Página inicial Explorar Ajuda
Registrar Entrar
Apq
/
389-ds-base
mirror de https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Arquivos Issues 0 Wiki
Ver código fonte

Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]

Fix for CVE-2014-8112

	If the unhashed pw switch is set to off this should only
        prevent the generation of the unhashed#user#password
	attribute.
	But encoding of pw values and detiecetion which values have
	to be deleted needs to stay intact.
	So the check if the switch is set has to be placed close to
        the generation of the attribute in different 'if' branches

Reviewed by Noriko, thanks

(cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
Ludwig Krispenz 11 anos atrás
pai
c170d9541c
commit
84b8bfd7d1
2 arquivos alterados com 28 adições e 17 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 6 0
      ldap/servers/plugins/retrocl/retrocl_po.c
  2. 22 17
      ldap/servers/slapd/modify.c

+ 6 - 0
ldap/servers/plugins/retrocl/retrocl_po.c
Ver arquivo 

@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
 
 		continue;
 
 	    }
 
 	}
 
+	if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
 
+		if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
 
+			/* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
 
+			continue;
 
+		}
 
+	}
 
 	switch ( ldm[ i ]->mod_op  & ~LDAP_MOD_BVALUES ) {
 
 	case LDAP_MOD_ADD:
 
 	    addlenstr( l, "add: " );

+ 22 - 17
ldap/servers/slapd/modify.c
Ver arquivo 

@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 
 	 * before calling the preop plugins
 
 	 */
 
 
-	if (pw_change && !repl_op &&
 
-	    (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
 
+	if (pw_change && !repl_op ) {
 
 		Slapi_Value **va = NULL;
 
 
 		unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
 
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 
 						 *  Finally, delete the unhashed userpassword
 
 						 *  (this will update the password entry extension)
 
 						 */
 
-						bval.bv_val = password;
 
-						bval.bv_len = strlen(password);
 
-						bv[0] = &bval;
 
-						bv[1] = NULL;
 
-						valuearray_init_bervalarray(bv, &va);
 
-						slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
 
-						valuearray_free(&va);
 
+						if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
 
+							bval.bv_val = password;
 
+							bval.bv_len = strlen(password);
 
+							bv[0] = &bval;
 
+							bv[1] = NULL;
 
+							valuearray_init_bervalarray(bv, &va);
 
+							slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
 
+							valuearray_free(&va);
 
+						}
 
 					} else {
 
 						/*
 
 						 *  Password is encoded, try and find a matching unhashed_password to delete
 
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 
 								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
 
 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
 
 										/* match, add the delete mod for this particular unhashed userpassword */
 
-										valuearray_init_bervalarray(bv, &va);
 
-										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
 
-										valuearray_free(&va);
 
-										free_pw_scheme( unhashed_pwsp );
 
+										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
 
+										    valuearray_init_bervalarray(bv, &va);
 
+										    slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
 
+										    valuearray_free(&va);
 
+										    free_pw_scheme( unhashed_pwsp );
 
+										}
 
 										break;
 
 									}
 
 								} else {
 
 									/*
 
 									 *  We have a hashed unhashed_userpassword!  We must delete it.
 
 									 */
 
-									valuearray_init_bervalarray(bv, &va);
 
-									slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
 
-									valuearray_free(&va);
 
+									if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
 
+										valuearray_init_bervalarray(bv, &va);
 
+										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
 
+										valuearray_free(&va);
 
+									}
 
 								}
 
 								free_pw_scheme( unhashed_pwsp );
 
 							}
 
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 
 				if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
 
 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
 
 				}
 
-			} else {
 
+			} else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
 
 				/* add pseudo password attribute */
 
 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
 
 				if(va && va[0]){