Accepting request 651186 from network:ldap

OBS-URL: https://build.opensuse.org/request/show/651186
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=142

0017-Fix-segfault-in-nops.patch

@@ -0,0 +1,35 @@
+diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
+index 54c24682a..06945d811 100644
+--- a/servers/slapd/overlays/memberof.c
++++ b/servers/slapd/overlays/memberof.c
+@@ -360,10 +360,16 @@ memberof_value_modify(
+ 	unsigned long opid = op->o_opid;
+ 	SlapReply	rs2 = { REP_RESULT };
+ 	slap_callback	cb = { NULL, slap_null_cb, NULL, NULL };
+-	Modifications	mod[ 2 ] = { { { 0 } } }, *ml;
+-	struct berval	values[ 4 ], nvalues[ 4 ];
++	Modifications	*mod, *ml;
++	struct berval   *values, *nvalues;
+ 	int		mcnt = 0;
+ 
++	mod = (Modifications*)malloc(2 * sizeof(Modifications));
++	memset(mod, 0, 2 * sizeof(Modifications));
++
++	values = (struct berval*)malloc(4 * sizeof(struct berval));
++	nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
++
+ 	op2.o_tag = LDAP_REQ_MODIFY;
+ 
+ 	op2.o_req_dn = *ndn;
+@@ -493,6 +499,11 @@ memberof_value_modify(
+ 	/* restore original opid */
+ 	op->o_opid = opid;
+ 
++
++	slap_mods_free( mod, 0 );
++	free(values);
++	free(nvalues);
++
+ 	/* FIXME: if old_group_ndn doesn't exist, both delete __and__
+ 	 * add will fail; better split in two operations, although
+ 	 * not optimal in terms of performance.  At least it would

openldap2.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Nov 22 16:03:22 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
+
+- Replace old $RPM_* shell vars
+
+-------------------------------------------------------------------
+Tue Nov 20 13:32:36 UTC 2018 - ckowalczyk@suse.com
+
+- Fix CVE-2017-17740: when both the nops module and the memberof
+  overlay are enabled, attempts to free a buffer that was allocated
+  on the stack
+  * patch: 0017-Fix-segfault-in-nops.patch
+  (bsc#1073313)
+
 -------------------------------------------------------------------
 Mon Nov 12 14:25:52 UTC 2018 - Dominique Leuenberger <dleuenberger@suse.com>
 
@@ -37,6 +51,11 @@ Wed Jun 20 10:04:06 UTC 2018 - michael@stroeder.com
   used before constraint violation to the client
   0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
 
+-------------------------------------------------------------------
+Tue Jun  5 13:24:09 UTC 2018 - varkoly@suse.com
+
+- bsc#1095816 libldap package does not contain and provide libldap anymore
+
 -------------------------------------------------------------------
 Thu May 24 11:59:02 CEST 2018 - kukuk@suse.de
 

openldap2.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -69,6 +69,7 @@ Patch12:        0012-ITS8051-sockdnpat.patch
 Patch14:        0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
 Patch15:        openldap-r-only.dif
 Patch16:        0016-Clear-shared-key-only-in-close-function.patch
+Patch17:        0017-Fix-segfault-in-nops.patch
 Source200:      %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201:      %{name_ppolicy_check_module}.Makefile
 Source202:      %{name_ppolicy_check_module}.conf
@@ -268,6 +269,7 @@ gzip -k %{S:203}
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 cp %{SOURCE5} .
 
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
@@ -350,36 +352,36 @@ make SLAPD_DEBUG=0 test
 %endif
 
 %install
-mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap
-mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap
-mkdir -p ${RPM_BUILD_ROOT}/usr/sbin
-mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir}
-make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
+mkdir -p %{buildroot}/%{_libdir}/openldap
+mkdir -p %{buildroot}/usr/lib/openldap
+mkdir -p %{buildroot}/usr/sbin
+mkdir -p %{buildroot}/%{_unitdir}
+make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 # Additional symbolic link to slapd executable in /usr/sbin/
-ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd
+ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd
 # Install selected contrib overlays
 for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace
 do
-  make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
+  make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
 done
 # slapo-smbk5pwd only for Samba password hashes
-make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
-install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start
-install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir}
-mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d
-mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2
-install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf
-install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap
-chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so*
-chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so*
-install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif
-install -m 755 %{SOURCE17} ${RPM_BUILD_ROOT}/usr/sbin
-mkdir -p  ${RPM_BUILD_ROOT}/usr/lib/tmpfiles.d/
-install -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}/usr/lib/tmpfiles.d/
-install -m 644 %{SOURCE3}  ${RPM_BUILD_ROOT}/%{_libexecdir}/openldap/
+make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install
+install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start
+install -m 644 %{SOURCE14} %{buildroot}/%{_unitdir}
+mkdir -p %{buildroot}/%{_sysconfdir}/openldap/slapd.d
+mkdir -p %{buildroot}/%{_sysconfdir}/sasl2
+install -m 644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sasl2/slapd.conf
+install -m 755 -d %{buildroot}/var/lib/ldap
+chmod a+x %{buildroot}/%{_libdir}/liblber.so*
+chmod a+x %{buildroot}/%{_libdir}/libldap_r.so*
+install -m 755 %{SOURCE6} %{buildroot}/usr/sbin/schema2ldif
+install -m 755 %{SOURCE17} %{buildroot}/usr/sbin
+mkdir -p  %{buildroot}/usr/lib/tmpfiles.d/
+install -m 644 %{SOURCE18} %{buildroot}/usr/lib/tmpfiles.d/
+install -m 644 %{SOURCE3}  %{buildroot}/%{_libexecdir}/openldap/
 
 # Install ppolicy check module
-make -C contrib/slapd-modules/ppolicy-check-password STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
+make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
 install -m 0644 %{S:202}  %{buildroot}%{_sysconfdir}/openldap/check_password.conf
 # Install ppolicy check module's doc files
 pushd contrib/slapd-modules/%{name_ppolicy_check_module}
@@ -390,58 +392,60 @@ popd
 # Install ppolicy check module's manual page
 install -m 0644 %{S:203}.gz %{buildroot}%{_mandir}/man5/
 
-mkdir -p ${RPM_BUILD_ROOT}%{_fillupdir}
-install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}%{_fillupdir}/sysconfig.openldap
-install -m 644 *.ldif ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
-install -m 644 *.schema ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{SOURCE16} %{buildroot}/%{_fillupdir}/sysconfig.openldap
+install -m 644 *.ldif %{buildroot}/%{_sysconfdir}/openldap/schema
+install -m 644 *.schema %{buildroot}/%{_sysconfdir}/openldap/schema
 # Install default and sample configuration files
-install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
-install -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
-install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap
-install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/
-install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap
+install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap
+install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap
+install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap
+install -d %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
+install -m 644 %{SOURCE15} %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/openldap
 find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d ')' -delete
 rm -rf doc/guide/release
 
 %define DOCDIR %{_defaultdocdir}/%{name}
 # Install default database optimisation
-install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \
-           ${RPM_BUILD_ROOT}/%{DOCDIR}/images \
-           ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
-install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/%{DOCDIR}/
-install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide
-install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images
-install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts
+install -d %{buildroot}/%{DOCDIR}/adminguide \
+           %{buildroot}/%{DOCDIR}/images \
+           %{buildroot}/%{DOCDIR}/drafts
+install -m 644 %{buildroot}/etc/openldap/DB_CONFIG.example %{buildroot}/%{DOCDIR}/
+install -m 644 doc/guide/admin/* %{buildroot}/%{DOCDIR}/adminguide
+install -m 644 doc/guide/images/*.gif %{buildroot}/%{DOCDIR}/images
+install -m 644 doc/drafts/* %{buildroot}/%{DOCDIR}/drafts
 install -m 644 ANNOUNCEMENT \
                COPYRIGHT \
                README \
                CHANGES \
                %{SOURCE5} \
-               ${RPM_BUILD_ROOT}/%{DOCDIR}
+               %{buildroot}/%{DOCDIR}
 install -m 644 servers/slapd/slapd.ldif \
-               ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default
-rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example
-rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README
-rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif*
-rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example
+               %{buildroot}/%{DOCDIR}/slapd.ldif.default
+rm -f %{buildroot}/etc/openldap/DB_CONFIG.example
+rm -f %{buildroot}/etc/openldap/schema/README
+rm -f %{buildroot}/etc/openldap/slapd.ldif*
+rm -f %{buildroot}/%{_rundir}/openldap-data/DB_CONFIG.example
 mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
 
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
 
-rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a
-rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5
-rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5
-rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5
-rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5
-rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5
-rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5
+rm -f %{buildroot}/%{_libdir}/openldap/*.a
+rm -f %{buildroot}/usr/share/man/man5/slapd-dnssrv.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-ndb.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-null.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5
+rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5
 # Remove *.la files, libtool does not handle this correct
-rm -f  ${RPM_BUILD_ROOT}%{_libdir}/lib*.la
+rm -f  %{buildroot}/%{_libdir}/lib*.la
 
 # Make ldap_r the only copy in the system [rh#1370065].
 # libldap.so is only for `gcc/ld -lldap`. Make no libldap-2.4.so.2.
 rm -f "%{buildroot}/%{_libdir}"/libldap-2.4.so*
 ln -fs libldap_r.so "%{buildroot}/%{_libdir}/libldap.so"
+gcc -shared -o "%{buildroot}/%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
+       -Wl,-soname -Wl,libldap-2.4.so.2 -L "%{buildroot}/%{_libdir}" -lldap_r
 
 %pre
 getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap