main/openldap: security fix (CVE-2012-1164)

fixes #1319

2 files changed, 55 insertions, 1 deletions

diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD
index cb50dd92e69..5687cb27cdd 100644
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openldap
 pkgver=2.4.26
-pkgrel=3
+pkgrel=4
 pkgdesc="LDAP Server"
 url="http://www.openldap.org/"
 arch="all"
@@ -18,6 +18,7 @@ source="ftp://ftp.$pkgname.org/pub/OpenLDAP/$pkgname-release/$pkgname-$pkgver.tg
 	openldap-2.4-ppolicy.patch
 	openldap-2.4.11-libldap_r.patch
 	cve-2011-4079.patch
+	openldap-cve-assertion-processing-search-queries.patch
 	slapd.initd
 	slapd.confd
 	slurpd.initd
@@ -115,6 +116,7 @@ md5sums="f36f3086031dd56ae94f722ffae8df5e  openldap-2.4.26.tgz
 2524e490ba334a760fa57057c16da7a9  openldap-2.4-ppolicy.patch
 d19d0502f046078ecd737e29e7552fa8  openldap-2.4.11-libldap_r.patch
 967d86fbfdbf9054b722f23323751fc9  cve-2011-4079.patch
+4f71dd299204ab338c33a17594934466  openldap-cve-assertion-processing-search-queries.patch
 a729bf553d12b4a9fbda0ff5202a0443  slapd.initd
 b672311fca605c398240cd37a2ae080a  slapd.confd
 fa5ce0005ef5f1160b6ff126f97aaa1a  slurpd.initd"
diff --git a/main/openldap/openldap-cve-assertion-processing-search-queries.patch b/main/openldap/openldap-cve-assertion-processing-search-queries.patch
new file mode 100644
index 00000000000..1848830045f
--- /dev/null
+++ b/main/openldap/openldap-cve-assertion-processing-search-queries.patch
@@ -0,0 +1,52 @@
+Assertion failure by processing search queries requesting only attributes for particular entry
+
+Upstream ITS: #7143
+Upstream commit: ef2f526 430256f 463c1fa
+Resolves: #802514 (CVE-2012-1164)
+
+diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c
+index 51f5075..bfc717c 100644
+--- a/servers/slapd/attr.c
++++ b/servers/slapd/attr.c
+@@ -232,13 +232,16 @@ attr_dup2( Attribute *tmp, Attribute *a )
+ 		if ( a->a_nvals != a->a_vals ) {
+ 
+ 			tmp->a_nvals = ch_malloc( (tmp->a_numvals + 1) * sizeof(struct berval) );
+-			for ( j = 0; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
+-				assert( j < i );
+-				ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
+-				if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
+-				/* FIXME: error? */
++			j = 0;
++			if ( i ) {
++				for ( ; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
++					assert( j < i );
++					ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
++					if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
++					/* FIXME: error? */
++				}
++				assert( j == i );
+ 			}
+-			assert( j == i );
+ 			BER_BVZERO( &tmp->a_nvals[j] );
+ 
+ 		} else {
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index c724be2..0c78e80 100644
+--- a/servers/slapd/overlays/rwm.c
++++ b/servers/slapd/overlays/rwm.c
+@@ -1276,7 +1276,13 @@ rwm_attrs( Operation *op, SlapReply *rs, Attribute** a_first, int stripEntryDN )
+ 								NULL );
+ 
+ 							if ( rc != LDAP_SUCCESS ) {
+-								BER_BVZERO( &(*ap)->a_nvals[i] );
++								/* FIXME: this is wrong, putting a non-normalized value
++								 * into nvals. But when a proxy sends us bogus data,
++								 * we still need to give it to the client, even if it
++								 * violates the syntax. I.e., we don't want to silently
++								 * drop things and trigger an apparent data loss.
++								 */
++								ber_dupbv( &(*ap)->a_nvals[i], &(*ap)->a_vals[i] );
+ 							}
+ 						}
+ 						BER_BVZERO( &(*ap)->a_nvals[i] );