1 |
lxnay 12/10/02 20:23:36 |
2 |
|
3 |
Added: 389-ds-base-1.2.11.16-cve-2012-4450.patch |
4 |
389-ds-base-1.2.11-fix-mozldap.patch |
5 |
Log: |
6 |
version bump, closes #405127, #428178, #436768 |
7 |
|
8 |
(Portage version: 2.2.0_alpha123/cvs/Linux x86_64) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: 389-ds-base-1.2.11.16-cve-2012-4450.patch |
17 |
=================================================================== |
18 |
From 5beb93d42efb807838c09c5fab898876876f8d09 Mon Sep 17 00:00:00 2001 |
19 |
From: Noriko Hosoi <nhosoi@×××××××××××××××××××××.com> |
20 |
Date: Fri, 21 Sep 2012 19:35:18 +0000 |
21 |
Subject: Trac Ticket #340 - Change on SLAPI_MODRDN_NEWSUPERIOR is not |
22 |
|
23 |
evaluated in acl |
24 |
|
25 |
https://fedorahosted.org/389/ticket/340 |
26 |
|
27 |
Bug Description: When modrdn operation was executed, only newrdn |
28 |
change was passed to the acl plugin. Also, the change was used |
29 |
only for the acl search, but not for the acl target in the items |
30 |
in the acl cache. |
31 |
|
32 |
Fix Description: This patch also passes the newsuperior update |
33 |
to the acl plugin. And the modrdn updates are applied to the |
34 |
acl target in the acl cache. |
35 |
--- |
36 |
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c |
37 |
index 15e474e..3389404 100644 |
38 |
--- a/ldap/servers/plugins/acl/acl.c |
39 |
+++ b/ldap/servers/plugins/acl/acl.c |
40 |
@@ -170,9 +170,9 @@ acl_access_allowed_modrdn( |
41 |
* Test if have access to make the first rdn of dn in entry e. |
42 |
*/ |
43 |
|
44 |
-static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn, |
45 |
- int access) { |
46 |
- |
47 |
+static int |
48 |
+check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn, int access) |
49 |
+{ |
50 |
char **dns; |
51 |
char **rdns; |
52 |
int retCode = LDAP_INSUFFICIENT_ACCESS; |
53 |
@@ -655,7 +655,8 @@ cleanup_and_ret: |
54 |
|
55 |
} |
56 |
|
57 |
-static void print_access_control_summary( char *source, int ret_val, char *clientDn, |
58 |
+static void |
59 |
+print_access_control_summary( char *source, int ret_val, char *clientDn, |
60 |
struct acl_pblock *aclpb, |
61 |
char *right, |
62 |
char *attr, |
63 |
@@ -1524,11 +1525,12 @@ acl_check_mods( |
64 |
* |
65 |
**************************************************************************/ |
66 |
extern void |
67 |
-acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change) |
68 |
+acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change) |
69 |
{ |
70 |
struct berval **bvalue; |
71 |
char **value; |
72 |
int rv=0; /* returned value */ |
73 |
+ const char* n_dn; |
74 |
char* new_RDN; |
75 |
char* parent_DN; |
76 |
char* new_DN; |
77 |
@@ -1537,10 +1539,12 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change) |
78 |
int j; |
79 |
Slapi_Attr *attr = NULL; |
80 |
Slapi_Entry *e = NULL; |
81 |
- Slapi_DN *e_sdn; |
82 |
aclUserGroup *ugroup = NULL; |
83 |
|
84 |
- e_sdn = slapi_sdn_new_normdn_byval ( n_dn ); |
85 |
+ if (NULL == e_sdn) { |
86 |
+ return; |
87 |
+ } |
88 |
+ n_dn = slapi_sdn_get_dn(e_sdn); |
89 |
/* Before we proceed, Let's first check if we are changing any groups. |
90 |
** If we are, then we need to change the signature |
91 |
*/ |
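Review bot: `n_dn = slapi_sdn_get_dn(e_sdn);` gives the rest of acl_modified a different string form than before, because the old caller in plugin_acl.c passed `slapi_sdn_get_ndn(sdn)` (assuming acl_modified is what `plg_acl_mods_update` points at), so `n_dn` used to be the case-normalized DN. The body continues outside this hunk, and `aclg_find_userGroup` is retyped for this value in the same commit; if any such use compares `n_dn` case-sensitively against cached normalized DNs, a modified group could be missed and its cached membership left stale for later access decisions. Unless the mixed-case form is wanted, keep the old semantics with `n_dn = slapi_sdn_get_ndn(e_sdn);`. The early `return` on a NULL `e_sdn` is also silent; a `SLAPI_LOG_ACL` message there would make a skipped cache update visible.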
92 |
@@ -1768,45 +1772,64 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change) |
93 |
} |
94 |
|
95 |
break; |
96 |
- }/* case op is modify*/ |
97 |
+ }/* case op is modify*/ |
98 |
|
99 |
- case SLAPI_OPERATION_MODRDN: |
100 |
- |
101 |
- new_RDN = (char*) change; |
102 |
- slapi_log_error (SLAPI_LOG_ACL, plugin_name, |
103 |
- "acl_modified (MODRDN %s => \"%s\"\n", |
104 |
- n_dn, new_RDN); |
105 |
+ case SLAPI_OPERATION_MODRDN: |
106 |
+ { |
107 |
+ char **rdn_parent; |
108 |
+ rdn_parent = (char **)change; |
109 |
+ new_RDN = rdn_parent[0]; |
110 |
+ parent_DN = rdn_parent[1]; |
111 |
|
112 |
/* compute new_DN: */ |
113 |
- parent_DN = slapi_dn_parent (n_dn); |
114 |
- if (parent_DN == NULL) { |
115 |
- new_DN = new_RDN; |
116 |
+ if (NULL == parent_DN) { |
117 |
+ parent_DN = slapi_dn_parent(n_dn); |
118 |
+ } |
119 |
+ if (NULL == parent_DN) { |
120 |
+ if (NULL == new_RDN) { |
121 |
+ slapi_log_error (SLAPI_LOG_ACL, plugin_name, |
122 |
+ "acl_modified (MODRDN %s => \"no change\"\n", |
123 |
+ n_dn); |
124 |
+ break; |
125 |
+ } else { |
126 |
+ new_DN = new_RDN; |
127 |
+ } |
128 |
} else { |
129 |
- new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN); |
130 |
+ if (NULL == new_RDN) { |
131 |
+ Slapi_RDN *rdn= slapi_rdn_new(); |
132 |
+ slapi_sdn_get_rdn(e_sdn, rdn); |
133 |
+ new_DN = slapi_create_dn_string("%s,%s", slapi_rdn_get_rdn(rdn), |
134 |
+ parent_DN); |
135 |
+ slapi_rdn_free(&rdn); |
136 |
+ } else { |
137 |
+ new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN); |
138 |
+ } |
139 |
} |
140 |
+ slapi_log_error (SLAPI_LOG_ACL, plugin_name, |
141 |
+ "acl_modified (MODRDN %s => \"%s\"\n", n_dn, new_RDN); |
142 |
|
143 |
/* Change the acls */ |
144 |
- acllist_acicache_WRITE_LOCK(); |
145 |
+ acllist_acicache_WRITE_LOCK(); |
146 |
/* acllist_moddn_aci_needsLock expects normalized new_DN, |
147 |
* which is no need to be case-ignored */ |
148 |
acllist_moddn_aci_needsLock ( e_sdn, new_DN ); |
149 |
acllist_acicache_WRITE_UNLOCK(); |
150 |
|
151 |
/* deallocat the parent_DN */ |
152 |
- if (parent_DN != NULL) { |
153 |
- slapi_ch_free ( (void **) &new_DN ); |
154 |
- slapi_ch_free ( (void **) &parent_DN ); |
155 |
+ if (parent_DN != NULL) { |
156 |
+ slapi_ch_free_string(&new_DN); |
157 |
+ if (parent_DN != rdn_parent[1]) { |
158 |
+ slapi_ch_free_string(&parent_DN); |
159 |
+ } |
160 |
} |
161 |
break; |
162 |
- |
163 |
- default: |
164 |
+ } /* case op is modrdn */ |
165 |
+ default: |
166 |
/* print ERROR */ |
167 |
break; |
168 |
} /*optype switch */ |
169 |
- |
170 |
- slapi_sdn_free ( &e_sdn ); |
171 |
- |
172 |
} |
173 |
+ |
174 |
/*************************************************************************** |
175 |
* |
176 |
* acl__scan_for_acis |
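Review bot: The relocated log call prints `new_RDN` with `%s` after the branch that handles `NULL == new_RDN` with a non-NULL `parent_DN` (a move that changes only the superior), so a NULL pointer reaches the format; log the computed DN instead, `"acl_modified (MODRDN %s => \"%s\"\n", n_dn, new_DN);`. `new_DN` is then passed to `acllist_moddn_aci_needsLock` unchecked, and whether `slapi_create_dn_string` can return NULL for a malformed DN is not visible here, so a NULL check before taking the write lock may be needed. `change` is now read as a two-element `char *` array (`[0]` new RDN, `[1]` new superior) without a NULL check on `change` itself; a comment above the `case` stating that layout would help, since the parameter is still `void *`.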
177 |
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h |
178 |
index 4fa3e3f..28c38e7 100644 |
179 |
--- a/ldap/servers/plugins/acl/acl.h |
180 |
+++ b/ldap/servers/plugins/acl/acl.h |
181 |
@@ -796,7 +796,8 @@ int acl_read_access_allowed_on_attr ( Slapi_PBlock *pb, Slapi_Entry *e, char |
182 |
struct berval *val, int access); |
183 |
void acl_set_acllist (Slapi_PBlock *pb, int scope, char *base); |
184 |
void acl_gen_err_msg(int access, char *edn, char *attr, char **errbuf); |
185 |
-void acl_modified ( Slapi_PBlock *pb, int optype, char *dn, void *change); |
186 |
+void acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change); |
187 |
+ |
188 |
int acl_access_allowed_disjoint_resource( Slapi_PBlock *pb, Slapi_Entry *e, |
189 |
char *attr, struct berval *val, int access ); |
190 |
int acl_access_allowed_main ( Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, |
191 |
@@ -866,7 +867,7 @@ void acllist_print_tree ( Avlnode *root, int *depth, char *start, char *side); |
192 |
AciContainer *acllist_get_aciContainer_new ( ); |
193 |
void acllist_done_aciContainer ( AciContainer *); |
194 |
|
195 |
-aclUserGroup* aclg_find_userGroup (char *n_dn); |
196 |
+aclUserGroup* aclg_find_userGroup (const char *n_dn); |
197 |
void aclg_regen_ugroup_signature( aclUserGroup *ugroup); |
198 |
void aclg_markUgroupForRemoval ( aclUserGroup *u_group ); |
199 |
void aclg_reader_incr_ugroup_refcnt(aclUserGroup* u_group); |
200 |
diff --git a/ldap/servers/plugins/acl/aclgroup.c b/ldap/servers/plugins/acl/aclgroup.c |
201 |
index c694293..2231304 100644 |
202 |
--- a/ldap/servers/plugins/acl/aclgroup.c |
203 |
+++ b/ldap/servers/plugins/acl/aclgroup.c |
204 |
@@ -213,7 +213,7 @@ aclg_reset_userGroup ( struct acl_pblock *aclpb ) |
205 |
*/ |
206 |
|
207 |
aclUserGroup* |
208 |
-aclg_find_userGroup(char *n_dn) |
209 |
+aclg_find_userGroup(const char *n_dn) |
210 |
{ |
211 |
aclUserGroup *u_group = NULL; |
212 |
int i; |
213 |
diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c |
214 |
index 9b5363a..e8198af 100644 |
215 |
--- a/ldap/servers/plugins/acl/acllist.c |
216 |
+++ b/ldap/servers/plugins/acl/acllist.c |
217 |
@@ -600,7 +600,6 @@ void |
218 |
acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base) |
219 |
{ |
220 |
Acl_PBlock *aclpb; |
221 |
- int i; |
222 |
AciContainer *root; |
223 |
char *basedn = NULL; |
224 |
int index; |
225 |
@@ -671,11 +670,6 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base) |
226 |
aclpb->aclpb_state &= ~ACLPB_SEARCH_BASED_ON_LIST ; |
227 |
|
228 |
acllist_acicache_READ_UNLOCK(); |
229 |
- |
230 |
- i = 0; |
231 |
- while ( i < aclpb_max_selected_acls && aclpb->aclpb_base_handles_index[i] != -1 ) { |
232 |
- i++; |
233 |
- } |
234 |
} |
235 |
|
236 |
/* |
237 |
@@ -893,34 +887,50 @@ acllist_acicache_WRITE_LOCK( ) |
238 |
int |
239 |
acllist_moddn_aci_needsLock ( Slapi_DN *oldsdn, char *newdn ) |
240 |
{ |
241 |
- |
242 |
- |
243 |
AciContainer *aciListHead; |
244 |
AciContainer *head; |
245 |
+ aci_t *acip; |
246 |
+ const char *oldndn; |
247 |
|
248 |
/* first get the container */ |
249 |
|
250 |
aciListHead = acllist_get_aciContainer_new ( ); |
251 |
slapi_sdn_free(&aciListHead->acic_sdn); |
252 |
- aciListHead->acic_sdn = oldsdn; |
253 |
- |
254 |
+ aciListHead->acic_sdn = oldsdn; |
255 |
|
256 |
if ( NULL == (head = (AciContainer *) avl_find( acllistRoot, aciListHead, |
257 |
- (IFP) __acllist_aciContainer_node_cmp ) ) ) { |
258 |
+ (IFP) __acllist_aciContainer_node_cmp ) ) ) { |
259 |
|
260 |
slapi_log_error ( SLAPI_PLUGIN_ACL, plugin_name, |
261 |
- "Can't find the acl in the tree for moddn operation:olddn%s\n", |
262 |
- slapi_sdn_get_ndn ( oldsdn )); |
263 |
+ "Can't find the acl in the tree for moddn operation:olddn%s\n", |
264 |
+ slapi_sdn_get_ndn ( oldsdn )); |
265 |
aciListHead->acic_sdn = NULL; |
266 |
__acllist_free_aciContainer ( &aciListHead ); |
267 |
- return 1; |
268 |
+ return 1; |
269 |
} |
270 |
|
271 |
- |
272 |
- /* Now set the new DN */ |
273 |
- slapi_sdn_done ( head->acic_sdn ); |
274 |
- slapi_sdn_set_normdn_byval ( head->acic_sdn, newdn ); |
275 |
- |
276 |
+ /* Now set the new DN */ |
277 |
+ slapi_sdn_set_normdn_byval(head->acic_sdn, newdn); |
278 |
+ |
279 |
+ /* If necessary, reset the target DNs, as well. */ |
280 |
+ oldndn = slapi_sdn_get_ndn(oldsdn); |
281 |
+ for (acip = head->acic_list; acip; acip = acip->aci_next) { |
282 |
+ const char *ndn = slapi_sdn_get_ndn(acip->aci_sdn); |
283 |
+ char *p = PL_strstr(ndn, oldndn); |
284 |
+ if (p) { |
285 |
+ if (p == ndn) { |
286 |
+ /* target dn is identical, replace it with new DN*/ |
287 |
+ slapi_sdn_set_normdn_byval(acip->aci_sdn, newdn); |
288 |
+ } else { |
289 |
+ /* target dn is a descendent of olddn, merge it with new DN*/ |
290 |
+ char *mynewdn; |
291 |
+ *p = '\0'; |
292 |
+ mynewdn = slapi_ch_smprintf("%s%s", ndn, newdn); |
293 |
+ slapi_sdn_set_normdn_passin(acip->aci_sdn, mynewdn); |
294 |
+ } |
295 |
+ } |
296 |
+ } |
297 |
+ |
298 |
aciListHead->acic_sdn = NULL; |
299 |
__acllist_free_aciContainer ( &aciListHead ); |
300 |
|
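Review bot: The new loop decides which ACI targets to rewrite with `PL_strstr(ndn, oldndn)`, which finds the old DN anywhere in the target string rather than as a suffix on an RDN boundary, and it treats `p == ndn` as "identical" although that only shows the target starts with the old DN. Targets are presumably at or below the entry that holds the ACI, so the hit is normally the suffix, but nothing here enforces it, and a wrong hit truncates the target and re-points the ACI at another subtree. `*p = '\0'` also writes into the buffer that `slapi_sdn_get_ndn()` returns as `const char *`. The sketch below checks suffix-ness first and copies the leading RDNs instead; it assumes `slapi_sdn_issuffix()` enforces the RDN boundary, which should be confirmed, and `newdn` is still used unchecked. The function's return lies outside the hunk.

```c
    /* If necessary, reset the target DNs, as well. */
    oldndn = slapi_sdn_get_ndn(oldsdn);
    for (acip = head->acic_list; acip; acip = acip->aci_next) {
        const char *ndn;
        size_t keep;

        /* Rewrite only targets at or below olddn; a substring hit
         * elsewhere in the DN is not a rename of this target. */
        if (!slapi_sdn_issuffix(acip->aci_sdn, oldsdn)) {
            continue;
        }
        ndn = slapi_sdn_get_ndn(acip->aci_sdn);
        keep = strlen(ndn) - strlen(oldndn);
        if (0 == keep) {
            /* target dn is identical, replace it with new DN */
            slapi_sdn_set_normdn_byval(acip->aci_sdn, newdn);
        } else {
            /* target dn is a descendent of olddn: copy the leading RDNs
             * instead of truncating the sdn's own buffer in place */
            char *mynewdn = slapi_ch_smprintf("%.*s%s", (int)keep, ndn, newdn);
            slapi_sdn_set_normdn_passin(acip->aci_sdn, mynewdn);
        }
    }
    /* … unchanged: aciListHead cleanup … */
```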
301 |
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c |
302 |
index 11e56a9..b79d0f2 100644 |
303 |
--- a/ldap/servers/slapd/dn.c |
304 |
+++ b/ldap/servers/slapd/dn.c |
305 |
@@ -2097,7 +2097,7 @@ slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *normdn) |
306 |
slapi_sdn_done(sdn); |
307 |
sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN); |
308 |
if(normdn == NULL) { |
309 |
- sdn->dn = slapi_ch_strdup(normdn); |
310 |
+ sdn->dn = NULL; |
311 |
sdn->ndn_len = 0; |
312 |
} else { |
313 |
sdn->dn = slapi_ch_strdup(normdn); |
314 |
diff --git a/ldap/servers/slapd/plugin_acl.c b/ldap/servers/slapd/plugin_acl.c |
315 |
index b878156..3bc3f21 100644 |
316 |
--- a/ldap/servers/slapd/plugin_acl.c |
317 |
+++ b/ldap/servers/slapd/plugin_acl.c |
318 |
@@ -134,11 +134,10 @@ int |
319 |
plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) |
320 |
{ |
321 |
struct slapdplugin *p; |
322 |
- char *dn; |
323 |
int rc = 0; |
324 |
- void *change = NULL; |
325 |
- Slapi_Entry *te = NULL; |
326 |
- Slapi_DN *sdn = NULL; |
327 |
+ void *change = NULL; |
328 |
+ Slapi_Entry *te = NULL; |
329 |
+ Slapi_DN *sdn = NULL; |
330 |
Operation *operation; |
331 |
|
332 |
slapi_pblock_get (pb, SLAPI_OPERATION, &operation); |
333 |
@@ -146,7 +145,7 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) |
334 |
(void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn ); |
335 |
|
336 |
switch ( optype ) { |
337 |
- case SLAPI_OPERATION_MODIFY: |
338 |
+ case SLAPI_OPERATION_MODIFY: |
339 |
(void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change ); |
340 |
break; |
341 |
case SLAPI_OPERATION_ADD: |
342 |
@@ -158,11 +157,27 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) |
343 |
} |
344 |
break; |
345 |
case SLAPI_OPERATION_MODRDN: |
346 |
+ { |
347 |
+ void *mychange[2]; |
348 |
+ char *newrdn = NULL; |
349 |
+ Slapi_DN *psdn = NULL; |
350 |
+ char *pdn = NULL; |
351 |
+ |
352 |
/* newrdn: "change" is normalized but not case-ignored */ |
353 |
/* The acl plugin expects normalized newrdn, but no need to be case- |
354 |
* ignored. */ |
355 |
- (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change ); |
356 |
+ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn ); |
357 |
+ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &psdn ); |
358 |
+ if (psdn) { |
359 |
+ pdn = (char *)slapi_sdn_get_dn(psdn); |
360 |
+ } else { |
361 |
+ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &pdn ); |
362 |
+ } |
363 |
+ mychange[0] = newrdn; |
364 |
+ mychange[1] = pdn; |
365 |
+ change = mychange; |
366 |
break; |
367 |
+ } |
368 |
} |
369 |
|
370 |
if (NULL == sdn) { |
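Review bot: `change = mychange;` keeps the address of an array declared inside the braces of `case SLAPI_OPERATION_MODRDN`, but `change` is only consumed after the switch, in the plugin loop shown in the next hunk, by which point the array's lifetime has ended and the read is undefined behaviour. Move the declaration to function scope next to `change`: `void *mychange[2] = {NULL, NULL};`. The `(char *)` cast on `slapi_sdn_get_dn(psdn)` also drops `const` from a string the Slapi_DN owns; since the consumer only reads it, a `const char *pdn` would state that. The function begins and ends outside this hunk.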
371 |
@@ -172,10 +187,9 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) |
372 |
} |
373 |
|
374 |
/* call the global plugins first and then the backend specific */ |
375 |
- dn = (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */ |
376 |
for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) { |
377 |
if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){ |
378 |
- rc = (*p->plg_acl_mods_update)(pb, optype, dn, change ); |
379 |
+ rc = (*p->plg_acl_mods_update)(pb, optype, sdn, change ); |
380 |
if ( rc != LDAP_SUCCESS ) break; |
381 |
} |
382 |
} |
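Review bot: The third argument of `plg_acl_mods_update` changes here from a `char *` DN to a `Slapi_DN *`, and for MODRDN `change` changes from a string to a two-pointer array, yet no update to the callback's declared type is visible in this patch. If that member is an unprototyped function pointer, the compiler cannot flag an ACL plugin still built against the old signature, which would then read a `Slapi_DN` as a C string. A comment at the call would record the contract, e.g. `/* sdn: target Slapi_DN (not a char *); for MODRDN, change is char *[2] = { newrdn, newsuperior } */`. The function's end is outside the hunk.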
383 |
-- |
384 |
cgit v0.9.0.2 |
385 |
|
386 |
|
387 |
|
388 |
1.1 net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch |
389 |
|
390 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch?rev=1.1&view=markup |
391 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch?rev=1.1&content-type=text/plain |
392 |
|
393 |
Index: 389-ds-base-1.2.11-fix-mozldap.patch |
394 |
=================================================================== |
395 |
commit f5bd0ed47523b39aedb6bcc1f9c0754371159a77 |
396 |
Author: Rich Megginson <rmeggins at redhat.com> |
397 |
Date: Fri Sep 14 09:20:18 2012 -0600 |
398 |
|
399 |
Ticket #461 - fix build problem with mozldap c sdk |
400 |
|
401 |
https://fedorahosted.org/389/ticket/461 |
402 |
Reviewed by: rmeggins |
403 |
Fixed by: cgrzemba |
404 |
Branch: master |
405 |
Fix Description: mozldap does not define LDAP_MOD_OP so define it |
406 |
Platforms tested: RHEL6 x86_64 |
407 |
Flag Day: no |
408 |
Doc impact: no |
409 |
|
410 |
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c |
411 |
index bfd48b1..4736e82 100644 |
412 |
--- a/ldap/servers/slapd/pw.c |
413 |
+++ b/ldap/servers/slapd/pw.c |
414 |
@@ -61,6 +61,9 @@ |
415 |
#if defined( _WIN32 ) |
416 |
#undef LDAPDebug |
417 |
#endif /* _WIN32 */ |
418 |
+#if defined( USE_MOZLDAP ) |
419 |
+#define LDAP_MOD_OP (0x0007) |
420 |
+#endif /* USE_MOZLDAP */ |
421 |
|
422 |
#include "slap.h" |