diff options
author | Leo <thinkabit.ukim@gmail.com> | 2020-12-10 05:07:11 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-12-10 06:14:22 -0300 |
commit | 1291ff82e2bfcfde8fcfa1584812259167188bef (patch) | |
tree | 14ffe4b0aad4b3404a229c19c9a812edf2186757 | |
parent | b5a3085db9e2c52f6505eb5a26e15e40dd2b2848 (diff) |
main/openldap: fix a few CVEs
-rw-r--r-- | main/openldap/APKBUILD | 12 | ||||
-rw-r--r-- | main/openldap/CVE-2020-25692.patch | 27 | ||||
-rw-r--r-- | main/openldap/CVE-2020-25709.patch | 26 | ||||
-rw-r--r-- | main/openldap/CVE-2020-25710.patch | 27 |
4 files changed, 91 insertions, 1 deletions
diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD index 8398c0e2992..03010d64451 100644 --- a/main/openldap/APKBUILD +++ b/main/openldap/APKBUILD @@ -2,6 +2,10 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # # secfixes: +# 2.4.50-r1: +# - CVE-2020-25709 +# - CVE-2020-25710 +# - CVE-2020-25692 # 2.4.50-r0: # - CVE-2020-12243 # 2.4.48-r0: @@ -15,7 +19,7 @@ # pkgname=openldap pkgver=2.4.50 -pkgrel=0 +pkgrel=1 pkgdesc="LDAP Server" url="https://www.openldap.org" arch="all" @@ -54,6 +58,9 @@ source="https://www.openldap.org/software/download/OpenLDAP/openldap-release/ope fix-manpages.patch configs.patch cacheflush.patch + CVE-2020-25709.patch + CVE-2020-25710.patch + CVE-2020-25692.patch slapd.initd slapd.confd @@ -274,5 +281,8 @@ sha512sums="f528043ff9de36f7b65d8816c9a9c24f0ac400041b2969965178ee6eae62c92a11af 8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch fd1c1ba368148d42c24071a8a8f668232347f4c48268cd189b6be4a48bb51fc11e8c29074e70db69e1a2c249210bc7d4b4d55a0712e5e97a9df04cc8f743fa70 configs.patch 60c1ec62003a33036de68402544e25a71715ed124a3139056a94ed1ba02fb8148ee510ab8f182a308105a2f744b9787e67112bcd8cd0d800cdb6f5409c4f63ff cacheflush.patch +61d2d02b733011eefaac0681b7f6274e416dac4d420b354e37f51b07cc42dab61c798fbe5fab36f47079962046f309373b41886b4632e86dc08d5bfe59b275f7 CVE-2020-25709.patch +abb7f43b6379fe6c03e583dc3a2c861c573ad6b83710954e35928e0449a1b78e259d8d5c6b7c33747b347ab67388d4894980a954d5ddb24b51a693b9c43798f2 CVE-2020-25710.patch +023b32e1a8e61c96b77723dfe39d33de170af684e29defdb34c14719b77fa0e9a101f8aaafe378afb30bf5ca732cf7209ef291089d7524b2301a97c102f5f6e4 CVE-2020-25692.patch 2d286ff7cc56153204f3ab79c464d083801a40cc9bbb0b5cc1fb19de63d6e81c953b1ab0edd256d9ba48144bbda9a0c0d628bfec1342129aa2727344dea5fa9e slapd.initd 64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd" diff --git a/main/openldap/CVE-2020-25692.patch b/main/openldap/CVE-2020-25692.patch new file mode 100644 index 00000000000..941a4f56be3 --- /dev/null +++ b/main/openldap/CVE-2020-25692.patch @@ -0,0 +1,27 @@ +From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 19 Oct 2020 14:03:41 +0100 +Subject: [PATCH] ITS#9370 check for equality rule on old_rdn + +Just skip normalization if there's no equality rule. We accept +DNs without equality rules already. +--- + servers/slapd/modrdn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c +index c73dd8dba..a22975540 100644 +--- a/servers/slapd/modrdn.c ++++ b/servers/slapd/modrdn.c +@@ -505,7 +505,7 @@ slap_modrdn2mods( + mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value ); + mod_tmp->sml_values[1].bv_val = NULL; +- if( desc->ad_type->sat_equality->smr_normalize) { ++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) { + mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + (void) (*desc->ad_type->sat_equality->smr_normalize)( + SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, +-- +GitLab + diff --git a/main/openldap/CVE-2020-25709.patch b/main/openldap/CVE-2020-25709.patch new file mode 100644 index 00000000000..d38c9d241da --- /dev/null +++ b/main/openldap/CVE-2020-25709.patch @@ -0,0 +1,26 @@ +From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 2 Nov 2020 13:12:10 +0000 +Subject: [PATCH] ITS#9383 remove assert in certificateListValidate + +--- + servers/slapd/schema_init.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index ea0d67aa6..28f9e71a1 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in ) + /* Optional version */ + if ( tag == LBER_INTEGER ) { + tag = ber_get_int( ber, &version ); +- assert( tag == LBER_INTEGER ); +- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; ++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; + } + tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; +-- +GitLab + diff --git a/main/openldap/CVE-2020-25710.patch b/main/openldap/CVE-2020-25710.patch new file mode 100644 index 00000000000..9b9bae8b31f --- /dev/null +++ b/main/openldap/CVE-2020-25710.patch @@ -0,0 +1,27 @@ +From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Mon, 2 Nov 2020 16:01:14 +0000 +Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23() + +--- + servers/slapd/schema_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 5812bc4b6..ea0d67aa6 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -5327,8 +5327,8 @@ csnNormalize23( + } + *ptr = '\0'; + +- assert( ptr == &bv.bv_val[bv.bv_len] ); +- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) { ++ if ( ptr != &bv.bv_val[bv.bv_len] || ++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + +-- +GitLab + |