diff --git a/0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif b/0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif new file mode 100644 index 0000000..ca01816 --- /dev/null +++ b/0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif @@ -0,0 +1,59 @@ +From 48e44e993656a08424a020347a458148169196ce Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Thu, 6 Oct 2011 14:05:31 -0700 +Subject: UTF8StringNormalize overrun on zero-length string (ITS#7059) + +Detected by valgrind + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 67508fc..65a7e2e 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -1852,12 +1852,12 @@ UTF8StringNormalize( + } + nvalue.bv_val[nvalue.bv_len] = '\0'; + +- } else { ++ } else if ( tmp.bv_len ) { + /* string of all spaces is treated as one space */ + nvalue.bv_val[0] = ' '; + nvalue.bv_val[1] = '\0'; + nvalue.bv_len = 1; +- } ++ } /* should never be entered with 0-length val */ + + *normalized = nvalue; + return LDAP_SUCCESS; +@@ -2331,13 +2331,18 @@ postalAddressNormalize( + } + lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val; + +- normalized->bv_len = l; ++ normalized->bv_len = c = l; + +- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) { ++ for ( l = 0; l <= c; l++ ) { + /* NOTE: we directly normalize each line, + * without unescaping the values, since the special + * values '\24' ('$') and '\5C' ('\') are not affected + * by normalization */ ++ if ( !lines[l].bv_len ) { ++ nlines[l].bv_len = 0; ++ nlines[l].bv_val = NULL; ++ continue; ++ } + rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx ); + if ( rc != LDAP_SUCCESS ) { + rc = LDAP_INVALID_SYNTAX; +@@ -2350,7 +2355,7 @@ postalAddressNormalize( + normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx ); + + p = normalized->bv_val; +- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) { ++ for ( l = 0; l <= c ; l++ ) { + p = lutil_strbvcopy( p, &nlines[l] ); + *p++ = '$'; + } +-- +1.7.6.4 + diff --git a/0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif b/0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif new file mode 100644 index 0000000..26ba050 --- /dev/null +++ b/0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif @@ -0,0 +1,95 @@ +From 5d9026cf3f93f95dd6f80ad209013e30bbb0d8e6 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Tue, 18 Oct 2011 17:08:05 +0200 +Subject: ITS#7066 reworked default deny ACL for cn=config + +Dynamically adding ACL for cn=config didn't work correctly, when no +ACLs where present for that database upon startup. Delete the last +ACL from the DB could also lead to unexpected results. + +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index 309668e..7097d72 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -84,6 +84,7 @@ static char *logfileName; + #ifdef SLAP_AUTH_REWRITE + static BerVarray authz_rewrites; + #endif ++static AccessControl *defacl_parsed = NULL; + + static struct berval cfdir; + +@@ -1297,6 +1298,12 @@ config_generic(ConfigArgs *c) { + *prev = a->acl_next; + acl_free( a ); + } ++ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) { ++ Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): " ++ "Last explicit ACL for back-config removed. " ++ "Using hardcoded default\n", 0, 0, 0 ); ++ c->be->be_acl = defacl_parsed; ++ } + break; + + case CFG_OC: { +@@ -1792,6 +1799,9 @@ sortval_reject: + break; + + case CFG_ACL: ++ if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) { ++ c->be->be_acl = NULL; ++ } + /* Don't append to the global ACL if we're on a specific DB */ + i = c->valx; + if ( c->valx == -1 ) { +@@ -1801,6 +1811,9 @@ sortval_reject: + i++; + } + if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) { ++ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) { ++ c->be->be_acl = defacl_parsed; ++ } + return 1; + } + break; +@@ -6637,14 +6650,23 @@ config_back_db_open( BackendDB *be, ConfigReply *cr ) + slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; + SlapReply rs = {REP_RESULT}; + void *thrctx = NULL; ++ AccessControl *save_access; + + Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0); + + /* If we have no explicitly configured ACLs, don't just use + * the global ACLs. Explicitly deny access to everything. + */ +- if ( !be->bd_self->be_acl ) { +- parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ); ++ save_access = be->bd_self->be_acl; ++ be->bd_self->be_acl = NULL; ++ parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ); ++ defacl_parsed = be->bd_self->be_acl; ++ if ( save_access ) { ++ be->bd_self->be_acl = save_access; ++ } else { ++ Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: " ++ "No explicit ACL for back-config configured. " ++ "Using hardcoded default\n", 0, 0, 0 ); + } + + thrctx = ldap_pvt_thread_pool_context(); +@@ -6889,6 +6911,11 @@ config_back_db_close( BackendDB *be, ConfigReply *cr ) + backend_shutdown( &cfb->cb_db ); + } + ++ if ( defacl_parsed && be->be_acl != defacl_parsed ) { ++ acl_free( defacl_parsed ); ++ defacl_parsed = NULL; ++ } ++ + return 0; + } + +-- +1.7.6.4 + diff --git a/DB_CONFIG b/DB_CONFIG index 714a8c2..a465400 100644 --- a/DB_CONFIG +++ b/DB_CONFIG @@ -1,5 +1,7 @@ set_cachesize 0 15000000 1 set_lg_regionmax 262144 set_lg_bsize 2097152 +set_lk_max_locks 30000 +set_lk_max_objects 30000 set_flags DB_LOG_AUTOREMOVE diff --git a/openldap2-client.changes b/openldap2-client.changes index 2c5df72..7b27a0d 100644 --- a/openldap2-client.changes +++ b/openldap2-client.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Oct 24 13:57:45 UTC 2011 - rhafer@suse.de + +- ACL changes to the config database only got active after slapd + restart in certain cases (bnc#716895, ITS#7066). +- Adjusted default DB_CONFIG to increase max values for locks and + lock objects (bnc#719803) +- Fix UTF8StringNormalize overrun on zero-length string + (bnc#724201, ITS#7059) + ------------------------------------------------------------------- Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de diff --git a/openldap2-client.spec b/openldap2-client.spec index 87d7b57..5844610 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -1,5 +1,5 @@ # -# spec file for package openldap2 +# spec file for package openldap2-client # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,7 +19,7 @@ %define run_test_suite 1 -Name: openldap2-client +Name: openldap2-client BuildRequires: cyrus-sasl-devel libopenssl-devel %if %sles_version == 9 || %sles_version == 10 BuildRequires: -libopenssl-devel -pwdutils openssl-devel @@ -33,11 +33,11 @@ BuildRequires: db-devel openslp-devel tcpd-devel unixODBC-devel %if %sles_version == 9 || %sles_version == 10 BuildRequires: -db-devel libdb-4_5-devel %endif -Group: Productivity/Networking/LDAP/Servers +Group: Productivity/Networking/LDAP/Clients Conflicts: openldap Requires: libldap-2_4-2 = %{version} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -Summary: OpenLDAP The OpenLDAP Server +Summary: The OpenLDAP commandline client tools %else Group: Productivity/Networking/LDAP/Clients Conflicts: openldap-client @@ -66,6 +66,8 @@ Patch9: 0009-unregister_supported_control-backport.dif Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif Patch11: 0011-config-delete-overlay-fixes.dif Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif +Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif +Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif Patch100: openldap-2.3.37.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %if "%{name}" == "openldap2" @@ -82,6 +84,14 @@ Authors: -------- The OpenLDAP Project +This package contains the OpenLDAP client utilities. + + +Authors: +-------- + The OpenLDAP Project + + %package -n openldap2-back-perl License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Perl Back-End @@ -157,6 +167,17 @@ Authors: %else %description +The Lightweight Directory Access Protocol (LDAP) is used to access +online directory services. It runs directly over TCP and can be used to +access a stand-alone LDAP directory service or to access a directory +service that has an X.500 back-end. + + + +Authors: +-------- + The OpenLDAP Project + This package contains the OpenLDAP client utilities. @@ -225,6 +246,8 @@ Authors: %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 cp %{SOURCE5} . cp %{SOURCE6} . cd ../openldap-2.3.37 diff --git a/openldap2.changes b/openldap2.changes index 2c5df72..7b27a0d 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Oct 24 13:57:45 UTC 2011 - rhafer@suse.de + +- ACL changes to the config database only got active after slapd + restart in certain cases (bnc#716895, ITS#7066). +- Adjusted default DB_CONFIG to increase max values for locks and + lock objects (bnc#719803) +- Fix UTF8StringNormalize overrun on zero-length string + (bnc#724201, ITS#7059) + ------------------------------------------------------------------- Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de diff --git a/openldap2.spec b/openldap2.spec index 3e31ba7..4d44faf 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -33,11 +33,11 @@ BuildRequires: db-devel openslp-devel tcpd-devel unixODBC-devel %if %sles_version == 9 || %sles_version == 10 BuildRequires: -db-devel libdb-4_5-devel %endif -Group: Productivity/Networking/LDAP/Servers +Group: Productivity/Networking/LDAP/Clients Conflicts: openldap Requires: libldap-2_4-2 = %{version} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -Summary: OpenLDAP The OpenLDAP Server +Summary: The OpenLDAP commandline client tools %else Group: Productivity/Networking/LDAP/Clients Conflicts: openldap-client @@ -66,6 +66,8 @@ Patch9: 0009-unregister_supported_control-backport.dif Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif Patch11: 0011-config-delete-overlay-fixes.dif Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif +Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif +Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif Patch100: openldap-2.3.37.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %if "%{name}" == "openldap2" @@ -225,6 +227,8 @@ Authors: %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 cp %{SOURCE5} . cp %{SOURCE6} . cd ../openldap-2.3.37