main/openldap: use local patch for CVE-2020-12243

author: Leo <thinkabit.ukim@gmail.com> 2020-12-10 07:08:42 -0300
committer: Leo <thinkabit.ukim@gmail.com> 2020-12-10 07:09:47 -0300
commit: d6419a61850ee4384d75190a6521a687278588e2 (patch)
tree: e3c6f4a0cf17dde8d246cf4e7d6dd4290cb44646
parent: c38f6687e6a4edac9cd376a31360ff3f9f645524 (diff)
2 files changed, 128 insertions, 3 deletions
diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD
index 864d44be400..ea555831242 100644
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
@@ -44,11 +44,11 @@ source="https://www.openldap.org/software/download/OpenLDAP/$pkgname-release/$pk
 	CVE-2020-25709.patch
 	CVE-2020-25710.patch
 	CVE-2020-25692.patch
+	CVE-2020-12243.patch
 
 	slapd.initd
 	slapd.confd
 
-	CVE-2020-12243.patch::https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440.patch
 	"
 
 # SLAPD backends
@@ -237,6 +237,6 @@ sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be79
 61d2d02b733011eefaac0681b7f6274e416dac4d420b354e37f51b07cc42dab61c798fbe5fab36f47079962046f309373b41886b4632e86dc08d5bfe59b275f7  CVE-2020-25709.patch
 abb7f43b6379fe6c03e583dc3a2c861c573ad6b83710954e35928e0449a1b78e259d8d5c6b7c33747b347ab67388d4894980a954d5ddb24b51a693b9c43798f2  CVE-2020-25710.patch
 023b32e1a8e61c96b77723dfe39d33de170af684e29defdb34c14719b77fa0e9a101f8aaafe378afb30bf5ca732cf7209ef291089d7524b2301a97c102f5f6e4  CVE-2020-25692.patch
+fddf5cf57c5b4b1d0e148ce850aafe5791dd7772727c824e858fe97e375871d2d3f622894d978444f7c5d8d64160c6fd766ae91de5eac3eb7f5292ceaaf599ea  CVE-2020-12243.patch
 0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532  slapd.initd
-64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a  slapd.confd
-fddf5cf57c5b4b1d0e148ce850aafe5791dd7772727c824e858fe97e375871d2d3f622894d978444f7c5d8d64160c6fd766ae91de5eac3eb7f5292ceaaf599ea  CVE-2020-12243.patch"
+64dc4c0aa0abe3d9f7d2aef25fe4c8e23c53df2421067947ac4d096c9e942b26356cb8577ebc41b52d88d0b0a03b2a3e435fe86242671f9b36555a5f82ee0e3a  slapd.confd"
diff --git a/main/openldap/CVE-2020-12243.patch b/main/openldap/CVE-2020-12243.patch
new file mode 100644
index 00000000000..d8e10f5bc66
--- /dev/null
+++ b/main/openldap/CVE-2020-12243.patch
@@ -0,0 +1,125 @@
+From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index 3252cf2a7..ed57bbd7b 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+ 
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH	5000
++#endif
++
+ static int	get_filter_list(
+ 	Operation *op,
+ 	BerElement *ber,
+ 	Filter **f,
+-	const char **text );
++	const char **text,
++	int depth );
+ 
+ static int	get_ssa(
+ 	Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+ 	return;
+ }
+ 
+-int
+-get_filter(
++static int
++get_filter0(
+ 	Operation *op,
+ 	BerElement *ber,
+ 	Filter **filt,
+-	const char **text )
++	const char **text,
++	int depth )
+ {
+ 	ber_tag_t	tag;
+ 	ber_len_t	len;
+@@ -126,6 +132,11 @@ get_filter(
+ 	 *
+ 	 */
+ 
++	if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++		*text = "filter nested too deeply";
++		return SLAPD_DISCONNECT;
++	}
++
+ 	tag = ber_peek_tag( ber, &len );
+ 
+ 	if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+ 
+ 	case LDAP_FILTER_AND:
+ 		Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+-		err = get_filter_list( op, ber, &f.f_and, text );
++		err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+ 		if ( err != LDAP_SUCCESS ) {
+ 			break;
+ 		}
+@@ -234,7 +245,7 @@ get_filter(
+ 
+ 	case LDAP_FILTER_OR:
+ 		Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+-		err = get_filter_list( op, ber, &f.f_or, text );
++		err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+ 		if ( err != LDAP_SUCCESS ) {
+ 			break;
+ 		}
+@@ -248,7 +259,7 @@ get_filter(
+ 	case LDAP_FILTER_NOT:
+ 		Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+ 		(void) ber_skip_tag( ber, &len );
+-		err = get_filter( op, ber, &f.f_not, text );
++		err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+ 		if ( err != LDAP_SUCCESS ) {
+ 			break;
+ 		}
+@@ -311,10 +322,22 @@ get_filter(
+ 	return( err );
+ }
+ 
++int
++get_filter(
++	Operation *op,
++	BerElement *ber,
++	Filter **filt,
++	const char **text )
++{
++	return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+ 	Filter **f,
+-	const char **text )
++	const char **text,
++	int depth )
+ {
+ 	Filter		**new;
+ 	int		err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+ 		tag != LBER_DEFAULT;
+ 		tag = ber_next_element( ber, &len, last ) )
+ 	{
+-		err = get_filter( op, ber, new, text );
++		err = get_filter0( op, ber, new, text, depth );
+ 		if ( err != LDAP_SUCCESS )
+ 			return( err );
+ 		new = &(*new)->f_next;
+-- 
+GitLab
+
author	Leo <thinkabit.ukim@gmail.com>	2020-12-10 07:08:42 -0300
committer	Leo <thinkabit.ukim@gmail.com>	2020-12-10 07:09:47 -0300
commit	d6419a61850ee4384d75190a6521a687278588e2 (patch)
tree	e3c6f4a0cf17dde8d246cf4e7d6dd4290cb44646
parent	c38f6687e6a4edac9cd376a31360ff3f9f645524 (diff)