Bug 13019 - 389-ds-base new security issue CVE-2014-0132
: 389-ds-base new security issue CVE-2014-0132
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/590753/
: MGA3TOO advisory has_procedure mga3-3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-03-14 19:31 CET by David Walser
Modified: 2014-03-31 21:45 CEST (History)
6 users (show)

See Also:
Source RPM: 389-ds-base
CVE:


Attachments

Description David Walser 2014-03-14 19:31:20 CET
RedHat has issued an advisory on March 13:
https://rhn.redhat.com/errata/RHSA-2014-0292.html

The upstream patch to fix the issue is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1074845

Reproducible: 

Steps to Reproduce:
Comment 1 Thomas Spuhler 2014-03-14 19:41:40 CET
we will just update Cauldron when it builds.
But as I read it, it will affect mga3 and mga4 too
Comment 2 Thomas Spuhler 2014-03-14 22:13:40 CET
This bug is now fixed. I didn't do any test. Per upstream, the deleted code wasn't used anyway.

Cauldron doesn't have this bug. The fix was already applied in the source.

mga3 and mga4 have the patch from upstream applied.
The following paackges are now un updates_testing, mageia3 and mageia4:
389-ds-base-1.3.0.9-1.1.mga3.src.rpm
389-ds-base-1.3.0.9-1.1.mga3.x86_64.rpm
389-ds-base-libs-1.3.0.9-1.1.mga3.x86_64.rpm
389-ds-base-devel-1.3.0.9-1.1.mga3.x86_64.rpm
389-ds-base-debuginfo-1.3.0.9-1.1.mga3.x86_64.rpm
and 32 bit

389-ds-base-1.3.2.7-1.1.mga4.src.rpm
389-ds-base-1.3.2.7-1.1.mga4.x86_64.rpm
389-ds-base-libs-1.3.2.7-1.1.mga4.x86_64.rpm
389-ds-base-devel-1.3.2.7-1.1.mga4.x86_64.rpm
389-ds-base-debuginfo-1.3.2.7-1.1.mga4.x86_64.rpm
and 32bit
Comment 3 David Walser 2014-03-14 22:33:26 CET
Thanks Thomas!

Advisory:
========================

Updated 389-ds-base packages fix security vulnerabilities:

It was discovered that the 389 Directory Server did not properly handle
certain SASL-based authentication mechanisms. A user able to authenticate
to the directory using these SASL mechanisms could connect as any other
directory user, including the administrative Directory Manager account.
This could allow them to modify configuration values, as well as read and
write any data the directory holds (CVE-2014-0132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0132
https://rhn.redhat.com/errata/RHSA-2014-0292.html
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.0.9-1.1.mga3
389-ds-base-libs-1.3.0.9-1.1.mga3
389-ds-base-devel-1.3.0.9-1.1.mga3
389-ds-base-1.3.2.7-1.1.mga4
389-ds-base-libs-1.3.2.7-1.1.mga4
389-ds-base-devel-1.3.2.7-1.1.mga4
389-ds-base-debuginfo-1.3.2.7-1.1.mga4

from SRPMS:
389-ds-base-1.3.0.9-1.1.mga3.src.rpm
389-ds-base-1.3.2.7-1.1.mga4.src.rpm
Comment 4 Dave Hodgins 2014-03-15 02:11:26 CET
The following packages have bad signatures:            
/var/cache/urpmi/rpms/389-ds-base-1.3.0.9-1.1.mga3.i586.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-devel-1.3.0.9-1.1.mga3.i586.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-libs-1.3.0.9-1.1.mga3.i586.rpm: Missing signature (OK ((none)))
Comment 5 Dave Hodgins 2014-03-15 02:23:40 CET
Also
/var/cache/urpmi/rpms/389-ds-base-libs-1.3.0.9-1.1.mga3.x86_64.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-libs-1.3.0.9-1.1.mga3.x86_64.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-1.3.2.7-1.1.mga4.i586.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-libs-1.3.2.7-1.1.mga4.i586.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-1.3.2.7-1.1.mga4.x86_64.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-devel-1.3.2.7-1.1.mga4.x86_64.rpm: Missing signature (OK ((none)))
/var/cache/urpmi/rpms/389-ds-base-libs-1.3.2.7-1.1.mga4.x86_64.rpm: Missing signature (OK ((none)))
Comment 6 Thomas Backlund 2014-03-15 11:58:03 CET
signed packages are being mirrored out
Comment 7 claire robinson 2014-03-25 09:17:53 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11720#c7

It needs a properly set hostname to work so it starts with checking the hostname is set to something sane.

Difficult to reproduce the CVE but used madb to confirm the patch has been applied in both mga3 and mga4.
Comment 8 claire robinson 2014-03-25 17:47:47 CET
Testing complete mga3 32
Comment 9 claire robinson 2014-03-25 18:34:36 CET
Testing complete mga3 64
Comment 10 Lewis Smith 2014-03-25 20:54:12 CET
Trying MGA4 64-bit real hardware.
https://fedorahosted.org/389/ticket/47739 describes the actual fault.
https://fedorahosted.org/389/attachment/ticket/47739/f1 demonstrates it.

Procedure as referenced in Comment 7.
Having chosen Express setup 1, and entered a null Directory Manager DN with real password, it gave:
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 28, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 24, in <module>
    import pwd, grp, string, selinux, tempfile, os, re, sys, stat
ImportError: No module named selinux
 Then hung a long time, but eventually said:
Your new DS instance 'freebox' was successfully created.

# systemctl start dirsrv@freebox.service
# netstat -pant | grep 389
tcp        0      0 :::389  :::*     LISTEN      6914/ns-slapd

The O/P from
 ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
was as in the procedure.

Unable to probe deeper without investigating kinit. OK to OK this?
Comment 11 claire robinson 2014-03-27 16:59:40 CET
Tests ok here Lewis mga4 64
Comment 12 claire robinson 2014-03-27 18:09:44 CET
Testing complete mga4 32

Validating. Advisory previously uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 13 Pascal Terjan 2014-03-31 21:45:11 CEST
http://advisories.mageia.org/MGASA-2014-0145.html

Note You need to log in before you can comment on or make changes to this bug.