This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 511112 - Password history limited to 25 values
Password history limited to 25 values
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Password Policy (Show other bugs)
1.2.0
All Linux
high Severity medium
: ---
: ---
Assigned To: Nathan Kinder
Viktor Ashirov
:
Depends On:
Blocks: 434914 389_1.3.0
  Show dependency treegraph
 
Reported: 2009-07-13 14:02 EDT by Rob Crittenden
Modified: 2015-12-07 11:42 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-07 11:42:14 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Proposed Patch (3.48 KB, patch)
2009-11-09 14:55 EST, Nathan Kinder
no flags Details | Diff
git patch file (9.0) (1.26 KB, patch)
2010-05-25 20:30 EDT, Noriko Hosoi
nhosoi: review?
rmeggins: review+
Details | Diff

  None (edit)
Description Rob Crittenden 2009-07-13 14:02:21 EDT
Description of problem:

In ldap/servers/slapd/pw.c pw_in_history() a couple of fixed arrays of 25 values are used to store previous passwords before calling slapi_pw_find_sv(). It stores them so it can strip off the general time also stored with the password.

If somehow 26 passwords got into the password history bad things would happen.
Comment 1 Rob Crittenden 2009-07-13 15:02:23 EDT
Note that you'd have to go out of your way to do this because an attr check function is defined for this attribute:

{CONFIG_PW_INHISTORY_ATTRIBUTE, attr_check_minmax, 2, 24},
Comment 2 Nathan Kinder 2009-11-09 14:55:26 EST
Created attachment 368279 [details]
Proposed Patch

The password history code was using a fixed length array to store
the historical password values that are used to compare to the new
password.  The array was hardcoded to 25 values.  The server will
allow a maximum 24 password history values to be kept by limiting
the passwordInHistory configuration value, though it would be
possible to do something such as import an LDIF with more than 24
historical password values in an entry, causing the server to crash
when the next password change occurs.
    
This patch eliminates the fixed length array and dynamically
allocates the array based off of the number of values that exist
in the entry whose password is being modified.
Comment 3 Nathan Kinder 2009-11-09 15:04:07 EST
Patch from comment#2 pushed to master.

Counting objects: 11, done.
Delta compression using 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.26 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   07b5f94..45507e8  master -> master
Comment 4 Jenny Galipeau 2010-05-21 11:06:09 EDT
added the following user with

dn: uid=jgalipea,ou=People,dc=example,dc=com
uid: jgalipea
givenName: Jenny
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Galipeau
cn: Jenny Galipeau
userPassword: {MD5}OaYrKTECd0CwXtnoDZYJ+w==
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20100521143329Z
modifyTimestamp: 20100521143542Z
nsUniqueId: cf24fb81-1dd111b2-80cfd07b-bc250000
passwordHistory: 20100521143343Z{MD5}9ujCKMT9pydeywJN6WqdJA==
passwordHistory: 20100521143352Z{MD5}xzfguKDwrTC9i5wyLhodDw==
passwordHistory: 20100521143400Z{MD5}qn5MhXu+tlneiCpJTwmfDw==
passwordHistory: 20100521143410Z{MD5}9pnwFu2hN2c3QqDPzNFK/Q==
passwordHistory: 20100521143418Z{MD5}LL/yMHyG7PfLlOtmyWjsCA==
passwordHistory: 20100521143429Z{MD5}E9al3M4521M2Rs77XzX0Ng==
passwordHistory: 20100521143438Z{MD5}WLyko+IOkzs5Q6gRBFUvBg==
passwordHistory: 20100521143446Z{MD5}BwqWFKx0WUjmNAZ7LBuuCw==
passwordHistory: 20100521143456Z{MD5}Rgo61DXG9hHz0RzMm0M2qQ==
passwordHistory: 20100521143504Z{MD5}f5T92rALf2mLYC1SQp0CdA==
passwordHistory: 20100521143513Z{MD5}m9UJ4qBjiZuwqSsPsQPx+Q==
passwordHistory: 20100521143521Z{MD5}evzNRvzhgq3+Gm60LqGbGg==
passwordHistory: 20100521143528Z{MD5}N6lmekPDF+LuNvYn2lQDtA==
passwordHistory: 20100521143535Z{MD5}zus0QIYENUIGHm6++stheg==
passwordHistory: 20100521143542Z{MD5}yyr+yPi7d7FdMuVBcJdspQ==
passwordHistory: 20100521142211Z{MD5}eYH9nbemWk4Dn321KHvo4Q==
passwordHistory: 20100521142225Z{MD5}FhPzbQY0IwP2lGn1obKcIQ==
passwordHistory: 20100521142234Z{MD5}CUv+ZkFhIT+iWRgNeoEv5Q==
passwordHistory: 20100521142244Z{MD5}JvaGV9o4EljYMJoWtcYs3w==
passwordHistory: 20100521142250Z{MD5}J5BtahGvkQp5+xzHSSNKMw==
passwordHistory: 20100521142305Z{MD5}SfNVfjQnjXQv5ovxCeMmiA==
passwordHistory: 20100521142314Z{MD5}HBoAvhbcYTpaY2462wj5TA==
passwordHistory: 20100521142319Z{MD5}C9PsYHtxtAXPS2CBlqQiXA==
passwordHistory: 20100521142329Z{MD5}dfN4s5iHbG/wZb2M7Fis+g==
passwordHistory: 20100521142336Z{MD5}bvigpuP0SYcepCy6R1MZCQ==
passwordHistory: 20100521142344Z{MD5}D2+sHZ07hZ8rwZ5xnEOMOg==
passwordHistory: 20100521142352Z{MD5}bTw1fCHDaHH+cU7jrgNj+g==
passwordHistory: 20100521142359Z{MD5}jCjXd/r9k64In6WtXbIPrQ==
passwordHistory: 20100521142411Z{MD5}K0vIzivdiY/lXyFDgf19Cw==
passwordHistory: 20100521143115Z{MD5}Yyff+pu4xwzleC2YzVdokg==
passwordGraceUserTime: 0




Server crashed trying to change password:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1376732256 (LWP 30853)]
normalize_mods2bvals (mods=0xadf06ab8) at ldap/servers/slapd/util.c:452
452                     vlen = strlen(*mvp);
(gdb) bt
#0  normalize_mods2bvals (mods=0xadf06ab8) at ldap/servers/slapd/util.c:452
#1  0x0098c051 in modify_internal_pb (pb=0xadf06ad0) at ldap/servers/slapd/modify.c:513
#2  0x009a142e in update_pw_info (pb=0xadf0afb0, old_pw=Variable "old_pw" is not available.
) at ldap/servers/slapd/pw.c:1139
#3  0x0098b86e in op_shared_modify (pb=0xadf0afb0, pw_change=1, old_pw=0x0) at ldap/servers/slapd/modify.c:849
#4  0x0098c191 in modify_internal_pb (pb=0xadf0afb0) at ldap/servers/slapd/modify.c:553
#5  0x080651bd in passwd_modify_extop (pb=0x870f168) at ldap/servers/slapd/passwd_extop.c:181
#6  0x0099705d in plugin_call_exop_plugins (pb=0x870f168, oid=0x86f0000 "1.3.6.1.4.1.4203.1.11.1") at ldap/servers/slapd/plugin.c:448
#7  0x0805deed in do_extended (pb=0x870f168) at ldap/servers/slapd/extendop.c:376
#8  0x08059e8d in connection_threadmain () at ldap/servers/slapd/connection.c:617
#9  0x035d78ad in PR_Select () from /usr/lib/libnspr4.so
#10 0x0024e5cc in start_thread () from /lib/tls/libpthread.so.0
#11 0x001e4fae in clone () from /lib/tls/libc.so.6
(gdb)
Comment 5 Noriko Hosoi 2010-05-24 19:00:35 EDT
The crash shares the same cause with this bug.
Bug 593453 - Creating password policy with ns-newpolicy.pl on Replicated Server Causes Crash

I tested w/ this test entry and did not observe the server crash.
dn: uid=tuser0,ou=People,dc=example,dc=com
uid: tuser0
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: user0
cn: test user0
userPassword: {MD5}Cnqn6FiyZIXO12oB/kcyVA==
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20100524224725Z
modifyTimestamp: 20100524224935Z
nsUniqueId: 3e207f85-678611df-a721e288-d9573427
passwordHistory: 20100524224739Z{MD5}RiWg//A7jg672e3yxVg49g==
passwordHistory: 20100524224754Z{MD5}I+Cj5wBRPjLdMU8u+8ysaQ==
passwordHistory: 20100524224809Z{MD5}4qz1jwLZhHk/4RK+tO29iA==
passwordHistory: 20100524224819Z{MD5}LFZD+sieDUAN7rYEIGVivg==
passwordHistory: 20100524224830Z{MD5}a8o52u7MkqFQio8uz7CfoQ==
passwordHistory: 20100524224842Z{MD5}Ey91UC1zzk01csCQz8UH5A==
passwordHistory: 20100524224855Z{MD5}gSrN/Q81DGX8edWlE3aFVg==
passwordHistory: 20100524224921Z{MD5}pVjOZrS1SN6D1N/kvYXscQ==
passwordHistory: 20100524224935Z{MD5}63Iazc52nOLi4ckSePvLUA==
passwordGraceUserTime: 0

# /usr/lib64/mozldap/ldapsearch -p 10389 -D 'cn=directory manager' -w Secret123 -b "dc=example,dc=com" "(uid=*)" passwordhistory
version: 1
dn: uid=tuser0,ou=People,dc=example,dc=com
passwordhistory: 20100524224739Z{MD5}RiWg//A7jg672e3yxVg49g==
passwordhistory: 20100524224754Z{MD5}I+Cj5wBRPjLdMU8u+8ysaQ==
passwordhistory: 20100524224809Z{MD5}4qz1jwLZhHk/4RK+tO29iA==
passwordhistory: 20100524224819Z{MD5}LFZD+sieDUAN7rYEIGVivg==
passwordhistory: 20100524224830Z{MD5}a8o52u7MkqFQio8uz7CfoQ==
passwordhistory: 20100524224842Z{MD5}Ey91UC1zzk01csCQz8UH5A==
passwordhistory: 20100524224855Z{MD5}gSrN/Q81DGX8edWlE3aFVg==
passwordhistory: 20100524224921Z{MD5}pVjOZrS1SN6D1N/kvYXscQ==
passwordhistory: 20100524224935Z{MD5}63Iazc52nOLi4ckSePvLUA==
Comment 6 Rich Megginson 2010-05-24 19:18:16 EDT
So can we close this bug as a duplicate of Bug 593453?
Comment 7 Noriko Hosoi 2010-05-24 19:33:29 EDT
(In reply to comment #6)
> So can we close this bug as a duplicate of Bug 593453?    

Well, it's a bit more complicated. :)  There was an original bug (511112), which Nathan fixed.  Then, I added another bug while I was working on the new DN format (593453).  It regressed this bug, but they were 2 separated bugs...
Comment 8 Noriko Hosoi 2010-05-25 11:49:20 EDT
May I ask why you changed the status to ON_DEV?

What I meant in the comment 7 is this bug should be verified by QE separately from bug 593453.  They are 2 different bugs.

Note: I tested the test case using the latest bit and the test has passed for me (see comment 5).
Comment 9 Chandrasekar Kannan 2010-05-25 14:58:53 EDT
noriko - shouldn't your test case in comment 5 have atleast 26 or more passwordhistory attr values ?. i'm counting only 9 there.
Comment 10 Jenny Galipeau 2010-05-25 16:13:06 EDT
I will try this again, but I think it will still crash as I verified the other bug against an earlier build than this one - that failed verification.  I'll let you know.  Thanks Jenny
Comment 11 Noriko Hosoi 2010-05-25 16:42:40 EDT
(In reply to comment #10)
> I will try this again, but I think it will still crash as I verified the other
> bug against an earlier build than this one - that failed verification.  I'll
> let you know.  Thanks Jenny    

Sorry...  I should have increased the count to 26.  Let me try it again...
Thanks...
Comment 12 Jenny Galipeau 2010-05-25 16:56:36 EDT
It took several failed password change attempts , was getting "invalid password syntax" trying to set the password to !online3 tried from command line and console and then attempted to change password to Secret123 for console and ...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1387234400 (LWP 29124)]
normalize_mods2bvals (mods=0xad500e78) at ldap/servers/slapd/util.c:452
452	                vlen = strlen(*mvp);
(gdb) bt
#0  normalize_mods2bvals (mods=0xad500e78) at ldap/servers/slapd/util.c:452
#1  0x006d8051 in modify_internal_pb (pb=0xad500e90) at ldap/servers/slapd/modify.c:513
#2  0x006ed42e in update_pw_info (pb=0x8ae0ea0, old_pw=Variable "old_pw" is not available.
) at ldap/servers/slapd/pw.c:1139
#3  0x006d786e in op_shared_modify (pb=0x8ae0ea0, pw_change=1, old_pw=0x0) at ldap/servers/slapd/modify.c:849
#4  0x006d888a in do_modify (pb=0x8ae0ea0) at ldap/servers/slapd/modify.c:376
#5  0x08059f3c in connection_threadmain () at ldap/servers/slapd/connection.c:559
#6  0x035d78ad in PR_Select () from /usr/lib/libnspr4.so
#7  0x009875cc in start_thread () from /lib/tls/libpthread.so.0
#8  0x008f0fae in clone () from /lib/tls/libc.so.6
Comment 13 Noriko Hosoi 2010-05-25 20:30:57 EDT
Created attachment 416590 [details]
git patch file (9.0)

Thanks to Jenny for finding out this bug.  You found yet another bug in pw history.  Although the password history is limited to 24, you could add an entry already storing password histories more than 25.  Then, the next password modify attempt crashes the server.
Comment 14 Noriko Hosoi 2010-05-25 20:53:46 EDT
Thanks to Rich for reviewing the fix.

Pushed to master:
commit caaa2b7c5fdab6d3bf8c3155f32020eae8fc82ce
Author: Noriko Hosoi <nhosoi@redhat.com>
Date:   Tue May 25 17:47:47 2010 -0700

    511112 - Password history limited to 25 values
    
    https://bugzilla.redhat.com/show_bug.cgi?id=511112
    
    Fix Description: If an entry already having more than 25 password
    history attributes is added and password modify is performed on
    the entry, it overflows the fixed length values_replace array and
    crashes the server.  This patch protects the overflow.

$ git merge work
Updating 50d1c0a..caaa2b7
Fast forward
 ldap/servers/slapd/pw.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
[nhosoi@kiki ldapserver 1253]$ git push
Counting objects: 11, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 764 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   50d1c0a..caaa2b7  master -> master

Pushed to Directory_Server_8_2_Branch, as well:
$ git push origin ds82-local:Directory_Server_8_2_Branch
Counting objects: 11, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 765 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   1ebcfd4..142fc25  ds82-local -> Directory_Server_8_2_Branch
Comment 15 Jenny Galipeau 2010-05-27 09:54:41 EDT
fix verified:

able to change password from both console and using ldappasswd

version:
redhat-ds-base-8.2.0-2010052704.el4dsrv

Note You need to log in before you can comment on or make changes to this bug.