openSUSE:Leap:42.3:Update
File 0006-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch of Package 389-ds
From 3f14747946660d0738fe7019216f00fe08507795 Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz <lkrispen@redhat.com> Date: Thu, 4 Aug 2016 11:45:49 -0700 Subject: [PATCH 06/14] Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc. Description: do not overwrite rc used to decide if bind was successful. When the bind is through ldapi/autobind, an entry does not exist to be checked with slapi_check_account_lock. In that case, a variable rc is not supposed to be modified which confuses the following code path. Reviewed by nhosoi@redhat.com. (cherry picked from commit caa351ae0cc81cbf2309a43c5f74b359cda152d0) --- ldap/servers/slapd/bind.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index 8f5375a6d..399eaf7d3 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -775,10 +775,12 @@ do_bind( Slapi_PBlock *pb ) */ if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); - rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1); - if (1 == rc) { /* account is locked */ + myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1); + if (1 == myrc) { /* account is locked */ + rc = myrc; goto account_locked; } + myrc = 0; } if (!auto_bind) { /* -- 2.15.1
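Review bot: in the `if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA))` block of do_bind, only a return of 1 from slapi_check_account_lock is acted on; every other value is now discarded by `myrc = 0;`, where it previously landed in `rc`. That matches the intent in the description (rc carries the bind result and must survive this call), but nothing at the call site says so. Please add a short comment above `myrc = slapi_check_account_lock(...)` stating that `rc` holds the bind outcome and that only the locked case may replace it, so a later cleanup does not fold the two variables back together. Two smaller points: `myrc` is not declared in this hunk, so it appears to be an existing scratch variable in do_bind that needs the trailing reset; a dedicated local (for example a lock-status variable scoped to this block) would remove the need for `myrc = 0;`. Also, the description says that under ldapi/autobind the entry does not exist, yet `bind_target_entry` from get_entry is still passed to slapi_check_account_lock unchecked; consider skipping the call, or documenting that the callee tolerates a NULL entry.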