diff --git a/0017-Fix-segfault-in-nops.patch b/0017-Fix-segfault-in-nops.patch
new file mode 100644
index 0000000..7a6adc8
--- /dev/null
+++ b/0017-Fix-segfault-in-nops.patch
@@ -0,0 +1,35 @@
+diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
+index 54c24682a..06945d811 100644
+--- a/servers/slapd/overlays/memberof.c
++++ b/servers/slapd/overlays/memberof.c
+@@ -360,10 +360,16 @@ memberof_value_modify(
+ unsigned long opid = op->o_opid;
+ SlapReply rs2 = { REP_RESULT };
+ slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
+- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
+- struct berval values[ 4 ], nvalues[ 4 ];
++ Modifications *mod, *ml;
++ struct berval *values, *nvalues;
+ int mcnt = 0;
+
++ mod = (Modifications*)malloc(2 * sizeof(Modifications));
++ memset(mod, 0, 2 * sizeof(Modifications));
++
++ values = (struct berval*)malloc(4 * sizeof(struct berval));
++ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
++
+ op2.o_tag = LDAP_REQ_MODIFY;
+
+ op2.o_req_dn = *ndn;
+@@ -493,6 +499,11 @@ memberof_value_modify(
+ /* restore original opid */
+ op->o_opid = opid;
+
++
++ slap_mods_free( mod, 0 );
++ free(values);
++ free(nvalues);
++
+ /* FIXME: if old_group_ndn doesn't exist, both delete __and__
+ * add will fail; better split in two operations, although
+ * not optimal in terms of performance. At least it would
diff --git a/openldap2.changes b/openldap2.changes
index 5cf51fd..4957964 100644
--- a/openldap2.changes
+++ b/openldap2.changes
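Review bot: In the memberof.c change carried by 0017-Fix-segfault-in-nops.patch, the three new `malloc` calls in `memberof_value_modify` are used unchecked and `memset(mod, 0, ...)` runs on the result directly, so an allocation failure becomes a NULL dereference inside slapd. Allocating zeroed memory through slapd's own wrapper, e.g. `mod = ch_calloc( 2, sizeof( *mod ) );` and likewise for `values` and `nvalues`, drops the casts and the separate `memset` and leaves failure handling to the allocator. The release side needs a second look as well: `mod` is a single block of two elements, but `slap_mods_free( mod, 0 )` walks the `sml_next` chain and frees every node on its own, so if the code between the two hunks links `mod[0]` to `mod[1]` this frees an interior pointer, and if the nops path described in the changelog has already released the list it is a second free of the same memory; a single `ch_free( mod );` would at least match the allocation. The body of the function between and after the two hunks is not shown, so return paths that would skip the new frees cannot be checked from this page.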
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Nov 22 16:03:22 UTC 2018 - Jan Engelhardt + +- Replace old $RPM_* shell vars + +------------------------------------------------------------------- +Tue Nov 20 13:32:36 UTC 2018 - ckowalczyk@suse.com + +- Fix CVE-2017-17740: when both the nops module and the memberof + overlay are enabled, attempts to free a buffer that was allocated + on the stack + * patch: 0017-Fix-segfault-in-nops.patch + (bsc#1073313) + ------------------------------------------------------------------- Mon Nov 12 14:25:52 UTC 2018 - Dominique Leuenberger @@ -37,6 +51,11 @@ Wed Jun 20 10:04:06 UTC 2018 - michael@stroeder.com used before constraint violation to the client 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch +------------------------------------------------------------------- +Tue Jun 5 13:24:09 UTC 2018 - varkoly@suse.com + +- bsc#1095816 libldap package does not contain and provide libldap anymore + ------------------------------------------------------------------- Thu May 24 11:59:02 CEST 2018 - kukuk@suse.de diff --git a/openldap2.spec b/openldap2.spec index 64b365b..40652c6 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -69,6 +69,7 @@ Patch12: 0012-ITS8051-sockdnpat.patch Patch14: 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch Patch15: openldap-r-only.dif Patch16: 0016-Clear-shared-key-only-in-close-function.patch +Patch17: 0017-Fix-segfault-in-nops.patch Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz Source201: %{name_ppolicy_check_module}.Makefile Source202: %{name_ppolicy_check_module}.conf 
@@ -268,6 +269,7 @@ gzip -k %{S:203} %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 cp %{SOURCE5} . # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/ 
@@ -350,36 +352,36 @@ make SLAPD_DEBUG=0 test %endif %install -mkdir -p ${RPM_BUILD_ROOT}/%{_libdir}/openldap -mkdir -p ${RPM_BUILD_ROOT}/usr/lib/openldap -mkdir -p ${RPM_BUILD_ROOT}/usr/sbin -mkdir -p ${RPM_BUILD_ROOT}/%{_unitdir} -make STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +mkdir -p %{buildroot}/%{_libdir}/openldap +mkdir -p %{buildroot}/usr/lib/openldap +mkdir -p %{buildroot}/usr/sbin +mkdir -p %{buildroot}/%{_unitdir} +make STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install # Additional symbolic link to slapd executable in /usr/sbin/ -ln -s %{_libdir}/slapd ${RPM_BUILD_ROOT}/usr/sbin/slapd +ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd # Install selected contrib overlays for SLAPO_NAME in addpartial allowed allop autogroup lastbind nops denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace do - make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install + make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install done # slapo-smbk5pwd only for Samba password hashes -make -C contrib/slapd-modules/smbk5pwd STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install -install -m 755 %{SOURCE13} ${RPM_BUILD_ROOT}/usr/lib/openldap/start -install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}/%{_unitdir} -mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/openldap/slapd.d -mkdir -p ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2 -install -m 644 %{SOURCE4} ${RPM_BUILD_ROOT}/%{_sysconfdir}/sasl2/slapd.conf -install -m 755 -d ${RPM_BUILD_ROOT}/var/lib/ldap -chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/liblber.so* -chmod a+x ${RPM_BUILD_ROOT}/%{_libdir}/libldap_r.so* 
-install -m 755 %{SOURCE6} ${RPM_BUILD_ROOT}/usr/sbin/schema2ldif -install -m 755 %{SOURCE17} ${RPM_BUILD_ROOT}/usr/sbin -mkdir -p ${RPM_BUILD_ROOT}/usr/lib/tmpfiles.d/ -install -m 644 %{SOURCE18} ${RPM_BUILD_ROOT}/usr/lib/tmpfiles.d/ -install -m 644 %{SOURCE3} ${RPM_BUILD_ROOT}/%{_libexecdir}/openldap/ +make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install +install -m 755 %{SOURCE13} %{buildroot}/usr/lib/openldap/start +install -m 644 %{SOURCE14} %{buildroot}/%{_unitdir} +mkdir -p %{buildroot}/%{_sysconfdir}/openldap/slapd.d +mkdir -p %{buildroot}/%{_sysconfdir}/sasl2 +install -m 644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sasl2/slapd.conf +install -m 755 -d %{buildroot}/var/lib/ldap +chmod a+x %{buildroot}/%{_libdir}/liblber.so* +chmod a+x %{buildroot}/%{_libdir}/libldap_r.so* +install -m 755 %{SOURCE6} %{buildroot}/usr/sbin/schema2ldif +install -m 755 %{SOURCE17} %{buildroot}/usr/sbin +mkdir -p %{buildroot}/usr/lib/tmpfiles.d/ +install -m 644 %{SOURCE18} %{buildroot}/usr/lib/tmpfiles.d/ +install -m 644 %{SOURCE3} %{buildroot}/%{_libexecdir}/openldap/ # Install ppolicy check module -make -C contrib/slapd-modules/ppolicy-check-password STRIP="" "DESTDIR=${RPM_BUILD_ROOT}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install +make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf # Install ppolicy check module's doc files pushd contrib/slapd-modules/%{name_ppolicy_check_module} 
@@ -390,58 +392,60 @@ popd # Install ppolicy check module's manual page install -m 0644 %{S:203}.gz %{buildroot}%{_mandir}/man5/ -mkdir -p ${RPM_BUILD_ROOT}%{_fillupdir} -install -m 644 %{SOURCE16} ${RPM_BUILD_ROOT}%{_fillupdir}/sysconfig.openldap -install -m 644 *.ldif ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema -install -m 644 *.schema ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap/schema +mkdir -p %{buildroot}/%{_fillupdir} +install -m 644 %{SOURCE16} %{buildroot}/%{_fillupdir}/sysconfig.openldap +install -m 644 *.ldif %{buildroot}/%{_sysconfdir}/openldap/schema +install -m 644 *.schema %{buildroot}/%{_sysconfdir}/openldap/schema # Install default and sample configuration files -install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap -install -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap -install -m 644 %{SOURCE12} ${RPM_BUILD_ROOT}%{_sysconfdir}/openldap -install -d ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/ -install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/sysconfig/SuSEfirewall2.d/services/openldap +install -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/openldap +install -m 644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/openldap +install -m 644 %{SOURCE12} %{buildroot}/%{_sysconfdir}/openldap +install -d %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/ +install -m 644 %{SOURCE15} %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/openldap find doc/guide '(' ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! 
-type d ')' -delete rm -rf doc/guide/release %define DOCDIR %{_defaultdocdir}/%{name} # Install default database optimisation -install -d ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide \ - ${RPM_BUILD_ROOT}/%{DOCDIR}/images \ - ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts -install -m 644 ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example ${RPM_BUILD_ROOT}/%{DOCDIR}/ -install -m 644 doc/guide/admin/* ${RPM_BUILD_ROOT}/%{DOCDIR}/adminguide -install -m 644 doc/guide/images/*.gif ${RPM_BUILD_ROOT}/%{DOCDIR}/images -install -m 644 doc/drafts/* ${RPM_BUILD_ROOT}/%{DOCDIR}/drafts +install -d %{buildroot}/%{DOCDIR}/adminguide \ + %{buildroot}/%{DOCDIR}/images \ + %{buildroot}/%{DOCDIR}/drafts +install -m 644 %{buildroot}/etc/openldap/DB_CONFIG.example %{buildroot}/%{DOCDIR}/ +install -m 644 doc/guide/admin/* %{buildroot}/%{DOCDIR}/adminguide +install -m 644 doc/guide/images/*.gif %{buildroot}/%{DOCDIR}/images +install -m 644 doc/drafts/* %{buildroot}/%{DOCDIR}/drafts install -m 644 ANNOUNCEMENT \ COPYRIGHT \ README \ CHANGES \ %{SOURCE5} \ - ${RPM_BUILD_ROOT}/%{DOCDIR} + %{buildroot}/%{DOCDIR} install -m 644 servers/slapd/slapd.ldif \ - ${RPM_BUILD_ROOT}/%{DOCDIR}/slapd.ldif.default -rm -f ${RPM_BUILD_ROOT}/etc/openldap/DB_CONFIG.example -rm -f ${RPM_BUILD_ROOT}/etc/openldap/schema/README -rm -f ${RPM_BUILD_ROOT}/etc/openldap/slapd.ldif* -rm -f ${RPM_BUILD_ROOT}/%{_rundir}/openldap-data/DB_CONFIG.example + %{buildroot}/%{DOCDIR}/slapd.ldif.default +rm -f %{buildroot}/etc/openldap/DB_CONFIG.example +rm -f %{buildroot}/etc/openldap/schema/README +rm -f %{buildroot}/etc/openldap/slapd.ldif* +rm -f %{buildroot}/%{_rundir}/openldap-data/DB_CONFIG.example mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd -rm -f ${RPM_BUILD_ROOT}/%{_libdir}/openldap/*.a -rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-dnssrv.5 -rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-ndb.5 -rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-null.5 
-rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-passwd.5 -rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-shell.5 -rm -f ${RPM_BUILD_ROOT}/usr/share/man/man5/slapd-tcl.5 +rm -f %{buildroot}/%{_libdir}/openldap/*.a +rm -f %{buildroot}/usr/share/man/man5/slapd-dnssrv.5 +rm -f %{buildroot}/usr/share/man/man5/slapd-ndb.5 +rm -f %{buildroot}/usr/share/man/man5/slapd-null.5 +rm -f %{buildroot}/usr/share/man/man5/slapd-passwd.5 +rm -f %{buildroot}/usr/share/man/man5/slapd-shell.5 +rm -f %{buildroot}/usr/share/man/man5/slapd-tcl.5 # Remove *.la files, libtool does not handle this correct -rm -f ${RPM_BUILD_ROOT}%{_libdir}/lib*.la +rm -f %{buildroot}/%{_libdir}/lib*.la # Make ldap_r the only copy in the system [rh#1370065]. # libldap.so is only for `gcc/ld -lldap`. Make no libldap-2.4.so.2. rm -f "%{buildroot}/%{_libdir}"/libldap-2.4.so* ln -fs libldap_r.so "%{buildroot}/%{_libdir}/libldap.so" +gcc -shared -o "%{buildroot}/%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \ + -Wl,-soname -Wl,libldap-2.4.so.2 -L "%{buildroot}/%{_libdir}" -lldap_r %pre getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap
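Review bot: The two added `gcc -shared` lines at the end of %install create `libldap-2.4.so.2`, while the comment kept directly above them still reads "Make no libldap-2.4.so.2", so the comment now contradicts what the build does. It should state why the stub exists, for example `# Provide libldap-2.4.so.2 as a stub linked against libldap_r so existing binaries still resolve it (bsc#1095816)`; the bug number is inferred from the changelog entry in this commit and should be confirmed. The link step also calls `gcc` directly without `%{optflags}` or the distribution's linker flags, so the stub is built outside the hardening defaults applied to the rest of the package; `gcc %{optflags} -shared -o ...` would keep it consistent.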