22718 – 389-ds-base new security issue CVE-2017-15135

Bug 22718 - 389-ds-base new security issue CVE-2017-15135

Summary: 389-ds-base new security issue CVE-2017-15135

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA6-32-OK MGA6-64-OK
Keywords:	advisory, has_procedure, validated_update

Depends on:
Blocks:

Reported:	2018-03-07 23:15 CET by David Walser
Modified:	2018-04-07 00:55 CEST (History)
CC List:	6 users (show)

See Also:
Source RPM:	389-ds-base-1.3.5.17-1.3.mga6.src.rpm
CVE:
Status comment:	Patch available from RedHat

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-03-07 23:15:46 CET

RedHat has issued an advisory on March 6:
https://access.redhat.com/errata/RHSA-2018:0414

Comment 1 Marja Van Waes 2018-03-08 18:24:07 CET

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Adding MGA6TOO to the whiteboard, because the SRPM field contained the Mga6 version. Adding the cauldron version because this bug was filed against cauldron.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo, smelror
Source RPM: 389-ds-base-1.3.5.17-1.3.mga6.src.rpm => 389-ds-base-1.3.5.17-1.3.mga6 389-ds-base-1.3.5.19-4.mga7
Whiteboard: (none) => MGA6TOO

David Walser 2018-03-11 16:13:32 CET

Source RPM: 389-ds-base-1.3.5.17-1.3.mga6 389-ds-base-1.3.5.19-4.mga7 => 389-ds-base-1.3.5.17-1.3.mga6.src.rpm
Status comment: (none) => Patch available from RedHat

Comment 2 Mike Rambo 2018-03-24 03:36:53 CET

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated 389-ds-base package fixes security vulnerability:

It was discovered that a lack of size check in slapi_ct_memcmp() function may lead to authentication bypass through pre-hashed userPassword attributes under highly specific circumstances (CVE-2017-15135).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15135
https://access.redhat.com/security/cve/cve-2017-15135
https://bugzilla.redhat.com/show_bug.cgi?id=1525628
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.5.17-1.4.mga6
389-ds-base-snmp-1.3.5.17-1.4.mga6
lib64389-ds-base0-1.3.5.17-1.4.mga6
lib64389-ds-base-devel-1.3.5.17-1.4.mga6

from 389-ds-base-1.3.5.17-1.4.mga6.src.rpm


Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=11720#c7
https://bugs.mageia.org/show_bug.cgi?id=16928#c7

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => has_procedure

Comment 3 Len Lawrence 2018-04-02 20:07:06 CEST

Mageia6, x86_64

Treading old ground here.  Referring to previous reports on this bug (Claire and lewis) set up the dirserver before updating using hostname difda.temp.
That worked fine but the hostname needed to be reverted to difda before MageiaUpdate would work.

# hostname difda.temp
# echo difda.temp > /etc/hostname
# echo "192.168.1.103 difda.temp" >> /etc/hosts

This did not work so overwrote difda by difda.temp.

# setup-ds.pl
Directory server network port = 29690 (previous values in use).
server identifier = tarazed (difda already in use)

Success at last.
# systemctl start dirsrv@difda
# systemctl status dirsrv@difda
● dirsrv@difda.service - 389 Directory Server difda.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor pres
   Active: active (running) since Mon 2018-04-02 18:25:20 BST; 26min ago

# netstat -pant | grep 29690
tcp6       0      0 :::29690                :::*                    LISTEN      16817/ns-slapd      
# ldapsearch -x -h difda.temp -s base -b ""  "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
dn:
objectClass: top
defaultnamingcontext: dc=difda,dc=temp
dataversion: 020180402172520
netscapemdsuffix: cn=ldap://dc=difda,dc=temp:389
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Not sure if this is correct because it is looking at port 389 which had been assigned in the first run of setup-ds.pl.  Restarted the service and ran that command again but it still came back with port 389.

In general the tests look fine but the false starts give cause for concern.
Might have to clear the slate and start again.

CC: (none) => tarazed25

Comment 4 Herman Viaene 2018-04-03 15:52:27 CEST

MGA6-32 on Dell Latitude D600 MATE
No installation issues
Running setup-ds.pl with all typical setup and accepting all defaults (except password of course) gives running service
netstat and ldapsearch as above give same results. This is OK
One concern:
At the start of the setup-ds.pl there is an error mentioning that this CPU does not support the CMPXCHG16B instruction - cpuflag cx16 and that in a future release this platform will not be supported.
Might be the end for 32-bit support for this package???

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 5 Lewis Smith 2018-04-04 10:41:45 CEST

(In reply to Len Lawrence from comment #3)
> Mageia6, x86_64
> In general the tests look fine but the false starts give cause for concern.
> Might have to clear the slate and start again.
No need, I am re-doing this, partly to have this software, since it comes up often.
My reference:  https://bugs.mageia.org/show_bug.cgi?id=21671#c8

$ cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost

Installed:
 389-ds-base-snmp-1.3.5.17-1.3.mga6
 lib64389-ds-base0-1.3.5.17-1.3.mga6
 389-ds-base-1.3.5.17-1.3.mga6
Setup: # setup-ds.pl just as noted in the earlier comment, Express.

# systemctl start dirsrv@localhost

# systemctl status dirsrv@localhost
● dirsrv@localhost.service - 389 Directory Server localhost.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor pres
   Active: active (running) since Mer 2018-04-04 10:04:53 CEST; 59s ago
  Process: 24584 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/
 Main PID: 24591 (ns-slapd)
   Status: "slapd started: Ready to process requests"
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@localhost.service
           └─24591 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-localhost -i /var/run
Ebr 04 10:04:51 localhost.localdomain systemd[1]: Starting 389 Directory Server 
...
Ebr 04 10:04:53 localhost.localdomain systemd[1]: Started 389 Directory Server

# netstat -pant | grep 389
tcp6       0      0 :::389                  :::*                    LISTEN      24591/ns-slapd      

# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
dn:
objectClass: top
defaultnamingcontext: dc=localdomain
dataversion: 020180404080452
netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

# systemctl stop dirsrv@localhost
---------------------------------
AFTER update to:
- 389-ds-base-1.3.5.17-1.4.mga6.x86_64
- 389-ds-base-snmp-1.3.5.17-1.4.mga6.x86_64
- lib64389-ds-base0-1.3.5.17-1.4.mga6.x86_64

# systemctl start dirsrv@localhost

# systemctl status dirsrv@localhost
 Essentially the same as before.

# netstat -pant | grep 389
 Essentially the same as before.

# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
 Essentially identical.

Adding the 64-bit OK, validating, advisory to do.

Keywords: (none) => advisory, validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-04-07 00:55:35 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0193.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.