Accepting request 844183 from home:firstyear:branches:network:ldap
- bsc#1175568 CVE-2020-8027 openldap_update_modules_path.sh has a number of issues in its design that lead to security issues. This file has been removed from the package and from the %post execution of the install. The function is replaced by /usr/sbin/slapd-ldif-update-crc and /usr/lib/openldap/fixup-modulepath, through the addition of the source files: * fixup-modulepath.sh * slapd-ldif-update-crc.sh * update-crc.sh OBS-URL: https://build.opensuse.org/request/show/844183 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=278
This commit is contained in:
parent
fc56a37d6c
commit
617ae2b561
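--- a/fixup-modulepath.sh
+++ b/fixup-modulepath.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+source /usr/lib/openldap/update-crc
+
+conf_dir='/etc/openldap/slapd.d'
+tgt_ldif="${conf_dir}/cn=config.ldif"
+if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
+then
+exit 0
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+/usr/bin/systemctl is-active --quiet slapd.service
+slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
+exit 1
+fi
+
+# Remove the module path.
+sed -n -i '/olcModulePath/!p' ${tgt_ldif}
+
+res=$?
+
+if [ $res -ne 0 ]
+then
+echo "Failed to remove olcModulePath in ${tgt_ldif}"
+exit 1
+else
+do_update_crc ${tgt_ldif}
+echo "Updated crc of ${tgt_ldif}"
+fi
+
+
+
+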
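Review bot: The `sed -n -i '/olcModulePath/!p' ${tgt_ldif}` line rewrites `cn=config.ldif` in place and deletes every line that merely contains the string `olcModulePath`, and the path is expanded unquoted there, in the `-f` test and in the `do_update_crc` call. Anchoring the pattern to the attribute and quoting the expansions keeps an unrelated value from being dropped: `sed -i '/^olcModulePath:/d' "${tgt_ldif}"` and `do_update_crc "${tgt_ldif}"`. The script also prints `Updated crc of ...` without looking at do_update_crc's status, so a failed CRC rewrite is reported as success; `do_update_crc "${tgt_ldif}" || exit 1` before the echo would surface it. A header comment stating that this is a root-run, one-shot fixup to be used only while slapd is stopped would help, since the script sets neither `-e` nor `-u` and its only guard is the systemctl check.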
@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 27 01:01:54 UTC 2020 - William Brown <william.brown@suse.com>
|
||||
|
||||
- bsc#1175568 CVE-2020-8027
|
||||
openldap_update_modules_path.sh has a number of issues in it's
|
||||
design that lead to security issues. This file has been removed,
|
||||
from the package, and the %post execution of the install. The
|
||||
function is replaced by /usr/sbin/slapd-ldif-update-crc and
|
||||
/usr/lib/openldap/fixup-modulepath, through the addition of the
|
||||
source files:
|
||||
* fixup-modulepath.sh
|
||||
* slapd-ldif-update-crc.sh
|
||||
* update-crc.sh
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 26 21:48:45 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||||
|
||||
|
@ -47,9 +47,11 @@ Source12: slapd.conf.example
|
||||
Source13: start
|
||||
Source14: slapd.service
|
||||
Source16: sysconfig.openldap
|
||||
Source17: openldap_update_modules_path.sh
|
||||
Source18: openldap2.conf
|
||||
Source19: ldap-user.conf
|
||||
Source20: fixup-modulepath.sh
|
||||
Source21: slapd-ldif-update-crc.sh
|
||||
Source22: update-crc.sh
|
||||
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
|
||||
Patch3: 0003-LDAPI-socket-location.dif
|
||||
Patch5: 0005-pie-compile.dif
|
||||
@ -80,6 +82,7 @@ BuildRequires: pkgconfig(systemd)
|
||||
%if %{suse_version} < 1500
|
||||
%{?systemd_requires}
|
||||
%endif
|
||||
Requires: gawk
|
||||
Requires: libldap-2_4-2 = %{version_main}
|
||||
Recommends: cyrus-sasl
|
||||
Conflicts: openldap
|
||||
@ -358,12 +361,15 @@ install -m 755 -d %{buildroot}/var/lib/ldap
|
||||
chmod a+x %{buildroot}%{_libdir}/liblber.so*
|
||||
chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
|
||||
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
|
||||
install -m 755 %{SOURCE17} %{buildroot}%{_sbindir}
|
||||
mkdir -p %{buildroot}%{_tmpfilesdir}/
|
||||
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
|
||||
mkdir -p %{buildroot}%{_sysusersdir}
|
||||
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
|
||||
|
||||
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
|
||||
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
|
||||
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
|
||||
|
||||
# Install ppolicy check module
|
||||
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
|
||||
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
|
||||
@ -433,9 +439,6 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
|
||||
%service_add_pre slapd.service
|
||||
|
||||
%post
|
||||
if [ ${1:-0} -gt 1 ] && [ ! -f /var/adm/openldap_modules_path_updated ] ; then
|
||||
/usr/sbin/openldap_update_modules_path.sh
|
||||
fi
|
||||
%{fillup_only -n openldap ldap}
|
||||
%tmpfiles_create %{name}.conf
|
||||
%service_add_post slapd.service
|
||||
@ -468,7 +471,6 @@ fi
|
||||
%{_fillupdir}/sysconfig.openldap
|
||||
%{_sbindir}/slap*
|
||||
%{_sbindir}/rcslapd
|
||||
%{_sbindir}/openldap_update_modules_path.sh
|
||||
%{_libdir}/openldap/back_bdb*
|
||||
%{_libdir}/openldap/back_hdb*
|
||||
%{_libdir}/openldap/back_ldap*
|
||||
@ -498,6 +500,8 @@ fi
|
||||
%{_libdir}/openldap/valsort*
|
||||
%{_libdir}/slapd
|
||||
/usr/lib/openldap/start
|
||||
/usr/lib/openldap/update-crc
|
||||
/usr/lib/openldap/fixup-modulepath
|
||||
%{_unitdir}/slapd.service
|
||||
%{_tmpfilesdir}/%{name}.conf
|
||||
%{_sysusersdir}/ldap-user.conf
|
||||
|
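Review bot: In the `@@ -358,12 +361,15 @@` hunk the three new `install` lines reference `%{SOURCE19}`, `%{SOURCE20}` and `%{SOURCE21}`, but the `Source` declarations earlier in this file bind ldap-user.conf to 19 and the new scripts to 20, 21 and 22, so fixup-modulepath would be installed from ldap-user.conf and `/usr/lib/openldap/update-crc` from slapd-ldif-update-crc.sh, which itself `source`s update-crc. The lines should read `install -m 755 %{SOURCE20} %{buildroot}/usr/lib/openldap/fixup-modulepath`, `install -m 755 %{SOURCE21} %{buildroot}%{_sbindir}/slapd-ldif-update-crc` and `install -m 755 %{SOURCE22} %{buildroot}/usr/lib/openldap/update-crc`. Using `%{buildroot}` there also matches the surrounding lines instead of `${RPM_BUILD_ROOT}` and drops the doubled slash in `${RPM_BUILD_ROOT}/%{_sbindir}`. The rendered page carries no +/- markers, so which lines of that hunk are new is inferred from the hunk counts and the commit description.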
@ -1,150 +0,0 @@
|
||||
#!/bin/bash
|
||||
# This script has been created to update the OpenLDAP modules path in cn=config
|
||||
# For details of changing the configuration items' location read these:
|
||||
# https://www.openldap.org/lists/openldap-software/200812/msg00080.html
|
||||
# This script writes over the config entry of backend databases location, which files are necessary to run LDAP. The procedure has been created upon this description:
|
||||
# https://serverfault.com/questions/863274/modify-openldap-cn-config-without-slapd-running
|
||||
|
||||
# Author: Zsolt KALMAR (SUSE Linux GmbH) zkalmar@suse.com
|
||||
|
||||
# define variables
|
||||
conf_dir='/etc/openldap/slapd.d'
|
||||
if [ ! -d ${conf_dir} ] || [ ! -f ${conf_dir}/cn=config.ldif ]
|
||||
then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
|
||||
tmp_file='/tmp/ldap_conf_tmp.ldif'
|
||||
backup='/tmp/slapd.d'
|
||||
res=0
|
||||
|
||||
# common functions
|
||||
create_symlinks () {
|
||||
if [ ! -f /usr/lib/openldap/back_bdb.so ]; then ln -s /usr/lib64/openldap/back_bdb.so /usr/lib/openldap/back_bdb.so; fi
|
||||
if [ ! -f /usr/lib/openldap/back_hdb.so ]; then ln -s /usr/lib64/openldap/back_hdb.so /usr/lib/openldap/back_hdb.so; fi
|
||||
if [ ! -f /usr/lib/openldap/back_mdb.so ]; then ln -s /usr/lib64/openldap/back_mdb.so /usr/lib/openldap/back_mdb.so; fi
|
||||
if [ ! -f /usr/lib/openldap/syncprov.so ]; then ln -s /usr/lib64/openldap/syncprov.so /usr/lib/openldap/syncprov.so; fi
|
||||
#logger -p user.info "Update openLDAP: symlinks have been created."
|
||||
}
|
||||
|
||||
cleanup () {
|
||||
rm -f /usr/lib/openldap/back_bdb.so
|
||||
rm -f /usr/lib/openldap/back_hdb.so
|
||||
rm -f /usr/lib/openldap/back_mdb.so
|
||||
rm -f /usr/lib/openldap/syncprov.so
|
||||
rm -f ${tmp_file}
|
||||
#logger -p user.info "Update openLDAP: symlinks have been removed."
|
||||
}
|
||||
|
||||
rm -f ${tmp_file}
|
||||
|
||||
# Check if the configuration is containing the inappropriate entry
|
||||
create_symlinks
|
||||
res=0
|
||||
if [ -f /usr/sbin/slapcat ]
|
||||
then
|
||||
/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
|
||||
res=$?
|
||||
fi
|
||||
|
||||
if [ $res -ne 0 ]
|
||||
then
|
||||
#logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed during the search of faulty openLDAP entry."
|
||||
exit 1
|
||||
#else
|
||||
#logger -p user.info "LDAP Update script: ${tmp_file} has been created."
|
||||
fi
|
||||
|
||||
entry_cnt=`cat ${tmp_file} | grep ^[^#\;] | grep olcModulePath | wc -l`
|
||||
|
||||
if [ $entry_cnt -eq 0 ]
|
||||
then
|
||||
#logger -p user.info "LDAP Update script: The current LDAP configuration does not contain the wrong item. Stop applying this script. Bye."
|
||||
cleanup
|
||||
exit 0
|
||||
fi
|
||||
|
||||
rm -rf ${tmp_file}
|
||||
|
||||
# Make sure the LDAP is not running:
|
||||
/usr/bin/systemctl stop slapd.service
|
||||
#logger -p user.info "LDAP Update script: openLDAP has been stopped."
|
||||
|
||||
# Creating symlinks for the modules required for the slapcat and slapadd
|
||||
create_symlinks
|
||||
|
||||
# Export the config to a text
|
||||
res=0
|
||||
if [ -f /usr/sbin/slapcat ]
|
||||
then
|
||||
/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
|
||||
res=$?
|
||||
fi
|
||||
|
||||
if [ $res -ne 0 ]
|
||||
then
|
||||
#logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed."
|
||||
cleanup
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create a backup of LDAP config
|
||||
mkdir ${backup}
|
||||
cp -r ${conf_dir}/* ${backup}/
|
||||
res=$?
|
||||
|
||||
if [ $res -ne 0 ]
|
||||
then
|
||||
#logger -p user.error "LDAP Update script: Backing up ${conf_dir} has failed."
|
||||
exit 1
|
||||
#else
|
||||
#logger -p user.info "LDAP Update script: Back up has been created of openLDAP configuration."
|
||||
fi
|
||||
|
||||
# Remove the configuration item "olcModulePath"
|
||||
sed -n -i '/olcModulePath/!p' ${tmp_file}
|
||||
res=$?
|
||||
|
||||
if [ $res -ne 0 ]
|
||||
then
|
||||
#logger -p user.error "LDAP Update script: Removing of entry in ${tmp_file} has failed."
|
||||
exit 1
|
||||
#else
|
||||
#logger -p user.info "LDAP Update script: olcModulesPath entry has been removed."
|
||||
fi
|
||||
|
||||
# Remove the current configuration
|
||||
rm -rf ${conf_dir}/*
|
||||
|
||||
# Load the modified configuration
|
||||
/usr/sbin/slapadd -n0 -F ${conf_dir} -l ${tmp_file}
|
||||
res=$?
|
||||
|
||||
# Catch result code of slapadd
|
||||
if [ $res -ne 0 ]
|
||||
then
|
||||
#logger -p user.error "LDAP Update script: Implementing new configuration has failed."
|
||||
exit 1
|
||||
else
|
||||
#logger -p user.info "LDAP Update script: Implementing new configuration has been succeeded."
|
||||
cleanup
|
||||
fi
|
||||
|
||||
# Start the SLAPD with the new configuration
|
||||
/usr/bin/systemctl start slapd.service
|
||||
res=$?
|
||||
|
||||
if [ $res -ne 0 ]
|
||||
then
|
||||
#logger -p user.error "LDAP Update script: Starting updated LDAP server has been failed."
|
||||
exit 1
|
||||
else
|
||||
#logger -p user.info "LDAP Update script: Updated LDAP server has been successfully started."
|
||||
# Remove backups
|
||||
rm -rf ${backup}
|
||||
rm -rf ${tmp_file}
|
||||
# Create "/var/adm/openldap_update_modules"
|
||||
touch /var/adm/openldap_update_modules
|
||||
exit 0
|
||||
fi
|
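--- a/slapd-ldif-update-crc.sh
+++ b/slapd-ldif-update-crc.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+source /usr/lib/openldap/update-crc
+
+if [ -z ${1} ]; then
+echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
+exit 1
+fi
+
+if [ ! -f "${1}" ]; then
+echo "File ${1} does not exist?"
+echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
+exit 1
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+/usr/bin/systemctl is-active --quiet slapd.service
+slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+echo "Unable to update crc of '${1}' while slapd.service is running ..."
+exit 1
+fi
+
+do_update_crc ${1}
+
+echo "Updated crc of ${1}"
+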
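Review bot: `if [ -z ${1} ]` and `do_update_crc ${1}` expand the argument unquoted, so a path containing whitespace breaks the test and is split into several arguments to do_update_crc; use `[ -z "${1}" ]` and `do_update_crc "${1}"`. The closing `echo "Updated crc of ${1}"` runs regardless of do_update_crc's result, so a failed rewrite is reported as success; `do_update_crc "${1}" || exit 1` keeps the message honest. The usage and error messages belong on stderr (`>&2`), and a short header comment saying this is a root-run maintenance tool to be used only while slapd is stopped would help, as the systemctl check is the only guard and it is skipped when `/usr/bin/systemctl` is absent.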
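--- a/update-crc.sh
+++ b/update-crc.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+
+do_update_crc () {
+if [ -z ${1} ]; then
+echo "Invalid call to do_update_crc() - no filename provided"
+exit 1
+fi
+
+tgt_ldif=$1
+
+if [ ! -f "${tgt_ldif}" ]; then
+echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
+exit 1
+fi
+
+rm -f "${tgt_ldif}.crcbak"
+mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
+
+/usr/bin/awk '
+BEGIN {
+# CRC-32 ZIP polynomial in reversed bit order.
+POLY = 0xedb88320
+
+# 8-bit character -> ordinal table.
+for (i = 0; i < 256; i++)
+ORD[sprintf("%c", i)] = i
+}
+
+{
+# Remember each input line.
+input[NR] = $0
+
+# Verify the file header.
+if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
+exit 1
+if (NR == 2 && $0 !~ /# CRC32 ......../)
+exit 1
+}
+
+# Calculate CRC-32.
+function crc32(crc, string, i, j, c) {
+crc = and(compl(crc), 0xffffffff)
+for (i = 1; i <= length(string); i++) {
+c = substr(string, i, 1)
+crc = xor(crc, ORD[c])
+for (j = 0; j < 8; j++)
+crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
+}
+crc = and(compl(crc), 0xffffffff)
+return crc
+}
+
+END {
+# Calculate CRC-32 of the file and update it in the header.
+crc = 0
+for (i = 3; i <= length(input); i++)
+crc = crc32(crc, input[i] "\n")
+input[2] = "# CRC32 " sprintf("%08x", crc)
+
+# Print the output.
+for (i = 1; i <= length(input); i++)
+print input[i]
+}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
+
+}
+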
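Review bot: `do_update_crc` never checks awk's exit status, and the `> "${tgt_ldif}"` redirection has already replaced the config file by the time awk runs, so when a header check fails (an `exit 1` inside a rule still runs the END block in awk) the target is left holding at most the two header lines while the real content sits in `.crcbak`, and both callers go on to print `Updated crc`. The recreated file also takes the caller's umask and user rather than the original file's mode and owner, and `tgt_ldif` is not `local`, so it leaks into the sourcing script. Writing to a temporary file beside the target, copying mode and owner from the original, and renaming over it only on success keeps the config intact on failure; the awk program itself is unchanged. Running awk under `LC_ALL=C` is worth considering too, since in a UTF-8 locale gawk's `%c` and `substr` operate on characters rather than bytes, which may change the CRC for non-ASCII content — to be confirmed against slapd's own CRC check.
```shell
do_update_crc () {
    # … unchanged: argument check …
    local tgt_ldif=$1
    # … unchanged: existence check …

    local tmp_out
    tmp_out=$(mktemp "${tgt_ldif}.XXXXXX") || exit 1
    # Keep the original file's mode and owner on the rewritten copy.
    chmod --reference="${tgt_ldif}" "${tmp_out}"
    chown --reference="${tgt_ldif}" "${tmp_out}"

    rm -f "${tgt_ldif}.crcbak"
    cp -p "${tgt_ldif}" "${tgt_ldif}.crcbak"

    if ! LC_ALL=C /usr/bin/awk '
    # … unchanged: awk program …
    ' "${tgt_ldif}.crcbak" > "${tmp_out}"; then
        echo "do_update_crc: unexpected header in ${tgt_ldif}, leaving it unchanged" >&2
        rm -f "${tmp_out}"
        exit 1
    fi
    mv -f "${tmp_out}" "${tgt_ldif}"
}
```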