From ddbe3c8fef93364581c9b189c49e125856d49505 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Nov 13 2019 17:34:54 +0000
Subject: Issue 50716 - CVE-2019-14824 (BZ#1748199) - deref plugin displays restricted attributes
Bug Description: If there is an ACI that allows "search" access to an attribute, the deref plugin access control checks sees this is a "read" privilege and returns the attribute's value.
Fix description: For deref plugin we are only concerned with "read" access, not "search" access. Removed the SLAPI_ACL_SEARCH right flag when checking access for an attribute.
relates: https://pagure.io/389-ds-base/issue/50716
Reviewed by: lkrispen & tbordaz(Thanks!)
---
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index cb5ebb8..ec1884b 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -573,7 +573,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
 Slapi_Entry **entries = NULL;
 int rc;
 
- /* If the access check on the attributes is done without retrieveing the entry
+ /* If the access check on the attributes is done without retrieving the entry
 * it cannot handle acis which need teh entry, eg to apply a targetfilter rule
 * So the determination of attrs which can be dereferenced is delayed
 */
@@ -596,7 +596,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
 int ii;
 int needattrvals = 1; /* need attrvals sequence? */
 if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
+ SLAPI_ACL_READ)) {
 slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
 "deref_do_deref_attr - The client does not have permission to read the requested "
 "attributes in entry %s\n",
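Review bot: The access check in `deref_do_deref_attr` (the `@@ -596` hunk) now passes a bare `SLAPI_ACL_READ` with nothing at the call site saying why search is excluded, and the same is true of the matching call in `deref_pre_entry` (the `@@ -714` hunk). Per the commit description, an ACI granting only search access is what disclosed values before this fix, so a later edit that re-adds `SLAPI_ACL_SEARCH` at either site would quietly reopen CVE-2019-14824. I would add above each call a comment such as `/* READ only: search access alone must not return values through deref (CVE-2019-14824) */`. Both functions begin and end outside the hunks shown.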
@@ -714,7 +714,7 @@ deref_pre_entry(Slapi_PBlock *pb)
 attrs[1] = NULL;
 
 if (deref_check_access(pb, ent, NULL, attrs, &retattrs,
- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
+ SLAPI_ACL_READ)) {
 slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
 "deref_pre_entry - The client does not have permission to read attribute %s in entry %s\n",
 spec->derefattr, slapi_entry_get_dn_const(ent));
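Review bot: No regression test for the READ-only check at this `deref_check_access` call in `deref_pre_entry`, or at the one in `deref_do_deref_attr`, is visible in this patch, which as shown touches only `deref.c`. A test that configures an ACI granting search but not read on an attribute, and asserts that the deref control returns no value for it, would pin the fixed behaviour at both call sites. `deref_pre_entry` continues outside the hunk, so what follows the denial log is not visible here.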