3.0-dev - vitess address CVE-2017-14623 (#9535)

Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
2024-07-01 08:01:16 -04:00 · 2024-07-01 08:01:16 -04:00 · bb1a9f790a
--- a/SPECS/vitess/CVE-2017-14623.patch
+++ b/SPECS/vitess/CVE-2017-14623.patch
@ -0,0 +1,144 @@
+Backport of bb09d4b178012d5af4dd3ef600c6ef2b74b639a1
+(https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66)
+
+diff --git a/vendor/gopkg.in/ldap.v2/bind.go b/vendor/gopkg.in/ldap.v2/bind.go
+index 26b3cc72..432efa78 100644
+--- a/vendor/gopkg.in/ldap.v2/bind.go
+++ b/vendor/gopkg.in/ldap.v2/bind.go
+@@ -7,7 +7,7 @@ package ldap
+ import (
+ 	"errors"
+ 
+-	"gopkg.in/asn1-ber.v1"
+	ber "gopkg.in/asn1-ber.v1"
+ )
+ 
+ // SimpleBindRequest represents a username/password bind operation
+@@ -18,6 +18,9 @@ type SimpleBindRequest struct {
+ 	Password string
+ 	// Controls are optional controls to send with the bind request
+ 	Controls []Control
+	// AllowEmptyPassword sets whether the client allows binding with an empty password
+	// (normally used for unauthenticated bind).
+	AllowEmptyPassword bool
+ }
+ 
+ // SimpleBindResult contains the response from the server
+@@ -28,9 +31,10 @@ type SimpleBindResult struct {
+ // NewSimpleBindRequest returns a bind request
+ func NewSimpleBindRequest(username string, password string, controls []Control) *SimpleBindRequest {
+ 	return &SimpleBindRequest{
+-		Username: username,
+-		Password: password,
+-		Controls: controls,
+		Username:           username,
+		Password:           password,
+		Controls:           controls,
+		AllowEmptyPassword: false,
+ 	}
+ }
+ 
+@@ -47,6 +51,10 @@ func (bindRequest *SimpleBindRequest) encode() *ber.Packet {
+ 
+ // SimpleBind performs the simple bind operation defined in the given request
+ func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResult, error) {
+	if simpleBindRequest.Password == "" && !simpleBindRequest.AllowEmptyPassword {
+		return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
+	}
+
+ 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
+ 	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
+ 	encodedBindRequest := simpleBindRequest.encode()
+@@ -97,47 +105,33 @@ func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResu
+ 	return result, nil
+ }
+ 
+-// Bind performs a bind with the given username and password
+// Bind performs a bind with the given username and password.
+//
+// It does not allow unauthenticated bind (i.e. empty password). Use the UnauthenticatedBind method
+// for that.
+ func (l *Conn) Bind(username, password string) error {
+-	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
+-	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
+-	bindRequest := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
+-	bindRequest.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
+-	bindRequest.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, username, "User Name"))
+-	bindRequest.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, password, "Password"))
+-	packet.AppendChild(bindRequest)
+-
+-	if l.Debug {
+-		ber.PrintPacket(packet)
+-	}
+-
+-	msgCtx, err := l.sendMessage(packet)
+-	if err != nil {
+-		return err
+-	}
+-	defer l.finishMessage(msgCtx)
+-
+-	packetResponse, ok := <-msgCtx.responses
+-	if !ok {
+-		return NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
+-	}
+-	packet, err = packetResponse.ReadPacket()
+-	l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
+-	if err != nil {
+-		return err
+-	}
+-
+-	if l.Debug {
+-		if err := addLDAPDescriptions(packet); err != nil {
+-			return err
+-		}
+-		ber.PrintPacket(packet)
+	req := &SimpleBindRequest{
+		Username:           username,
+		Password:           password,
+		AllowEmptyPassword: false,
+ 	}
+	_, err := l.SimpleBind(req)
+	return err
+}
+ 
+-	resultCode, resultDescription := getLDAPResultCode(packet)
+-	if resultCode != 0 {
+-		return NewError(resultCode, errors.New(resultDescription))
+// UnauthenticatedBind performs an unauthenticated bind.
+//
+// A username may be provided for trace (e.g. logging) purpose only, but it is normally not
+// authenticated or otherwise validated by the LDAP server.
+//
+// See https://tools.ietf.org/html/rfc4513#section-5.1.2 .
+// See https://tools.ietf.org/html/rfc4513#section-6.3.1 .
+func (l *Conn) UnauthenticatedBind(username string) error {
+	req := &SimpleBindRequest{
+		Username:           username,
+		Password:           "",
+		AllowEmptyPassword: true,
+ 	}
+-
+-	return nil
+	_, err := l.SimpleBind(req)
+	return err
+ }
+diff --git a/vendor/gopkg.in/ldap.v2/error.go b/vendor/gopkg.in/ldap.v2/error.go
+index 4cccb537..6e1277fd 100644
+--- a/vendor/gopkg.in/ldap.v2/error.go
+++ b/vendor/gopkg.in/ldap.v2/error.go
+@@ -54,6 +54,7 @@ const (
+ 	ErrorDebugging          = 203
+ 	ErrorUnexpectedMessage  = 204
+ 	ErrorUnexpectedResponse = 205
+	ErrorEmptyPassword      = 206
+ )
+ 
+ // LDAPResultCodeMap contains string descriptions for LDAP error codes
+@@ -104,6 +105,7 @@ var LDAPResultCodeMap = map[uint8]string{
+ 	ErrorDebugging:          "Debugging Error",
+ 	ErrorUnexpectedMessage:  "Unexpected Message",
+ 	ErrorUnexpectedResponse: "Unexpected Response",
+	ErrorEmptyPassword:      "Empty password not allowed by the client",
+ }
+ 
+ func getLDAPResultCode(packet *ber.Packet) (code uint8, description string) {
--- a/SPECS/vitess/vitess.spec
+++ b/SPECS/vitess/vitess.spec
@ -3,7 +3,7 @@

 Name:           vitess
 Version:        19.0.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License:        MIT and ASL 2.0
@ -25,7 +25,8 @@ Source0:        %{name}-%{version}.tar.gz
 #           --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
 #           -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
-Source1:        %{name}-%{version}-vendor.tar.gz 
+Source1:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2017-14623.patch 
 BuildRequires: golang

 %description
@ -39,7 +40,10 @@ with an atomic cutover step that takes only a few seconds.


 %prep
-%autosetup -p1
+%autosetup -N
+# Apply vendor before patching
+tar --no-same-owner -xf %{SOURCE1}
+%autopatch -p1

 # sed in Mariner does not work on a group of files; use for-loop to apply
 # to apply to individual file
@ -52,10 +56,6 @@ rm -rf go/trace/plugin_datadog.go
 mv go/README.md README-go.md

 %build
-
-# create vendor folder from the vendor tarball and set vendor mode
-tar -xf %{SOURCE1} --no-same-owner
-
 export VERSION=%{version}

 for cmd in $(find go/cmd/* -maxdepth 0 -type d); do
@ -104,6 +104,9 @@ go check -t go/cmd \
 %{_bindir}/*

 %changelog
+* Thu Jun 27 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 19.0.4-2
+- Address CVE-2017-14623
+
 * Tue Jun 25 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 19.0.4-1
 - Auto-upgrade to 17.0.2 - Azure Linux 3.0 - package upgrades