From e488e6253c4640052d65055d492fc9cd09c5dc422d5b532d27375d338e2288c3 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Thu, 1 Jul 2010 13:38:00 +0000
Subject: [PATCH] Accepting request 42372 from home:rhafer:branches:network:ldap

Copy from home:rhafer:branches:network:ldap/openldap2 via accept of submit request 42372 revision 2. Request was accepted with message: Reviewed ok
OBS-URL: https://build.opensuse.org/request/show/42372
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=38
---
 Syncprov-might-lose-deletes-ITS-6555.dif | 38 +++++++++
 openldap2-client.changes | 9 ++
 openldap2-client.spec | 8 +-
 openldap2.changes | 9 ++
 openldap2.spec | 4 +
 slapd-modrdn-crash-ITS-6570.dif | 100 +++++++++++++++++++++++
 6 files changed, 166 insertions(+), 2 deletions(-)
 create mode 100644 Syncprov-might-lose-deletes-ITS-6555.dif
 create mode 100644 slapd-modrdn-crash-ITS-6570.dif

diff --git a/Syncprov-might-lose-deletes-ITS-6555.dif b/Syncprov-might-lose-deletes-ITS-6555.dif
new file mode 100644
index 0000000..9e0bd94
--- /dev/null
+++ b/Syncprov-might-lose-deletes-ITS-6555.dif
@@ -0,0 +1,38 @@
+From e32aa64d19840a3b76da532d200fa1cb733e0672 Mon Sep 17 00:00:00 2001
+From: ralf
+Date: Thu, 20 May 2010 15:08:28 +0000
+Subject: Syncprov might lose deletes (ITS#6555)
+
+During the refresh phase the sync filter needs to be adjusted (skipping
+the "(entrycsn>=cookie)" part that was inserted) when checking whether a
+change needs to be replicated, otherwise we lose DELETES that happen during
+the refresh phase.
+
+bnc#606294
+
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 675568e..030edf5 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -1301,7 +1301,15 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit )
+ op2.o_hdr = &oh;
+ op2.o_extra = op->o_extra;
+ op2.o_callback = NULL;
+- rc = test_filter( &op2, e, ss->s_op->ors_filter );
++ ldap_pvt_thread_mutex_lock( &ss->s_mutex );
++ if (ss->s_flags & PS_FIX_FILTER) {
++ /* Skip the AND/GE clause that we stuck on in front. We
++ would lose deletes/mods that happen during the refresh
++ phase otherwise (ITS#6555) */
++ op2.ors_filter = ss->s_op->ors_filter->f_and->f_next;
++ }
++ ldap_pvt_thread_mutex_unlock( &ss->s_mutex );
++ rc = test_filter( &op2, e, op2.ors_filter );
+ }
+ 
+ Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n",
+-- 
+1.7.0.3
+
diff --git a/openldap2-client.changes b/openldap2-client.changes
index 2a80cef..58841dd 100644
--- a/openldap2-client.changes
+++ b/openldap2-client.changes
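Review bot: In the syncprov.c hunk the filter pointer computed under `s_mutex` is only dereferenced by `test_filter()` after the unlock, so the lock covers the `s_flags` read but not the lifetime of `ss->s_op->ors_filter`; if that filter can be replaced or freed under the same mutex elsewhere, the call runs on a pointer that is no longer protected. The `f_and->f_next` walk also assumes the prepended clause is always the first element of an AND with a non-empty remainder, and the non-`PS_FIX_FILTER` path relies on `op2.ors_filter` already holding the original search filter, which must come from the `op2` initialisation above the hunk (the function starts and ends outside it). A comment on the assignment such as `/* ors_filter is owned by ss->s_op and outlives this call; only s_flags needs the lock */` would make the intended invariant explicit for the next reader.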
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com
+
+- LDAP clients could crash the server by submitting a specially
+ crafted LDAP ModRDN operation. (bnc#612430, ITS#6570)
+- Delete Operations happening during the "Refresh" phase of
+ "refreshAndPersist" replication failed to replicate under
+ certain circumstances (bnc#606294, ITS#6555)
+
 -------------------------------------------------------------------
 Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com
 
diff --git a/openldap2-client.spec b/openldap2-client.spec
index 3e71f2e..664fe1f 100644
--- a/openldap2-client.spec
+++ b/openldap2-client.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package openldap2-client (Version 2.4.21)
+# spec file for package openldap2 (Version 2.4.21)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -19,7 +19,7 @@
 %define run_test_suite 1
 
-Name: openldap2-client
+Name: openldap2-client
 BuildRequires: cyrus-sasl-devel db-devel libopenssl-devel tcpd-devel
 %if %sles_version == 9
 BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
@@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif
 Patch6: libldap-gethostbyname_r.dif
 Patch7: pie-compile.dif
 Patch11: slapd-bconfig-del-db.dif
+Patch12: Syncprov-might-lose-deletes-ITS-6555.dif
+Patch13: slapd-modrdn-crash-ITS-6570.dif
 Patch100: openldap-2.3.37.dif
 Patch200: slapd_getaddrinfo_dupl.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -180,6 +182,8 @@ Authors:
 %patch7
 %endif
 %patch11
+%patch12 -p1
+%patch13 -p1
 %if %suse_version == 1100
 %patch200 -p1
 %endif
diff --git a/openldap2.changes b/openldap2.changes
index 2a80cef..58841dd 100644
--- a/openldap2.changes
+++ b/openldap2.changes
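Review bot: The first hunk of openldap2-client.spec rewrites the header comment to `# spec file for package openldap2 (Version 2.4.21)` while the next hunk keeps `Name: openldap2-client`, so the comment now names the wrong package; this looks like an artifact of copying the header from openldap2.spec rather than an intended change, and the original `# spec file for package openldap2-client (Version 2.4.21)` line should be kept. The `Name:` hunk itself appears to change only whitespace, which is noise in a security update and is worth dropping so the diff shows only the two new `Patch12`/`Patch13` lines and their `%patch12 -p1` / `%patch13 -p1` applications. The openldap2.spec section in this commit has neither problem.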
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Jul 1 12:48:18 UTC 2010 - rhafer@novell.com
+
+- LDAP clients could crash the server by submitting a specially
+ crafted LDAP ModRDN operation. (bnc#612430, ITS#6570)
+- Delete Operations happening during the "Refresh" phase of
+ "refreshAndPersist" replication failed to replicate under
+ certain circumstances (bnc#606294, ITS#6555)
+
 -------------------------------------------------------------------
 Mon May 10 13:35:59 UTC 2010 - rhafer@novell.com
 
diff --git a/openldap2.spec b/openldap2.spec
index 9434a1b..d8464f5 100644
--- a/openldap2.spec
+++ b/openldap2.spec
@@ -60,6 +60,8 @@ Patch5: slapd-back-hdb-fortify.dif
 Patch6: libldap-gethostbyname_r.dif
 Patch7: pie-compile.dif
 Patch11: slapd-bconfig-del-db.dif
+Patch12: Syncprov-might-lose-deletes-ITS-6555.dif
+Patch13: slapd-modrdn-crash-ITS-6570.dif
 Patch100: openldap-2.3.37.dif
 Patch200: slapd_getaddrinfo_dupl.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -180,6 +182,8 @@ Authors:
 %patch7
 %endif
 %patch11
+%patch12 -p1
+%patch13 -p1
 %if %suse_version == 1100
 %patch200 -p1
 %endif
diff --git a/slapd-modrdn-crash-ITS-6570.dif b/slapd-modrdn-crash-ITS-6570.dif
new file mode 100644
index 0000000..667950c
--- /dev/null
+++ b/slapd-modrdn-crash-ITS-6570.dif
@@ -0,0 +1,100 @@
+From 6e229f5b94be41c4b9372914ae9bff90ccd81014 Mon Sep 17 00:00:00 2001
+From: hyc
+Date: Sun, 6 Jun 2010 22:02:32 +0000
+Subject: slapd modrdn crash (ITS#6570)
+
+part #1 reject RDNs with binary BER values
+part #2 reject RDNs with empty values
+
+Unauthenticated LDAP clients could crash the server by submitting a
+specially crafted LDAP ModRDN operatoin.
+
+Part #1:
+OpenLDAP crashes with segfault during the processing of a modrdn call with
+maliciously formed destination rdn string. No authentication is required to
+trigger this vulnerability.
+
+Part #2:
+OpenLDAP crashes at a null pointer dereference during the processing of modrdn
+call with maliciously formed destination rdn string. No authentication is
+required to trigger this vulnerability.
+
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
+index 3534e7f..75d2204 100644
+--- a/servers/slapd/dn.c
++++ b/servers/slapd/dn.c
+@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
+ ava->la_attr = ad->ad_cname;
+ 
+ if( ava->la_flags & LDAP_AVA_BINARY ) {
+- if( ava->la_value.bv_len == 0 ) {
+- /* BER encoding is empty */
+- return LDAP_INVALID_SYNTAX;
+- }
++ /* AVA is binary encoded, not supported */
++ return LDAP_INVALID_SYNTAX;
+ 
+ /* Do not allow X-ORDERED 'VALUES' naming attributes */
+ } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
+ return LDAP_INVALID_SYNTAX;
+ 
+- /* AVA is binary encoded, don't muck with it */
+ } else if( flags & SLAP_LDAPDN_PRETTY ) {
+ transf = ad->ad_type->sat_syntax->ssyn_pretty;
+ if( !transf ) {
+@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx )
+ ava->la_value = bv;
+ ava->la_flags |= LDAP_AVA_FREE_VALUE;
+ }
++ /* reject empty values */
++ if (!ava->la_value.bv_len) {
++ return LDAP_INVALID_SYNTAX;
++ }
+ }
+ rc = LDAP_SUCCESS;
+ 
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index e386ef9..e143a7b 100644
+--- a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -445,12 +445,19 @@ slap_modrdn2mods(
+ mod_tmp->sml_values[1].bv_val = NULL;
+ if( desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+- (void) (*desc->ad_type->sat_equality->smr_normalize)(
++ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+ desc->ad_type->sat_syntax,
+ desc->ad_type->sat_equality,
+ &mod_tmp->sml_values[0],
+ &mod_tmp->sml_nvalues[0], NULL );
++ if (rs->sr_err != LDAP_SUCCESS) {
++ ch_free(mod_tmp->sml_nvalues);
++ ch_free(mod_tmp->sml_values[0].bv_val);
++ ch_free(mod_tmp->sml_values);
++ ch_free(mod_tmp);
++ goto done;
++ }
+ mod_tmp->sml_nvalues[1].bv_val = NULL;
+ } else {
+ mod_tmp->sml_nvalues = NULL;
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 68e6d28..d2f4708 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -1732,8 +1732,9 @@ UTF8StringNormalize(
+ ? LDAP_UTF8_APPROX : 0;
+ 
+ val = UTF8bvnormalize( val, &tmp, flags, ctx );
++ /* out of memory or syntax error, the former is unlikely */
+ if( val == NULL ) {
+- return LDAP_OTHER;
++ return LDAP_INVALID_SYNTAX;
+ }
+ 
+ /* collapse spaces (in place) */
+-- 
+1.7.0.3
+
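Review bot: In the modrdn.c hunk the new error path frees `mod_tmp->sml_nvalues` right after `smr_normalize` fails without stating whether a normalizer may have already stored an allocated `sml_nvalues[0].bv_val`; if any normalizer allocates before returning a syntax error that value leaks, and if none does, a comment such as `/* smr_normalize leaves sml_nvalues[0] untouched on failure */` would make the cleanup visibly complete. The path also sets `rs->sr_err` and jumps to `done`, which lies outside the hunk along with the rest of `slap_modrdn2mods`, so whether the client receives any `sr_text` for the rejected RDN cannot be judged from here. The schema_init.c hunk now maps every NULL return from `UTF8bvnormalize` to `LDAP_INVALID_SYNTAX`, as its added comment admits, so an allocation failure will be reported to the client as a malformed value rather than a server error. Since the changelog entries describe this patch only as a crash fix, the dn.c hunk's unconditional rejection of binary-encoded RDN values is a behaviour change for clients that relied on them and deserves a sentence in the .changes entries.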