Accepting request 844183 from home:firstyear:branches:network:ldap
- bsc#1175568 CVE-2020-8027 openldap_update_modules_path.sh has a number of issues in its design that lead to security issues. This file has been removed, from the package, and the %post execution of the install. The function is replaced by /usr/sbin/slapd-ldif-update-crc and /usr/lib/openldap/fixup-modulepath, through the addition of the source files: * fixup-modulepath.sh * slapd-ldif-update-crc.sh * update-crc.sh OBS-URL: https://build.opensuse.org/request/show/844183 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=278
parent
fc56a37d6c
commit
617ae2b561
42
fixup-modulepath.sh
Normal file
42
fixup-modulepath.sh
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
source /usr/lib/openldap/update-crc
|
||||||
|
|
||||||
|
conf_dir='/etc/openldap/slapd.d'
|
||||||
|
tgt_ldif="${conf_dir}/cn=config.ldif"
|
||||||
|
if [ ! -d ${conf_dir} ] || [ ! -f ${tgt_ldif} ]
|
||||||
|
then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make sure slapd.service is not running.
|
||||||
|
slapd_running=1
|
||||||
|
|
||||||
|
# Don't check if no systemd, we could be in a container.
|
||||||
|
if [ -f "/usr/bin/systemctl" ]; then
|
||||||
|
/usr/bin/systemctl is-active --quiet slapd.service
|
||||||
|
slapd_running=$?
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $slapd_running -eq 0 ]; then
|
||||||
|
echo "Unable to update crc of '${tgt_ldif}' while slapd.service is running ..."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Remove the module path.
|
||||||
|
sed -n -i '/olcModulePath/!p' ${tgt_ldif}
|
||||||
|
|
||||||
|
res=$?
|
||||||
|
|
||||||
|
if [ $res -ne 0 ]
|
||||||
|
then
|
||||||
|
echo "Failed to remove olcModulePath in ${tgt_ldif}"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
do_update_crc ${tgt_ldif}
|
||||||
|
echo "Updated crc of ${tgt_ldif}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
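Review bot: `do_update_crc ${tgt_ldif}` in the else branch is followed by an unconditional "Updated crc" message, so a failure inside do_update_crc (whose status is that of its final awk redirection, or 127 when the `source` of /usr/lib/openldap/update-crc did not define the function) is reported as success even though the target file may already have been replaced. Check the status and send the diagnostic to stderr: `do_update_crc "${tgt_ldif}" || { echo "Failed to update crc of ${tgt_ldif}" >&2; exit 1; }`. The same unchecked call with an unquoted argument appears in slapd-ldif-update-crc.sh at `do_update_crc ${1}`. The unquoted `${tgt_ldif}` in the `[ ! -f ${tgt_ldif} ]` test and on the `sed -i` line should be double-quoted too; the value is fixed here, but quoting keeps the script correct if conf_dir is ever made configurable.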
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 27 01:01:54 UTC 2020 - William Brown <william.brown@suse.com>
|
||||||
|
|
||||||
|
- bsc#1175568 CVE-2020-8027
|
||||||
|
openldap_update_modules_path.sh has a number of issues in it's
|
||||||
|
design that lead to security issues. This file has been removed,
|
||||||
|
from the package, and the %post execution of the install. The
|
||||||
|
function is replaced by /usr/sbin/slapd-ldif-update-crc and
|
||||||
|
/usr/lib/openldap/fixup-modulepath, through the addition of the
|
||||||
|
source files:
|
||||||
|
* fixup-modulepath.sh
|
||||||
|
* slapd-ldif-update-crc.sh
|
||||||
|
* update-crc.sh
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Oct 26 21:48:45 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
Mon Oct 26 21:48:45 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||||||
|
|
||||||
|
@ -47,9 +47,11 @@ Source12: slapd.conf.example
|
|||||||
Source13: start
|
Source13: start
|
||||||
Source14: slapd.service
|
Source14: slapd.service
|
||||||
Source16: sysconfig.openldap
|
Source16: sysconfig.openldap
|
||||||
Source17: openldap_update_modules_path.sh
|
|
||||||
Source18: openldap2.conf
|
Source18: openldap2.conf
|
||||||
Source19: ldap-user.conf
|
Source19: ldap-user.conf
|
||||||
|
Source20: fixup-modulepath.sh
|
||||||
|
Source21: slapd-ldif-update-crc.sh
|
||||||
|
Source22: update-crc.sh
|
||||||
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
|
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
|
||||||
Patch3: 0003-LDAPI-socket-location.dif
|
Patch3: 0003-LDAPI-socket-location.dif
|
||||||
Patch5: 0005-pie-compile.dif
|
Patch5: 0005-pie-compile.dif
|
||||||
@ -80,6 +82,7 @@ BuildRequires: pkgconfig(systemd)
|
|||||||
%if %{suse_version} < 1500
|
%if %{suse_version} < 1500
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
%endif
|
%endif
|
||||||
|
Requires: gawk
|
||||||
Requires: libldap-2_4-2 = %{version_main}
|
Requires: libldap-2_4-2 = %{version_main}
|
||||||
Recommends: cyrus-sasl
|
Recommends: cyrus-sasl
|
||||||
Conflicts: openldap
|
Conflicts: openldap
|
||||||
@ -358,12 +361,15 @@ install -m 755 -d %{buildroot}/var/lib/ldap
|
|||||||
chmod a+x %{buildroot}%{_libdir}/liblber.so*
|
chmod a+x %{buildroot}%{_libdir}/liblber.so*
|
||||||
chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
|
chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
|
||||||
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
|
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
|
||||||
install -m 755 %{SOURCE17} %{buildroot}%{_sbindir}
|
|
||||||
mkdir -p %{buildroot}%{_tmpfilesdir}/
|
mkdir -p %{buildroot}%{_tmpfilesdir}/
|
||||||
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
|
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
|
||||||
mkdir -p %{buildroot}%{_sysusersdir}
|
mkdir -p %{buildroot}%{_sysusersdir}
|
||||||
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
|
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
|
||||||
|
|
||||||
|
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
|
||||||
|
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
|
||||||
|
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
|
||||||
|
|
||||||
# Install ppolicy check module
|
# Install ppolicy check module
|
||||||
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
|
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
|
||||||
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
|
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
|
||||||
@ -433,9 +439,6 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
|
|||||||
%service_add_pre slapd.service
|
%service_add_pre slapd.service
|
||||||
|
|
||||||
%post
|
%post
|
||||||
if [ ${1:-0} -gt 1 ] && [ ! -f /var/adm/openldap_modules_path_updated ] ; then
|
|
||||||
/usr/sbin/openldap_update_modules_path.sh
|
|
||||||
fi
|
|
||||||
%{fillup_only -n openldap ldap}
|
%{fillup_only -n openldap ldap}
|
||||||
%tmpfiles_create %{name}.conf
|
%tmpfiles_create %{name}.conf
|
||||||
%service_add_post slapd.service
|
%service_add_post slapd.service
|
||||||
@ -468,7 +471,6 @@ fi
|
|||||||
%{_fillupdir}/sysconfig.openldap
|
%{_fillupdir}/sysconfig.openldap
|
||||||
%{_sbindir}/slap*
|
%{_sbindir}/slap*
|
||||||
%{_sbindir}/rcslapd
|
%{_sbindir}/rcslapd
|
||||||
%{_sbindir}/openldap_update_modules_path.sh
|
|
||||||
%{_libdir}/openldap/back_bdb*
|
%{_libdir}/openldap/back_bdb*
|
||||||
%{_libdir}/openldap/back_hdb*
|
%{_libdir}/openldap/back_hdb*
|
||||||
%{_libdir}/openldap/back_ldap*
|
%{_libdir}/openldap/back_ldap*
|
||||||
@ -498,6 +500,8 @@ fi
|
|||||||
%{_libdir}/openldap/valsort*
|
%{_libdir}/openldap/valsort*
|
||||||
%{_libdir}/slapd
|
%{_libdir}/slapd
|
||||||
/usr/lib/openldap/start
|
/usr/lib/openldap/start
|
||||||
|
/usr/lib/openldap/update-crc
|
||||||
|
/usr/lib/openldap/fixup-modulepath
|
||||||
%{_unitdir}/slapd.service
|
%{_unitdir}/slapd.service
|
||||||
%{_tmpfilesdir}/%{name}.conf
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
%{_sysusersdir}/ldap-user.conf
|
%{_sysusersdir}/ldap-user.conf
|
||||||
|
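Review bot: The three new `install -m 755` lines in the %install hunk reference the wrong source numbers: this same commit declares fixup-modulepath.sh as Source20, slapd-ldif-update-crc.sh as Source21 and update-crc.sh as Source22, while Source19 remains ldap-user.conf, so each file is installed one slot off. As written, /usr/lib/openldap/fixup-modulepath would be an executable copy of ldap-user.conf and /usr/lib/openldap/update-crc would be slapd-ldif-update-crc.sh, which sources /usr/lib/openldap/update-crc, i.e. itself. They should read `install -m 755 %{SOURCE20} %{buildroot}/usr/lib/openldap/fixup-modulepath`, `install -m 755 %{SOURCE21} %{buildroot}%{_sbindir}/slapd-ldif-update-crc` and `install -m 755 %{SOURCE22} %{buildroot}/usr/lib/openldap/update-crc`, which also drops the `${RPM_BUILD_ROOT}/%{_sbindir}` spelling (a double slash, and inconsistent with the `%{buildroot}` form used on the surrounding lines). Since update-crc is only ever sourced, mode 644 would be sufficient for it, though 755 does no harm.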
@ -1,150 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# This script has been created to update the OpenLDAP modules path in cn=config
|
|
||||||
# For details of changing the configuration items' location read these:
|
|
||||||
# https://www.openldap.org/lists/openldap-software/200812/msg00080.html
|
|
||||||
# This script writes over the config entry of backend databases location, which files are necessary to run LDAP. The procedure has been created upon this description:
|
|
||||||
# https://serverfault.com/questions/863274/modify-openldap-cn-config-without-slapd-running
|
|
||||||
|
|
||||||
# Author: Zsolt KALMAR (SUSE Linux GmbH) zkalmar@suse.com
|
|
||||||
|
|
||||||
# define variables
|
|
||||||
conf_dir='/etc/openldap/slapd.d'
|
|
||||||
if [ ! -d ${conf_dir} ] || [ ! -f ${conf_dir}/cn=config.ldif ]
|
|
||||||
then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
tmp_file='/tmp/ldap_conf_tmp.ldif'
|
|
||||||
backup='/tmp/slapd.d'
|
|
||||||
res=0
|
|
||||||
|
|
||||||
# common functions
|
|
||||||
create_symlinks () {
|
|
||||||
if [ ! -f /usr/lib/openldap/back_bdb.so ]; then ln -s /usr/lib64/openldap/back_bdb.so /usr/lib/openldap/back_bdb.so; fi
|
|
||||||
if [ ! -f /usr/lib/openldap/back_hdb.so ]; then ln -s /usr/lib64/openldap/back_hdb.so /usr/lib/openldap/back_hdb.so; fi
|
|
||||||
if [ ! -f /usr/lib/openldap/back_mdb.so ]; then ln -s /usr/lib64/openldap/back_mdb.so /usr/lib/openldap/back_mdb.so; fi
|
|
||||||
if [ ! -f /usr/lib/openldap/syncprov.so ]; then ln -s /usr/lib64/openldap/syncprov.so /usr/lib/openldap/syncprov.so; fi
|
|
||||||
#logger -p user.info "Update openLDAP: symlinks have been created."
|
|
||||||
}
|
|
||||||
|
|
||||||
cleanup () {
|
|
||||||
rm -f /usr/lib/openldap/back_bdb.so
|
|
||||||
rm -f /usr/lib/openldap/back_hdb.so
|
|
||||||
rm -f /usr/lib/openldap/back_mdb.so
|
|
||||||
rm -f /usr/lib/openldap/syncprov.so
|
|
||||||
rm -f ${tmp_file}
|
|
||||||
#logger -p user.info "Update openLDAP: symlinks have been removed."
|
|
||||||
}
|
|
||||||
|
|
||||||
rm -f ${tmp_file}
|
|
||||||
|
|
||||||
# Check if the configuration is containing the inappropriate entry
|
|
||||||
create_symlinks
|
|
||||||
res=0
|
|
||||||
if [ -f /usr/sbin/slapcat ]
|
|
||||||
then
|
|
||||||
/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
|
|
||||||
res=$?
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $res -ne 0 ]
|
|
||||||
then
|
|
||||||
#logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed during the search of faulty openLDAP entry."
|
|
||||||
exit 1
|
|
||||||
#else
|
|
||||||
#logger -p user.info "LDAP Update script: ${tmp_file} has been created."
|
|
||||||
fi
|
|
||||||
|
|
||||||
entry_cnt=`cat ${tmp_file} | grep ^[^#\;] | grep olcModulePath | wc -l`
|
|
||||||
|
|
||||||
if [ $entry_cnt -eq 0 ]
|
|
||||||
then
|
|
||||||
#logger -p user.info "LDAP Update script: The current LDAP configuration does not contain the wrong item. Stop applying this script. Bye."
|
|
||||||
cleanup
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -rf ${tmp_file}
|
|
||||||
|
|
||||||
# Make sure the LDAP is not running:
|
|
||||||
/usr/bin/systemctl stop slapd.service
|
|
||||||
#logger -p user.info "LDAP Update script: openLDAP has been stopped."
|
|
||||||
|
|
||||||
# Creating symlinks for the modules required for the slapcat and slapadd
|
|
||||||
create_symlinks
|
|
||||||
|
|
||||||
# Export the config to a text
|
|
||||||
res=0
|
|
||||||
if [ -f /usr/sbin/slapcat ]
|
|
||||||
then
|
|
||||||
/usr/sbin/slapcat -n0 -F ${conf_dir} -l ${tmp_file} -o ldif-wrap=no
|
|
||||||
res=$?
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $res -ne 0 ]
|
|
||||||
then
|
|
||||||
#logger -p user.error "LDAP Update script: Creating ${tmp_file} has failed."
|
|
||||||
cleanup
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create a backup of LDAP config
|
|
||||||
mkdir ${backup}
|
|
||||||
cp -r ${conf_dir}/* ${backup}/
|
|
||||||
res=$?
|
|
||||||
|
|
||||||
if [ $res -ne 0 ]
|
|
||||||
then
|
|
||||||
#logger -p user.error "LDAP Update script: Backing up ${conf_dir} has failed."
|
|
||||||
exit 1
|
|
||||||
#else
|
|
||||||
#logger -p user.info "LDAP Update script: Back up has been created of openLDAP configuration."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Remove the configuration item "olcModulePath"
|
|
||||||
sed -n -i '/olcModulePath/!p' ${tmp_file}
|
|
||||||
res=$?
|
|
||||||
|
|
||||||
if [ $res -ne 0 ]
|
|
||||||
then
|
|
||||||
#logger -p user.error "LDAP Update script: Removing of entry in ${tmp_file} has failed."
|
|
||||||
exit 1
|
|
||||||
#else
|
|
||||||
#logger -p user.info "LDAP Update script: olcModulesPath entry has been removed."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Remove the current configuration
|
|
||||||
rm -rf ${conf_dir}/*
|
|
||||||
|
|
||||||
# Load the modified configuration
|
|
||||||
/usr/sbin/slapadd -n0 -F ${conf_dir} -l ${tmp_file}
|
|
||||||
res=$?
|
|
||||||
|
|
||||||
# Catch result code of slapadd
|
|
||||||
if [ $res -ne 0 ]
|
|
||||||
then
|
|
||||||
#logger -p user.error "LDAP Update script: Implementing new configuration has failed."
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
#logger -p user.info "LDAP Update script: Implementing new configuration has been succeeded."
|
|
||||||
cleanup
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Start the SLAPD with the new configuration
|
|
||||||
/usr/bin/systemctl start slapd.service
|
|
||||||
res=$?
|
|
||||||
|
|
||||||
if [ $res -ne 0 ]
|
|
||||||
then
|
|
||||||
#logger -p user.error "LDAP Update script: Starting updated LDAP server has been failed."
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
#logger -p user.info "LDAP Update script: Updated LDAP server has been successfully started."
|
|
||||||
# Remove backups
|
|
||||||
rm -rf ${backup}
|
|
||||||
rm -rf ${tmp_file}
|
|
||||||
# Create "/var/adm/openldap_update_modules"
|
|
||||||
touch /var/adm/openldap_update_modules
|
|
||||||
exit 0
|
|
||||||
fi
|
|
33
slapd-ldif-update-crc.sh
Normal file
33
slapd-ldif-update-crc.sh
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# Script to fix the crc of openldap slapd.d ldifs.
|
||||||
|
source /usr/lib/openldap/update-crc
|
||||||
|
|
||||||
|
if [ -z ${1} ]; then
|
||||||
|
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${1}" ]; then
|
||||||
|
echo "File ${1} does not exist?"
|
||||||
|
echo "Usage: ${0} /etc/openldap/slapd.d/<config ldif to update>"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make sure slapd.service is not running.
|
||||||
|
slapd_running=1
|
||||||
|
|
||||||
|
# Don't check if no systemd, we could be in a container.
|
||||||
|
if [ -f "/usr/bin/systemctl" ]; then
|
||||||
|
/usr/bin/systemctl is-active --quiet slapd.service
|
||||||
|
slapd_running=$?
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $slapd_running -eq 0 ]; then
|
||||||
|
echo "Unable to update crc of '${1}' while slapd.service is running ..."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
do_update_crc ${1}
|
||||||
|
|
||||||
|
echo "Updated crc of ${1}"
|
||||||
|
|
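Review bot: `if [ -z ${1} ]` leaves the argument unquoted, so with no argument the test degenerates to `[ -z ]` (true only by the accident of single-argument test semantics) and a path containing whitespace or a glob character is word-split before `-z` ever sees it; the same unquoted form is used in `do_update_crc ${1}` below and inside do_update_crc in update-crc.sh. Quote both: `if [ -z "${1}" ]; then` and `do_update_crc "${1}"`. The usage and "does not exist" messages are diagnostics and belong on stderr (`>&2`) so that a caller capturing stdout does not mistake them for output.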
67
update-crc.sh
Normal file
67
update-crc.sh
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# Script to fix the crc of openldap slapd.d ldifs.
|
||||||
|
|
||||||
|
do_update_crc () {
|
||||||
|
if [ -z ${1} ]; then
|
||||||
|
echo "Invalid call to do_update_crc() - no filename provided"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
tgt_ldif=$1
|
||||||
|
|
||||||
|
if [ ! -f "${tgt_ldif}" ]; then
|
||||||
|
echo "invalid call to do_update_crc() - file ${tgt_ldif} does not exist?"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f "${tgt_ldif}.crcbak"
|
||||||
|
mv "${tgt_ldif}" "${tgt_ldif}.crcbak"
|
||||||
|
|
||||||
|
/usr/bin/awk '
|
||||||
|
BEGIN {
|
||||||
|
# CRC-32 ZIP polynomial in reversed bit order.
|
||||||
|
POLY = 0xedb88320
|
||||||
|
|
||||||
|
# 8-bit character -> ordinal table.
|
||||||
|
for (i = 0; i < 256; i++)
|
||||||
|
ORD[sprintf("%c", i)] = i
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
# Remember each input line.
|
||||||
|
input[NR] = $0
|
||||||
|
|
||||||
|
# Verify the file header.
|
||||||
|
if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.")
|
||||||
|
exit 1
|
||||||
|
if (NR == 2 && $0 !~ /# CRC32 ......../)
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Calculate CRC-32.
|
||||||
|
function crc32(crc, string, i, j, c) {
|
||||||
|
crc = and(compl(crc), 0xffffffff)
|
||||||
|
for (i = 1; i <= length(string); i++) {
|
||||||
|
c = substr(string, i, 1)
|
||||||
|
crc = xor(crc, ORD[c])
|
||||||
|
for (j = 0; j < 8; j++)
|
||||||
|
crc = and(crc, 1) ? xor(rshift(crc, 1), POLY) : rshift(crc, 1)
|
||||||
|
}
|
||||||
|
crc = and(compl(crc), 0xffffffff)
|
||||||
|
return crc
|
||||||
|
}
|
||||||
|
|
||||||
|
END {
|
||||||
|
# Calculate CRC-32 of the file and update it in the header.
|
||||||
|
crc = 0
|
||||||
|
for (i = 3; i <= length(input); i++)
|
||||||
|
crc = crc32(crc, input[i] "\n")
|
||||||
|
input[2] = "# CRC32 " sprintf("%08x", crc)
|
||||||
|
|
||||||
|
# Print the output.
|
||||||
|
for (i = 1; i <= length(input); i++)
|
||||||
|
print input[i]
|
||||||
|
}' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
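Review bot: The `exit 1` statements in the awk per-line rule (the header checks for lines 1 and 2) do not abort the program: an awk `exit` outside END still runs the END block, so a file with an unexpected header is written back to `${tgt_ldif}` as its first line(s) plus a fabricated `# CRC32 00000000` line, while the only intact copy is left in `${tgt_ldif}.crcbak`. The shell side then ignores awk's status and never restores the backup. Set a flag beside each check, `{ bad = 1; exit 1 }`, test it first in END with `if (bad) exit 1`, and on the shell side check `$?`, move the backup back on failure, and copy the original mode and owner onto the rewritten file, since the `>` redirection creates a fresh inode with the caller's umask and uid rather than the original's (files under slapd.d are typically owned by the service user with restrictive modes — worth confirming for this package). `tgt_ldif=$1` should also be declared `local`, as the function is sourced into callers such as fixup-modulepath.sh that keep a `tgt_ldif` of their own.
```shell
  mv "${tgt_ldif}" "${tgt_ldif}.crcbak" || return 1

  /usr/bin/awk '
    # … unchanged: BEGIN block …
    {
      input[NR] = $0
      if (NR == 1 && $0 != "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.") { bad = 1; exit 1 }
      if (NR == 2 && $0 !~ /# CRC32 ......../) { bad = 1; exit 1 }
    }
    # … unchanged: crc32 function …
    END {
      if (bad) exit 1
      # … unchanged: CRC calculation and output loop …
    }' "${tgt_ldif}.crcbak" > "${tgt_ldif}"
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "do_update_crc: ${tgt_ldif} does not look like a slapd.d ldif, restoring it" >&2
    mv -f "${tgt_ldif}.crcbak" "${tgt_ldif}"
    return "$rc"
  fi
  # The redirection created a new inode; carry over the original mode and owner.
  chmod --reference="${tgt_ldif}.crcbak" "${tgt_ldif}"
  chown --reference="${tgt_ldif}.crcbak" "${tgt_ldif}"
```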