[PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057, 13565}].

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Marius Bakke
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 28 Apr 2020 22:22
(address . guix-patches@gnu.org)
c2af3e3e607ae0be38ca2e2336e6c249edf84291.1588105377.git.leo@famulari.name
* gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
(openldap/fixed): Replace with ...
(openldap-2.4.50): ... new variable.
* gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
gnu/local.mk | 1 -
gnu/packages/openldap.scm | 16 ++-
.../patches/openldap-CVE-2020-12243.patch | 125 ------------------
3 files changed, 11 insertions(+), 131 deletions(-)
delete mode 100644 gnu/packages/patches/openldap-CVE-2020-12243.patch

Toggle diff (182 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 67bf04547c..9426ee30a0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1276,7 +1276,6 @@ dist_patch_DATA = \
%D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch \
%D%/packages/patches/openfoam-4.1-cleanup.patch \
%D%/packages/patches/openjdk-10-idlj-reproducibility.patch \
- %D%/packages/patches/openldap-CVE-2020-12243.patch \
%D%/packages/patches/openmpi-mtl-priorities.patch \
%D%/packages/patches/openocd-nrf52.patch \
%D%/packages/patches/openssl-runpath.patch \
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index aa51520654..53c57e846f 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -58,8 +58,8 @@
(define-public openldap
(package
- (replacement openldap/fixed)
(name "openldap")
+ (replacement openldap-2.4.50)
(version "2.4.47")
(source (origin
(method url-fetch)
@@ -112,12 +112,18 @@
(license openldap2.8)
(home-page "https://www.openldap.org/")))
-(define openldap/fixed
+(define openldap-2.4.50
(package
(inherit openldap)
- (source
- (origin (inherit (package-source openldap))
- (patches (search-patches "openldap-CVE-2020-12243.patch"))))))
+ (version "2.4.50")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://www.openldap.org/software/download/"
+ "OpenLDAP/openldap-release/openldap-" version
+ ".tgz"))
+ (sha256
+ (base32
+ "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))))
(define-public nss-pam-ldapd
(package
diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patch
deleted file mode 100644
index 6321998198..0000000000
--- a/gnu/packages/patches/openldap-CVE-2020-12243.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Thu, 16 Apr 2020 01:08:19 +0100
-Subject: [PATCH] ITS#9202 limit depth of nested filters
-
-Using a hardcoded limit for now; no reasonable apps
-should ever run into it.
----
- servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
- 1 file changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
-index 3252cf2a7..ed57bbd7b 100644
---- a/servers/slapd/filter.c
-+++ b/servers/slapd/filter.c
-@@ -37,11 +37,16 @@
- const Filter *slap_filter_objectClass_pres;
- const struct berval *slap_filterstr_objectClass_pres;
-
-+#ifndef SLAPD_MAX_FILTER_DEPTH
-+#define SLAPD_MAX_FILTER_DEPTH 5000
-+#endif
-+
- static int get_filter_list(
- Operation *op,
- BerElement *ber,
- Filter **f,
-- const char **text );
-+ const char **text,
-+ int depth );
-
- static int get_ssa(
- Operation *op,
-@@ -80,12 +85,13 @@ filter_destroy( void )
- return;
- }
-
--int
--get_filter(
-+static int
-+get_filter0(
- Operation *op,
- BerElement *ber,
- Filter **filt,
-- const char **text )
-+ const char **text,
-+ int depth )
- {
- ber_tag_t tag;
- ber_len_t len;
-@@ -126,6 +132,11 @@ get_filter(
- *
- */
-
-+ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
-+ *text = "filter nested too deeply";
-+ return SLAPD_DISCONNECT;
-+ }
-+
- tag = ber_peek_tag( ber, &len );
-
- if( tag == LBER_ERROR ) {
-@@ -221,7 +232,7 @@ get_filter(
-
- case LDAP_FILTER_AND:
- Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
-- err = get_filter_list( op, ber, &f.f_and, text );
-+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -234,7 +245,7 @@ get_filter(
-
- case LDAP_FILTER_OR:
- Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
-- err = get_filter_list( op, ber, &f.f_or, text );
-+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -248,7 +259,7 @@ get_filter(
- case LDAP_FILTER_NOT:
- Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
- (void) ber_skip_tag( ber, &len );
-- err = get_filter( op, ber, &f.f_not, text );
-+ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
- if ( err != LDAP_SUCCESS ) {
- break;
- }
-@@ -311,10 +322,22 @@ get_filter(
- return( err );
- }
-
-+int
-+get_filter(
-+ Operation *op,
-+ BerElement *ber,
-+ Filter **filt,
-+ const char **text )
-+{
-+ return get_filter0( op, ber, filt, text, 0 );
-+}
-+
-+
- static int
- get_filter_list( Operation *op, BerElement *ber,
- Filter **f,
-- const char **text )
-+ const char **text,
-+ int depth )
- {
- Filter **new;
- int err;
-@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
- tag != LBER_DEFAULT;
- tag = ber_next_element( ber, &len, last ) )
- {
-- err = get_filter( op, ber, new, text );
-+ err = get_filter0( op, ber, new, text, depth );
- if ( err != LDAP_SUCCESS )
- return( err );
- new = &(*new)->f_next;
---
-2.26.2
-
--
2.26.2
M
M
Marius Bakke wrote on 28 Apr 2020 23:48
87k11z5ljj.fsf@devup.no
Leo Famulari <leo@famulari.name> writes:

Toggle quote (6 lines)
> * gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
> (openldap/fixed): Replace with ...
> (openldap-2.4.50): ... new variable.
> * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

LGTM, assuming there are no ABI changes since 2.4.47.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl6opLAACgkQoqBt8qM6
VPoDjwf/TTHfJHVA9n02eBFXJRIbD7UEzaC4wXhzG+K+euRUGa/3uq9FhH50LZQP
qfjrsQvbtQC/oytiFDBTiGREFWvtAhAqaQWDfM99hcBXkoMoI6ZJGcxq/HuRjlVx
7jC7fWTch900C5/vMz/BZWFU6Lg/3cYb/BrawZUh9tHgpfZ//tLW9laDryubKXWP
6XBZvGhfTH3XNo/IgIyxleKut1rSXso25BtWmHwOX9nQOhOYsaVcknP5362g49LP
9ClWzIF0ia4g47OS1VSBybwIiIwBepIw7REIinxzLSJEBUAMIpVmhaWtOE2SsOUd
7jv/RytLlMRLYAduzN1ztzDv1FF5gg==
=CPkD
-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 29 Apr 2020 19:49
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 40946-done@debbugs.gnu.org)
20200429174918.GA25738@jasmine.lan
On Tue, Apr 28, 2020 at 11:48:32PM +0200, Marius Bakke wrote:
Toggle quote (10 lines)
> Leo Famulari <leo@famulari.name> writes:
>
> > * gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
> > (openldap/fixed): Replace with ...
> > (openldap-2.4.50): ... new variable.
> > * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
> > * gnu/local.mk (dist_patch_DATA): Remove it.
>
> LGTM, assuming there are no ABI changes since 2.4.47.

Pushed as f224a8bb79cc3c9e5960227ffea5524eb666d34a
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAl6pvh4ACgkQJkb6MLrK
fwg3Ng//X0rrGbAbIExxLO5X/Dl8bECPR8QMKJz01BynT2g+PbttppRrbUQTB4x/
9e/OzgLUNgVDxAXQYDMJiLRp14U5q7UcmRSGjRQjZA2G811zxqocV01P2LBhWw2n
DcvvBOcHhXffdtvq16LX/gGhNxoba4nb8R1tm2Px6+8natTx+7K7Bl5C1yX5XZAW
Cc831Pcqlr7rOGiA7grrsnqCO2wJ3+fZmJ46kaDFeS7bJFUdY/XS04vgpMvjgBhS
6i2x/mKQQo+2a9qolV/5ugJnQp4lPy4aV0l+Fru0bN3j4D6D8fQlqTuW9axHA1k0
2NgU9EE0TEti2i67eiRt1qGj3AYYke/qJWzOsUXJhpuCeJr6YnI3F/4+vRhPlj+C
sTnhSi+F+BPUF96U5LREPekL8uQMZHs9siL160mEovvMrHj/Raj9f7pr59PtVNCg
+tju989Xx0CwYkQl6VtHBGT/WI0WxZUD2nlk3bFr/6RjknnPRiWSqCIJG+NuEaHO
6SEjpeRJXz2VHhJPfLIz+h5ztUZeHvxLtqXITYccuV3MP7zGMXsMa7L6OKIC276P
vuxKS/9c85SJbasl4ZsSZLaDDXwvzx/RnNnvqsTQDimGvZj2HyN8BisgvmGYr8TY
lS5fnCQ3lCBOx62JYd8b35+tU88iTWZL9TkVUeViSIR/grBHTwQ=
=33OG
-----END PGP SIGNATURE-----


Closed
?