[Freeipa-devel] [PATCH] FreeIPA 4.1.4 release and fixes for CVE-2015-1827 and CVE-2015-0283
Alexander Bokovoy
abokovoy at redhat.com
Thu Mar 26 13:20:12 UTC 2015
Hi,
I've released slapi-nis 0.54.2 this morning as a fix for CVE-2015-0283,
packages are built for Fedora and RHEL7.1. However, to complete the
cycle, we need to release FreeIPA 4.1.4 to fix CVE-2015-1827.
Both CVEs are for processing of group membership when dealing with users
from trusted AD domains. Fix in FreeIPA is in extdom plugin which is in
use by sssd 1.12.x, while slapi-nis fix is for legacy clients.
We need to commit attached patches to FreeIPA and make a release of
FreeIPA 4.1.4 today. Then I can do Fedora builds and a combined update
push for slapi-nis+freeipa packages in Fedora.
Patch 1 is actual CVE-2015-1827 fix.
Patch 2 is to remove wrong values from Makefile.am files that actually
prevent regenerating Makefiles in daemons/ subdirectory, causing
non-working RHEL build. We fixed 4.1.0 base with this patch in RHEL and
we just need to bring upstream in sync with downstream on this.
Patch 3 raises requirement of slapi-nis to the fixed version.
--
/ Alexander Bokovoy
-------------- next part --------------
From 175a63357354ae3b4c04fa9cbef0cbe6084f0bee Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Wed, 25 Feb 2015 10:28:22 +0100
Subject: [PATCH 1/3] extdom: fix wrong realloc size
---
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 47bcb17..686128e 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -386,7 +386,7 @@ static int get_user_grouplist(const char *name, gid_t gid,
ret = getgrouplist(name, gid, groups, &ngroups);
if (ret == -1) {
- new_groups = realloc(groups, ngroups);
+ new_groups = realloc(groups, ngroups * sizeof(gid_t));
if (new_groups == NULL) {
free(groups);
return LDAP_OPERATIONS_ERROR;
--
2.1.0
-------------- next part --------------
From 3811fee25fff1074e39cf541a5fa0c411255e9f4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 18 Mar 2015 17:09:06 +0000
Subject: [PATCH 2/3] fix Makefile.am for daemons
---
daemons/Makefile.am | 2 +-
daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 -
4 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/daemons/Makefile.am b/daemons/Makefile.am
index 956f399..f919429 100644
--- a/daemons/Makefile.am
+++ b/daemons/Makefile.am
@@ -1,6 +1,6 @@
# This file will be processed with automake-1.7 to create Makefile.in
#
-AUTOMAKE_OPTIONS = 1.7
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
NULL =
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
index 8e35cdb..fba5b08 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
@@ -6,7 +6,6 @@ AM_CPPFLAGS = \
-I. \
-I$(srcdir) \
-I$(PLUGIN_COMMON_DIR) \
- -I$(COMMON_BER_DIR) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index a167981..8ee26a7 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -7,7 +7,6 @@ AM_CPPFLAGS = \
-I$(srcdir) \
-I$(PLUGIN_COMMON_DIR) \
-I$(KRB5_UTIL_DIR) \
- -I$(COMMON_BER_DIR) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index 1ab6c67..078ff9c 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -14,7 +14,6 @@ AM_CPPFLAGS = \
-I$(PLUGIN_COMMON_DIR) \
-I$(KRB5_UTIL_DIR) \
-I$(ASN1_UTIL_DIR) \
- -I$(COMMON_BER_DIR) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
--
2.1.0
-------------- next part --------------
From ab679d2d95ec8105f8c32159f4ef4b22a2e9feac Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 26 Mar 2015 14:59:03 +0200
Subject: [PATCH 3/3] slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
---
freeipa.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index cb104f4..1a444dc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -129,7 +129,7 @@ Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.54.1-1
+Requires: slapi-nis >= 0.54.2-1
%if (0%{?fedora} <= 20 || 0%{?rhel})
# pki-ca 10.1.2-4 contains patches required by FreeIPA 4.1
# The goal is to lower the requirement of pki-ca in Fedora 20
--
2.1.0
More information about the Freeipa-devel
mailing list