Re: ITS#8866 (was: ITS review 6/14/2019)
- To: Howard Chu <hyc@symas.com>, openldap-devel@openldap.org
- Subject: Re: ITS#8866 (was: ITS review 6/14/2019)
- From: Michael Ströder <michael@stroeder.com>
- Date: Thu, 27 Jun 2019 19:55:31 +0200
- Content-language: en-US
- In-reply-to: <678aa2f5-215b-1203-7e43-f8d1b7b4412e@symas.com>
- Openpgp: preference=signencrypt
- References: <75C436AED8239707278A1D62@[192.168.1.39]> <748a7925-8b5c-7bbd-9dd4-cafd4e65b3c8@stroeder.com> <dc97ce2b-8425-9d36-fac2-107a5ca63f63@symas.com> <8af78261-f4dc-4512-ada7-2d1f5d032c61@stroeder.com> <5ad967e3-6fb0-de23-0dc6-02a870d49cd0@stroeder.com> <678aa2f5-215b-1203-7e43-f8d1b7b4412e@symas.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
On 6/27/19 6:37 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 6/27/19 6:23 PM, Michael Ströder wrote:
>>> On 6/27/19 6:18 PM, Howard Chu wrote:
>>>> Michael Ströder wrote:
>>>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>>>
>>>>> But one more I'd love to see in 2.4.48:
>>>>>
>>>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>>>
>>>>> https://www.openldap.org/its/index.cgi?findid=8866
>>>>
>>>> I don't believe the information disclosure issues have been
>>>> sufficiently answered there. Overall it's a bad idea and goes against
>>>> our standing policy of minimal disclosure.
>>> Sorry, you already have the disclosure.
>>>
>>> Citing from my old e-mail found here:
>>> https://www.openldap.org/lists/openldap-devel/201711/msg00003.html
>>>
>>>> But this problem exists anyway because an attacker can probe
>>>> values by adding entries with non-unique attributes and determine
>>>> whether an attribute value exists or not by distinguishing the result
>>>> code constraintViolation(19) vs. insufficientAccessRights(50).
>>>> Even worse this even works in case the attacker does not have read
>>>> access anywhere!
>
> Then that's a bug that should be fixed.
If you really want to fix this bug then you have to fully enforce access
control when processing the write operation *before* enforcing the
constraints. (I guess this is not easily done with the current overlay
stack processing.)

But if you fix it, then the disclosure will only happen if the user is
authorized to modify the entry. So same fix for the very same problem. ;-)

Conclusion:
1. Applying ITS#8866 patch to RE24 will not make things worse.
2. The real fix will also fix the disclosure issue.

Ciao, Michael.
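The oracle discussed above (a client that never gets write access still learns which attribute values exist by distinguishing constraintViolation(19) from insufficientAccessRights(50) on its writes) leaves a visible trace in slapd's stats log. The script below is an added example, not part of this thread or of OpenLDAP itself: it flags bind DNs whose ADD/MOD operations produced both result codes. The log lines are constructed in slapd's loglevel 256 format, and the bind DNs and entry names are made up.

```python
import re
from collections import defaultdict

# Constructed sample of slapd stats-log lines (loglevel 256). Connection 1001
# has no write rights yet sees err=19 on some ADDs and err=50 on others,
# which is exactly the existence oracle described in the thread.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="uid=probe,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 ADD dn="uid=x1,ou=people,dc=example,dc=com"
conn=1001 op=1 RESULT tag=105 err=19 text=some attributes not unique
conn=1001 op=2 ADD dn="uid=x2,ou=people,dc=example,dc=com"
conn=1001 op=2 RESULT tag=105 err=50 text=
conn=1001 op=3 ADD dn="uid=x3,ou=people,dc=example,dc=com"
conn=1001 op=3 RESULT tag=105 err=19 text=some attributes not unique
conn=1002 op=0 BIND dn="uid=admin,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 ADD dn="uid=real,ou=people,dc=example,dc=com"
conn=1002 op=1 RESULT tag=105 err=0 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|ADD|MOD|RESULT)(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')

def probing_binds(log_text, threshold=2):
    """Return {bind DN: {"err19": n, "err50": m}} for binds whose write
    operations yielded BOTH constraintViolation(19) and
    insufficientAccessRights(50), with at least `threshold` such results.
    A legitimate writer normally sees only one of the two codes."""
    bind_dn = {}                                   # conn id -> bound DN
    pending = {}                                   # (conn, op) -> write kind
    counts = defaultdict(lambda: {"err19": 0, "err50": 0})
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "BIND":
            dn = DN_RE.search(rest)
            bind_dn[conn] = dn.group(1) if dn else "anonymous"
        elif kind in ("ADD", "MOD"):
            pending[(conn, op)] = kind             # wait for its RESULT line
        elif kind == "RESULT" and (conn, op) in pending:
            err = int(ERR_RE.search(rest).group(1))
            who = bind_dn.get(conn, "anonymous")
            if err == 19:
                counts[who]["err19"] += 1
            elif err == 50:
                counts[who]["err50"] += 1
            del pending[(conn, op)]
    return {dn: c for dn, c in counts.items()
            if c["err19"] and c["err50"] and c["err19"] + c["err50"] >= threshold}
```

Feed it a real stats log to see which identities are exercising the oracle; the admin connection in the sample is not reported because it only ever receives err=0.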