microsoft
/
CBL-Mariner
зеркало из https://github.com/microsoft/CBL-Mariner.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

3.0-dev - vitess address CVE-2017-14623 (#9535) 

Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
This commit is contained in:
nicolas guibourge 2024-07-01 08:01:16 -04:00 коммит произвёл GitHub
Родитель 9769421771
Коммит bb1a9f790a
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
2 изменённых файлов: 154 добавлений и 7 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

144
SPECS/vitess/CVE-2017-14623.patch Normal file
Просмотреть файл

@ -0,0 +1,144 @@
Backport of bb09d4b178012d5af4dd3ef600c6ef2b74b639a1
(https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66)
diff --git a/vendor/gopkg.in/ldap.v2/bind.go b/vendor/gopkg.in/ldap.v2/bind.go
index 26b3cc72..432efa78 100644
--- a/vendor/gopkg.in/ldap.v2/bind.go
+++ b/vendor/gopkg.in/ldap.v2/bind.go
@@ -7,7 +7,7 @@ package ldap
import (
"errors"
- "gopkg.in/asn1-ber.v1"
+ ber "gopkg.in/asn1-ber.v1"
)
// SimpleBindRequest represents a username/password bind operation
@@ -18,6 +18,9 @@ type SimpleBindRequest struct {
Password string
// Controls are optional controls to send with the bind request
Controls []Control
+ // AllowEmptyPassword sets whether the client allows binding with an empty password
+ // (normally used for unauthenticated bind).
+ AllowEmptyPassword bool
}
// SimpleBindResult contains the response from the server
@@ -28,9 +31,10 @@ type SimpleBindResult struct {
// NewSimpleBindRequest returns a bind request
func NewSimpleBindRequest(username string, password string, controls []Control) *SimpleBindRequest {
return &SimpleBindRequest{
- Username: username,
- Password: password,
- Controls: controls,
+ Username: username,
+ Password: password,
+ Controls: controls,
+ AllowEmptyPassword: false,
}
}
@@ -47,6 +51,10 @@ func (bindRequest *SimpleBindRequest) encode() *ber.Packet {
// SimpleBind performs the simple bind operation defined in the given request
func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResult, error) {
+ if simpleBindRequest.Password == "" && !simpleBindRequest.AllowEmptyPassword {
+ return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
+ }
+
packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
encodedBindRequest := simpleBindRequest.encode()
@@ -97,47 +105,33 @@ func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResu
return result, nil
}
-// Bind performs a bind with the given username and password
+// Bind performs a bind with the given username and password.
+//
+// It does not allow unauthenticated bind (i.e. empty password). Use the UnauthenticatedBind method
+// for that.
func (l *Conn) Bind(username, password string) error {
- packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
- packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
- bindRequest := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
- bindRequest.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
- bindRequest.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, username, "User Name"))
- bindRequest.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, password, "Password"))
- packet.AppendChild(bindRequest)
-
- if l.Debug {
- ber.PrintPacket(packet)
- }
-
- msgCtx, err := l.sendMessage(packet)
- if err != nil {
- return err
- }
- defer l.finishMessage(msgCtx)
-
- packetResponse, ok := <-msgCtx.responses
- if !ok {
- return NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
- }
- packet, err = packetResponse.ReadPacket()
- l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
- if err != nil {
- return err
- }
-
- if l.Debug {
- if err := addLDAPDescriptions(packet); err != nil {
- return err
- }
- ber.PrintPacket(packet)
+ req := &SimpleBindRequest{
+ Username: username,
+ Password: password,
+ AllowEmptyPassword: false,
}
+ _, err := l.SimpleBind(req)
+ return err
+}
- resultCode, resultDescription := getLDAPResultCode(packet)
- if resultCode != 0 {
- return NewError(resultCode, errors.New(resultDescription))
+// UnauthenticatedBind performs an unauthenticated bind.
+//
+// A username may be provided for trace (e.g. logging) purpose only, but it is normally not
+// authenticated or otherwise validated by the LDAP server.
+//
+// See https://tools.ietf.org/html/rfc4513#section-5.1.2 .
+// See https://tools.ietf.org/html/rfc4513#section-6.3.1 .
+func (l *Conn) UnauthenticatedBind(username string) error {
+ req := &SimpleBindRequest{
+ Username: username,
+ Password: "",
+ AllowEmptyPassword: true,
}
-
- return nil
+ _, err := l.SimpleBind(req)
+ return err
}
diff --git a/vendor/gopkg.in/ldap.v2/error.go b/vendor/gopkg.in/ldap.v2/error.go
index 4cccb537..6e1277fd 100644
--- a/vendor/gopkg.in/ldap.v2/error.go
+++ b/vendor/gopkg.in/ldap.v2/error.go
@@ -54,6 +54,7 @@ const (
ErrorDebugging = 203
ErrorUnexpectedMessage = 204
ErrorUnexpectedResponse = 205
+ ErrorEmptyPassword = 206
)
// LDAPResultCodeMap contains string descriptions for LDAP error codes
@@ -104,6 +105,7 @@ var LDAPResultCodeMap = map[uint8]string{
ErrorDebugging: "Debugging Error",
ErrorUnexpectedMessage: "Unexpected Message",
ErrorUnexpectedResponse: "Unexpected Response",
+ ErrorEmptyPassword: "Empty password not allowed by the client",
}
func getLDAPResultCode(packet *ber.Packet) (code uint8, description string) {

17
SPECS/vitess/vitess.spec
Просмотреть файл

@ -3,7 +3,7 @@
Name: vitess Name: vitess
Version: 19.0.4 Version: 19.0.4
Release: 1%{?dist} Release: 2%{?dist}
Summary: Database clustering system for horizontal scaling of MySQL Summary: Database clustering system for horizontal scaling of MySQL
# Upstream license specification: MIT and Apache-2.0 # Upstream license specification: MIT and Apache-2.0
License: MIT and ASL 2.0 License: MIT and ASL 2.0
@ -25,7 +25,8 @@ Source0: %{name}-%{version}.tar.gz
# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ # --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
# -cf %%{name}-%%{version}-vendor.tar.gz vendor # -cf %%{name}-%%{version}-vendor.tar.gz vendor
# #
Source1: %{name}-%{version}-vendor.tar.gz Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2017-14623.patch
BuildRequires: golang BuildRequires: golang
%description %description
@ -39,7 +40,10 @@ with an atomic cutover step that takes only a few seconds.
%prep %prep
%autosetup -p1 %autosetup -N
# Apply vendor before patching
tar --no-same-owner -xf %{SOURCE1}
%autopatch -p1
# sed in Mariner does not work on a group of files; use for-loop to apply # sed in Mariner does not work on a group of files; use for-loop to apply
# to apply to individual file # to apply to individual file
@ -52,10 +56,6 @@ rm -rf go/trace/plugin_datadog.go
mv go/README.md README-go.md mv go/README.md README-go.md
%build %build
# create vendor folder from the vendor tarball and set vendor mode
tar -xf %{SOURCE1} --no-same-owner
export VERSION=%{version} export VERSION=%{version}
for cmd in $(find go/cmd/* -maxdepth 0 -type d); do for cmd in $(find go/cmd/* -maxdepth 0 -type d); do
@ -104,6 +104,9 @@ go check -t go/cmd \
%{_bindir}/* %{_bindir}/*
%changelog %changelog
* Thu Jun 27 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 19.0.4-2
- Address CVE-2017-14623
* Tue Jun 25 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 19.0.4-1 * Tue Jun 25 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 19.0.4-1
- Auto-upgrade to 17.0.2 - Azure Linux 3.0 - package upgrades - Auto-upgrade to 17.0.2 - Azure Linux 3.0 - package upgrades