- Fix CVE-2017-17740: when both the nops module and the memberof

overlay are enabled, attempts to free a buffer that was allocated on the stack * patch: 0017-Fix-segfault-in-nops.patch (bsc#1073313) OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=233
2018-11-21 15:17:38 +00:00 · 2018-11-21 15:17:38 +00:00 · e604505058
commit e604505058
parent 7fcf270ced
3 changed files with 46 additions and 0 deletions
--- a/0017-Fix-segfault-in-nops.patch
+++ b/0017-Fix-segfault-in-nops.patch
@ -0,0 +1,35 @@
+diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
+index 54c24682a..06945d811 100644
+--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
+@@ -360,10 +360,16 @@ memberof_value_modify(
+ 	unsigned long opid = op->o_opid;
+ 	SlapReply	rs2 = { REP_RESULT };
+ 	slap_callback	cb = { NULL, slap_null_cb, NULL, NULL };
+-	Modifications	mod[ 2 ] = { { { 0 } } }, *ml;
+-	struct berval	values[ 4 ], nvalues[ 4 ];
+	Modifications	*mod, *ml;
+	struct berval   *values, *nvalues;
+ 	int		mcnt = 0;
+ 
+	mod = (Modifications*)malloc(2 * sizeof(Modifications));
+	memset(mod, 0, 2 * sizeof(Modifications));
+
+	values = (struct berval*)malloc(4 * sizeof(struct berval));
+	nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
+
+ 	op2.o_tag = LDAP_REQ_MODIFY;
+ 
+ 	op2.o_req_dn = *ndn;
+@@ -493,6 +499,11 @@ memberof_value_modify(
+ 	/* restore original opid */
+ 	op->o_opid = opid;
+ 
+
+	slap_mods_free( mod, 0 );
+	free(values);
+	free(nvalues);
+
+ 	/* FIXME: if old_group_ndn doesn't exist, both delete __and__
+ 	 * add will fail; better split in two operations, although
+ 	 * not optimal in terms of performance.  At least it would
--- a/openldap2.changes
+++ b/openldap2.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 20 13:32:36 UTC 2018 - ckowalczyk@suse.com
+
+- Fix CVE-2017-17740: when both the nops module and the memberof
+  overlay are enabled, attempts to free a buffer that was allocated
+  on the stack
+  * patch: 0017-Fix-segfault-in-nops.patch
+  (bsc#1073313)
+
 -------------------------------------------------------------------
 Mon Nov 12 14:25:52 UTC 2018 - Dominique Leuenberger <dleuenberger@suse.com>

--- a/openldap2.spec
+++ b/openldap2.spec
@ -69,6 +69,7 @@ Patch12:        0012-ITS8051-sockdnpat.patch
 Patch14:        0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
 Patch15:        openldap-r-only.dif
 Patch16:        0016-Clear-shared-key-only-in-close-function.patch
+Patch17:        0017-Fix-segfault-in-nops.patch
 Source200:      %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201:      %{name_ppolicy_check_module}.Makefile
 Source202:      %{name_ppolicy_check_module}.conf
@ -268,6 +269,7 @@ gzip -k %{S:203}
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 cp %{SOURCE5} .

 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/