Accepting request 844183 from home:firstyear:branches:network:ldap

- bsc#1175568 CVE-2020-8027
  openldap_update_modules_path.sh has a number of issues in it's
  design that lead to security issues. This file has been removed,
  from the package, and the %post execution of the install. The
  function is replaced by /usr/sbin/slapd-ldif-update-crc and
  /usr/lib/openldap/fixup-modulepath, through the addition of the
  source files:
  * fixup-modulepath.sh
  * slapd-ldif-update-crc.sh
  * update-crc.sh

OBS-URL: https://build.opensuse.org/request/show/844183
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=278
This commit is contained in:
Michael Ströder 2020-10-27 01:14:55 +00:00 committed by Git OBS Bridge
parent fc56a37d6c
commit 617ae2b561
6 changed files with 166 additions and 156 deletions

42
fixup-modulepath.sh Normal file
View File

@ -0,0 +1,42 @@
#!/bin/bash
source /usr/lib/openldap/update-crc
conf_dir='/etc/openldap/slapd.d'
tgt_ldif="${conf_dir}/cn=config.ldif"
if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
then
exit 0
fi
# Make sure slapd.service is not running.
slapd_running=1
# Don't check if no systemd, we could be in a container.
if [ -f "/usr/bin/systemctl" ]; then
/usr/bin/systemctl is-active --quiet slapd.service
slapd_running=$?
fi
if [ $slapd_running -eq 0 ]; then
echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
exit 1
fi
# Remove the module path.
sed -n -i '/olcModulePath/!p' ${tgt_ldif}
res=$?
if [ $res -ne 0 ]
then
echo "Failed to remove olcModulePath in ${tgt_ldif}"
exit 1
else
do_update_crc ${tgt_ldif}
echo "Updated crc of ${tgt_ldif}"
fi

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Oct 27 01:01:54 UTC 2020 - William Brown <william.brown@suse.com>
- bsc#1175568 CVE-2020-8027
openldap_update_modules_path.sh has a number of issues in it's
design that lead to security issues. This file has been removed,
from the package, and the %post execution of the install. The
function is replaced by /usr/sbin/slapd-ldif-update-crc and
/usr/lib/openldap/fixup-modulepath, through the addition of the
source files:
* fixup-modulepath.sh
* slapd-ldif-update-crc.sh
* update-crc.sh
-------------------------------------------------------------------
Mon Oct 26 21:48:45 UTC 2020 - Michael Ströder <michael@stroeder.com>

View File

@ -47,9 +47,11 @@ Source12: slapd.conf.example
Source13: start
Source14: slapd.service
Source16: sysconfig.openldap
Source17: openldap_update_modules_path.sh
Source18: openldap2.conf
Source19: ldap-user.conf
Source20: fixup-modulepath.sh
Source21: slapd-ldif-update-crc.sh
Source22: update-crc.sh
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Patch3: 0003-LDAPI-socket-location.dif
Patch5: 0005-pie-compile.dif
@ -80,6 +82,7 @@ BuildRequires: pkgconfig(systemd)
%if %{suse_version} < 1500
%{?systemd_requires}
%endif
Requires: gawk
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl
Conflicts: openldap
@ -358,12 +361,15 @@ install -m 755 -d %{buildroot}/var/lib/ldap
chmod a+x %{buildroot}%{_libdir}/liblber.so*
chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
install -m 755 %{SOURCE17} %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
# Install ppolicy check module
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
@ -433,9 +439,6 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
%service_add_pre slapd.service
%post
if [ ${1:-0} -gt 1 ] && [ ! -f /var/adm/openldap_modules_path_updated ] ; then
/usr/sbin/openldap_update_modules_path.sh
fi
%{fillup_only -n openldap ldap}
%tmpfiles_create %{name}.conf
%service_add_post slapd.service
@ -468,7 +471,6 @@ fi
%{_fillupdir}/sysconfig.openldap
%{_sbindir}/slap*
%{_sbindir}/rcslapd
%{_sbindir}/openldap_update_modules_path.sh
%{_libdir}/openldap/back_bdb*
%{_libdir}/openldap/back_hdb*
%{_libdir}/openldap/back_ldap*
@ -498,6 +500,8 @@ fi
%{_libdir}/openldap/valsort*
%{_libdir}/slapd
/usr/lib/openldap/start
/usr/lib/openldap/update-crc
/usr/lib/openldap/fixup-modulepath
%{_unitdir}/slapd.service
%{_tmpfilesdir}/%{name}.conf
%{_sysusersdir}/ldap-user.conf

View File

@ -1,150 +0,0 @@
#!/bin/bash
# This script has been created to update the OpenLDAP modules path in cn=config
# For details of changing the configuration items' location read these:
# https://www.openldap.org/lists/openldap-software/200812/msg00080.html
# This script writes over the config entry of backend databases location, which files are necessary to run LDAP. The procedure has been created upon this description:
# https://serverfault.com/questions/863274/modify-openldap-cn-config-without-slapd-running
# Author: Zsolt KALMAR (SUSE Linux GmbH) zkalmar@suse.com
# define variables
conf_dir='/etc/openldap/slapd.d'
if [ ! -d ${conf_dir} ] || [ ! -f ${conf_dir}/cn=config.ldif ]
then
exit 0
fi
tmp_file='/tmp/ldap_conf_tmp.ldif'
backup='/tmp/slapd.d'
res=0
# common functions
create_symlinks () {
if [ ! -f /usr/lib/openldap/back_bdb.so ]; then ln -s /usr/lib64/openldap/back_bdb.so /usr/lib/openldap/back_bdb.so; fi
if [ ! -f /usr/lib/openldap/back_hdb.so ]; then ln -s /usr/lib64/openldap/back_hdb.so /usr/lib/openldap/back_hdb.so; fi
if [ ! -f /usr/lib/openldap/back_mdb.so ]; then ln -s /usr/lib64/openldap/back_mdb.so /usr/lib/openldap/back_mdb.so; fi
if [ ! -f /usr/lib/openldap/syncprov.so ]; then ln -s /usr/lib64/openldap/syncprov.so /usr/lib/openldap/syncprov.so; fi
#logger -p user.info "Update openLDAP: symlinks have been created."
}
cleanup () {
rm -f /usr/lib/openldap/back_bdb.so
rm -f /usr/lib/openldap/back_hdb.so
rm -f /usr/lib/openldap/back_mdb.so
rm -f /usr/lib/openldap/syncprov.so
rm -f ${tmp_file}
#logger -p user.info "Update openLDAP: symlinks have been removed."
}
rm -f ${tmp_file}
# Check if the configuration is containing the inappropriate entry
create_symlinks
res=0
if [ -f /usr/sbin/slapcat ]
then
/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
res=$?
fi
if [ $res -ne 0 ]
then
#logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed during the search of faulty openLDAP entry."
exit 1
#else
#logger -p user.info "LDAP Update script: ${tmp_file} has been created."
fi
entry_cnt=`cat ${tmp_file} | grep ^[^#\;] | grep olcModulePath | wc -l`
if [ $entry_cnt -eq 0 ]
then
#logger -p user.info "LDAP Update script: The current LDAP configuration does not contain the wrong item. Stop applying this script. Bye."
cleanup
exit 0
fi
rm -rf ${tmp_file}
# Make sure the LDAP is not running:
/usr/bin/systemctl stop slapd.service
#logger -p user.info "LDAP Update script: openLDAP has been stopped."
# Creating symlinks for the modules required for the slapcat and slapadd
create_symlinks
# Export the config to a text
res=0
if [ -f /usr/sbin/slapcat ]
then
/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
res=$?
fi
if [ $res -ne 0 ]
then
#logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed."
cleanup
exit 1
fi
# Create a backup of LDAP config
mkdir ${backup}
cp -r ${conf_dir}/* ${backup}/
res=$?
if [ $res -ne 0 ]
then
#logger -p user.error "LDAP Update script: Backing up ${conf_dir} has failed."
exit 1
#else
#logger -p user.info "LDAP Update script: Back up has been created of openLDAP configuration."
fi
# Remove the configuration item "olcModulePath"
sed -n -i '/olcModulePath/!p' ${tmp_file}
res=$?
if [ $res -ne 0 ]
then
#logger -p user.error "LDAP Update script: Removing of entry in ${tmp_file} has failed."
exit 1
#else
#logger -p user.info "LDAP Update script: olcModulesPath entry has been removed."
fi
# Remove the current configuration
rm -rf ${conf_dir}/*
# Load the modified configuration
/usr/sbin/slapadd -n0 -F ${conf_dir} -l ${tmp_file}
res=$?
# Catch result code of slapadd
if [ $res -ne 0 ]
then
#logger -p user.error "LDAP Update script: Implementing new configuration has failed."
exit 1
else
#logger -p user.info "LDAP Update script: Implementing new configuration has been succeeded."
cleanup
fi
# Start the SLAPD with the new configuration
/usr/bin/systemctl start slapd.service
res=$?
if [ $res -ne 0 ]
then
#logger -p user.error "LDAP Update script: Starting updated LDAP server has been failed."
exit 1
else
#logger -p user.info "LDAP Update script: Updated LDAP server has been successfully started."
# Remove backups
rm -rf ${backup}
rm -rf ${tmp_file}
# Create "/var/adm/openldap_update_modules"
touch /var/adm/openldap_update_modules
exit 0
fi

33
slapd-ldif-update-crc.sh Normal file
View File

@ -0,0 +1,33 @@
#!/bin/bash
# Script to fix the crc of openldap slapd.d ldifs.
source /usr/lib/openldap/update-crc
if [ -z ${1} ]; then
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
exit 1
fi
if [ ! -f "${1}" ]; then
echo "File ${1} does not exist?"
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
exit 1
fi
# Make sure slapd.service is not running.
slapd_running=1
# Don't check if no systemd, we could be in a container.
if [ -f "/usr/bin/systemctl" ]; then
/usr/bin/systemctl is-active --quiet slapd.service
slapd_running=$?
fi
if [ $slapd_running -eq 0 ]; then
echo "Unable to update crc of '${1}' while slapd.service is running ..."
exit 1
fi
do_update_crc ${1}
echo "Updated crc of ${1}"

67
update-crc.sh Normal file
View File

@ -0,0 +1,67 @@
#!/bin/bash
# Script to fix the crc of openldap slapd.d ldifs.
do_update_crc () {
if [ -z ${1} ]; then
echo "Invalid call to do_update_crc() - no filename provided"
exit 1
fi
tgt_ldif=$1
if [ ! -f "${tgt_ldif}" ]; then
echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
exit 1
fi
rm -f "${tgt_ldif}.crcbak"
mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
/usr/bin/awk '
BEGIN {
# CRC-32 ZIP polynomial in reversed bit order.
POLY = 0xedb88320
# 8-bit character -> ordinal table.
for (i = 0; i < 256; i++)
ORD[sprintf("%c", i)] = i
}
{
# Remember each input line.
input[NR] = $0
# Verify the file header.
if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
exit 1
if (NR == 2 && $0 !~ /# CRC32 ......../)
exit 1
}
# Calculate CRC-32.
function crc32(crc, string, i, j, c) {
crc = and(compl(crc), 0xffffffff)
for (i = 1; i <= length(string); i++) {
c = substr(string, i, 1)
crc = xor(crc, ORD[c])
for (j = 0; j < 8; j++)
crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
}
crc = and(compl(crc), 0xffffffff)
return crc
}
END {
# Calculate CRC-32 of the file and update it in the header.
crc = 0
for (i = 3; i <= length(input); i++)
crc = crc32(crc, input[i] "\n")
input[2] = "# CRC32 " sprintf("%08x", crc)
# Print the output.
for (i = 1; i <= length(input); i++)
print input[i]
}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
}