Issue Description: It was found that when replication was enabled for each attribute in Red Hat Directory Server / 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensitive information. Acknowledgements: This issue was discovered by Ludwig Krispenz of Red Hat.
Created attachment 921040: patch to correct the flaw
Comment on attachment 921040: patch to correct the flaw

It would be better if the new int rootonly structure member were added at the end. This is a private structure, but just to be safe to ensure ABI compatibility. Otherwise, ack.
Adding mkosek since this affects IPA/IdM.
Created attachment 921712: schema and aci change for workaround
Adding an nscpEntryWSI attributeTypes definition to the schema makes the ACI work.
JFTR, this issue should not affect FreeIPA 4.0 and later as we no longer allow all attributes (except defined blacklist) as we did in pre-4.0, but rather only allow specified attributes (feature page: http://www.freeipa.org/page/V4/Permissions_V2).
Created attachment 921835: updated Ludwig's patch following the review comments by Rich.
Steps to verify:

1. set up 2-way MMR
2. do some add/modify/delete
3. run search as Directory Manager with attribute list "nscpEntryWSI".

   ldapsearch [...] -D "cn=directory manager" -w <pw> -b <suffix> nscpEntryWSI

   Expected result:

   dn: <some rdn>,<suffix>
   nscpEntryWSI: dn: <some rdn>,<suffix>
   nscpEntryWSI: objectClass;vucsn-53d6ebef000000010000: organization
   nscpEntryWSI: objectClass;vucsn-53d6ebef000000010000: top
   [...]
   nscpEntryWSI: tombstoneNumSubordinates: 1

4. run search as an ordinary user with attribute list "nscpEntryWSI".

   ldapsearch [...] -D "uid=testuser,<suffix>" -w <pw> -b <suffix> nscpEntryWSI

   Expected result:

   dn: <some rdn>,<suffix>

5. run search as nobody with attribute list "nscpEntryWSI".

   ldapsearch [...] -b <suffix> nscpEntryWSI

   Expected result:

   dn: <some rdn>,<suffix>

If only searching as the Directory Manager returns nscpEntryWSI values, this bug is verified.
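The three searches above are easy to eyeball once, but the check is worth scripting when the fix has to be re-verified across several replicas. The following is an added example, not code from the bug report or from 389-ds-base: it parses ldapsearch LDIF output (including folded continuation lines and base64 values) and applies the rule stated in the steps, namely that nscpEntryWSI values may come back only for the Directory Manager bind. The sample outputs are constructed to mirror the expected results above (the suffix dc=example,dc=com and the environment variable names are placeholders), and run_ldapsearch() assumes the OpenLDAP ldapsearch CLI is installed.

```python
"""Offline check for the nscpEntryWSI verification steps.

Added example, not part of the bug report. Parses ldapsearch (LDIF)
output and applies the rule from the steps: only the Directory Manager
search may return nscpEntryWSI values. Sample outputs are constructed
(dc=example,dc=com is a placeholder), not captured from a real server.
"""
import base64
import subprocess
from typing import Dict, List


def unfold_ldif(text: str) -> List[str]:
    """Drop '#' comment lines and join LDIF continuation lines: a line that
    starts with a single space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into blank-line separated entries and collect attribute
    values. Names are lower-cased (LDAP compares them case-insensitively),
    '::' base64 values are decoded, and blocks without a dn (ldapsearch's
    trailing 'search:'/'result:' lines) are ignored."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold_ldif(text) + [""]:
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def nscpentrywsi_values(text: str) -> List[str]:
    """All nscpEntryWSI values returned across the entries of one search."""
    values: List[str] = []
    for entry in parse_entries(text):
        values.extend(entry.get("nscpentrywsi", []))
    return values


def fix_verified(dm_out: str, user_out: str, anon_out: str) -> bool:
    """Rule from the steps: the Directory Manager sees values; an ordinary
    user and an anonymous bind get entries carrying only the dn."""
    return (bool(nscpentrywsi_values(dm_out))
            and not nscpentrywsi_values(user_out)
            and not nscpentrywsi_values(anon_out))


def run_ldapsearch(base: str, *bind_args: str) -> str:
    """Run the OpenLDAP ldapsearch CLI (assumed installed; -LLL strips
    comments) requesting nscpEntryWSI and return its LDIF output."""
    cmd = ["ldapsearch", "-x", "-LLL", *bind_args, "-b", base, "nscpEntryWSI"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample outputs mirroring the expected results in the steps.
DM_OUT = """\
# requesting: nscpEntryWSI

dn: dc=example,dc=com
nscpEntryWSI: dn: dc=example,dc=com
nscpEntryWSI: objectClass;vucsn-53d6ebef000000010000: organization
nscpEntryWSI: objectClass;vucsn-53d6ebef000000010000: top
nscpEntryWSI: description;vucsn-53d6ebef000000010000: constructed sample of a
  long value folded by ldapsearch
nscpEntryWSI: tombstoneNumSubordinates: 1

search: 2
result: 0 Success
"""
USER_OUT = "dn: dc=example,dc=com\n\nsearch: 2\nresult: 0 Success\n"
ANON_OUT = "dn: dc=example,dc=com\n"

if __name__ == "__main__":
    import os
    import sys
    suffix = os.environ.get("SUFFIX", "dc=example,dc=com")  # placeholder suffix
    dm = run_ldapsearch(suffix, "-D", "cn=directory manager",
                        "-w", os.environ.get("DM_PW", ""))
    user = run_ldapsearch(suffix, "-D", os.environ.get("USER_DN", "uid=testuser," + suffix),
                          "-w", os.environ.get("USER_PW", ""))
    anon = run_ldapsearch(suffix)
    ok = fix_verified(dm, user, anon)
    print("only Directory Manager sees nscpEntryWSI: fix verified" if ok
          else "nscpEntryWSI visible to a non-root bind: still exposed")
    sys.exit(0 if ok else 1)
```

Run against a live replica with SUFFIX, DM_PW, USER_DN and USER_PW set; a non-zero exit means some bind other than the Directory Manager still received replication metadata, which is exactly the exposure the patch removes.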
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1127833]
Affects: epel-5 [bug 1127834]
This issue has been addressed in the following products:

Red Hat Directory Server 8 for RHEL 5

Via RHSA-2014:1032 https://rhn.redhat.com/errata/RHSA-2014-1032.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6

Via RHSA-2014:1031 https://rhn.redhat.com/errata/RHSA-2014-1031.html