
Bug 701812 (CVE-2019-14824)

Summary: net-nds/389-ds-base: Read permission check bypass via the deref plugin (CVE-2019-14824)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: proxy-maint, treecleaner
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://pagure.io/389-ds-base/issue/50716
See Also: https://bugs.gentoo.org/show_bug.cgi?id=655176
https://github.com/gentoo/gentoo/pull/15907
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 731296    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 22:17:00 UTC
CVE-2019-14824 (https://nvd.nist.gov/vuln/detail/CVE-2019-14824):
  A flaw was found in the 'deref' plugin of 389-ds-base where it could use the
  'search' permission to display attribute values. In some configurations,
  this could allow an authenticated attacker to view private attributes, such
  as password hashes.
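
The distinction the CVE text turns on (a value returned under the 'search' right instead of the 'read' right), shown as an added C model. This is not 389-ds-base code and not part of the original bug report; the rights bits, function names and the sample entry are all constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical rights bits: search (may match in a filter) vs read (may see the value). */
enum { RIGHT_SEARCH = 1 << 0, RIGHT_READ = 1 << 1 };

struct attr { const char *name; const char *value; unsigned granted; };

/* Constructed referenced entry: the bound user may search on userPassword
 * but has not been granted read on it. */
static const struct attr referenced_entry[] = {
    { "cn",           "Constructed Manager",   RIGHT_SEARCH | RIGHT_READ },
    { "userPassword", "{SSHA}constructedhash", RIGHT_SEARCH },
};
#define N_ATTRS (sizeof referenced_entry / sizeof referenced_entry[0])

/* Model of a dereference: return the value of `name` from the referenced
 * entry only if the caller holds the `required` right on that attribute. */
static const char *deref_value(const char *name, unsigned required)
{
    for (size_t i = 0; i < N_ATTRS; i++) {
        if (strcmp(referenced_entry[i].name, name) == 0)
            return (referenced_entry[i].granted & required) == required
                       ? referenced_entry[i].value : NULL;
    }
    return NULL; /* unknown attribute */
}

/* Flawed gate as described in the CVE text: values released on 'search'. */
const char *deref_flawed(const char *name) { return deref_value(name, RIGHT_SEARCH); }

/* Corrected gate: releasing a value requires 'read'. */
const char *deref_fixed(const char *name) { return deref_value(name, RIGHT_READ); }

/* Regression check for either gate: any attribute without 'read' that still
 * yields a value is a leak. Returns the number of leaked attributes. */
int count_leaks(const char *(*deref)(const char *))
{
    int leaks = 0;
    for (size_t i = 0; i < N_ATTRS; i++)
        if (!(referenced_entry[i].granted & RIGHT_READ) &&
            deref(referenced_entry[i].name) != NULL)
            leaks++;
    return leaks;
}

/* Exit status 0 means the corrected gate leaks nothing. */
int main(void) { return count_leaks(deref_fixed); }
```
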
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-02 22:18:07 UTC
Upstream patch: https://pagure.io/389-ds-base/c/ddbe3c8fe

fb3d355..ddbe3c8 master -> master

becdf20..86776bb 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

959057c..fca2934 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

428a8ff..b6ba778 389-ds-base-1.3.10 -> 389-ds-base-1.3.10
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2020-05-21 23:47:06 UTC
Since this package has no maintainers and is not being updated, please consider dropping the package.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-04 19:14:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66a48ca5d52d4699c4ef38209dfcad8ebdd149aa

commit 66a48ca5d52d4699c4ef38209dfcad8ebdd149aa
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:24:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:36 +0000

    net-nds/389-ds-base, dev-libs/389-adminutil: Last rites
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/package.mask | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2020-07-13 04:53:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7414f8c33bb75cd9a4f6a61040886852fcf2afe1

commit 7414f8c33bb75cd9a4f6a61040886852fcf2afe1
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:52:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:31 +0000

    dev-libs/svrcore: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/svrcore/Manifest                         |   2 -
 dev-libs/svrcore/files/svrcore-4.0.4-gentoo.patch | 100 ----------------------
 dev-libs/svrcore/files/svrcore-4.1-gentoo.patch   | 100 ----------------------
 dev-libs/svrcore/metadata.xml                     |   5 --
 dev-libs/svrcore/svrcore-4.0.4-r1.ebuild          |  40 ---------
 dev-libs/svrcore/svrcore-4.1.2.ebuild             |  35 --------
 profiles/package.mask                             |   6 --
 7 files changed, 288 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aef3f76fb5607ea9fcecd97c192a0ab06d224737

commit aef3f76fb5607ea9fcecd97c192a0ab06d224737
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:51:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:27 +0000

    dev-libs/389-adminutil: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/389-adminutil/389-adminutil-1.1.15.ebuild | 46 ----------------------
 dev-libs/389-adminutil/Manifest                    |  1 -
 dev-libs/389-adminutil/metadata.xml                |  5 ---
 profiles/package.mask                              |  2 -
 4 files changed, 54 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb6602276b3003bcdafd619a28ac6f163f52fb30

commit eb6602276b3003bcdafd619a28ac6f163f52fb30
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:50:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:23 +0000

    net-nds/389-ds-base: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild  | 126 -------
 net-nds/389-ds-base/389-ds-base-9999.ebuild        | 133 --------
 net-nds/389-ds-base/Manifest                       |   1 -
 ...-base-1.3.6-backport-invalid-password-mig.patch | 376 ---------------------
 net-nds/389-ds-base/files/389-ds-snmp.initd        |  44 ---
 net-nds/389-ds-base/files/389-ds.initd-r1          |  90 -----
 net-nds/389-ds-base/metadata.xml                   |  23 --
 7 files changed, 793 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-23 13:19:56 UTC
noglsa, tree clean, closing.