Dear Joey/security team,
when preparing a patch for #316972 in sid I noticed that the sid
version (which is identical to the Sarge version from DSA-785)
already contained the required patch. But it is mentioned
neither in the changelog nor in DSA-785. Can you please fix
it in the web version of the DSA?
I've attached an interdiff between 178-1 and 178-1sarge1 for easy
review. The first two chunks relate to CAN-2005-2069.

Cheers,
        Moritz
diff -u libpam-ldap-178/pam_ldap.c libpam-ldap-178/pam_ldap.c
--- libpam-ldap-178/pam_ldap.c
+++ libpam-ldap-178/pam_ldap.c
@@ -1587,6 +1587,7 @@
   pam_ldap_session_t *session = global_session;
 #endif
   char *who, *cred;
+  int rc;
 
   if (session->info != NULL && session->info->bound_as_user == 1)
     {
@@ -1607,6 +1608,17 @@
        }
     }
 
+  if (session->conf->ssl_on == SSL_START_TLS)
+    {
+      rc = ldap_start_tls_s (session->ld, NULL, NULL);
+      if (rc != LDAP_SUCCESS)
+       {
+         syslog (LOG_ERR, "pam_ldap: ldap_starttls_s: %s",
+                 ldap_err2string (rc));
+          return PAM_SERVICE_ERR;
+       }
+    }
+
   return ldap_simple_bind_s (ld, who, cred);
 }
 #else
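Review bot: The added StartTLS call is issued on `session->ld`, while the bind on the line after the new block uses `ld`. If `ld` is the handle for the referred connection (its declaration is outside this hunk), that connection is never upgraded and `ldap_simple_bind_s` still sends the credentials unencrypted. The call would then need to be `rc = ldap_start_tls_s (ld, NULL, NULL);`. The failure path also returns `PAM_SERVICE_ERR` from a function whose other return is an LDAP result code, so `return rc;` would keep the caller's error domain consistent. The function starts above the hunk, so both points should be confirmed against its signature and callers.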
@@ -2042,8 +2054,24 @@
            }
          else if (!strcmp ((*ctlp)->ldctl_oid, 
LDAP_CONTROL_PASSWORDPOLICYRESPONSE))
            {
-             rc = _get_password_policy_response_value (&(*ctlp)->ldctl_value,
-                                                       session);
+             int rc2;
+
+             rc2 = _get_password_policy_response_value (&(*ctlp)->ldctl_value,
+                                                        session);
+
+             if (rc2 != LDAP_SUCCESS ||
+                 session->info->policy_error != POLICY_ERROR_SUCCESS)
+               {
+                 /*
+                  * If decoding policy control failed, return the error.
+                  *
+                  * If decoding policy control succeeded, and there is a
+                  * policy error, return LDAP_SUCCESS so that the error
+                  * will be handled in the account management step (see
+                  * above).
+                  */
+                 rc = rc2;
+               }
            }
        }
       ldap_controls_free (controls);
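Review bot: When the control decodes cleanly but carries a policy error, `rc = rc2;` replaces whatever result `rc` held before with LDAP_SUCCESS, so a refusal then depends entirely on the account management step being run afterwards. The comment should state that dependency next to the assignment, for example `/* rc2 == LDAP_SUCCESS here overrides rc; denial then relies on the account management step */`, because the "(see above)" it refers to lies outside this hunk. The new condition also dereferences `session->info` without the NULL check that the first hunk's context applies to it; whether it can be NULL on this path is not visible from the hunk.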
diff -u libpam-ldap-178/debian/changelog libpam-ldap-178/debian/changelog
--- libpam-ldap-178/debian/changelog
+++ libpam-ldap-178/debian/changelog
@@ -1,3 +1,11 @@
+libpam-ldap (178-1sarge1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied upstream patch to fix authentication bypass [pam_ldap.c,
+    VU#778916, CAN-2005-2641]
+
+ -- Martin Schulze <[EMAIL PROTECTED]>  Sat, 20 Aug 2005 13:39:14 +0200
+
 libpam-ldap (178-1) unstable; urgency=low
 
   * New upstream release
