
Bug 849401 (CVE-2022-1949)

Summary: <net-nds/389-ds-base-2.3.2: access control bypass vulnerability
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ajak, chris, Dessa, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/389ds/389-ds-base/issues/5170
See Also: https://github.com/gentoo/gentoo/pull/36458
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-02 22:02:28 UTC
CVE-2022-1949:

An access control bypass vulnerability was found in 389-ds-base. The mishandling of the filter was thought to yield only incorrect results, but as the investigation has progressed, it has been determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=2091781

There are some PRs upstream with potential fixes: https://github.com/389ds/389-ds-base/issues/5170#issuecomment-1140630971
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 00:41:49 UTC
If I'm reading this git spaghetti correctly, it looks like this made it into 2.0.16, 2.1.2, and 2.2.2.
Comment 2 Larry the Git Cow gentoo-dev 2024-04-28 07:24:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6509134724c8a14ca82fe9e1e931f3e6e5e116

commit db6509134724c8a14ca82fe9e1e931f3e6e5e116
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2024-04-27 15:17:11 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-04-28 07:08:27 +0000

    net-nds/389-ds-base: drop 1.4.4.19-r4, 2.1.0-r4, 2.3.2
    
    Bug: https://bugs.gentoo.org/849401
    Bug: https://bugs.gentoo.org/835611
    Bug: https://bugs.gentoo.org/833631
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Closes: https://github.com/gentoo/gentoo/pull/36458
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.4.4.19-r4.ebuild | 324 ---------------------
 net-nds/389-ds-base/389-ds-base-2.1.0-r4.ebuild    | 321 --------------------
 net-nds/389-ds-base/389-ds-base-2.3.2.ebuild       | 298 -------------------
 net-nds/389-ds-base/Manifest                       | 134 ---------
 ...-ds-base-2.3.2-setuptools-67-packaging-23.patch | 167 -----------
 5 files changed, 1244 deletions(-)
Comment 3 Hans de Graaff gentoo-dev Security 2024-04-28 08:37:23 UTC
All done. Thanks!