filter;
++		}
++		if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) {
++			op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
++			op->ors_filterstr = ros->ors_filterstr;
++		}
+ 		break;
+ 	case LDAP_REQ_EXTENDED:
+ 		if ( op->ore_reqdata != ros->ore_reqdata ) {
+-- 
+2.20.1
+
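Review bot: the guard `if ( op->ors_filter != ros->ors_filter )` is what removes the double free. When the rewritten filter is rejected, op->ors_filter still points at the saved original, and the old unconditional `filter_free_x( op, op->ors_filter, 1 )` followed by the restore released a filter that the caller still owns and frees later. The matching pointer test on `ors_filterstr.bv_val` keeps the filter string in step with the filter. Note that `ros->mapped_attrs` is still freed and `op->ors_attrs` restored unconditionally; that is unchanged from before and matches the upstream commit, but a sentence in the patch header explaining why the attribute mapping needs no such guard would help the next reader. Please also add a `Bug-Debian:` line for #934277 (and the LP bug from the changelog) to the header so DEP-3 tooling links the patch.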
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-9038-Another-test028-typo.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra at mistotebe.net>
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 564a615d2..dacd68d8f 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
+ 	if test $RC != 50 ; then
+ 		echo "ldapwhoami should have failed ($RC)!"
+ 		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+-		exit $RC
++		exit 1
+ 	fi
+ 
+ 	echo "Filtering ldapsearch results..."
+-- 
+2.20.1
+
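Review bot: `exit 1` in place of `exit $RC` is the right fix. This branch only runs when ldapwhoami did not return the expected code 50 (insufficientAccessRights), and the case the check exists to catch is the one where the proxy authorization unexpectedly succeeded, i.e. RC is 0; with `exit $RC` the script then reported success for exactly that failure. Folding this and the other one-line typo fix into the test-update patch would shorten the series, but carrying the upstream commits verbatim is also defensible.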
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-9038-Fix-typo-in-test-script.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch
@@ -0,0 +1,25 @@
+From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra at mistotebe.net>
+Date: Mon, 24 Jun 2019 16:37:23 +0200
+Subject: [PATCH] ITS#9038 Fix typo in test script
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 9e5e10724..564a615d2 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -199,7 +199,7 @@ RC=$?
+ if test $RC != 1 ; then
+     echo "ldapwhoami should have failed ($RC)!"
+     test $KILLSERVERS != no && kill -HUP $KILLPIDS
+-    exit $RC
++    exit 1
+ fi
+ 
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+-- 
+2.20.1
+
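Review bot: same exit-status problem as in the SASL branch, fixed the same way. Here the simple-bind check expects result code 1, so a run where ldapwhoami returned 0 would have ended in `exit 0` and the test would have passed silently. Worth keeping in mind that the two checks expect different codes (1 here, 50 for the SASL bind), so neither can simply reuse the other's comparison.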
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch
@@ -0,0 +1,102 @@
+From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra at mistotebe.net>
+Date: Wed, 19 Jun 2019 18:47:32 +0200
+Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
+
+---
+ tests/data/idassert.out        |  5 +++++
+ tests/data/slapd-idassert.conf |  1 +
+ tests/data/test-idassert1.ldif |  6 ++++++
+ tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/tests/data/idassert.out b/tests/data/idassert.out
+index 53d76bb2e..fa51c25d6 100644
+--- a/tests/data/idassert.out
++++ b/tests/data/idassert.out
+@@ -4,6 +4,11 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+ 
++dn: cn=Manager,o=Example,c=US
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++
+ dn: ou=People,o=Example,c=US
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
+index 88d66a36f..561c5ccc4 100644
+--- a/tests/data/slapd-idassert.conf
++++ b/tests/data/slapd-idassert.conf
+@@ -36,6 +36,7 @@ argsfile	@TESTDIR@/slapd.1.args
+ #######################################################################
+ 
+ authz-policy	both
++authz-regexp	"^uid=manager,.+" "cn=Manager,dc=example,dc=com"
+ authz-regexp	"^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
+ authz-regexp	"^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
+ authz-regexp	"^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
+diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
+index 063d6ec45..3ccbd1a22 100644
+--- a/tests/data/test-idassert1.ldif
++++ b/tests/data/test-idassert1.ldif
+@@ -4,6 +4,12 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+ 
++dn: cn=Manager,dc=example,dc=com
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++userPassword: secret
++
+ dn: ou=People,dc=example,dc=com
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index b1e16744a..9e5e10724 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -191,6 +191,17 @@ if test $RC != 0 ; then
+ 	exit $RC
+ fi
+ 
++AUTHZID="u:it/jaj"
++echo "Checking another DB's rootdn can't assert identity from another DB..."
++$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
++
++RC=$?
++if test $RC != 1 ; then
++    echo "ldapwhoami should have failed ($RC)!"
++    test $KILLSERVERS != no && kill -HUP $KILLPIDS
++    exit $RC
++fi
++
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+ BASE="o=Example,c=US"
+ echo "Testing ldapsearch as $ID for \"$BASE\"..."
+@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
+ 		exit $RC
+ 	fi
+ 
++	ID="manager"
++	AUTHZID="u:it/jaj"
++	echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
++	$LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
++		-Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
++
++	RC=$?
++	if test $RC != 50 ; then
++		echo "ldapwhoami should have failed ($RC)!"
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	fi
++
+ 	echo "Filtering ldapsearch results..."
+ 	$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ 	echo "Filtering original ldif used to create database..."
+-- 
+2.20.1
+
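Review bot: both new checks exit with `exit $RC` on failure (under `if test $RC != 1` and `if test $RC != 50`), which exits 0 when the whoami unexpectedly succeeds; this is only acceptable here because the two follow-up ITS#9038 typo patches in the series correct it, so keep them applied together. The new `authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"` rule is inserted before the general `^uid=(us/)?([^,]+),.+` rule, which matters because slapd tries authz-regexp rules in order and uses the first match; it should stay first. Finally, the expected output gains cn=Manager,o=Example,c=US while the ldif adds cn=Manager,dc=example,dc=com, presumably the same entry seen through the proxied suffix (the test already searches BASE o=Example,c=US for entries whose identities live under dc=example,dc=it); a sentence in the patch header would save the next reader that lookup.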
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
@@ -0,0 +1,36 @@
+From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc at openldap.org>
+Date: Wed, 19 Jun 2019 12:29:02 +0100
+Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
+
+Treat as normal user for any other DB.
+---
+ servers/slapd/saslauthz.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 64c70537d..b3727eafe 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
+ 		goto DONE;
+ 	}
+ 
+-	/* Allow the manager to authorize as any DN. */
+-	if( op->o_conn->c_authz_backend &&
+-		be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
++	/* Allow the manager to authorize as any DN in its own DBs. */
+ 	{
+-		rc = LDAP_SUCCESS;
+-		goto DONE;
++		Backend *zbe = select_backend( authzDN, 1 );
++		if ( zbe && be_isroot_dn( zbe, authcDN )) {
++			rc = LDAP_SUCCESS;
++			goto DONE;
++		}
+ 	}
+ 
+ 	/* Check source rules */
+-- 
+2.20.1
+
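Review bot: the behavioural change is that the rootdn test now runs against the backend that owns the target identity (`select_backend( authzDN, 1 )`) instead of the backend the bound identity belongs to (`c_authz_backend`), so being rootdn of one database no longer grants proxy authorization into a different one; that matches the changelog and the CVE-2019-13057 summary in the cover mail. When select_backend returns NULL because no database holds authzDN, the inner `if` is skipped and control falls through to the source-rule checks that follow, which is the fail-closed direction. Two nits: the bare `{ ... }` block left over from removing the `if` is harmless but reads oddly, and the patch header should carry the CVE and `Bug-Debian:` references from the changelog.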
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
@@ -0,0 +1,25 @@
+From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc at openldap.org>
+Date: Wed, 10 Jul 2019 21:29:39 +0100
+Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
+
+---
+ servers/slapd/connection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index b85bcb4c6..704067c55 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -554,7 +554,7 @@ Connection * connection_init(
+ 	c->c_close_reason = "?";			/* should never be needed */
+ 
+ 	c->c_ssf = c->c_transport_ssf = ssf;
+-	c->c_tls_ssf = 0;
++	c->c_tls_ssf = c->c_sasl_ssf = 0;
+ 
+ #ifdef HAVE_TLS
+ 	if ( flags & CONN_IS_TLS ) {
+-- 
+2.20.1
+
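Review bot: clearing `c_sasl_ssf` alongside `c_tls_ssf` in connection_init addresses the case described in the cover mail, a later non-SASL bind seeing the SSF left by an earlier SASL bind and so satisfying an `sasl_ssf=` ACL it should not. connection_init is the right place, since it is where the other per-connection SSF fields (`c_ssf`, `c_transport_ssf`, `c_tls_ssf`) are already reset. It is a one-field change with no accompanying test, though; a check that performs a SASL bind, then a simple bind on a fresh connection against an ACL guarded by `sasl_ssf=`, would be the way to verify the jessie build, and the submitter's offer of testing scripts should cover that.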


More information about the Pkg-openldap-devel mailing list