Accepting request 42372 from home:rhafer:branches:network:ldap

Copy from home:rhafer:branches:network:ldap/openldap2 via accept of submit request 42372 revision 2.
Request was accepted with message:
Reviewed ok

OBS-URL: https://build.opensuse.org/request/show/42372
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=38

Syncprov-might-lose-deletes-ITS-6555.dif

@@ -0,0 +1,38 @@
+From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001
+From: ralf <ralf>
+Date: Thu, 20 May 2010 15:08:28 +0000
+Subject: Syncprov might lose deletes (ITS#6555)
+
+During the refresh phase the sync filter needs to be adjusted (skipping
+the "(entrycsn>=cookie)" part that was inserted) when checking whether a
+change needs to be replicated, otherwise we lose DELETES that happen during
+the refresh phase.
+
+bnc#606294
+
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 675568e..030edf5 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit )
+ 			op2.o_hdr = &oh;
+ 			op2.o_extra = op->o_extra;
+ 			op2.o_callback = NULL;
+-			rc = test_filter( &op2, e, ss->s_op->ors_filter );
++			ldap_pvt_thread_mutex_lock( &ss->s_mutex );
++			if (ss->s_flags & PS_FIX_FILTER) {
++				/* Skip the AND/GE clause that we stuck on in front. We
++				   would lose deletes/mods that happen during the refresh
++				   phase otherwise (ITS#6555) */
++				op2.ors_filter = ss->s_op->ors_filter->f_and->f_next;
++			}
++			ldap_pvt_thread_mutex_unlock( &ss->s_mutex );
++			rc = test_filter( &op2, e, op2.ors_filter );
+ 		}
+ 
+ 		Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n",
+-- 
+1.7.0.3
+

openldap2-client.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Jul  1 12:48:18 UTC 2010 - rhafer@novell.com
+
+- LDAP clients could crash the server by submitting a specially
+  crafted LDAP ModRDN operation.  (bnc#612430, ITS#6570)
+- Delete Operations happening during the "Refresh" phase of 
+  "refreshAndPersist" replication failed to replicate under
+  certain circumstances (bnc#606294, ITS#6555) 
+
 -------------------------------------------------------------------
 Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com
 

openldap2-client.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openldap2-client (Version 2.4.21)
+# spec file for package openldap2 (Version 2.4.21)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -19,7 +19,7 @@
 
 %define run_test_suite 1
 
-Name:           openldap2-client
+Name:         openldap2-client
 BuildRequires:  cyrus-sasl-devel db-devel libopenssl-devel tcpd-devel
 %if %sles_version == 9
 BuildRequires:  -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
@@ -60,6 +60,8 @@ Patch5:         slapd-back-hdb-fortify.dif
 Patch6:         libldap-gethostbyname_r.dif
 Patch7:         pie-compile.dif
 Patch11:        slapd-bconfig-del-db.dif
+Patch12:        Syncprov-might-lose-deletes-ITS-6555.dif
+Patch13:        slapd-modrdn-crash-ITS-6570.dif
 Patch100:       openldap-2.3.37.dif
 Patch200:       slapd_getaddrinfo_dupl.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -180,6 +182,8 @@ Authors:
 %patch7
 %endif
 %patch11
+%patch12 -p1
+%patch13 -p1
 %if %suse_version == 1100
 %patch200 -p1
 %endif

openldap2.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Jul  1 12:48:18 UTC 2010 - rhafer@novell.com
+
+- LDAP clients could crash the server by submitting a specially
+  crafted LDAP ModRDN operation.  (bnc#612430, ITS#6570)
+- Delete Operations happening during the "Refresh" phase of 
+  "refreshAndPersist" replication failed to replicate under
+  certain circumstances (bnc#606294, ITS#6555) 
+
 -------------------------------------------------------------------
 Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com
 

openldap2.spec

@@ -60,6 +60,8 @@ Patch5:         slapd-back-hdb-fortify.dif
 Patch6:         libldap-gethostbyname_r.dif
 Patch7:         pie-compile.dif
 Patch11:        slapd-bconfig-del-db.dif
+Patch12:        Syncprov-might-lose-deletes-ITS-6555.dif
+Patch13:        slapd-modrdn-crash-ITS-6570.dif
 Patch100:       openldap-2.3.37.dif
 Patch200:       slapd_getaddrinfo_dupl.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -180,6 +182,8 @@ Authors:
 %patch7
 %endif
 %patch11
+%patch12 -p1
+%patch13 -p1
 %if %suse_version == 1100
 %patch200 -p1
 %endif

slapd-modrdn-crash-ITS-6570.dif

@@ -0,0 +1,100 @@
+From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001
+From: hyc <hyc>
+Date: Sun, 6 Jun 2010 22:02:32 +0000
+Subject: slapd modrdn crash (ITS#6570)
+
+part #1 reject RDNs with binary BER values
+part #2 reject RDNs with empty values
+
+Unauthenticated LDAP clients could crash the server by submitting a
+specially crafted LDAP ModRDN operatoin.
+
+Part #1:
+OpenLDAP crashes with segfault during the processing of a modrdn call with
+maliciously formed destination rdn string. No authentication is required to
+trigger this vulnerability.
+
+Part #2:
+OpenLDAP crashes at a null pointer dereference during the processing of modrdn
+call with maliciously formed destination rdn string. No authentication is
+required to trigger this vulnerability.
+
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
+index 3534e7f..75d2204 100644
+--- a/servers/slapd/dn.c
++++ b/servers/slapd/dn.c
+@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
+ 		ava->la_attr = ad->ad_cname;
+ 
+ 		if( ava->la_flags & LDAP_AVA_BINARY ) {
+-			if( ava->la_value.bv_len == 0 ) {
+-				/* BER encoding is empty */
+-				return LDAP_INVALID_SYNTAX;
+-			}
++			/* AVA is binary encoded, not supported */
++			return LDAP_INVALID_SYNTAX;
+ 
+ 			/* Do not allow X-ORDERED 'VALUES' naming attributes */
+ 		} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
+ 			return LDAP_INVALID_SYNTAX;
+ 
+-			/* AVA is binary encoded, don't muck with it */
+ 		} else if( flags & SLAP_LDAPDN_PRETTY ) {
+ 			transf = ad->ad_type->sat_syntax->ssyn_pretty;
+ 			if( !transf ) {
+@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
+ 			ava->la_value = bv;
+ 			ava->la_flags |= LDAP_AVA_FREE_VALUE;
+ 		}
++		/* reject empty values */
++		if (!ava->la_value.bv_len) {
++			return LDAP_INVALID_SYNTAX;
++		}
+ 	}
+ 	rc = LDAP_SUCCESS;
+ 
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index e386ef9..e143a7b 100644
+--- a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -445,12 +445,19 @@ slap_modrdn2mods(
+ 		mod_tmp->sml_values[1].bv_val = NULL;
+ 		if( desc->ad_type->sat_equality->smr_normalize) {
+ 			mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+-			(void) (*desc->ad_type->sat_equality->smr_normalize)(
++			rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
+ 				SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+ 				desc->ad_type->sat_syntax,
+ 				desc->ad_type->sat_equality,
+ 				&mod_tmp->sml_values[0],
+ 				&mod_tmp->sml_nvalues[0], NULL );
++			if (rs->sr_err != LDAP_SUCCESS) {
++				ch_free(mod_tmp->sml_nvalues);
++				ch_free(mod_tmp->sml_values[0].bv_val);
++				ch_free(mod_tmp->sml_values);
++				ch_free(mod_tmp);
++				goto done;
++			}
+ 			mod_tmp->sml_nvalues[1].bv_val = NULL;
+ 		} else {
+ 			mod_tmp->sml_nvalues = NULL;
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 68e6d28..d2f4708 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -1732,8 +1732,9 @@ UTF8StringNormalize(
+ 		? LDAP_UTF8_APPROX : 0;
+ 
+ 	val = UTF8bvnormalize( val, &tmp, flags, ctx );
++	/* out of memory or syntax error, the former is unlikely */
+ 	if( val == NULL ) {
+-		return LDAP_OTHER;
++		return LDAP_INVALID_SYNTAX;
+ 	}
+ 	
+ 	/* collapse spaces (in place) */
+-- 
+1.7.0.3
+