[PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057, 13565}].

DoneSubmitted by Leo Famulari.
Details
2 participants
  • Leo Famulari
  • Marius Bakke
Owner
unassigned
Severity
normal
L
L
Leo Famulari wrote on 28 Apr 22:22 +0200
(address . guix-patches@gnu.org)
c2af3e3e607ae0be38ca2e2336e6c249edf84291.1588105377.git.leo@famulari.name
* gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.(openldap/fixed): Replace with ...(openldap-2.4.50): ... new variable.* gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.* gnu/local.mk (dist_patch_DATA): Remove it.--- gnu/local.mk | 1 - gnu/packages/openldap.scm | 16 ++- .../patches/openldap-CVE-2020-12243.patch | 125 ------------------ 3 files changed, 11 insertions(+), 131 deletions(-) delete mode 100644 gnu/packages/patches/openldap-CVE-2020-12243.patch
Toggle diff (182 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 67bf04547c..9426ee30a0 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -1276,7 +1276,6 @@ dist_patch_DATA = \ %D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch \ %D%/packages/patches/openfoam-4.1-cleanup.patch \ %D%/packages/patches/openjdk-10-idlj-reproducibility.patch \- %D%/packages/patches/openldap-CVE-2020-12243.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssl-runpath.patch \diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scmindex aa51520654..53c57e846f 100644--- a/gnu/packages/openldap.scm+++ b/gnu/packages/openldap.scm@@ -58,8 +58,8 @@ (define-public openldap (package- (replacement openldap/fixed) (name "openldap")+ (replacement openldap-2.4.50) (version "2.4.47") (source (origin (method url-fetch)@@ -112,12 +112,18 @@ (license openldap2.8) (home-page "https://www.openldap.org/"))) -(define openldap/fixed+(define openldap-2.4.50 (package (inherit openldap)- (source- (origin (inherit (package-source openldap))- (patches (search-patches "openldap-CVE-2020-12243.patch"))))))+ (version "2.4.50")+ (source (origin+ (method url-fetch)+ (uri (string-append "https://www.openldap.org/software/download/"+ "OpenLDAP/openldap-release/openldap-" version+ ".tgz"))+ (sha256+ (base32+ "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw")))))) (define-public nss-pam-ldapd (packagediff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patchdeleted file mode 100644index 6321998198..0000000000--- a/gnu/packages/patches/openldap-CVE-2020-12243.patch+++ /dev/null@@ -1,125 +0,0 @@-From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001-From: Howard Chu <hyc@openldap.org>-Date: Thu, 16 Apr 2020 01:08:19 +0100-Subject: [PATCH] ITS#9202 limit depth of nested filters--Using a hardcoded limit for now; no reasonable apps-should ever run into it.----- servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 9 deletions(-)--diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c-index 3252cf2a7..ed57bbd7b 100644---- a/servers/slapd/filter.c-+++ b/servers/slapd/filter.c-@@ -37,11 +37,16 @@- const Filter *slap_filter_objectClass_pres;- const struct berval *slap_filterstr_objectClass_pres;- -+#ifndef SLAPD_MAX_FILTER_DEPTH-+#define SLAPD_MAX_FILTER_DEPTH 5000-+#endif-+- static int get_filter_list(- Operation *op,- BerElement *ber,- Filter **f,-- const char **text );-+ const char **text,-+ int depth );- - static int get_ssa(- Operation *op,-@@ -80,12 +85,13 @@ filter_destroy( void )- return;- }- --int--get_filter(-+static int-+get_filter0(- Operation *op,- BerElement *ber,- Filter **filt,-- const char **text )-+ const char **text,-+ int depth )- {- ber_tag_t tag;- ber_len_t len;-@@ -126,6 +132,11 @@ get_filter(- *- */- -+ if( depth > SLAPD_MAX_FILTER_DEPTH ) {-+ *text = "filter nested too deeply";-+ return SLAPD_DISCONNECT;-+ }-+- tag = ber_peek_tag( ber, &len );- - if( tag == LBER_ERROR ) {-@@ -221,7 +232,7 @@ get_filter(- - case LDAP_FILTER_AND:- Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );-- err = get_filter_list( op, ber, &f.f_and, text );-+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );- if ( err != LDAP_SUCCESS ) {- break;- }-@@ -234,7 +245,7 @@ get_filter(- - case LDAP_FILTER_OR:- Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );-- err = get_filter_list( op, ber, &f.f_or, text );-+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );- if ( err != LDAP_SUCCESS ) {- break;- }-@@ -248,7 +259,7 @@ get_filter(- case LDAP_FILTER_NOT:- Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );- (void) ber_skip_tag( ber, &len );-- err = get_filter( op, ber, &f.f_not, text );-+ err = get_filter0( op, ber, &f.f_not, text, depth+1 );- if ( err != LDAP_SUCCESS ) {- break;- }-@@ -311,10 +322,22 @@ get_filter(- return( err );- }- -+int-+get_filter(-+ Operation *op,-+ BerElement *ber,-+ Filter **filt,-+ const char **text )-+{-+ return get_filter0( op, ber, filt, text, 0 );-+}-+-+- static int- get_filter_list( Operation *op, BerElement *ber,- Filter **f,-- const char **text )-+ const char **text,-+ int depth )- {- Filter **new;- int err;-@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,- tag != LBER_DEFAULT;- tag = ber_next_element( ber, &len, last ) )- {-- err = get_filter( op, ber, new, text );-+ err = get_filter0( op, ber, new, text, depth );- if ( err != LDAP_SUCCESS )- return( err );- new = &(*new)->f_next;--- -2.26.2--- 2.26.2
M
M
Marius Bakke wrote on 28 Apr 23:48 +0200
87k11z5ljj.fsf@devup.no
Leo Famulari <leo@famulari.name> writes:
Toggle quote (6 lines)> * gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.> (openldap/fixed): Replace with ...> (openldap-2.4.50): ... new variable.> * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.> * gnu/local.mk (dist_patch_DATA): Remove it.
LGTM, assuming there are no ABI changes since 2.4.47.
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl6opLAACgkQoqBt8qM6VPoDjwf/TTHfJHVA9n02eBFXJRIbD7UEzaC4wXhzG+K+euRUGa/3uq9FhH50LZQPqfjrsQvbtQC/oytiFDBTiGREFWvtAhAqaQWDfM99hcBXkoMoI6ZJGcxq/HuRjlVx7jC7fWTch900C5/vMz/BZWFU6Lg/3cYb/BrawZUh9tHgpfZ//tLW9laDryubKXWP6XBZvGhfTH3XNo/IgIyxleKut1rSXso25BtWmHwOX9nQOhOYsaVcknP5362g49LP9ClWzIF0ia4g47OS1VSBybwIiIwBepIw7REIinxzLSJEBUAMIpVmhaWtOE2SsOUd7jv/RytLlMRLYAduzN1ztzDv1FF5gg===CPkD-----END PGP SIGNATURE-----
L
L
Leo Famulari wrote on 29 Apr 19:49 +0200
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 40946-done@debbugs.gnu.org)
20200429174918.GA25738@jasmine.lan
On Tue, Apr 28, 2020 at 11:48:32PM +0200, Marius Bakke wrote:
Toggle quote (10 lines)> Leo Famulari <leo@famulari.name> writes:> > > * gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.> > (openldap/fixed): Replace with ...> > (openldap-2.4.50): ... new variable.> > * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.> > * gnu/local.mk (dist_patch_DATA): Remove it.> > LGTM, assuming there are no ABI changes since 2.4.47.
Pushed as f224a8bb79cc3c9e5960227ffea5524eb666d34a
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAl6pvh4ACgkQJkb6MLrKfwg3Ng//X0rrGbAbIExxLO5X/Dl8bECPR8QMKJz01BynT2g+PbttppRrbUQTB4x/9e/OzgLUNgVDxAXQYDMJiLRp14U5q7UcmRSGjRQjZA2G811zxqocV01P2LBhWw2nDcvvBOcHhXffdtvq16LX/gGhNxoba4nb8R1tm2Px6+8natTx+7K7Bl5C1yX5XZAWCc831Pcqlr7rOGiA7grrsnqCO2wJ3+fZmJ46kaDFeS7bJFUdY/XS04vgpMvjgBhS6i2x/mKQQo+2a9qolV/5ugJnQp4lPy4aV0l+Fru0bN3j4D6D8fQlqTuW9axHA1k02NgU9EE0TEti2i67eiRt1qGj3AYYke/qJWzOsUXJhpuCeJr6YnI3F/4+vRhPlj+CsTnhSi+F+BPUF96U5LREPekL8uQMZHs9siL160mEovvMrHj/Raj9f7pr59PtVNCg+tju989Xx0CwYkQl6VtHBGT/WI0WxZUD2nlk3bFr/6RjknnPRiWSqCIJG+NuEaHO6SEjpeRJXz2VHhJPfLIz+h5ztUZeHvxLtqXITYccuV3MP7zGMXsMa7L6OKIC276PvuxKS/9c85SJbasl4ZsSZLaDDXwvzx/RnNnvqsTQDimGvZj2HyN8BisgvmGYr8TYlS5fnCQ3lCBOx62JYd8b35+tU88iTWZL9TkVUeViSIR/grBHTwQ==33OG-----END PGP SIGNATURE-----

Closed
?