aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-12-10 05:07:11 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-12-10 05:10:01 -0300
commitc38f6687e6a4edac9cd376a31360ff3f9f645524 (patch)
tree1ed412b3b9017820c75c85eeaf1bc06e176f8e6d
parent1da8994b12025629480c07b488c355fb2a1e3a32 (diff)
downloadaports-c38f6687e6a4edac9cd376a31360ff3f9f645524.tar.gz
aports-c38f6687e6a4edac9cd376a31360ff3f9f645524.tar.bz2
aports-c38f6687e6a4edac9cd376a31360ff3f9f645524.tar.xz
main/openldap: fix a few CVEs
-rw-r--r--main/openldap/APKBUILD14
-rw-r--r--main/openldap/CVE-2020-25692.patch27
-rw-r--r--main/openldap/CVE-2020-25709.patch26
-rw-r--r--main/openldap/CVE-2020-25710.patch27
4 files changed, 92 insertions, 2 deletions
diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD
index 9691997590..864d44be40 100644
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
@@ -2,6 +2,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.4.48-r2:
+# - CVE-2020-25709
+# - CVE-2020-25710
+# - CVE-2020-25692
# 2.4.48-r1:
# - CVE-2020-12243
# 2.4.48-r0:
@@ -15,7 +19,7 @@
#
pkgname=openldap
pkgver=2.4.48
-pkgrel=1
+pkgrel=2
pkgdesc="LDAP Server"
url="http://www.openldap.org/"
arch="all"
@@ -37,6 +41,9 @@ source="https://www.openldap.org/software/download/OpenLDAP/$pkgname-release/$pk
fix-manpages.patch
configs.patch
cacheflush.patch
+ CVE-2020-25709.patch
+ CVE-2020-25710.patch
+ CVE-2020-25692.patch
slapd.initd
slapd.confd
@@ -227,6 +234,9 @@ sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be79
8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch
0d2e570ddcb7ace1221abad9fc1d3dd0d00d6948340df69879b449959a68feee6a0ad8e17ef9971b35986293e16fc9d8e88de81815fedd5ea6a952eb085406ca configs.patch
60c1ec62003a33036de68402544e25a71715ed124a3139056a94ed1ba02fb8148ee510ab8f182a308105a2f744b9787e67112bcd8cd0d800cdb6f5409c4f63ff cacheflush.patch
+61d2d02b733011eefaac0681b7f6274e416dac4d420b354e37f51b07cc42dab61c798fbe5fab36f47079962046f309373b41886b4632e86dc08d5bfe59b275f7 CVE-2020-25709.patch
+abb7f43b6379fe6c03e583dc3a2c861c573ad6b83710954e35928e0449a1b78e259d8d5c6b7c33747b347ab67388d4894980a954d5ddb24b51a693b9c43798f2 CVE-2020-25710.patch
+023b32e1a8e61c96b77723dfe39d33de170af684e29defdb34c14719b77fa0e9a101f8aaafe378afb30bf5ca732cf7209ef291089d7524b2301a97c102f5f6e4 CVE-2020-25692.patch
0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532 slapd.initd
64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a slapd.confd
-d4d8bec1c23c73e7126462bfe2e51cb603d1e83be4c64698ac167f221d515554b3b0e311f9789450b5c4c206c09cbdad1842b0b5b2364919967195da4ea6d833 CVE-2020-12243.patch"
+fddf5cf57c5b4b1d0e148ce850aafe5791dd7772727c824e858fe97e375871d2d3f622894d978444f7c5d8d64160c6fd766ae91de5eac3eb7f5292ceaaf599ea CVE-2020-12243.patch"
diff --git a/main/openldap/CVE-2020-25692.patch b/main/openldap/CVE-2020-25692.patch
new file mode 100644
index 0000000000..941a4f56be
--- /dev/null
+++ b/main/openldap/CVE-2020-25692.patch
@@ -0,0 +1,27 @@
+From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Oct 2020 14:03:41 +0100
+Subject: [PATCH] ITS#9370 check for equality rule on old_rdn
+
+Just skip normalization if there's no equality rule. We accept
+DNs without equality rules already.
+---
+ servers/slapd/modrdn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index c73dd8dba..a22975540 100644
+--- a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -505,7 +505,7 @@ slap_modrdn2mods(
+ mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value );
+ mod_tmp->sml_values[1].bv_val = NULL;
+- if( desc->ad_type->sat_equality->smr_normalize) {
++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+--
+GitLab
+
diff --git a/main/openldap/CVE-2020-25709.patch b/main/openldap/CVE-2020-25709.patch
new file mode 100644
index 0000000000..d38c9d241d
--- /dev/null
+++ b/main/openldap/CVE-2020-25709.patch
@@ -0,0 +1,26 @@
+From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 13:12:10 +0000
+Subject: [PATCH] ITS#9383 remove assert in certificateListValidate
+
+---
+ servers/slapd/schema_init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index ea0d67aa6..28f9e71a1 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
+ /* Optional version */
+ if ( tag == LBER_INTEGER ) {
+ tag = ber_get_int( ber, &version );
+- assert( tag == LBER_INTEGER );
+- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ }
+ tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+--
+GitLab
+
diff --git a/main/openldap/CVE-2020-25710.patch b/main/openldap/CVE-2020-25710.patch
new file mode 100644
index 0000000000..9b9bae8b31
--- /dev/null
+++ b/main/openldap/CVE-2020-25710.patch
@@ -0,0 +1,27 @@
+From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 16:01:14 +0000
+Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
+
+---
+ servers/slapd/schema_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 5812bc4b6..ea0d67aa6 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -5327,8 +5327,8 @@ csnNormalize23(
+ }
+ *ptr = '\0';
+
+- assert( ptr == &bv.bv_val[bv.bv_len] );
+- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
++ if ( ptr != &bv.bv_val[bv.bv_len] ||
++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+--
+GitLab
+