Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Dear SRM,

I would like to update openldap in stretch to fix two CVEs and one additional important bug. I already discussed the CVEs with the security team and we agreed on fixing them in a point release. The changes are in testing, backports, and Ubuntu already; no regressions that I'm aware of.

Changelog as follows:

openldap (2.4.44+dfsg-5+deb9u3) stretch; urgency=medium

  * Fix slapd to restrict rootDN proxyauthz to its own databases
    (CVE-2019-13057) (ITS#9038) (Closes: #932997)

    -> No-DSA CVE fix for an admin of one database being able to pivot their
       privileges to other databases in the same slapd instance.

  * Fix slapd to enforce sasl_ssf ACL statement on every connection
    (CVE-2019-13565) (ITS#9052) (Closes: #932998)

    -> No-DSA CVE fix for the sasl_ssf ACL variable being uninitialized on
       non-SASL binds, keeping the value from the previous SASL bind.

  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
    (ITS#8964) (Closes: #934277, LP: #1838370)

    -> Fix a double-free that can be triggered remotely by a search request
       with a crafted search filter, if the slapo-rwm module is loaded and
       search filter rewriting is enabled.

Thank you,
Ryan
diff -Nru openldap-2.4.44+dfsg/debian/changelog openldap-2.4.44+dfsg/debian/changelog --- openldap-2.4.44+dfsg/debian/changelog 2018-05-22 21:25:19.000000000 -0700 +++ openldap-2.4.44+dfsg/debian/changelog 2019-08-10 12:17:00.000000000 -0700 @@ -1,3 +1,14 @@ +openldap (2.4.44+dfsg-5+deb9u3) stretch; urgency=medium + + * Fix slapd to restrict rootDN proxyauthz to its own databases + (CVE-2019-13057) (ITS#9038) (Closes: #932997) + * Fix slapd to enforce sasl_ssf ACL statement on every connection + (CVE-2019-13565) (ITS#9052) (Closes: #932998) + * Fix slapo-rwm to not free original filter when rewritten filter is invalid + (ITS#8964) (Closes: #934277, LP: #1838370) + + -- Ryan Tandy <r...@nardis.ca> Sat, 10 Aug 2019 12:17:00 -0700 + openldap (2.4.44+dfsg-5+deb9u2) stretch; urgency=medium * Import upstream patch to fix an out-of-sync issue with delta-syncrepl diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch --- openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch 1969-12-31 16:00:00.000000000 -0800 +++ openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch 2019-08-10 12:17:00.000000000 -0700 
@@ -0,0 +1,36 @@ +From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <on...@mistotebe.net> +Date: Mon, 17 Jun 2019 12:49:25 +0200 +Subject: [PATCH] ITS#8964 Do not free original filter + +--- + servers/slapd/overlays/rwm.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c +index 36bceaffe..2e24f24cc 100644 +--- a/servers/slapd/overlays/rwm.c ++++ b/servers/slapd/overlays/rwm.c +@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs, rwm_op_state *ros ) + break; + case LDAP_REQ_SEARCH: + op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx ); +- filter_free_x( op, op->ors_filter, 1 ); +- op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); + op->ors_attrs = ros->ors_attrs; +- op->ors_filter = ros->ors_filter; +- op->ors_filterstr = ros->ors_filterstr; ++ if ( op->ors_filter != ros->ors_filter ) { ++ filter_free_x( op, op->ors_filter, 1 ); ++ op->ors_filter = ros->ors_filter; ++ } ++ if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) { ++ op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); ++ op->ors_filterstr = ros->ors_filterstr; ++ } + break; + case LDAP_REQ_EXTENDED: + if ( op->ore_reqdata != ros->ore_reqdata ) { +-- +2.20.1 + diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch --- openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 1969-12-31 16:00:00.000000000 -0800 +++ openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 2019-08-10 12:15:41.000000000 -0700 
@@ -0,0 +1,25 @@ +From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <on...@mistotebe.net> +Date: Thu, 27 Jun 2019 00:45:29 +0200 +Subject: [PATCH] ITS#9038 Another test028 typo + +--- + tests/scripts/test028-idassert | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert +index 564a615d2..dacd68d8f 100755 +--- a/tests/scripts/test028-idassert ++++ b/tests/scripts/test028-idassert +@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then + if test $RC != 50 ; then + echo "ldapwhoami should have failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS +- exit $RC ++ exit 1 + fi + + echo "Filtering ldapsearch results..." +-- +2.20.1 + diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch openldap-2.4.44+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch --- openldap-2.4.44+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch 1969-12-31 16:00:00.000000000 -0800 +++ openldap-2.4.44+dfsg/debian/patches/ITS-9038-Fix-typo-in-test-script.patch 2019-08-10 12:15:41.000000000 -0700 
@@ -0,0 +1,25 @@ +From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <on...@mistotebe.net> +Date: Mon, 24 Jun 2019 16:37:23 +0200 +Subject: [PATCH] ITS#9038 Fix typo in test script + +--- + tests/scripts/test028-idassert | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert +index 9e5e10724..564a615d2 100755 +--- a/tests/scripts/test028-idassert ++++ b/tests/scripts/test028-idassert +@@ -199,7 +199,7 @@ RC=$? + if test $RC != 1 ; then + echo "ldapwhoami should have failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS +- exit $RC ++ exit 1 + fi + + ID="uid=jaj,ou=People,dc=example,dc=it" +-- +2.20.1 + diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch openldap-2.4.44+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch --- openldap-2.4.44+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch 1969-12-31 16:00:00.000000000 -0800 +++ openldap-2.4.44+dfsg/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch 2019-08-10 12:15:41.000000000 -0700 
@@ -0,0 +1,36 @@ +From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001 +From: Howard Chu <h...@openldap.org> +Date: Wed, 19 Jun 2019 12:29:02 +0100 +Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs. + +Treat as normal user for any other DB. +--- + servers/slapd/saslauthz.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c +index 64c70537d..b3727eafe 100644 +--- a/servers/slapd/saslauthz.c ++++ b/servers/slapd/saslauthz.c +@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op, + goto DONE; + } + +- /* Allow the manager to authorize as any DN. */ +- if( op->o_conn->c_authz_backend && +- be_isroot_dn( op->o_conn->c_authz_backend, authcDN )) ++ /* Allow the manager to authorize as any DN in its own DBs. */ + { +- rc = LDAP_SUCCESS; +- goto DONE; ++ Backend *zbe = select_backend( authzDN, 1 ); ++ if ( zbe && be_isroot_dn( zbe, authcDN )) { ++ rc = LDAP_SUCCESS; ++ goto DONE; ++ } + } + + /* Check source rules */ +-- +2.20.1 + diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch openldap-2.4.44+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch --- openldap-2.4.44+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch 1969-12-31 16:00:00.000000000 -0800 +++ openldap-2.4.44+dfsg/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch 2019-08-10 12:15:41.000000000 -0700 
@@ -0,0 +1,102 @@ +From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <on...@mistotebe.net> +Date: Wed, 19 Jun 2019 18:47:32 +0200 +Subject: [PATCH] ITS#9038 Update test028 to test this is enforced + +--- + tests/data/idassert.out | 5 +++++ + tests/data/slapd-idassert.conf | 1 + + tests/data/test-idassert1.ldif | 6 ++++++ + tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++ + 4 files changed, 36 insertions(+) + +diff --git a/tests/data/idassert.out b/tests/data/idassert.out +index 53d76bb2e..fa51c25d6 100644 +--- a/tests/data/idassert.out ++++ b/tests/data/idassert.out +@@ -4,6 +4,11 @@ objectClass: dcObject + o: Example, Inc. + dc: example + ++dn: cn=Manager,o=Example,c=US ++objectClass: inetOrgPerson ++cn: Manager ++sn: Parson ++ + dn: ou=People,o=Example,c=US + objectClass: organizationalUnit + ou: People +diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf +index 88d66a36f..561c5ccc4 100644 +--- a/tests/data/slapd-idassert.conf ++++ b/tests/data/slapd-idassert.conf +@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args + ####################################################################### + + authz-policy both ++authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com" + authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)" + authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)" + authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)" +diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif +index 063d6ec45..3ccbd1a22 100644 +--- a/tests/data/test-idassert1.ldif ++++ b/tests/data/test-idassert1.ldif +@@ -4,6 +4,12 @@ objectClass: dcObject + o: Example, Inc. 
+ dc: example + ++dn: cn=Manager,dc=example,dc=com ++objectClass: inetOrgPerson ++cn: Manager ++sn: Parson ++userPassword: secret ++ + dn: ou=People,dc=example,dc=com + objectClass: organizationalUnit + ou: People +diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert +index b1e16744a..9e5e10724 100755 +--- a/tests/scripts/test028-idassert ++++ b/tests/scripts/test028-idassert +@@ -191,6 +191,17 @@ if test $RC != 0 ; then + exit $RC + fi + ++AUTHZID="u:it/jaj" ++echo "Checking another DB's rootdn can't assert identity from another DB..." ++$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID" ++ ++RC=$? ++if test $RC != 1 ; then ++ echo "ldapwhoami should have failed ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ + ID="uid=jaj,ou=People,dc=example,dc=it" + BASE="o=Example,c=US" + echo "Testing ldapsearch as $ID for \"$BASE\"..." +@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then + exit $RC + fi + ++ ID="manager" ++ AUTHZID="u:it/jaj" ++ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..." ++ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \ ++ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID ++ ++ RC=$? ++ if test $RC != 50 ; then ++ echo "ldapwhoami should have failed ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++ fi ++ + echo "Filtering ldapsearch results..." + $LDIFFILTER < $SEARCHOUT > $SEARCHFLT + echo "Filtering original ldif used to create database..." +-- +2.20.1 + diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch openldap-2.4.44+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch --- openldap-2.4.44+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch 1969-12-31 16:00:00.000000000 -0800 +++ openldap-2.4.44+dfsg/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch 2019-08-10 12:15:41.000000000 -0700 
@@ -0,0 +1,25 @@ +From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001 +From: Howard Chu <h...@openldap.org> +Date: Wed, 10 Jul 2019 21:29:39 +0100 +Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init + +--- + servers/slapd/connection.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c +index b85bcb4c6..704067c55 100644 +--- a/servers/slapd/connection.c ++++ b/servers/slapd/connection.c +@@ -554,7 +554,7 @@ Connection * connection_init( + c->c_close_reason = "?"; /* should never be needed */ + + c->c_ssf = c->c_transport_ssf = ssf; +- c->c_tls_ssf = 0; ++ c->c_tls_ssf = c->c_sasl_ssf = 0; + + #ifdef HAVE_TLS + if ( flags & CONN_IS_TLS ) { +-- +2.20.1 + diff -Nru openldap-2.4.44+dfsg/debian/patches/series openldap-2.4.44+dfsg/debian/patches/series --- openldap-2.4.44+dfsg/debian/patches/series 2018-05-22 21:25:19.000000000 -0700 +++ openldap-2.4.44+dfsg/debian/patches/series 2019-08-10 12:17:00.000000000 -0700 @@ -32,3 +32,9 @@ ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch ITS-8648-init-SASL-library-in-global-init.patch ITS-8444-Do-not-clear-the-pending-operation-when-che.patch +ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch +ITS-9038-Update-test028-to-test-this-is-enforced.patch +ITS-9038-Fix-typo-in-test-script.patch +ITS-9038-Another-test028-typo.patch +ITS-9052-zero-out-sasl_ssf-in-connection_init.patch +ITS-8964-Do-not-free-original-filter.patch
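Review bot: In the rwm.c hunk of ITS-8964-Do-not-free-original-filter.patch, the new guards `if ( op->ors_filter != ros->ors_filter )` and `if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val )` only stop the double free if ros->ors_filter and ros->ors_filterstr are saved unconditionally before the rewrite is attempted; if the search path that fills in ros (not shown in this diff) records them only after a successful rewrite, the comparison is against an unset field and the rollback still frees the caller's filter. Please confirm that save is unconditional, and note that the series carries tests for ITS#9038 but none for this fix; a regression test that loads slapo-rwm with filter rewriting enabled and issues a search whose rewritten filter is invalid would keep this path covered by the package build.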
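Review bot: In the two test028 typo hunks (ITS-9038-Fix-typo-in-test-script.patch and ITS-9038-Another-test028-typo.patch), the replaced `exit $RC` in the "ldapwhoami should have failed" branch would have exited 0 exactly when ldapwhoami unexpectedly succeeded (RC=0), so the test would have passed in the one case it exists to catch; `exit 1` is the correct fix. Since the defect is introduced by ITS-9038-Update-test028-to-test-this-is-enforced.patch in this same series, consider folding both fixups into that patch, or at minimum keep the series order as listed so the test never runs in its broken form at any point in the quilt stack.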
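Review bot: In the saslauthz.c hunk of ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch, the check now resolves the backend from the target `authzDN` via `select_backend( authzDN, 1 )` instead of trusting the bind's `op->o_conn->c_authz_backend`, which is what closes the cross-database pivot: a rootDN is only treated as manager for DNs that live in a database it is root of. A NULL from `select_backend` (authzDN outside every configured suffix) correctly falls through to the "Check source rules" path rather than granting access. One style point: the bare `{ ... }` block that used to belong to the removed `if` is kept only to scope `zbe`; a short comment saying so would stop a future cleanup from flattening it and hoisting the declaration.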
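Review bot: In ITS-9038-Update-test028-to-test-this-is-enforced.patch, the new entry is added to test-idassert1.ldif as `cn=Manager,dc=example,dc=com` but expected in idassert.out as `cn=Manager,o=Example,c=US`; that is only consistent if idassert.out is the view of the same data through the o=Example,c=US suffix, so the expected-output change should be checked against the search base the script actually uses rather than assumed. The two added checks themselves are the right shape for this fix: a simple bind as `$MANAGERDN` asserting `u:it/jaj` must fail (RC 1), and the SASL variant must fail with RC 50, so both bind paths prove the manager of one database cannot assert an identity belonging to another.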
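Review bot: In the connection.c hunk of ITS-9052-zero-out-sasl_ssf-in-connection_init.patch, `c->c_tls_ssf = c->c_sasl_ssf = 0;` resets the SASL security strength factor only when a Connection structure is (re)initialised, which addresses the stale value carried over from a previous connection that reused the same slot. It does not by itself cover a non-SASL bind that follows a SASL bind on the same open connection; please confirm that path resets `c_sasl_ssf` elsewhere in bind processing, and consider a regression test in which a simple bind over a recycled connection is evaluated against an ACL that uses `sasl_ssf=`, since that is the condition under which the stale value would wrongly satisfy the ACL.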