diff --git a/fixup-modulepath.sh b/fixup-modulepath.sh
new file mode 100644
index 0000000..8006f74
--- /dev/null
+++ b/fixup-modulepath.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+source /usr/lib/openldap/update-crc
+
+conf_dir='/etc/openldap/slapd.d'
+tgt_ldif="${conf_dir}/cn=config.ldif"
+if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
+then
+ exit 0
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+ /usr/bin/systemctl is-active --quiet slapd.service
+ slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+ echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
+ exit 1
+fi
+
+# Remove the module path.
+sed -n -i '/olcModulePath/!p' ${tgt_ldif}
+
+res=$?
+
+if [ $res -ne 0 ]
+then
+ echo "Failed to remove olcModulePath in ${tgt_ldif}"
+ exit 1
+else
+ do_update_crc ${tgt_ldif}
+ echo "Updated crc of ${tgt_ldif}"
+fi
+
+
+
diff --git a/openldap2.changes b/openldap2.changes
index 7decb1c..801a5fe 100644
--- a/openldap2.changes
+++ b/openldap2.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Oct 27 01:01:54 UTC 2020 - William Brown
+
+- bsc#1175568 CVE-2020-8027
+ openldap_update_modules_path.sh has a number of issues in it's
+ design that lead to security issues. This file has been removed,
+ from the package, and the %post execution of the install. The
+ function is replaced by /usr/sbin/slapd-ldif-update-crc and
+ /usr/lib/openldap/fixup-modulepath, through the addition of the
+ source files:
+ * fixup-modulepath.sh
+ * slapd-ldif-update-crc.sh
+ * update-crc.sh
+
 -------------------------------------------------------------------
 Mon Oct 26 21:48:45 UTC 2020 - Michael Ströder
diff --git a/openldap2.spec b/openldap2.spec
index 5928759..a0fbbe7 100644
--- a/openldap2.spec
+++ b/openldap2.spec
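Review bot: `sed -n -i '/olcModulePath/!p' ${tgt_ldif}` rewrites cn=config.ldif (and do_update_crc then regenerates it again) even when no olcModulePath line is present, so every run touches the file; a `grep -q olcModulePath "${tgt_ldif}" || exit 0` before the sed would make the script a no-op on an already-fixed configuration. The `${conf_dir}` and `${tgt_ldif}` expansions in the `[ ]` tests, the sed call and `do_update_crc ${tgt_ldif}` are unquoted; the values are fixed here, but quoting them keeps the script safe if the paths are ever parameterised. The sed also drops only the line that contains the attribute name: if the value had been folded onto a continuation line (LDIF wraps long lines with a leading space) that continuation would be left behind and corrupt the entry — probably not the case for a short module path, but a comment stating that assumption would help the next reader.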
@@ -47,9 +47,11 @@ Source12: slapd.conf.example
 Source13: start
 Source14: slapd.service
 Source16: sysconfig.openldap
-Source17: openldap_update_modules_path.sh
 Source18: openldap2.conf
 Source19: ldap-user.conf
+Source20: fixup-modulepath.sh
+Source21: slapd-ldif-update-crc.sh
+Source22: update-crc.sh
 Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
 Patch3: 0003-LDAPI-socket-location.dif
 Patch5: 0005-pie-compile.dif
@@ -80,6 +82,7 @@ BuildRequires: pkgconfig(systemd)
 %if %{suse_version} < 1500
 %{?systemd_requires}
 %endif
+Requires: gawk
 Requires: libldap-2_4-2 = %{version_main}
 Recommends: cyrus-sasl
 Conflicts: openldap
@@ -358,12 +361,15 @@ install -m 755 -d %{buildroot}/var/lib/ldap
 chmod a+x %{buildroot}%{_libdir}/liblber.so*
 chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
 install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
-install -m 755 %{SOURCE17} %{buildroot}%{_sbindir}
 mkdir -p %{buildroot}%{_tmpfilesdir}/
 install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
+install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
+install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
+install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
+
 # Install ppolicy check module
 make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
 install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
@@ -433,9 +439,6 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
 %service_add_pre slapd.service
 %post
-if [ ${1:-0} -gt 1 ] && [ ! -f /var/adm/openldap_modules_path_updated ] ; then
- /usr/sbin/openldap_update_modules_path.sh
-fi
 %{fillup_only -n openldap ldap}
 %tmpfiles_create %{name}.conf
 %service_add_post slapd.service
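Review bot: The three new `install` lines in the `@@ -358,12 +361,15 @@` hunk are off by one against the `Source` definitions added in the `@@ -47,9 +47,11 @@` hunk: `%{SOURCE19}` is ldap-user.conf but is installed as /usr/lib/openldap/fixup-modulepath, `%{SOURCE20}` (fixup-modulepath.sh) lands as `%{_sbindir}/slapd-ldif-update-crc`, and `%{SOURCE21}` (slapd-ldif-update-crc.sh) becomes /usr/lib/openldap/update-crc, so the `source /usr/lib/openldap/update-crc` in both scripts would load the wrong file. They should read `install -m 755 %{SOURCE20} %{buildroot}/usr/lib/openldap/fixup-modulepath`, `install -m 755 %{SOURCE21} %{buildroot}%{_sbindir}/slapd-ldif-update-crc` and `install -m 755 %{SOURCE22} %{buildroot}/usr/lib/openldap/update-crc`. That form also keeps the `%{buildroot}` macro the surrounding lines use instead of `${RPM_BUILD_ROOT}` and drops the doubled slash before `%{_sbindir}`. The earlier lines `mkdir -p` their target directories first, while /usr/lib/openldap is assumed to exist in the buildroot here; it presumably does because /usr/lib/openldap/start is packaged, but an explicit `install -d` would make that visible.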
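Review bot: With the `%post` block that ran openldap_update_modules_path.sh removed in the `@@ -433,9 +439,6 @@` hunk, nothing in this diff invokes the new /usr/lib/openldap/fixup-modulepath, so the olcModulePath removal the changelog presents as its replacement does not happen on upgrade unless it is triggered from somewhere outside this diff. If it is meant to run during a package update, a guarded call such as `if [ ${1:-0} -gt 1 ]; then /usr/lib/openldap/fixup-modulepath || :; fi` in `%post` would restore that (the script already exits 0 when slapd.d is absent); the `|| :` matters because the script exits 1 while slapd.service is active, which is the usual state during an upgrade, and a failing last command would fail the scriptlet. If the fixup is intended to be a manual step, the changelog entry should say so.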
@@ -468,7 +471,6 @@ fi
 %{_fillupdir}/sysconfig.openldap
 %{_sbindir}/slap*
 %{_sbindir}/rcslapd
-%{_sbindir}/openldap_update_modules_path.sh
 %{_libdir}/openldap/back_bdb*
 %{_libdir}/openldap/back_hdb*
 %{_libdir}/openldap/back_ldap*
@@ -498,6 +500,8 @@ fi
 %{_libdir}/openldap/valsort*
 %{_libdir}/slapd
 /usr/lib/openldap/start
+/usr/lib/openldap/update-crc
+/usr/lib/openldap/fixup-modulepath
 %{_unitdir}/slapd.service
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/ldap-user.conf
diff --git a/openldap_update_modules_path.sh b/openldap_update_modules_path.sh
deleted file mode 100644
index fd184a9..0000000
--- a/openldap_update_modules_path.sh
+++ /dev/null
@@ -1,150 +0,0 @@
-#!/bin/bash
-# This script has been created to update the OpenLDAP modules path in cn=config
-# For details of changing the configuration items' location read these:
-# https://www.openldap.org/lists/openldap-software/200812/msg00080.html
-# This script writes over the config entry of backend databases location, which files are necessary to run LDAP. The procedure has been created upon this description:
-# https://serverfault.com/questions/863274/modify-openldap-cn-config-without-slapd-running
-
-# Author: Zsolt KALMAR (SUSE Linux GmbH) zkalmar@suse.com
-
-# define variables
-conf_dir='/etc/openldap/slapd.d'
-if [ ! -d ${conf_dir} ] || [ ! -f ${conf_dir}/cn=config.ldif ]
-then
- exit 0
-fi
-
-
-tmp_file='/tmp/ldap_conf_tmp.ldif'
-backup='/tmp/slapd.d'
-res=0
-
-# common functions
-create_symlinks () {
-if [ ! -f /usr/lib/openldap/back_bdb.so ]; then ln -s /usr/lib64/openldap/back_bdb.so /usr/lib/openldap/back_bdb.so; fi
-if [ ! -f /usr/lib/openldap/back_hdb.so ]; then ln -s /usr/lib64/openldap/back_hdb.so /usr/lib/openldap/back_hdb.so; fi
-if [ ! -f /usr/lib/openldap/back_mdb.so ]; then ln -s /usr/lib64/openldap/back_mdb.so /usr/lib/openldap/back_mdb.so; fi
-if [ ! -f /usr/lib/openldap/syncprov.so ]; then ln -s /usr/lib64/openldap/syncprov.so /usr/lib/openldap/syncprov.so; fi
-#logger -p user.info "Update openLDAP: symlinks have been created."
-}
-
-cleanup () {
-rm -f /usr/lib/openldap/back_bdb.so
-rm -f /usr/lib/openldap/back_hdb.so
-rm -f /usr/lib/openldap/back_mdb.so
-rm -f /usr/lib/openldap/syncprov.so
-rm -f ${tmp_file}
-#logger -p user.info "Update openLDAP: symlinks have been removed."
-}
-
-rm -f ${tmp_file}
-
-# Check if the configuration is containing the inappropriate entry
-create_symlinks
-res=0
-if [ -f /usr/sbin/slapcat ]
-then
- /usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
- res=$?
-fi
-
-if [ $res -ne 0 ]
-then
- #logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed during the search of faulty openLDAP entry."
- exit 1
-#else
- #logger -p user.info "LDAP Update script: ${tmp_file} has been created."
-fi
-
-entry_cnt=`cat ${tmp_file} | grep ^[^#\;] | grep olcModulePath | wc -l`
-
-if [ $entry_cnt -eq 0 ]
-then
- #logger -p user.info "LDAP Update script: The current LDAP configuration does not contain the wrong item. Stop applying this script. Bye."
- cleanup
- exit 0
-fi
-
-rm -rf ${tmp_file}
-
-# Make sure the LDAP is not running:
-/usr/bin/systemctl stop slapd.service
-#logger -p user.info "LDAP Update script: openLDAP has been stopped."
-
-# Creating symlinks for the modules required for the slapcat and slapadd
-create_symlinks
-
-# Export the config to a text
-res=0
-if [ -f /usr/sbin/slapcat ]
-then
- /usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
- res=$?
-fi
-
-if [ $res -ne 0 ]
-then
- #logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed."
- cleanup
- exit 1
-fi
-
-# Create a backup of LDAP config
-mkdir ${backup}
-cp -r ${conf_dir}/* ${backup}/
-res=$?
-
-if [ $res -ne 0 ]
-then
- #logger -p user.error "LDAP Update script: Backing up ${conf_dir} has failed."
- exit 1
-#else
- #logger -p user.info "LDAP Update script: Back up has been created of openLDAP configuration."
-fi
-
-# Remove the configuration item "olcModulePath"
-sed -n -i '/olcModulePath/!p' ${tmp_file}
-res=$?
-
-if [ $res -ne 0 ]
-then
- #logger -p user.error "LDAP Update script: Removing of entry in ${tmp_file} has failed."
- exit 1
-#else
- #logger -p user.info "LDAP Update script: olcModulesPath entry has been removed."
-fi
-
-# Remove the current configuration
-rm -rf ${conf_dir}/*
-
-# Load the modified configuration
-/usr/sbin/slapadd -n0 -F ${conf_dir} -l ${tmp_file}
-res=$?
-
-# Catch result code of slapadd
-if [ $res -ne 0 ]
-then
- #logger -p user.error "LDAP Update script: Implementing new configuration has failed."
- exit 1
-else
- #logger -p user.info "LDAP Update script: Implementing new configuration has been succeeded."
- cleanup
-fi
-
-# Start the SLAPD with the new configuration
-/usr/bin/systemctl start slapd.service
-res=$?
-
-if [ $res -ne 0 ]
-then
- #logger -p user.error "LDAP Update script: Starting updated LDAP server has been failed."
- exit 1
-else
- #logger -p user.info "LDAP Update script: Updated LDAP server has been successfully started."
- # Remove backups
- rm -rf ${backup}
- rm -rf ${tmp_file}
- # Create "/var/adm/openldap_update_modules"
- touch /var/adm/openldap_update_modules
- exit 0
-fi
diff --git a/slapd-ldif-update-crc.sh b/slapd-ldif-update-crc.sh
new file mode 100644
index 0000000..2c348bd
--- /dev/null
+++ b/slapd-ldif-update-crc.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+source /usr/lib/openldap/update-crc
+
+if [ -z ${1} ]; then
+ echo "Usage: ${0} /etc/openldap/slapd.d/"
+ exit 1
+fi
+
+if [ ! -f "${1}" ]; then
+ echo "File ${1} does not exist?"
+ echo "Usage: ${0} /etc/openldap/slapd.d/"
+ exit 1
+fi
+
+# Make sure slapd.service is not running.
+slapd_running=1
+
+# Don't check if no systemd, we could be in a container.
+if [ -f "/usr/bin/systemctl" ]; then
+ /usr/bin/systemctl is-active --quiet slapd.service
+ slapd_running=$?
+fi
+
+if [ $slapd_running -eq 0 ]; then
+ echo "Unable to update crc of '${1}' while slapd.service is running ..."
+ exit 1
+fi
+
+do_update_crc ${1}
+
+echo "Updated crc of ${1}"
+
diff --git a/update-crc.sh b/update-crc.sh
new file mode 100644
index 0000000..80b2c68
--- /dev/null
+++ b/update-crc.sh
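Review bot: The usage text on the two `echo "Usage: ${0} /etc/openldap/slapd.d/"` lines in slapd-ldif-update-crc.sh names a directory, but the script requires a regular file (`[ ! -f "${1}" ]`) and hands it to do_update_crc, so a user following the message gets the `does not exist?` error; `echo "Usage: ${0} /etc/openldap/slapd.d/cn=config.ldif"` (or any single slapd.d ldif) would match what the script accepts. `[ -z ${1} ]` and `do_update_crc ${1}` expand the argument unquoted: the empty case only works because a bare `[ -z ]` evaluates to true, and a path containing whitespace would split, so `[ -z "${1}" ]` and `do_update_crc "${1}"` are the safer forms and match the already-quoted `-f` test.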
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Script to fix the crc of openldap slapd.d ldifs.
+
+do_update_crc () {
+ if [ -z ${1} ]; then
+ echo "Invalid call to do_update_crc() - no filename provided"
+ exit 1
+ fi
+
+ tgt_ldif=$1
+
+ if [ ! -f "${tgt_ldif}" ]; then
+ echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
+ exit 1
+ fi
+
+ rm -f "${tgt_ldif}.crcbak"
+ mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
+
+ /usr/bin/awk '
+BEGIN {
+ # CRC-32 ZIP polynomial in reversed bit order.
+ POLY = 0xedb88320
+
+ # 8-bit character -> ordinal table.
+ for (i = 0; i < 256; i++)
+ ORD[sprintf("%c", i)] = i
+}
+
+{
+ # Remember each input line.
+ input[NR] = $0
+
+ # Verify the file header.
+ if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
+ exit 1
+ if (NR == 2 && $0 !~ /# CRC32 ......../)
+ exit 1
+}
+
+# Calculate CRC-32.
+function crc32(crc, string, i, j, c) {
+ crc = and(compl(crc), 0xffffffff)
+ for (i = 1; i <= length(string); i++) {
+ c = substr(string, i, 1)
+ crc = xor(crc, ORD[c])
+ for (j = 0; j < 8; j++)
+ crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
+ }
+ crc = and(compl(crc), 0xffffffff)
+ return crc
+}
+
+END {
+ # Calculate CRC-32 of the file and update it in the header.
+ crc = 0
+ for (i = 3; i <= length(input); i++)
+ crc = crc32(crc, input[i] "\n")
+ input[2] = "# CRC32 " sprintf("%08x", crc)
+
+ # Print the output.
+ for (i = 1; i <= length(input); i++)
+ print input[i]
+}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
+
+}
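Review bot: The awk exit status after `}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"` is never checked, and the header guards (`exit 1` in the main rule) do not stop the rewrite: an exit from a main rule in awk still runs the END block, so a file whose first two lines are not the expected header is written out anyway with line 2 overwritten, the original survives only as .crcbak, and the caller goes on to print "Updated crc". Setting a flag in the guard, re-checking it at the top of END, and restoring the backup in the shell when awk returns non-zero closes that gap (sketch below). Two related points: the `> "${tgt_ldif}"` redirect creates the new file with the invoking user's ownership and umask rather than the owner and mode of the original slapd.d file, which is typically not world-readable, so `chown --reference`/`chmod --reference` against the .crcbak copy (or `cp -p` followed by an in-place rewrite) is advisable; and the `ORD[sprintf("%c", i)]`/`substr` byte handling presumably depends on a single-byte locale, so `LC_ALL=C /usr/bin/awk` would make the CRC independent of the caller's environment. `tgt_ldif` is also assigned without `local`, so the function overwrites the caller's variable of the same name in fixup-modulepath.sh.
```shell
    /usr/bin/awk '
# … unchanged: BEGIN block …
{
    input[NR] = $0
    if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.") { bad = 1; exit 1 }
    if (NR == 2 && $0 !~ /# CRC32 ......../) { bad = 1; exit 1 }
}
# … unchanged: crc32 function …
END {
    # exit in a main rule still runs END: bail out before writing anything
    if (bad) exit 1
    # … unchanged: CRC computation and print loop …
}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
    if [ $? -ne 0 ]; then
        echo "Header check failed for ${tgt_ldif}, restoring original"
        mv "${tgt_ldif}.crcbak" "${tgt_ldif}"
        exit 1
    fi
```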