389-ds-base: CVE-2014-0132

Related Vulnerabilities: CVE-2014-0132  

Debian Bug report logs - #741600

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 14 Mar 2014 12:21:01 UTC

Severity: grave

Tags: patch, security

Fixed in version 389-ds-base/1.3.2.9-1.1

Done: Tobias Frost <tobi@coldtobi.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>:
Bug#741600; Package 389-ds-base. (Fri, 14 Mar 2014 12:21:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Fri, 14 Mar 2014 12:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2014-0132
Date: Fri, 14 Mar 2014 13:07:17 +0100
Package: 389-ds-base
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0132 for details.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>:
Bug#741600; Package 389-ds-base. (Fri, 14 Mar 2014 17:33:05 GMT)


Acknowledgement sent to Timo Aaltonen <tjaalton@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Fri, 14 Mar 2014 17:33:05 GMT)


Message #10 received at 741600@bugs.debian.org:

From: Timo Aaltonen <tjaalton@ubuntu.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 741600@bugs.debian.org
Subject: Re: Bug#741600: 389-ds-base: CVE-2014-0132
Date: Fri, 14 Mar 2014 19:28:09 +0200
On 14.03.2014 14:07, Moritz Muehlenhoff wrote:
> Package: 389-ds-base
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0132 for details.

Thanks, fixed in git.d.o.


-- 
t



Information forwarded to debian-bugs-dist@lists.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>:
Bug#741600; Package 389-ds-base. (Fri, 25 Apr 2014 16:12:09 GMT)


Acknowledgement sent to tobi@coldtobi.de:
Extra info received and forwarded to list. Copy sent to Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Fri, 25 Apr 2014 16:12:09 GMT)


Message #15 received at 741600@bugs.debian.org:

From: tobi@coldtobi.de
To: 741600@bugs.debian.org, 745821@bugs.debian.org
Subject: 389-ds-base: diff for NMU version 1.3.2.9-1.1
Date: Fri, 25 Apr 2014 18:07:29 +0200
tags 741600 + patch
tags 741600 + pending
thanks

Dear maintainer,

I've prepared an NMU for 389-ds-base (versioned as 1.3.2.9-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru 389-ds-base-1.3.2.9/debian/changelog 389-ds-base-1.3.2.9/debian/changelog
--- 389-ds-base-1.3.2.9/debian/changelog	2014-02-03 10:09:07.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/changelog	2014-04-25 16:55:53.000000000 +0200
@@ -1,3 +1,12 @@
+389-ds-base (1.3.2.9-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
+  * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
+    (Closes: #745821)
+
+ -- Tobias Frost <tobi@coldtobi.de>  Fri, 25 Apr 2014 15:11:16 +0200
+
 389-ds-base (1.3.2.9-1) unstable; urgency=low
 
   * New upstream release.
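Review bot: the first bullet writes `(Closes: 741600)` while the second writes `(Closes: #745821)`; the changelog should use one form, and "see like named patch" would be clearer as the actual file name, e.g. `Apply fix for CVE-2014-0132 (debian/patches/CVE-2014-0132.patch; Closes: #741600)`. The second bullet also spells the library `libsrvcore` while the patch it refers to is about `svrcore`; pick one spelling so the entry can be searched.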
diff -Nru 389-ds-base-1.3.2.9/debian/control 389-ds-base-1.3.2.9/debian/control
--- 389-ds-base-1.3.2.9/debian/control	2014-01-11 11:40:42.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/control	2014-04-25 16:37:03.000000000 +0200
@@ -22,6 +22,7 @@
  libperl-dev,
  libkrb5-dev,
  libpcre3-dev,
+ libpci-dev
 Standards-Version: 3.9.5
 Vcs-Git: git://git.debian.org/git/pkg-fedora-ds/389-ds-base.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-fedora-ds/389-ds-base.git
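Review bot: `+ libpci-dev` is appended without the trailing comma that the previous last entry (`libpcre3-dev,`) carried; it parses as the final Build-Depends item, but keeping the comma keeps later additions to a one-line diff. The changelog only says the build-dependency was missing; a short note on which part of the build pulls in libpci-dev would let a future maintainer drop it again once it is no longer needed.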
diff -Nru 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch
--- 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch	1970-01-01 01:00:00.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/CVE-2014-0132.patch	2014-04-25 15:11:13.000000000 +0200
@@ -0,0 +1,49 @@
+--- a/ldap/servers/slapd/saslbind.c
++++ b/ldap/servers/slapd/saslbind.c
+@@ -229,34 +229,6 @@
+     return SASL_OK;
+ }
+ 
+-static int ids_sasl_proxy_policy(
+-    sasl_conn_t *conn,
+-    void *context,
+-    const char *requested_user, int rlen,
+-    const char *auth_identity, int alen,
+-    const char *def_realm, int urlen,
+-    struct propctx *propctx
+-)
+-{
+-    int retVal = SASL_OK;
+-    /* do not permit sasl proxy authorization */
+-    /* if the auth_identity is null or empty string, allow the sasl request to go thru */    
+-    if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) {
+-        Slapi_DN authId , reqUser;
+-        slapi_sdn_init_dn_byref(&authId,auth_identity);
+-        slapi_sdn_init_dn_byref(&reqUser,requested_user);
+-        if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) {
+-            LDAPDebug(LDAP_DEBUG_TRACE, 
+-                  "sasl proxy auth not permitted authid=%s user=%s\n",
+-                  auth_identity, requested_user, 0);
+-            retVal =  SASL_NOAUTHZ;
+-        }
+-        slapi_sdn_done(&authId);
+-        slapi_sdn_done(&reqUser); 
+-    }
+-    return retVal;
+-}
+-
+ static void ids_sasl_user_search(
+     char *basedn,
+     int scope,
+@@ -583,11 +555,6 @@
+       NULL
+     },
+     {
+-      SASL_CB_PROXY_POLICY,
+-      (IFP) ids_sasl_proxy_policy,
+-      NULL
+-    },
+-    {
+       SASL_CB_CANON_USER,
+       (IFP) ids_sasl_canon_user,
+       NULL
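Review bot: the new debian/patches/CVE-2014-0132.patch carries no DEP-3 header, unlike ftbs_lsoftotkn3.patch below; a security fix should state its Origin (upstream ticket and changeset) and the CVE id so its provenance is auditable from the patch itself. On the content: the two hunks are coupled, removing both the `ids_sasl_proxy_policy` function and its `SASL_CB_PROXY_POLICY` callback entry, so after this patch the check of the requested authorization identity against the authenticated identity is left to the SASL library's default proxy policy instead of the DN comparison that was dropped. The `LDAPDebug(LDAP_DEBUG_TRACE, "sasl proxy auth not permitted ...")` line goes with it, so rejected proxy-authorization attempts no longer produce this server-side trace message; both points are worth a line in the patch header.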
diff -Nru 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch
--- 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch	1970-01-01 01:00:00.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/ftbs_lsoftotkn3.patch	2014-04-25 16:17:53.000000000 +0200
@@ -0,0 +1,20 @@
+Description: Fix autoconf macro to detect svrcore properly
+ configure bails out with a linking error against libsoftokn, which is according
+ #473275 the correct behaviour. The patch modifies the m4 file to do not link
+ against this lib.
+Author: Tobias Frost <tobi@coldtobi.de>
+Forwarded: no
+Last-Update: 2014-04-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/m4/svrcore.m4
++++ b/m4/svrcore.m4
+@@ -96,7 +96,7 @@
+ if test -z "$svrcore_inc" -o -z "$svrcore_lib"; then
+ dnl just see if SVRCORE is already a system library
+   AC_CHECK_LIB([svrcore], [SVRCORE_GetRegisteredPinObj], [havesvrcore=1],
+-	       [], [$nss_inc $nspr_inc $nss_lib -lnss3 -lsoftokn3 $nspr_lib -lplds4 -lplc4 -lnspr4])
++	       [], [$nss_inc $nspr_inc $nss_lib -lnss3 $nspr_lib -lplds4 -lplc4 -lnspr4])
+   if test -n "$havesvrcore" ; then
+ dnl just see if SVRCORE is already a system header file
+     save_cppflags="$CPPFLAGS"
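Review bot: the file name `ftbs_lsoftotkn3.patch` misspells both the library (`softokn3`, as in the `-lsoftokn3` flag the hunk drops) and the usual FTBFS abbreviation; renaming it, together with its `series` entry, avoids confusion later. In the Description, "to do not link against this lib" should read "so that it does not link against this library". The header cites `#473275` for the linking rule but not the bug this upload closes (#745821); a `Bug-Debian:` field for #745821 would tie the two together, and `Forwarded: no` on a build-system fix is worth revisiting, since upstream's m4 file has the same problem.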
diff -Nru 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff
--- 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff	2014-01-11 11:39:16.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/rename-online-scripts.diff	2014-04-25 15:11:03.000000000 +0200
@@ -1,8 +1,14 @@
-diff --git a/ldap/admin/src/scripts/template-bak2db.pl.in b/ldap/admin/src/scripts/template-bak2db.pl.in
-index 4c7bab8..a972878 100644
+Description: Cherrypick fix for CVE-2014-0132
+Author: Noriko Hosoi <nhosoi@redhat.com>
+Origin: https://fedorahosted.org/389/ticket/47739
+Forwarded: not
+Applied-Upstream: https://fedorahosted.org/389/changeset/9bc2b46b7c7ee4c975d04b041f73a5992906b07c/
+Last-Update: 2014-04-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 --- a/ldap/admin/src/scripts/template-bak2db.pl.in
 +++ b/ldap/admin/src/scripts/template-bak2db.pl.in
-@@ -49,6 +49,6 @@ while ($i <= $#ARGV) {
+@@ -49,6 +49,6 @@
          $i++;
  }
  
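Review bot: the DEP-3 header added here (`Description: Cherrypick fix for CVE-2014-0132`, `Author: Noriko Hosoi`, `Origin: https://fedorahosted.org/389/ticket/47739`) describes the SASL proxy-policy fix, but this file is rename-online-scripts.diff, whose hunks only touch the `template-*.pl.in` wrapper scripts; the header appears to have landed in the wrong patch and belongs in debian/patches/CVE-2014-0132.patch, which has none. `Forwarded: not` is also not a valid DEP-3 value; use `not-needed` (or `no`/`yes`). The remaining hunks of this file only strip the `diff --git`/`index` lines and the function context from the `@@` headers, which is harmless.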
@@ -10,11 +16,9 @@
 +exec "{{SERVERBIN-DIR}}/bak2db-online @wrapperArgs -Z {{SERV-ID}}";
  
  exit ($?);
-diff --git a/ldap/admin/src/scripts/template-db2bak.pl.in b/ldap/admin/src/scripts/template-db2bak.pl.in
-index 712f387..e5f44eb 100644
 --- a/ldap/admin/src/scripts/template-db2bak.pl.in
 +++ b/ldap/admin/src/scripts/template-db2bak.pl.in
-@@ -49,7 +49,7 @@ while ($i <= $#ARGV) {
+@@ -49,7 +49,7 @@
          $i++;
  }
  
@@ -23,11 +27,9 @@
  
  exit ($?);
  
-diff --git a/ldap/admin/src/scripts/template-db2index.pl.in b/ldap/admin/src/scripts/template-db2index.pl.in
-index d2d6d87..7edb3c2 100644
 --- a/ldap/admin/src/scripts/template-db2index.pl.in
 +++ b/ldap/admin/src/scripts/template-db2index.pl.in
-@@ -49,6 +49,6 @@ while ($i <= $#ARGV) {
+@@ -49,6 +49,6 @@
          $i++;
  }
  
@@ -35,11 +37,9 @@
 +exec "{{SERVERBIN-DIR}}/db2index-online @wrapperArgs -Z {{SERV-ID}}";
  
  exit ($?);
-diff --git a/ldap/admin/src/scripts/template-db2ldif.pl.in b/ldap/admin/src/scripts/template-db2ldif.pl.in
-index feb8af9..10db293 100644
 --- a/ldap/admin/src/scripts/template-db2ldif.pl.in
 +++ b/ldap/admin/src/scripts/template-db2ldif.pl.in
-@@ -53,6 +53,6 @@ while ($i <= $#ARGV) {
+@@ -53,6 +53,6 @@
  
  $cwd = cwd();
  
@@ -47,11 +47,9 @@
 +exec "{{SERVERBIN-DIR}}/db2ldif-online -c $cwd @wrapperArgs -Z {{SERV-ID}}";
  
  exit ($?);
-diff --git a/ldap/admin/src/scripts/template-ldif2db.pl.in b/ldap/admin/src/scripts/template-ldif2db.pl.in
-index 5211fd5..0bae57d 100644
 --- a/ldap/admin/src/scripts/template-ldif2db.pl.in
 +++ b/ldap/admin/src/scripts/template-ldif2db.pl.in
-@@ -49,6 +49,6 @@ while ($i <= $#ARGV) {
+@@ -49,6 +49,6 @@
          $i++;
  }
  
diff -Nru 389-ds-base-1.3.2.9/debian/patches/series 389-ds-base-1.3.2.9/debian/patches/series
--- 389-ds-base-1.3.2.9/debian/patches/series	2014-01-11 11:39:16.000000000 +0100
+++ 389-ds-base-1.3.2.9/debian/patches/series	2014-04-25 16:09:52.000000000 +0200
@@ -2,3 +2,5 @@
 fix-sasl-path.diff
 admin_scripts.diff
 rename-online-scripts.diff
+CVE-2014-0132.patch
+ftbs_lsoftotkn3.patch



Added tag(s) patch. Request was from tobi@coldtobi.de to control@bugs.debian.org. (Fri, 25 Apr 2014 16:12:18 GMT)


Added tag(s) pending. Request was from tobi@coldtobi.de to control@bugs.debian.org. (Fri, 25 Apr 2014 16:12:19 GMT)


Reply sent to Tobias Frost <tobi@coldtobi.de>:
You have taken responsibility. (Fri, 25 Apr 2014 21:39:21 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 25 Apr 2014 21:39:21 GMT)


Message #24 received at 741600-close@bugs.debian.org:

From: Tobias Frost <tobi@coldtobi.de>
To: 741600-close@bugs.debian.org
Subject: Bug#741600: fixed in 389-ds-base 1.3.2.9-1.1
Date: Fri, 25 Apr 2014 21:34:02 +0000
Source: 389-ds-base
Source-Version: 1.3.2.9-1.1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 741600@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@coldtobi.de> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 25 Apr 2014 15:11:16 +0200
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-libs-dbg 389-ds-base-dev 389-ds-base 389-ds-base-dbg
Architecture: source all amd64
Version: 1.3.2.9-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>
Changed-By: Tobias Frost <tobi@coldtobi.de>
Description: 
 389-ds     - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dbg - 389 Directory Server suite - server debugging symbols
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
 389-ds-base-libs-dbg - 389 Directory Server suite - library debugging symbols
Closes: 741600 745821
Changes: 
 389-ds-base (1.3.2.9-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply fix for CVE-2014-0132, see like named patch (Closes: 741600)
   * Fix m4-macro for libsrvcore and add missing B-D on libpci-dev
     (Closes: #745821)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 30 May 2014 07:25:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:37:51 2019; Machine Name: buxtehude
