From e604505058a4075880ddf31a64634d9e5c3f6c2f4a9fb38c47ccf70637225d87 Mon Sep 17 00:00:00 2001
From: Peter Varkoly
Date: Wed, 21 Nov 2018 15:17:38 +0000
Subject: [PATCH] - Fix CVE-2017-17740: when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack * patch: 0017-Fix-segfault-in-nops.patch (bsc#1073313) OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=233
---
 0017-Fix-segfault-in-nops.patch | 35 +++++++++++++++++++++++++++++++++
 openldap2.changes | 9 +++++++++
 openldap2.spec | 2 ++
 3 files changed, 46 insertions(+)
 create mode 100644 0017-Fix-segfault-in-nops.patch
diff --git a/0017-Fix-segfault-in-nops.patch b/0017-Fix-segfault-in-nops.patch
new file mode 100644
index 0000000..7a6adc8
--- /dev/null
+++ b/0017-Fix-segfault-in-nops.patch
@@ -0,0 +1,35 @@
+diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
+index 54c24682a..06945d811 100644
+--- a/servers/slapd/overlays/memberof.c
++++ b/servers/slapd/overlays/memberof.c
+@@ -360,10 +360,16 @@ memberof_value_modify(
+ unsigned long opid = op->o_opid;
+ SlapReply rs2 = { REP_RESULT };
+ slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
+- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
+- struct berval values[ 4 ], nvalues[ 4 ];
++ Modifications *mod, *ml;
++ struct berval *values, *nvalues;
+ int mcnt = 0;
+ 
++ mod = (Modifications*)malloc(2 * sizeof(Modifications));
++ memset(mod, 0, 2 * sizeof(Modifications));
++
++ values = (struct berval*)malloc(4 * sizeof(struct berval));
++ nvalues = (struct berval*)malloc(4 * sizeof(struct berval));
++
+ op2.o_tag = LDAP_REQ_MODIFY;
+ 
+ op2.o_req_dn = *ndn;
+@@ -493,6 +499,11 @@ memberof_value_modify(
+ /* restore original opid */
+ op->o_opid = opid;
+ 
++
++ slap_mods_free( mod, 0 );
++ free(values);
++ free(nvalues);
++
+ /* FIXME: if old_group_ndn doesn't exist, both delete __and__
+ * add will fail; better split in two operations, although
+ * not optimal in terms of performance. At least it would
diff --git a/openldap2.changes b/openldap2.changes
index ddafb96..931677b 100644
--- a/openldap2.changes
+++ b/openldap2.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 20 13:32:36 UTC 2018 - ckowalczyk@suse.com
+
+- Fix CVE-2017-17740: when both the nops module and the memberof
+ overlay are enabled, attempts to free a buffer that was allocated
+ on the stack
+ * patch: 0017-Fix-segfault-in-nops.patch
+ (bsc#1073313)
+
 -------------------------------------------------------------------
 Mon Nov 12 14:25:52 UTC 2018 - Dominique Leuenberger
diff --git a/openldap2.spec b/openldap2.spec
index 08ec180..510da23 100644
--- a/openldap2.spec
+++ b/openldap2.spec
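Review bot: The three `malloc()` calls added after `int mcnt = 0;` are never checked, and `memset(mod, 0, ...)` dereferences the result on the very next line, so an allocation failure crashes slapd instead of surfacing as an error; slapd's own `ch_calloc`/`ch_malloc` wrappers handle that case and also make the casts and the separate memset unnecessary: `mod = ch_calloc( 2, sizeof( Modifications ) );`, `values = ch_malloc( 4 * sizeof( struct berval ) );`, `nvalues = ch_malloc( 4 * sizeof( struct berval ) );`. The cleanup added before the FIXME comment frees all three buffers unconditionally, yet the reason for the change is that another overlay may already detach and free entries of this modlist; since the original `mod[ 2 ]`/`values[ 4 ]` layout suggests some entries point into the middle of these single allocations (`&mod[ 1 ]`, `&values[ 2 ]`), it is worth confirming that no such entry is freed by the other overlay, otherwise the stack free is traded for a double or invalid free. Any early return in the part of memberof_value_modify that lies between the two hunks would now leak the three buffers; that body, and the function's start and end, are outside the hunk and should be checked for that.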
@@ -69,6 +69,7 @@ Patch12: 0012-ITS8051-sockdnpat.patch
 Patch14: 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
 Patch15: openldap-r-only.dif
 Patch16: 0016-Clear-shared-key-only-in-close-function.patch
+Patch17: 0017-Fix-segfault-in-nops.patch
 Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201: %{name_ppolicy_check_module}.Makefile
 Source202: %{name_ppolicy_check_module}.conf
@@ -268,6 +269,7 @@ gzip -k %{S:203}
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 cp %{SOURCE5} .
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/