Accepting request 844183 from home:firstyear:branches:network:ldap

- bsc#1175568 CVE-2020-8027
  openldap_update_modules_path.sh has a number of issues in it's
  design that lead to security issues. This file has been removed,
  from the package, and the %post execution of the install. The
  function is replaced by /usr/sbin/slapd-ldif-update-crc and
  /usr/lib/openldap/fixup-modulepath, through the addition of the
  source files:
  * fixup-modulepath.sh
  * slapd-ldif-update-crc.sh
  * update-crc.sh

OBS-URL: https://build.opensuse.org/request/show/844183
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=278

fixup-modulepath.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+source /usr/lib/openldap/update-crc
+
+conf_dir='/etc/openldap/slapd.d'
+tgt_ldif="${conf_dir}/cn=config.ldif"
+if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
+then
+	exit 0
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+    /usr/bin/systemctl is-active --quiet slapd.service
+    slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+    echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
+    exit 1
+fi
+
+# Remove the module path.
+sed -n -i '/olcModulePath/!p'  ${tgt_ldif}
+
+res=$?
+
+if [ $res -ne 0 ]
+then
+    echo "Failed to remove olcModulePath in ${tgt_ldif}"
+    exit 1
+else
+    do_update_crc ${tgt_ldif}
+    echo "Updated crc of ${tgt_ldif}"
+fi
+
+
+
+

openldap2.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Oct 27 01:01:54 UTC 2020 - William Brown <william.brown@suse.com>
+
+- bsc#1175568 CVE-2020-8027
+  openldap_update_modules_path.sh has a number of issues in it's
+  design that lead to security issues. This file has been removed,
+  from the package, and the %post execution of the install. The
+  function is replaced by /usr/sbin/slapd-ldif-update-crc and
+  /usr/lib/openldap/fixup-modulepath, through the addition of the
+  source files:
+  * fixup-modulepath.sh
+  * slapd-ldif-update-crc.sh
+  * update-crc.sh
+
 -------------------------------------------------------------------
 Mon Oct 26 21:48:45 UTC 2020 - Michael Ströder <michael@stroeder.com>
 

openldap2.spec

@@ -47,9 +47,11 @@ Source12:       slapd.conf.example
 Source13:       start
 Source14:       slapd.service
 Source16:       sysconfig.openldap
-Source17:       openldap_update_modules_path.sh
 Source18:       openldap2.conf
 Source19:       ldap-user.conf
+Source20:       fixup-modulepath.sh
+Source21:       slapd-ldif-update-crc.sh
+Source22:       update-crc.sh
 Patch1:         0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
 Patch3:         0003-LDAPI-socket-location.dif
 Patch5:         0005-pie-compile.dif
@@ -80,6 +82,7 @@ BuildRequires:  pkgconfig(systemd)
 %if %{suse_version} < 1500
 %{?systemd_requires}
 %endif
+Requires:       gawk
 Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl
 Conflicts:      openldap
@@ -358,12 +361,15 @@ install -m 755 -d %{buildroot}/var/lib/ldap
 chmod a+x %{buildroot}%{_libdir}/liblber.so*
 chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
 install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
-install -m 755 %{SOURCE17} %{buildroot}%{_sbindir}
 mkdir -p  %{buildroot}%{_tmpfilesdir}/
 install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
 
+install -m 755 %{SOURCE19}  ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
+install -m 755 %{SOURCE20}  ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
+install -m 755 %{SOURCE21}  ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
+
 # Install ppolicy check module
 make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
 install -m 0644 %{S:202}  %{buildroot}%{_sysconfdir}/openldap/check_password.conf
@@ -433,9 +439,6 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
 %service_add_pre slapd.service
 
 %post
-if [ ${1:-0} -gt 1 ] && [ ! -f /var/adm/openldap_modules_path_updated ] ; then
-    /usr/sbin/openldap_update_modules_path.sh
-fi
 %{fillup_only -n openldap ldap}
 %tmpfiles_create %{name}.conf
 %service_add_post slapd.service
@@ -468,7 +471,6 @@ fi
 %{_fillupdir}/sysconfig.openldap
 %{_sbindir}/slap*
 %{_sbindir}/rcslapd
-%{_sbindir}/openldap_update_modules_path.sh
 %{_libdir}/openldap/back_bdb*
 %{_libdir}/openldap/back_hdb*
 %{_libdir}/openldap/back_ldap*
@@ -498,6 +500,8 @@ fi
 %{_libdir}/openldap/valsort*
 %{_libdir}/slapd
 /usr/lib/openldap/start
+/usr/lib/openldap/update-crc
+/usr/lib/openldap/fixup-modulepath
 %{_unitdir}/slapd.service
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/ldap-user.conf

openldap_update_modules_path.sh

@@ -1,150 +0,0 @@
-#!/bin/bash
-# This script has been created to update the OpenLDAP modules path in cn=config
-# For details of changing the configuration items' location read these:
-# https://www.openldap.org/lists/openldap-software/200812/msg00080.html
-# This script writes over the config entry of backend databases location, which files are necessary to run LDAP. The procedure has been created upon this description:
-# https://serverfault.com/questions/863274/modify-openldap-cn-config-without-slapd-running
-
-# Author: Zsolt KALMAR (SUSE Linux GmbH) zkalmar@suse.com
-
-# define variables
-conf_dir='/etc/openldap/slapd.d'
-if [ ! -d ${conf_dir} ] || [ ! -f ${conf_dir}/cn=config.ldif ]
-then
-	exit 0
-fi
-
-
-tmp_file='/tmp/ldap_conf_tmp.ldif'
-backup='/tmp/slapd.d'
-res=0
-
-# common functions
-create_symlinks () {
-if [ ! -f /usr/lib/openldap/back_bdb.so ]; then ln -s /usr/lib64/openldap/back_bdb.so /usr/lib/openldap/back_bdb.so; fi
-if [ ! -f /usr/lib/openldap/back_hdb.so ]; then ln -s /usr/lib64/openldap/back_hdb.so /usr/lib/openldap/back_hdb.so; fi
-if [ ! -f /usr/lib/openldap/back_mdb.so ]; then ln -s /usr/lib64/openldap/back_mdb.so /usr/lib/openldap/back_mdb.so; fi
-if [ ! -f /usr/lib/openldap/syncprov.so ]; then ln -s /usr/lib64/openldap/syncprov.so /usr/lib/openldap/syncprov.so; fi
-#logger -p user.info "Update openLDAP: symlinks have been created."
-}
-
-cleanup () {
-rm -f /usr/lib/openldap/back_bdb.so
-rm -f /usr/lib/openldap/back_hdb.so
-rm -f /usr/lib/openldap/back_mdb.so
-rm -f /usr/lib/openldap/syncprov.so
-rm -f ${tmp_file}
-#logger -p user.info "Update openLDAP: symlinks have been removed."
-}
-
-rm -f ${tmp_file}
-
-# Check if the configuration is containing the inappropriate entry
-create_symlinks
-res=0
-if [ -f /usr/sbin/slapcat ]
-then
-    /usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
-    res=$?
-fi
-
-if [ $res -ne 0 ]
-then
-    #logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed during the search of faulty openLDAP entry."
-    exit 1
-#else
-    #logger -p user.info "LDAP Update script: ${tmp_file} has been created."
-fi
-
-entry_cnt=`cat ${tmp_file} | grep ^[^#\;] | grep olcModulePath | wc -l`
-
-if [ $entry_cnt -eq 0 ]
-then
-    #logger -p user.info "LDAP Update script: The current LDAP configuration does not contain the wrong item. Stop applying this script. Bye."
-    cleanup
-    exit 0
-fi
-
-rm -rf ${tmp_file}
-
-# Make sure the LDAP is not running:
-/usr/bin/systemctl stop slapd.service
-#logger -p user.info "LDAP Update script: openLDAP has been stopped."
-
-# Creating symlinks for the modules required for the slapcat and slapadd
-create_symlinks
-
-# Export the config to a text
-res=0
-if [ -f /usr/sbin/slapcat ]
-then
-    /usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
-    res=$?
-fi
-
-if [ $res -ne 0 ]
-then
-    #logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed."
-    cleanup
-    exit 1
-fi
-
-# Create a backup of LDAP config
-mkdir ${backup}
-cp -r ${conf_dir}/* ${backup}/
-res=$?
-
-if [ $res -ne 0 ]
-then
-    #logger -p user.error "LDAP Update script: Backing up ${conf_dir} has failed."
-    exit 1
-#else
-    #logger -p user.info "LDAP Update script: Back up has been created of openLDAP configuration."
-fi
-
-# Remove the configuration item "olcModulePath"
-sed -n -i '/olcModulePath/!p'  ${tmp_file}
-res=$?
-
-if [ $res -ne 0 ]
-then
-    #logger -p user.error "LDAP Update script: Removing of entry in ${tmp_file} has failed."
-    exit 1
-#else
-    #logger -p user.info "LDAP Update script: olcModulesPath entry has been removed."
-fi
-
-# Remove the current configuration
-rm -rf ${conf_dir}/*
-
-# Load the modified configuration
-/usr/sbin/slapadd -n0 -F ${conf_dir} -l ${tmp_file}
-res=$?
-
-# Catch result code of slapadd
-if [ $res -ne 0 ]
-then
-    #logger -p user.error "LDAP Update script: Implementing new configuration has failed."
-    exit 1
-else
-    #logger -p user.info "LDAP Update script: Implementing new configuration has been succeeded."
-    cleanup
-fi
-
-# Start the SLAPD with the new configuration
-/usr/bin/systemctl start slapd.service
-res=$?
-
-if [ $res -ne 0 ]
-then
- #logger -p user.error "LDAP Update script: Starting updated LDAP server has been failed."
-    exit 1
-else
-    #logger -p user.info "LDAP Update script: Updated LDAP server has been successfully started."
-    # Remove backups
-    rm -rf ${backup}
-    rm -rf ${tmp_file}
-    # Create "/var/adm/openldap_update_modules"
-    touch /var/adm/openldap_update_modules
-    exit 0
-fi

slapd-ldif-update-crc.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+source /usr/lib/openldap/update-crc
+
+if [ -z ${1} ]; then
+    echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
+    exit 1
+fi
+
+if [ ! -f "${1}" ]; then
+    echo "File ${1} does not exist?"
+    echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
+    exit 1
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+    /usr/bin/systemctl is-active --quiet slapd.service
+    slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+    echo "Unable to update crc of '${1}' while slapd.service is running ..."
+    exit 1
+fi
+
+do_update_crc ${1}
+
+echo "Updated crc of ${1}"
+

update-crc.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+
+do_update_crc () {
+    if [ -z ${1} ]; then
+        echo "Invalid call to do_update_crc() - no filename provided"
+        exit 1
+    fi
+    
+    tgt_ldif=$1
+    
+    if [ ! -f "${tgt_ldif}" ]; then
+        echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
+        exit 1
+    fi
+    
+    rm -f "${tgt_ldif}.crcbak"
+    mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
+    
+    /usr/bin/awk '
+BEGIN {
+    # CRC-32 ZIP polynomial in reversed bit order.
+    POLY = 0xedb88320
+
+    # 8-bit character -> ordinal table.
+    for (i = 0; i < 256; i++)
+        ORD[sprintf("%c", i)] = i
+}
+
+{
+    # Remember each input line.
+    input[NR] = $0
+
+    # Verify the file header.
+    if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
+        exit 1
+    if (NR == 2 && $0 !~ /# CRC32 ......../)
+        exit 1
+}
+
+# Calculate CRC-32.
+function crc32(crc, string,    i, j, c) {
+    crc = and(compl(crc), 0xffffffff)
+    for (i = 1; i <= length(string); i++) {
+        c = substr(string, i, 1)
+        crc = xor(crc, ORD[c])
+        for (j = 0; j < 8; j++)
+            crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
+    }
+    crc = and(compl(crc), 0xffffffff)
+    return crc
+}
+
+END {
+    # Calculate CRC-32 of the file and update it in the header.
+    crc = 0
+    for (i = 3; i <= length(input); i++)
+        crc = crc32(crc, input[i] "\n")
+    input[2] = "# CRC32 " sprintf("%08x", crc)
+
+    # Print the output.
+    for (i = 1; i <= length(input); i++)
+        print input[i]
+}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
+
+}
+