Fix CVE-2023-4727

(cherry picked from commit b46cfc39d739d796eac52be667e29cea5c196fbb)

backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch

@@ -0,0 +1,60 @@
+From aa7161ba378caf5cf0471aafb679a842679c8388 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Mon, 11 Sep 2023 15:40:32 -0500
+Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
+
+Previously the LDAPSecurityDomainSessionTable.sessionExists()
+and getStringValue() were using user-provided session ID as
+is in an LDAP filter which could be exploited to bypass token
+authentication.
+
+To fix the problem the code has been modified to escape all
+special characters in the session ID before using it in the
+LDAP filter.
+
+Resolves: CVE-2023-4727
+---
+ .../session/LDAPSecurityDomainSessionTable.java     | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+index 1783823..fa03c99 100644
+--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
++++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+@@ -31,6 +31,7 @@ import com.netscape.cmscore.apps.EngineConfig;
+ import com.netscape.cmscore.ldapconn.LDAPConfig;
+ import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
+ import com.netscape.cmscore.ldapconn.PKISocketConfig;
++import com.netscape.cmsutil.ldap.LDAPUtil;
+ 
+ import netscape.ldap.LDAPAttribute;
+ import netscape.ldap.LDAPAttributeSet;
+@@ -179,7 +180,11 @@ public class LDAPSecurityDomainSessionTable
+         try {
+             String basedn = ldapConfig.getBaseDN();
+             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+-            String filter = "(cn=" + sessionId + ")";
++
++            // CVE-2023-4727
++            // escape session ID in LDAP search filter
++            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+             String[] attrs = { "cn" };
+ 
+             conn = mLdapConnFactory.getConn();
+@@ -262,7 +267,11 @@ public class LDAPSecurityDomainSessionTable
+         try {
+             String basedn = ldapConfig.getBaseDN();
+             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+-            String filter = "(cn=" + sessionId + ")";
++
++            // CVE-2023-4727
++            // escape session ID in LDAP search filter
++            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+             String[] attrs = { attr };
+ 
+             conn = mLdapConnFactory.getConn();
+-- 
+2.33.0
+

pki-core.spec

@@ -3,7 +3,7 @@
 
 Name:                pki-core
 Version:             11.0.0
-Release:             7
+Release:             8
 Summary:             The PKI Core Package
 License:             GPLv2 and LGPLv2
 URL:                 http://www.dogtagpki.org/
@@ -11,6 +11,7 @@ Source0:             https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%
 Source1:             https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 
 Patch0001: 	0001-Disable-access-to-external-entities-when-parsing-XML.patch
+Patch3000: 	backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
 
 BuildRequires:       make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
 BuildRequires:       ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
@@ -456,6 +457,9 @@ fi
 %endif
 
 %changelog
+* Sun Oct 13 2024 liningjie <liningjie@xfusion.com> - 11.0.0-8
+- Fix CVE-2023-4727
+
 * Thu Apr 11 2024 liyanan <liyanan61@h-partners.com> - 11.0.0-7
 - Replace unrecognized macros