Bug 23005 - 389-ds-base new security issue CVE-2018-1089
Summary: 389-ds-base new security issue CVE-2018-1089
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-08 16:08 CEST by David Walser
Modified: 2018-05-16 10:26 CEST

See Also:
Source RPM: 389-ds-base-1.3.5.19-5.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-05-08 16:08:51 CEST
A security issue in 389-ds-base has been announced on May 7:
http://openwall.com/lists/oss-security/2018/05/07/2

Patches to fix the issue are attached to this message:
http://openwall.com/lists/oss-security/2018/05/07/3

Mageia 5 and Mageia 6 are probably also affected.
David Walser 2018-05-08 16:08:58 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-05-09 08:39:14 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing two committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo, smelror

Comment 2 David Walser 2018-05-09 23:37:21 CEST
Red Hat has issued an advisory for this today (May 9):
https://access.redhat.com/errata/RHSA-2018:1364
Comment 3 David Walser 2018-05-09 23:37:55 CEST
Which confirms that Mageia 5 and Mageia 6 are affected (we'll only fix 6).
Comment 4 Mike Rambo 2018-05-12 19:46:12 CEST
Patched packages uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated 389-ds-base package fixes security vulnerability:

389-ds-base did not properly handle characters that need to be escaped in
its query filter. This could result in buffer overflows, from the heap
or the stack, on larger filters. An unauthenticated attacker could send
a specially crafted LDAP request and crash the server (CVE-2018-1089).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1089
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1089
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.5.17-1.5.mga6
389-ds-base-snmp-1.3.5.17-1.5.mga6
lib64389-ds-base0-1.3.5.17-1.5.mga6
lib64389-ds-base-devel-1.3.5.17-1.5.mga6

from 389-ds-base-1.3.5.17-1.5.mga6.src.rpm


Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=11720#c7
https://bugs.mageia.org/show_bug.cgi?id=16928#c7

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)

Comment 5 Lewis Smith 2018-05-14 16:02:15 CEST
Testing M6/64

BEFORE update
I have a problem with this. With the software already installed,
 # systemctl start dirsrv@localhost
did not work
 # systemctl status dirsrv@localhost
showed 'failure to start'. I un-installed, then re-installed and re-initialised the packages as in the cited procedures. Note that first you have to clean out:
"Error: the server already exists at '/etc/dirsrv/slapd-localhost'
Please remove it first if you really want to recreate it,"
 # rm -rf /etc/dirsrv/slapd-localhost

The result then worked as prescribed; also the test output.
-----------------------------------------------------------
AFTER applying the update, re-starting the service failed as before, even after a re-boot. I un-installed the 3 pkgs again, and directly from Updates Testing re-installed them:
 lib64389-ds-base0-1.3.5.17-1.5.mga6
 389-ds-base-1.3.5.17-1.5.mga6
 389-ds-base-snmp-1.3.5.17-1.5.mga6
and re-ran
 # rm -rf /etc/dirsrv/slapd-localhost
 # setup-ds.pl
 # systemctl start dirsrv@localhost
 # systemctl status dirsrv@localhost
which all worked OK. As was the prescribed test output from:
 # netstat -pant | grep 389
tcp6       0      0 :::389                  :::*                    LISTEN      14327/ns-slapd      

 # ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
dn:
objectClass: top
defaultnamingcontext: dc=localdomain
dataversion: 020180514131125
netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

I stopped & [re]started the service, it worked OK.
Since the failure to start the service on my system was already there, this update looks OK.
----------------
To cross-check, I disabled Updates Testing, and downgraded the three pkgs.
 # systemctl stop dirsrv@localhost
 # urpmi --downgrade 389-ds-base 389-ds-base-snmp lib64389-ds-base0
then ensured that the old version (1.4) worked - which it did:
 # systemctl start dirsrv@localhost
 # systemctl status dirsrv@localhost
 # netstat -pant | grep 389
 # ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
then re-enabled Updates Testing, and re-updated them to 1.3.5.17-1.5
 # systemctl restart dirsrv@localhost
 # systemctl status dirsrv@localhost
 # netstat -pant | grep 389
 # ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
which is all correct and how it should have been in the first place!

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
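
The two checks used in this report, scripted as an added example (not part of the original bug thread or of the Mageia QA procedure): confirm that every installed 389-ds-base package is at or above the fixed version-release listed in comment 4, and confirm that the root DSE search returned success. The function names are hypothetical, and the version comparison uses GNU `sort -V` as an approximation of rpm's ordering.

```shell
#!/bin/sh
# Added example: not from the Mageia bug report. Function names are hypothetical.
FIXED_EVR="1.3.5.17-1.5.mga6"   # fixed version-release from comment 4

# evr_at_least A B: succeed when version string A >= B.
# Assumption: GNU sort -V ordering is close enough to rpm's for these strings.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# unpatched_packages: read "name version-release" lines on stdin, e.g. from
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
#       389-ds-base 389-ds-base-snmp lib64389-ds-base0
# and print the names of packages still below FIXED_EVR.
unpatched_packages() {
    while read -r name evr; do
        [ -n "$name" ] || continue
        evr_at_least "$evr" "$FIXED_EVR" || printf '%s\n' "$name"
    done
}

# rootdse_ok: read ldapsearch output on stdin, e.g. from
#   ldapsearch -x -h localhost -s base -b "" "objectclass=*"
# and succeed only if the search reported "result: 0 Success"
# and returned at least one entry.
rootdse_ok() {
    awk '/^result: 0 Success/ { ok = 1 }
         /^# numEntries: /    { n = $3 }
         END { exit !(ok && n >= 1) }'
}
```

An empty result from `unpatched_packages` together with a zero exit status from `rootdse_ok` corresponds to the state validated as MGA6-64-OK above.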

Comment 6 Mageia Robot 2018-05-16 10:26:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0245.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

