From 852740c235ef2d1b1885b77890c4e4c162dd2430beeb89b973e74b7b117d2c15 Mon Sep 17 00:00:00 2001
From: Howard Guo
Date: Mon, 30 Nov 2015 10:24:53 +0000
Subject: [PATCH 1/4] - Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch and openldap-2.3.37-Fix-ldap-host-lookup-ipv6.patch to fix an issue with unresponsive LDAP host lookups in IPv6 environment. (bsc#955210)

OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=141
---
0009-Fix-ldap-host-lookup-ipv6.patch | 73 ++++++++++++++++++++++++++++
openldap2-client.spec | 2 +
openldap2.changes | 8 +++
openldap2.spec | 2 +
4 files changed, 85 insertions(+)
create mode 100644 0009-Fix-ldap-host-lookup-ipv6.patch

diff --git a/0009-Fix-ldap-host-lookup-ipv6.patch b/0009-Fix-ldap-host-lookup-ipv6.patch
new file mode 100644
index 0000000..247f5c0
--- /dev/null
+++ b/0009-Fix-ldap-host-lookup-ipv6.patch
@@ -0,0 +1,73 @@
+The patch was written by Christian Kornacker on 2014-01-08 to fix an issue with unresponsive
+LDAP host lookups in IPv6 environment.
+
+---
+ libraries/libldap/util-int.c | 39 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+Index: openldap-2.4.41/libraries/libldap/util-int.c
+===================================================================
+--- openldap-2.4.41.orig/libraries/libldap/util-int.c
++++ openldap-2.4.41/libraries/libldap/util-int.c
+@@ -731,10 +731,16 @@ static char *safe_realloc( char **buf, i
+
+ char * ldap_pvt_get_fqdn( char *name )
+ {
+- char *fqdn, *ha_buf;
++ int rc;
++ char *fqdn;
+ char hostbuf[MAXHOSTNAMELEN+1];
++#ifdef HAVE_GETADDRINFO
++ struct addrinfo hints, *res;
++#else
++ char *ha_buf;
+ struct hostent *hp, he_buf;
+- int rc, local_h_errno;
++ int local_h_errno;
++#endif
+
+ if( name == NULL ) {
+ if( gethostname( hostbuf, MAXHOSTNAMELEN ) == 0 ) {
+@@ -745,6 +751,33 @@ char * ldap_pvt_get_fqdn( char *name )
+ }
+ }
+
++#ifdef HAVE_GETADDRINFO
++ memset( &hints, '\0', sizeof( hints ) );
++ hints.ai_family = AF_UNSPEC;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags |= AI_CANONNAME;
++
++ /* most getaddrinfo(3) use non-threadsafe resolver libraries */
++ LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
++
++ rc = getaddrinfo( name, NULL, &hints, &res );
++
++ LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
++
++ if ( rc != 0 ) {
++ fqdn = LDAP_STRDUP( name );
++ } else {
++ while ( res ) {
++ if ( res->ai_canonname ) {
++ fqdn = LDAP_STRDUP ( res->ai_canonname );
++ break;
++ }
++ res = res->ai_next;
++ }
++ freeaddrinfo( res );
++ }
++#else
++
+ rc = ldap_pvt_gethostbyname_a( name,
+ &he_buf, &ha_buf, &hp, &local_h_errno );
+
+@@ -755,6 +788,8 @@ char * ldap_pvt_get_fqdn( char *name )
+ }
+
+ LDAP_FREE( ha_buf );
++#endif
++
+ return fqdn;
+ }
+
diff --git a/openldap2-client.spec b/openldap2-client.spec
index aac2bc1..dfc70cc 100644
--- a/openldap2-client.spec
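Review bot: In the new HAVE_GETADDRINFO branch of ldap_pvt_get_fqdn, `fqdn` is declared without an initialiser and is only assigned inside `if ( res->ai_canonname )`, so a successful getaddrinfo() whose entries all lack ai_canonname falls out of the loop and the function returns an indeterminate pointer. In the same branch `freeaddrinfo( res )` receives the loop cursor rather than the list head: after a hit on any node but the first the earlier nodes leak, and after a miss `res` is NULL and the entire list leaks, which adds up in a long-lived client that resolves repeatedly. Walking the list with a separate cursor, freeing the original head, and falling back to `LDAP_STRDUP( name )` when no canonical name was found fixes both, as in the rewritten else-branch below. The inner hunks show the function's start and end but not all of its middle (the name == NULL handling is only partly visible).
```c
	if ( rc != 0 ) {
		fqdn = LDAP_STRDUP( name );
	} else {
		struct addrinfo *ai;

		fqdn = NULL;
		for ( ai = res; ai; ai = ai->ai_next ) {
			if ( ai->ai_canonname ) {
				fqdn = LDAP_STRDUP( ai->ai_canonname );
				break;
			}
		}
		/* release the whole list via its head, not the advanced cursor */
		freeaddrinfo( res );
		if ( fqdn == NULL ) {
			fqdn = LDAP_STRDUP( name );
		}
	}
	/* … unchanged: #else legacy gethostbyname path … */
```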
+++ b/openldap2-client.spec @@ -46,6 +46,7 @@ Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch +Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff @@ -177,6 +178,7 @@ This package contains the OpenLDAP client libraries. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 cp %{SOURCE5} . %build diff --git a/openldap2.changes b/openldap2.changes index 9325512..edeb45d 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com + +- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch + and openldap-2.3.37-Fix-ldap-host-lookup-ipv6.patch + to fix an issue with unresponsive LDAP host lookups in IPv6 environment. + (bsc#955210) + ------------------------------------------------------------------- Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com diff --git a/openldap2.spec b/openldap2.spec index 6e9f5d6..8df31f0 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -46,6 +46,7 @@ Patch5: 0005-pie-compile.dif Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch +Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff @@ -177,6 +178,7 @@ This package contains the OpenLDAP client libraries. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 cp %{SOURCE5} . %build From 48315a6a036c2943452cf5e0610c1a2ad576dd4bf7270f3e97bc8fc6c7faedf2 Mon Sep 17 00:00:00 2001 
From: Howard Guo Date: Mon, 30 Nov 2015 12:29:15 +0000 Subject: [PATCH 2/4] changelog entries for the one new patch OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=142 --- openldap2-client.changes | 7 +++++++ openldap2.changes | 1 - 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/openldap2-client.changes b/openldap2-client.changes index 295da2f..9b75618 100644 --- a/openldap2-client.changes +++ b/openldap2-client.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com + +- Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch + to fix an issue with unresponsive LDAP host lookups in IPv6 environment. + (bsc#955210) + ------------------------------------------------------------------- Fri Oct 9 09:19:35 UTC 2015 - hguo@suse.com diff --git a/openldap2.changes b/openldap2.changes index edeb45d..8d7211c 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -2,7 +2,6 @@ Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com - Introduce patch 0009-Fix-ldap-host-lookup-ipv6.patch - and openldap-2.3.37-Fix-ldap-host-lookup-ipv6.patch to fix an issue with unresponsive LDAP host lookups in IPv6 environment. (bsc#955210) From dc3d146869d955d81cce1d89081a557b01d8404f121185071e1da983fc736844 Mon Sep 17 00:00:00 2001 
From: Howard Guo
Date: Wed, 2 Dec 2015 12:58:25 +0000
Subject: [PATCH 3/4] - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766) - Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch to fix CVE-2015-6908. (bsc#945582) - Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch to address weak DH size vulnerability (bsc#937766)

OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=143
---
...vert-ITS-8240-remove-obsolete-assert.patch | 27 +++++++++++++++++++
0011-Enforce-minimum-DH-size-of-1024.patch | 24 +++++++++++++++++
openldap2-client.changes | 8 ++++++
openldap2-client.spec | 4 +++
openldap2.changes | 8 ++++++
openldap2.spec | 2 ++
6 files changed, 73 insertions(+)
create mode 100644 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
create mode 100644 0011-Enforce-minimum-DH-size-of-1024.patch

diff --git a/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch b/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
new file mode 100644
index 0000000..a85b81a
--- /dev/null
+++ b/0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch
@@ -0,0 +1,27 @@
+From 844ee7df820fa397249ce76984d2e7094746cd93 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Sat, 12 Sep 2015 22:18:22 +0100
+Subject: [PATCH] Revert "Revert "ITS#8240 remove obsolete assert""
+
+We have never documented our use of assert, so can't expect
+builders to do the right thing.
+This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
+
+The commit fixes CVE-2015-6908.
+
+diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
+index 85c3e23..c05dcf8 100644
+--- a/libraries/liblber/io.c
++++ b/libraries/liblber/io.c
+@@ -679,7 +679,7 @@ done:
+ return (ber->ber_tag);
+ }
+
+- assert( 0 ); /* ber structure is messed up ?*/
++ /* invalid input */
+ return LBER_DEFAULT;
+ }
+
+--
+2.6.3
+
diff --git a/0011-Enforce-minimum-DH-size-of-1024.patch b/0011-Enforce-minimum-DH-size-of-1024.patch
new file mode 100644
index 0000000..db4b18c
--- /dev/null
+++ b/0011-Enforce-minimum-DH-size-of-1024.patch
@@ -0,0 +1,24 @@
+The patch was authored by Marcus Meissner on 2015-07-13
+to address weak DH size vulnerability.
+
+--- openldap-2.4.26.orig/libraries/libldap/tls_o.c
++++ openldap-2.4.26/libraries/libldap/tls_o.c
+@@ -1190,7 +1190,6 @@ jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7t
+ -----END DH PARAMETERS-----\n";
+
+ static const struct dhinfo tlso_dhpem[] = {
+- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
+ { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
+ { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
+ { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
+@@ -1205,6 +1204,9 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export,
+ DH *dh = NULL;
+ int i;
+
++ /* for Logjam, rev up the minimum DH group size to 1024 bit */
++ if (key_length < 1024) key_length = 1024;
++
+ /* Do we have params of this length already? */
+ LDAP_MUTEX_LOCK( &tlso_dh_mutex );
+ for ( p = tlso_dhparams; p; p=p->next ) {
+
diff --git a/openldap2-client.changes b/openldap2-client.changes
index 9b75618..c45cbc2 100644
--- a/openldap2-client.changes
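Review bot: The 1024-bit floor added to tlso_tmp_dh_cb is written as a bare literal twice; a named constant such as `#define TLSO_DH_MIN_BITS 1024` with `if (key_length < TLSO_DH_MIN_BITS) key_length = TLSO_DH_MIN_BITS;` names the policy and leaves a single place to raise it later. Dropping the 512 entry from tlso_dhpem also leaves the tlso_dhpem512 object it referenced in place; if nothing else in tls_o.c uses it, the compiler will report an unused static, so it should probably go with the entry (only this hunk is visible, so confirm first). tlso_tmp_dh_cb's body continues outside the hunk.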
+++ b/openldap2-client.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Dec 2 12:51:10 UTC 2015 - hguo@suse.com + +- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch + to fix CVE-2015-6908. (bsc#945582) +- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch + to address weak DH size vulnerability (bsc#937766) + ------------------------------------------------------------------- Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com diff --git a/openldap2-client.spec b/openldap2-client.spec index dfc70cc..d613e96 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -47,6 +47,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch +Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch +Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff @@ -179,6 +181,8 @@ This package contains the OpenLDAP client libraries. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 cp %{SOURCE5} . %build diff --git a/openldap2.changes b/openldap2.changes index 8d7211c..d854536 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Dec 2 12:50:47 UTC 2015 - hguo@suse.com + +- Introduce patch 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch + to fix CVE-2015-6908. (bsc#945582) +- Introduce patch 0011-Enforce-minimum-DH-size-of-1024.patch + to address weak DH size vulnerability (bsc#937766) + ------------------------------------------------------------------- Mon Nov 30 10:16:57 UTC 2015 - hguo@suse.com diff --git a/openldap2.spec b/openldap2.spec index 8df31f0..652e253 100644 --- a/openldap2.spec +++ b/openldap2.spec 
@@ -47,6 +47,8 @@ Patch6: 0006-No-Build-date-and-time-in-binaries.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch +Patch10: 0010-Revert-Revert-ITS-8240-remove-obsolete-assert.patch +Patch11: 0011-Enforce-minimum-DH-size-of-1024.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: cyrus-sasl-devel BuildRequires: groff From 429b456698a4828d20b9cf3d9dca6377896cd4301cae9ecbefd79d0c89e346bc Mon Sep 17 00:00:00 2001 From: Howard Guo Date: Wed, 2 Dec 2015 13:05:32 +0000 Subject: [PATCH 4/4] add missing patch statements OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=144 --- openldap2.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openldap2.spec b/openldap2.spec index 652e253..e9a91c9 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -181,6 +181,8 @@ This package contains the OpenLDAP client libraries. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 cp %{SOURCE5} . %build