!123 [sync] PR-122: Fix CVE-2025-2487

From: @openeuler-sync-bot Reviewed-by: @wk333 Signed-off-by: @wk333
Fix CVE-2025-2487
2025-04-01 00:58:24 +00:00 · 2025-03-31 14:08:08 +08:00 · 2025-02-06 11:35:23 +00:00 · 2025-02-06 18:45:15 +08:00 · 2024-11-29 06:15:18 +00:00 · 2024-11-29 11:29:33 +08:00
5 changed files with 334 additions and 2 deletions
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -6,8 +6,8 @@ ExcludeArch:   i686
 Name:          389-ds-base
 Summary:       Base 389 Directory Server
 Version:       3.1.1
-Release:       1
-License:       GPLv3+
+Release:       6
+License:       GPL-3.0-or-later
 URL:           https://www.port389.org
 Source0:       https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2
 Source1:       389-ds-base-git.sh
@ -15,6 +15,11 @@ Source2:       389-ds-base-devel.README

 # Refer: https://github.com/389ds/389-ds-base/pull/5374
 Patch0:        fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch
+Patch1:        remove-where-cockpit_present-is-called.patch
+Patch2:        fix-dsidm-role-subtree-status-fails-with-TypeError.patch
+# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
+Patch3:        CVE-2025-24898.patch
+Patch4:        CVE-2025-2487.patch

 BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
 BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@ -95,6 +100,9 @@ Documentation for 389 Directory Server.
 %prep
 %autosetup -n 389-ds-base-%{version} -p1

+# fix typo
+sed -i 's/sucessfully/successfully/g' src/lib389/lib389/cli_conf/backend.py
+
 cp %{SOURCE2} README.devel

 %build
@ -321,6 +329,21 @@ exit 0
 %{_mandir}/*/*

 %changelog
+* Mon Mar 31 2025 wangkai <13474090681@163.com> - 3.1.1-6
+- Fix CVE-2025-2487
+
+* Thu Feb 06 2025 yaoxin <1024769339@qq.com> - 3.1.1-5
+- Fix CVE-2025-24898
+
+* Fri Nov 29 2024 wangkai <13474090681@163.com> - 3.1.1-4
+- Fix typo sucessfully
+
+* Tue Nov 26 2024 wangkai <13474090681@163.com> - 3.1.1-3
+- Fix dsidm role subtree-status fails with TypeError
+
+* Mon Nov 25 2024 xu_ping <707078654@qq.com> - 3.1.1-2
+- fix name cockpit_present is not defined.
+
 * Thu Aug 01 2024 yaoxin <yao_xin001@hoperun.com> - 3.1.1-1
 - Update to 3.1.1
  * Security fix for CVE-2024-6237,CVE-2024-5953,CVE-2024-3657,CVE-2024-2199
--- a/CVE-2025-2487.patch
+++ b/CVE-2025-2487.patch
@ -0,0 +1,215 @@
+From 7fbd4526c42806826ca1b335c5686b054486e613 Mon Sep 17 00:00:00 2001
+From: Pierre Rogier <progier@redhat.com>
+Date: Thu, 27 Feb 2025 16:36:48 +0100
+Subject: [PATCH] Security fix for CVE-2025-2487
+
+Origin: https://github.com/389ds/389-ds-base/commit/40e752922e6160356399cd07169ec1f76dd7db99
+
+Description:
+A denial of service vulnerability was found in the 389 Directory Server.
+The 389 Directory Server may crash (Null Pointer Exception) after some
+failed rename subtree operations (i.e. MODDN) issued by a user having enough
+privileges to do so.
+
+References:
+- https://access.redhat.com/security/cve/CVE-2025-2487
+- https://bugzilla.redhat.com/show_bug.cgi?id=2353071
+---
+ ldap/servers/slapd/back-ldbm/findentry.c   | 36 +++++++++++++++++-----
+ ldap/servers/slapd/back-ldbm/ldbm_add.c    |  2 ++
+ ldap/servers/slapd/back-ldbm/ldbm_modify.c |  6 ++++
+ ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 13 ++++++--
+ 4 files changed, 48 insertions(+), 9 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/findentry.c b/ldap/servers/slapd/back-ldbm/findentry.c
+index 7bb56ef2c4..907b4367a1 100644
+--- a/ldap/servers/slapd/back-ldbm/findentry.c
+++ b/ldap/servers/slapd/back-ldbm/findentry.c
+@@ -99,6 +99,7 @@ find_entry_internal_dn(
+     int isroot = 0;
+     int op_type;
+     int reverted_entry = 0;
+    int return_err = LDAP_SUCCESS;
+ 
+     /* get the managedsait ldap message control */
+     slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait);
+@@ -121,6 +122,7 @@ find_entry_internal_dn(
+                 if (rc) { /* if check_entry_for_referral returns non-zero, result is sent. */
+                     *rc = FE_RC_SENT_RESULT;
+                 }
+                slapi_set_ldap_result(pb, LDAP_REFERRAL, NULL, NULL, 0, NULL);
+                 return (NULL);
+             }
+         }
+@@ -153,7 +155,12 @@ find_entry_internal_dn(
+         slapi_log_err(SLAPI_LOG_ERR, "find_entry_internal_dn", "Retry count exceeded (%s)\n", slapi_sdn_get_dn(sdn));
+     }
+     if (reverted_entry) {
+        CACHE_RETURN(&inst->inst_cache, &e);
+        slapi_set_ldap_result(pb, LDAP_BUSY, NULL, NULL, 0, NULL);
+         slapi_send_ldap_result(pb, LDAP_BUSY, NULL, "target entry busy because of a canceled operation", 0, NULL);
+        if (rc) {
+            *rc = FE_RC_SENT_RESULT;  /* Result is sent */
+        }
+         return (NULL);
+     }
+     /*
+@@ -179,6 +186,7 @@ find_entry_internal_dn(
+                 if (rc) { /* if check_entry_for_referral returns non-zero, result is sent. */
+                     *rc = FE_RC_SENT_RESULT;
+                 }
+                slapi_set_ldap_result(pb, LDAP_REFERRAL, NULL, NULL, 0, NULL);
+                 return (NULL);
+             }
+             /* else fall through to no such object */
+@@ -189,7 +197,7 @@ find_entry_internal_dn(
+             if (me && !isroot) {
+                 /* If not root, you may not want to reveal it. */
+                 int acl_type = -1;
+-                int return_err = LDAP_NO_SUCH_OBJECT;
+                return_err = LDAP_NO_SUCH_OBJECT;
+                 err = LDAP_SUCCESS;
+                 switch (op_type) {
+                 case SLAPI_OPERATION_ADD:
+@@ -230,18 +238,22 @@ find_entry_internal_dn(
+                      * do not return the "matched" DN.
+                      * Plus, the bind case returns LDAP_INAPPROPRIATE_AUTH.
+                      */
+                    slapi_set_ldap_result(pb, return_err, NULL, NULL, 0, NULL);
+                     slapi_send_ldap_result(pb, return_err, NULL, NULL, 0, NULL);
+                 } else {
+                slapi_set_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
+                     slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT,
+                                            (char *)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL);
+                 }
+             } else {
+                slapi_set_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
+                 slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT,
+                                        (char *)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL);
+             }
+         } else {
+-            slapi_send_ldap_result(pb, (LDAP_INVALID_DN_SYNTAX == err) ? LDAP_INVALID_DN_SYNTAX : LDAP_OPERATIONS_ERROR,
+-                                   (char *)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL);
+            return_err = (LDAP_INVALID_DN_SYNTAX == err) ? LDAP_INVALID_DN_SYNTAX : LDAP_OPERATIONS_ERROR;
+            slapi_set_ldap_result(pb, return_err, NULL, NULL, 0, NULL);
+            slapi_send_ldap_result(pb, return_err, (char *)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL);
+         }
+         if (rc) {
+             *rc = FE_RC_SENT_RESULT;
+@@ -265,13 +277,15 @@ find_entry_internal_uniqueid(
+     backend *be,
+     const char *uniqueid,
+     int lock,
+-    back_txn *txn)
+    back_txn *txn,
+    int *rc)
+ {
+     ldbm_instance *inst = (ldbm_instance *)be->be_instance_info;
+     struct backentry *e;
+     int err;
+     size_t tries = 0;
+     int reverted_entry = 0;
+    int return_err = 0;
+ 
+     while ((tries < LDBM_CACHE_RETRY_COUNT) &&
+            (e = uniqueid2entry(be, uniqueid, txn, &err)) != NULL) {
+@@ -307,12 +321,20 @@ find_entry_internal_uniqueid(
+     }
+ 
+     if (reverted_entry) {
+        slapi_set_ldap_result(pb, LDAP_BUSY, NULL, NULL, 0, NULL);
+         slapi_send_ldap_result(pb, LDAP_BUSY, NULL, "target entry busy because of a canceled operation", 0, NULL);
+        if (rc) {
+            *rc = FE_RC_SENT_RESULT;  /* Result is sent */
+        }
+         return (NULL);
+     } else {
+         /* entry not found */
+-        slapi_send_ldap_result(pb, (0 == err || DBI_RC_NOTFOUND == err) ? LDAP_NO_SUCH_OBJECT : LDAP_OPERATIONS_ERROR, NULL /* matched */, NULL,
+-                               0, NULL);
+        return_err = (0 == err || DBI_RC_NOTFOUND == err) ? LDAP_NO_SUCH_OBJECT : LDAP_OPERATIONS_ERROR;
+        slapi_set_ldap_result(pb, return_err, NULL, NULL, 0, NULL);
+        slapi_send_ldap_result(pb, return_err, NULL /* matched */, NULL, 0, NULL);
+        if (rc) {
+            *rc = FE_RC_SENT_RESULT;  /* Result is sent */
+        }
+     }
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "find_entry_internal_uniqueid", "<= not found; uniqueid = (%s)\n",
+@@ -334,7 +356,7 @@ find_entry_internal(
+     if (addr->uniqueid != NULL) {
+         slapi_log_err(SLAPI_LOG_TRACE, "find_entry_internal", "=> (uniqueid=%s) lock %d\n",
+                       addr->uniqueid, lock);
+-        return (find_entry_internal_uniqueid(pb, be, addr->uniqueid, lock, txn));
+        return (find_entry_internal_uniqueid(pb, be, addr->uniqueid, lock, txn, rc));
+     } else {
+         struct backentry *entry = NULL;
+ 
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
+index 4a5ed025ee..6a41740524 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
+@@ -435,6 +435,8 @@ ldbm_back_add(Slapi_PBlock *pb)
+                     slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_add",
+                                   "find_entry2modify_only returned NULL parententry pdn: %s, uniqueid: %s\n",
+                                   slapi_sdn_get_dn(&parentsdn), addr.uniqueid ? addr.uniqueid : "none");
+                    slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
+                    goto error_return;
+                 }
+                 modify_init(&parent_modify_c, parententry);
+             }
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+index 6c90389f5a..ea49a4c567 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+@@ -177,6 +177,12 @@ modify_update_all(backend *be, Slapi_PBlock *pb, modify_context *mc, back_txn *t
+         slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
+         is_ruv = operation_is_flag_set(operation, OP_FLAG_REPL_RUV);
+     }
+    if (NULL == mc->new_entry) {
+        /* test entry to avoid crashing in id2entry_add_ext */
+        slapi_log_err(SLAPI_LOG_BACKLDBM, "modify_update_all",
+                      "No entry in modify_context ==> operation is aborted.\n");
+        return -1;
+    }
+     /*
+      * Update the ID to Entry index.
+      * Note that id2entry_add replaces the entry, so the Entry ID stays the same.
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+index 78d01fa4e0..066f53ad67 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+@@ -485,8 +485,8 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
+             slapi_pblock_get(pb, SLAPI_TARGET_ADDRESS, &old_addr);
+             e = find_entry2modify(pb, be, old_addr, &txn, &result_sent);
+             if (e == NULL) {
+-                ldap_result_code = -1;
+-                goto error_return; /* error result sent by find_entry2modify() */
+                slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
+                goto error_return; /* error result set and sent by find_entry2modify() */
+             }
+             if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) &&
+                 !is_resurect_operation) {
+@@ -518,6 +518,11 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
+                 oldparent_addr.uniqueid = NULL;
+             }
+             parententry = find_entry2modify_only(pb, be, &oldparent_addr, &txn, &result_sent);
+            if (parententry == NULL) {
+                slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
+                goto error_return; /* error result set and sent by find_entry2modify() */
+            }
+
+             modify_init(&parent_modify_context, parententry);
+ 
+             /* Fetch and lock the new parent of the entry that is moving */
+@@ -528,6 +533,10 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
+                 }
+                 newparententry = find_entry2modify_only(pb, be, newsuperior_addr, &txn, &result_sent);
+                 slapi_ch_free_string(&newsuperior_addr->uniqueid);
+                if (newparententry == NULL) {
+                    slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
+                    goto error_return; /* error result set and sent by find_entry2modify() */
+                }
+                 modify_init(&newparent_modify_context, newparententry);
+             }
+ 
--- a/CVE-2025-24898.patch
+++ b/CVE-2025-24898.patch
--- a/fix-dsidm-role-subtree-status-fails-with-TypeError.patch
+++ b/fix-dsidm-role-subtree-status-fails-with-TypeError.patch
@ -0,0 +1,11 @@
+--- 389-ds-base-3.1.1/src/lib389/lib389/cli_idm/role.py	2024-11-26 14:12:42.805280521 +0800
+++ 389-ds-base-3.1.1/src/lib389/lib389/cli_idm/role.py	2024-11-26 14:13:08.157340335 +0800
+@@ -109,7 +109,7 @@
+     filter = ""
+     scope = ldap.SCOPE_SUBTREE
+ 
+-    role_list = Roles(inst, basedn).filter(filter, scope)
+    role_list = Roles(inst, basedn).filter(filter, scope=scope)
+     if not role_list:
+         raise ValueError(f"No entries were found under {basedn} or the user doesn't have an access")
+ 
--- a/remove-where-cockpit_present-is-called.patch
+++ b/remove-where-cockpit_present-is-called.patch
@ -0,0 +1,47 @@
+From d1f5ab91be74f0c599e619d2ffbf5aa59d389e7c Mon Sep 17 00:00:00 2001
+From: cherry530 <707078654@qq.com>
+Date: Mon, 25 Nov 2024 15:38:27 +0800
+Subject: [PATCH] Remove where cockpit_present is called
+
+Signed-off-by: cherry530 <707078654@qq.com>
+---
+ src/lib389/lib389/cli_ctl/cockpit.py | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/src/lib389/lib389/cli_ctl/cockpit.py b/src/lib389/lib389/cli_ctl/cockpit.py
+index afc7247..13a3eae 100644
+--- a/src/lib389/lib389/cli_ctl/cockpit.py
+++ b/src/lib389/lib389/cli_ctl/cockpit.py
+@@ -27,9 +27,6 @@ def open_firewall(inst, log, args):
+     """
+     Open the firewall for Cockpit service
+     """
+-    if not cockpit_present():
+-        raise ValueError("The 'cockpit' package is not installed on this system")
+-
+     OPEN_CMD = ['sudo', 'firewall-cmd', '--add-service=cockpit', '--permanent']
+     if args.zone is not None:
+         OPEN_CMD.append(f' --zone={args.zone}')
+@@ -43,9 +40,6 @@ def disable_cockpit(inst, log, args):
+     """
+     Disable Cockpit socket
+     """
+-    if not cockpit_present():
+-        raise ValueError("The 'cockpit' package is not installed on this system")
+-
+     DISABLE_CMD = ['sudo', 'systemctl', 'disable', '--now', 'cockpit.socket']
+     try:
+         subprocess.run(DISABLE_CMD)
+@@ -57,9 +51,6 @@ def close_firewall(inst, log, args):
+     """
+     Close firewall for Cockpit service
+     """
+-    if not cockpit_present():
+-        raise ValueError("The 'cockpit' package is not installed on this system")
+-
+     CLOSE_CMD = ['sudo', 'firewall-cmd', '--remove-service=cockpit', '--permanent']
+     try:
+         subprocess.run(CLOSE_CMD)
+-- 
+2.43.0
+
Author	SHA1	Message	Date
openeuler-ci-bot	041305941f	!123 [sync] PR-122: Fix CVE-2025-2487 From: @openeuler-sync-bot Reviewed-by: @wk333 Signed-off-by: @wk333	2025-04-01 00:58:24 +00:00
wk333	db1fcfefbd	Fix CVE-2025-2487 (cherry picked from commit 114a7ad334d80b5087b7d1a529c50d57568f907f)	2025-03-31 14:08:08 +08:00
openeuler-ci-bot	83508b9d84	!115 [sync] PR-114: Fix CVE-2025-24898 From: @openeuler-sync-bot Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx	2025-02-06 11:35:23 +00:00
starlet-dx	652e2fbf39	Fix CVE-2025-24898 (cherry picked from commit 7ff722cdfac8f38b86c5d497164e24fbca1d246d)	2025-02-06 18:45:15 +08:00
openeuler-ci-bot	670e0343f3	!109 [sync] PR-107: Fix typo sucessfully From: @openeuler-sync-bot Reviewed-by: @wk333 Signed-off-by: @wk333	2024-11-29 06:15:18 +00:00
wk333	10abfcc419	Fix typo sucessfully (cherry picked from commit 2a90b4cadc4e853bf54a3e9a33401c141ddd73f0)	2024-11-29 11:29:33 +08:00
openeuler-ci-bot	a2be2b7446	!104 [sync] PR-102: Fix dsidm role subtree-status fails with TypeError From: @openeuler-sync-bot Reviewed-by: @wk333 Signed-off-by: @wk333	2024-11-26 07:46:07 +00:00
wk333	82d0e3d002	Fix dsidm role subtree-status fails with TypeError (cherry picked from commit 34db80c93948dc5925b2c4b46182a23a33b66cab)	2024-11-26 14:54:19 +08:00
openeuler-ci-bot	1d4ca32311	!101 [sync] PR-98: fix name cockpit_present is not defined. From: @openeuler-sync-bot Reviewed-by: @wk333 Signed-off-by: @wk333	2024-11-26 01:25:15 +00:00
cherry530	dae37ee649	fix name cockpit_present is not defined. Signed-off-by: cherry530 <707078654@qq.com> (cherry picked from commit 1fd3cc3ed559ca9cade375c61b4f58088421960f)	2024-11-25 17:26:35 +08:00