Ok, many many thanks!
I will pass the info to my sysadmin.
Best Regards.

> The CVEs you refer to are very old and have been fixed a long time ago.
> 
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
> 
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
> 
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
> 
> K.O.

The CVEs you refer to are very old and have been fixed a long time ago.

Please refer to:
https://www.tenable.com/security/research/tra-2019-53

This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.

Note that the elog git history does not refer to these CVEs because
they were fixed before the CVE number was assigned, per "Disclosure Timeline"
in the above document. The relevant commits are listed under "Additional References".

K.O.

Hi, I have been using elog for years at CERN.

Now I installed in my local workstation at my home inistitue

and sysadmin reported the following vulnerabilities:

  - Configuration File Disclosure (CVE-2019-3992)

  - Password Hash Disclosure (CVE-2019-3993)

  - Use After Free (CVE-2019-3994)

  - NULL Pointer Dereference (CVE-2019-3995)

  - Unintended Proxy (CVE-2019-3996)

Am I doing soimething wrong?

sysadmin will not allow me to use it until it is fixed....

Any help is welcome.

> Something is not right with the elog account activation...

I did a test:
- register as new user "test", web page says "request for approval sent..." (good)
- check elog config, user "test" is present, "active" set to "no" (good)
- open the "approve/activate" URL, get "Invalid activation code" (should say: "activated successfully!")
- check elog config, user "test" now has "active" set to "yes" (good, "approve/activate" URL worked)
- open the "approve/activate" URL again, again "Invalid activation code" (should say: "already activated!")

additional test:
- from the elog config, user "test", set active to "no", save.
- open the "approve/activate" URL, get "Invalid activation code" (good, this time)
- check elog config, user "test" is still inactive (good)

So it looks like the "approve/activate" URL works correctly - only the first time it is accessed - but
returns wrong message "invalid activation code" instead of "success".

K.O.
 

we had an elog with only one logbook and one password file,
we added a second logbook with a second password file and everything broke.

specifically, login to the original logbook stopped working,
username and password is accepted, elog.log says "user accepted", but I am presented
with the login dialog again, ad infinitum, and cannot access the elog.

solution seems to be to "delete all cookies" (which is excessive,
google chrome wants to delete all cookies for *.triumf.ca,
which will log me out from everywhere I am logged in and probably
erase/reset web site preferences everywhere).

manually deleting just the elog session cookie also seems to work, though.

this suggests that there is a bug in elog, where on successful login,
it fails to create a new authentication cookie, but reuses an old
cookie, which is no longer valid, for whatever reason (that would
be a different bug, why adding one more logbook invalidates
existing logins?).

K.O.

Something is not right with the elog account activation, I get the email
for "Registration request for ELOG logbook "haicu"", but when I follow the given URL,
I get "Invalid activation code". Account activation requests go to two people,
so maybe the other one already activate this user, in which case I expect a message "user already active".
When I check the elog config, I see that the user indeed is already active. And if I rerun
this URL I still get "Invalid activation code", and this time I definitely expect "user already active".

https://daq00.triumf.ca/elog-haicu/haicu/?cmd=Activate&new_user_name=fujiwara&code=-1904103410&unm=Olchansk

K.O.

Hi Stefan,

I've seen that ELOG is build now with gcc-c++ now, so i tried to check rpmbuild script with all options. It seems that ldap api is different with c++ (quick search : https://www.openldap.org/lists/openldap-software/200706/msg00177.html) and elogd can not been build anymore with ldap support. :-(

# make
c++ -O3 -funroll-loops -fomit-frame-pointer -W -Wall -Wno-deprecated-declarations -Wno-unused-result -Imxml -DHAVE_SSL -DHAVE_KRB5 -DHAVE_LDAP -DHAVE_PAM -c -o mxml.o mxml/mxml.cxx
c++ -O3 -funroll-loops -fomit-frame-pointer -W -Wall -Wno-deprecated-declarations -Wno-unused-result -Imxml -DHAVE_SSL -DHAVE_KRB5 -DHAVE_LDAP -DHAVE_PAM -w -c -o crypt.o src/crypt.cxx
c++ -O3 -funroll-loops -fomit-frame-pointer -W -Wall -Wno-deprecated-declarations -Wno-unused-result -Imxml -DHAVE_SSL -DHAVE_KRB5 -DHAVE_LDAP -DHAVE_PAM -c -o strlcpy.o mxml/strlcpy.cxx
c++ -O3 -funroll-loops -fomit-frame-pointer -W -Wall -Wno-deprecated-declarations -Wno-unused-result -Imxml -DHAVE_SSL -DHAVE_KRB5 -DHAVE_LDAP -DHAVE_PAM -o elog src/elog.cxx mxml.o crypt.o strlcpy.o -lssl -lkrb5 -lldap -llber -lpam -llber
c++ -O3 -funroll-loops -fomit-frame-pointer -W -Wall -Wno-deprecated-declarations -Wno-unused-result -Imxml -DHAVE_SSL -DHAVE_KRB5 -DHAVE_LDAP -DHAVE_PAM -w -c -o auth.o src/auth.cxx
src/auth.cxx: In function ‘int auth_verify_password_ldap(LOGBOOK*, const char*, const char*, char*, int)’:
src/auth.cxx:283:60: erreur: ‘ldap_simple_bind_s’ was not declared in this scope
    bind = ldap_simple_bind_s(ldap_ld, ldap_bindDN, password);
                                                            ^
src/auth.cxx:290:26: erreur: ‘ldap_unbind’ was not declared in this scope
       ldap_unbind(ldap_ld);
                          ^
src/auth.cxx:295:23: erreur: ‘ldap_unbind’ was not declared in this scope
    ldap_unbind(ldap_ld);
                       ^
src/auth.cxx: In function ‘int ldap_adduser_file(LOGBOOK*, const char*, const char*, char*, int)’:
src/auth.cxx:323:60: erreur: ‘ldap_simple_bind_s’ was not declared in this scope
    bind = ldap_simple_bind_s(ldap_ld, ldap_bindDN, password);
                                                            ^
src/auth.cxx:330:26: erreur: ‘ldap_unbind’ was not declared in this scope
       ldap_unbind(ldap_ld);
                          ^
src/auth.cxx:358:26: erreur: ‘ldap_unbind’ was not declared in this scope
       ldap_unbind(ldap_ld);
                          ^
src/auth.cxx:369:62: erreur: ‘ldap_get_values’ was not declared in this scope
          if((values = ldap_get_values(ldap_ld,entry,attribute)) != NULL ) {
                                                              ^
src/auth.cxx:378:35: erreur: ‘ldap_value_free’ was not declared in this scope
             ldap_value_free(values);
                                   ^
src/auth.cxx:386:23: erreur: ‘ldap_unbind’ was not declared in this scope
    ldap_unbind(ldap_ld);
                       ^
src/auth.cxx: In function ‘int elog_conv(int, const pam_message**, pam_response**, void*)’:
src/auth.cxx:451:59: erreur: invalid conversion from ‘void*’ to ‘pam_response*’ [-fpermissive]
    if((*resp = calloc(num_msg, sizeof(struct pam_response))) == NULL)
                                                           ^
src/auth.cxx:456:33: erreur: invalid conversion from ‘void*’ to ‘const char*’ [-fpermissive]
    if(!(resptok = strdup(my_data))) {
                                 ^
In file included from src/elogd.h:46:0,
                 from src/auth.cxx:30:
/usr/include/string.h:172:14: erreur:   initializing argument 1 of ‘char* strdup(const char*)’ [-fpermissive]
 extern char *strdup (const char *__s)
              ^
src/auth.cxx: In function ‘int auth_verify_password(LOGBOOK*, const char*, const char*, char*, int)’:
src/auth.cxx:593:73: erreur: invalid conversion from ‘const char*’ to ‘char*’ [-fpermissive]
          if (get_user_line(lbs, user, NULL, NULL, NULL, NULL, NULL, NULL) == 2) {
                                                                         ^
In file included from src/auth.cxx:30:0:
src/elogd.h:282:5: erreur:   initializing argument 2 of ‘int get_user_line(LOGBOOK*, char*, char*, char*, char*, BOOL*, time_t*, int*)’ [-fpermissive]
 int get_user_line(LOGBOOK * lbs, char *user, char *password, char *full_name, char *email,
     ^
make: *** [auth.o] Erreur 1
 

Regards,

Laurent

> I fixed these as well, please have a look again. BTW, midas had a few of these as well.

confirmed. elog commit d828aa58305ee8ce2ae882c0ff3c34cfa66650e5

K.O.