forked from pool/openldap2
Accepting request 89386 from home:rhafer:branches:network:ldap
bnc#716895, bnc#719803 and bnc#724201 OBS-URL: https://build.opensuse.org/request/show/89386 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=71
This commit is contained in:
parent
212340f559
commit
a95d3a6076
@ -0,0 +1,59 @@
|
||||
From 48e44e993656a08424a020347a458148169196ce Mon Sep 17 00:00:00 2001
|
||||
From: Howard Chu <hyc@openldap.org>
|
||||
Date: Thu, 6 Oct 2011 14:05:31 -0700
|
||||
Subject: UTF8StringNormalize overrun on zero-length string (ITS#7059)
|
||||
|
||||
Detected by valgrind
|
||||
|
||||
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
|
||||
index 67508fc..65a7e2e 100644
|
||||
--- a/servers/slapd/schema_init.c
|
||||
+++ b/servers/slapd/schema_init.c
|
||||
@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
|
||||
}
|
||||
nvalue.bv_val[nvalue.bv_len] = '\0';
|
||||
|
||||
- } else {
|
||||
+ } else if ( tmp.bv_len ) {
|
||||
/* string of all spaces is treated as one space */
|
||||
nvalue.bv_val[0] = ' ';
|
||||
nvalue.bv_val[1] = '\0';
|
||||
nvalue.bv_len = 1;
|
||||
- }
|
||||
+ } /* should never be entered with 0-length val */
|
||||
|
||||
*normalized = nvalue;
|
||||
return LDAP_SUCCESS;
|
||||
@@ -2331,13 +2331,18 @@ postalAddressNormalize(
|
||||
}
|
||||
lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
|
||||
|
||||
- normalized->bv_len = l;
|
||||
+ normalized->bv_len = c = l;
|
||||
|
||||
- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
|
||||
+ for ( l = 0; l <= c; l++ ) {
|
||||
/* NOTE: we directly normalize each line,
|
||||
* without unescaping the values, since the special
|
||||
* values '\24' ('$') and '\5C' ('\') are not affected
|
||||
* by normalization */
|
||||
+ if ( !lines[l].bv_len ) {
|
||||
+ nlines[l].bv_len = 0;
|
||||
+ nlines[l].bv_val = NULL;
|
||||
+ continue;
|
||||
+ }
|
||||
rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
rc = LDAP_INVALID_SYNTAX;
|
||||
@@ -2350,7 +2355,7 @@ postalAddressNormalize(
|
||||
normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
|
||||
|
||||
p = normalized->bv_val;
|
||||
- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
|
||||
+ for ( l = 0; l <= c ; l++ ) {
|
||||
p = lutil_strbvcopy( p, &nlines[l] );
|
||||
*p++ = '$';
|
||||
}
|
||||
--
|
||||
1.7.6.4
|
||||
|
95
0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif
Normal file
95
0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif
Normal file
@ -0,0 +1,95 @@
|
||||
From 5d9026cf3f93f95dd6f80ad209013e30bbb0d8e6 Mon Sep 17 00:00:00 2001
|
||||
From: Ralf Haferkamp <ralf@openldap.org>
|
||||
Date: Tue, 18 Oct 2011 17:08:05 +0200
|
||||
Subject: ITS#7066 reworked default deny ACL for cn=config
|
||||
|
||||
Dynamically adding ACL for cn=config didn't work correctly, when no
|
||||
ACLs where present for that database upon startup. Delete the last
|
||||
ACL from the DB could also lead to unexpected results.
|
||||
|
||||
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
|
||||
index 309668e..7097d72 100644
|
||||
--- a/servers/slapd/bconfig.c
|
||||
+++ b/servers/slapd/bconfig.c
|
||||
@@ -84,6 +84,7 @@ static char *logfileName;
|
||||
#ifdef SLAP_AUTH_REWRITE
|
||||
static BerVarray authz_rewrites;
|
||||
#endif
|
||||
+static AccessControl *defacl_parsed = NULL;
|
||||
|
||||
static struct berval cfdir;
|
||||
|
||||
@@ -1297,6 +1298,12 @@ config_generic(ConfigArgs *c) {
|
||||
*prev = a->acl_next;
|
||||
acl_free( a );
|
||||
}
|
||||
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) {
|
||||
+ Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): "
|
||||
+ "Last explicit ACL for back-config removed. "
|
||||
+ "Using hardcoded default\n", 0, 0, 0 );
|
||||
+ c->be->be_acl = defacl_parsed;
|
||||
+ }
|
||||
break;
|
||||
|
||||
case CFG_OC: {
|
||||
@@ -1792,6 +1799,9 @@ sortval_reject:
|
||||
break;
|
||||
|
||||
case CFG_ACL:
|
||||
+ if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) {
|
||||
+ c->be->be_acl = NULL;
|
||||
+ }
|
||||
/* Don't append to the global ACL if we're on a specific DB */
|
||||
i = c->valx;
|
||||
if ( c->valx == -1 ) {
|
||||
@@ -1801,6 +1811,9 @@ sortval_reject:
|
||||
i++;
|
||||
}
|
||||
if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) {
|
||||
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) {
|
||||
+ c->be->be_acl = defacl_parsed;
|
||||
+ }
|
||||
return 1;
|
||||
}
|
||||
break;
|
||||
@@ -6637,14 +6650,23 @@ config_back_db_open( BackendDB *be, ConfigReply *cr )
|
||||
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
|
||||
SlapReply rs = {REP_RESULT};
|
||||
void *thrctx = NULL;
|
||||
+ AccessControl *save_access;
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0);
|
||||
|
||||
/* If we have no explicitly configured ACLs, don't just use
|
||||
* the global ACLs. Explicitly deny access to everything.
|
||||
*/
|
||||
- if ( !be->bd_self->be_acl ) {
|
||||
- parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
|
||||
+ save_access = be->bd_self->be_acl;
|
||||
+ be->bd_self->be_acl = NULL;
|
||||
+ parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
|
||||
+ defacl_parsed = be->bd_self->be_acl;
|
||||
+ if ( save_access ) {
|
||||
+ be->bd_self->be_acl = save_access;
|
||||
+ } else {
|
||||
+ Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: "
|
||||
+ "No explicit ACL for back-config configured. "
|
||||
+ "Using hardcoded default\n", 0, 0, 0 );
|
||||
}
|
||||
|
||||
thrctx = ldap_pvt_thread_pool_context();
|
||||
@@ -6889,6 +6911,11 @@ config_back_db_close( BackendDB *be, ConfigReply *cr )
|
||||
backend_shutdown( &cfb->cb_db );
|
||||
}
|
||||
|
||||
+ if ( defacl_parsed && be->be_acl != defacl_parsed ) {
|
||||
+ acl_free( defacl_parsed );
|
||||
+ defacl_parsed = NULL;
|
||||
+ }
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
1.7.6.4
|
||||
|
@ -1,5 +1,7 @@
|
||||
set_cachesize 0 15000000 1
|
||||
set_lg_regionmax 262144
|
||||
set_lg_bsize 2097152
|
||||
set_lk_max_locks 30000
|
||||
set_lk_max_objects 30000
|
||||
set_flags DB_LOG_AUTOREMOVE
|
||||
|
||||
|
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 24 13:57:45 UTC 2011 - rhafer@suse.de
|
||||
|
||||
- ACL changes to the config database only got active after slapd
|
||||
restart in certain cases (bnc#716895, ITS#7066).
|
||||
- Adjusted default DB_CONFIG to increase max values for locks and
|
||||
lock objects (bnc#719803)
|
||||
- Fix UTF8StringNormalize overrun on zero-length string
|
||||
(bnc#724201, ITS#7059)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package openldap2
|
||||
# spec file for package openldap2-client
|
||||
#
|
||||
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
@ -33,11 +33,11 @@ BuildRequires: db-devel openslp-devel tcpd-devel unixODBC-devel
|
||||
%if %sles_version == 9 || %sles_version == 10
|
||||
BuildRequires: -db-devel libdb-4_5-devel
|
||||
%endif
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Group: Productivity/Networking/LDAP/Clients
|
||||
Conflicts: openldap
|
||||
Requires: libldap-2_4-2 = %{version}
|
||||
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
|
||||
Summary: OpenLDAP The OpenLDAP Server
|
||||
Summary: The OpenLDAP commandline client tools
|
||||
%else
|
||||
Group: Productivity/Networking/LDAP/Clients
|
||||
Conflicts: openldap-client
|
||||
@ -66,6 +66,8 @@ Patch9: 0009-unregister_supported_control-backport.dif
|
||||
Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif
|
||||
Patch11: 0011-config-delete-overlay-fixes.dif
|
||||
Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif
|
||||
Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif
|
||||
Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif
|
||||
Patch100: openldap-2.3.37.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%if "%{name}" == "openldap2"
|
||||
@ -82,6 +84,14 @@ Authors:
|
||||
--------
|
||||
The OpenLDAP Project <project@openldap.org>
|
||||
|
||||
This package contains the OpenLDAP client utilities.
|
||||
|
||||
|
||||
Authors:
|
||||
--------
|
||||
The OpenLDAP Project <project@openldap.org>
|
||||
|
||||
|
||||
%package -n openldap2-back-perl
|
||||
License: BSD3c(or similar) ; openldap 2.8
|
||||
Summary: OpenLDAP Perl Back-End
|
||||
@ -157,6 +167,17 @@ Authors:
|
||||
%else
|
||||
|
||||
%description
|
||||
The Lightweight Directory Access Protocol (LDAP) is used to access
|
||||
online directory services. It runs directly over TCP and can be used to
|
||||
access a stand-alone LDAP directory service or to access a directory
|
||||
service that has an X.500 back-end.
|
||||
|
||||
|
||||
|
||||
Authors:
|
||||
--------
|
||||
The OpenLDAP Project <project@openldap.org>
|
||||
|
||||
This package contains the OpenLDAP client utilities.
|
||||
|
||||
|
||||
@ -225,6 +246,8 @@ Authors:
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
cp %{SOURCE5} .
|
||||
cp %{SOURCE6} .
|
||||
cd ../openldap-2.3.37
|
||||
|
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 24 13:57:45 UTC 2011 - rhafer@suse.de
|
||||
|
||||
- ACL changes to the config database only got active after slapd
|
||||
restart in certain cases (bnc#716895, ITS#7066).
|
||||
- Adjusted default DB_CONFIG to increase max values for locks and
|
||||
lock objects (bnc#719803)
|
||||
- Fix UTF8StringNormalize overrun on zero-length string
|
||||
(bnc#724201, ITS#7059)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de
|
||||
|
||||
|
@ -33,11 +33,11 @@ BuildRequires: db-devel openslp-devel tcpd-devel unixODBC-devel
|
||||
%if %sles_version == 9 || %sles_version == 10
|
||||
BuildRequires: -db-devel libdb-4_5-devel
|
||||
%endif
|
||||
Group: Productivity/Networking/LDAP/Servers
|
||||
Group: Productivity/Networking/LDAP/Clients
|
||||
Conflicts: openldap
|
||||
Requires: libldap-2_4-2 = %{version}
|
||||
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
|
||||
Summary: OpenLDAP The OpenLDAP Server
|
||||
Summary: The OpenLDAP commandline client tools
|
||||
%else
|
||||
Group: Productivity/Networking/LDAP/Clients
|
||||
Conflicts: openldap-client
|
||||
@ -66,6 +66,8 @@ Patch9: 0009-unregister_supported_control-backport.dif
|
||||
Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif
|
||||
Patch11: 0011-config-delete-overlay-fixes.dif
|
||||
Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif
|
||||
Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif
|
||||
Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif
|
||||
Patch100: openldap-2.3.37.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%if "%{name}" == "openldap2"
|
||||
@ -225,6 +227,8 @@ Authors:
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
cp %{SOURCE5} .
|
||||
cp %{SOURCE6} .
|
||||
cd ../openldap-2.3.37
|
||||
|
Loading…
Reference in New Issue
Block a user