diff --git a/openldap-ITS-9370-check-for-equality-rule-on-old_rdn.patch b/openldap-ITS-9370-check-for-equality-rule-on-old_rdn.patch new file mode 100644 index 0000000000000000000000000000000000000000..34f6a747536e6e0ade5795bd5eb633f46830c170 --- /dev/null +++ b/openldap-ITS-9370-check-for-equality-rule-on-old_rdn.patch @@ -0,0 +1,27 @@ +From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Mon, 19 Oct 2020 14:03:41 +0100 +Subject: [PATCH] ITS#9370 check for equality rule on old_rdn + +Just skip normalization if there's no equality rule. We accept +DNs without equality rules already. +--- + servers/slapd/modrdn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c +index c73dd8dba..a22975540 100644 +--- a/servers/slapd/modrdn.c ++++ b/servers/slapd/modrdn.c +@@ -505,7 +505,7 @@ slap_modrdn2mods( + mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value ); + mod_tmp->sml_values[1].bv_val = NULL; +- if( desc->ad_type->sat_equality->smr_normalize) { ++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) { + mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); + (void) (*desc->ad_type->sat_equality->smr_normalize)( + SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, +-- +2.26.2 + diff --git a/openldap-cldap-check-for-error-on-connected-socket.patch b/openldap-cldap-check-for-error-on-connected-socket.patch new file mode 100644 index 0000000000000000000000000000000000000000..bade69a9d011d0369bc1dc6c4a93616dd6f4f633 --- /dev/null +++ b/openldap-cldap-check-for-error-on-connected-socket.patch @@ -0,0 +1,41 @@ +From ec5eba5393e5cc65b05e54658c55500cdbff775a Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Wed, 26 Aug 2020 13:22:52 +0100 +Subject: [PATCH 01/34] ITS#9328 cldap: check for error on connected socket + +libldap doesn't use a connected socket for UDP sessions, but 3rd +parties can, passed in with ldap_init_fd(). +--- + libraries/libldap/result.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c +index bdced135b..e2b220630 100644 +--- a/libraries/libldap/result.c ++++ b/libraries/libldap/result.c +@@ -486,7 +486,8 @@ retry: + #ifdef LDAP_CONNECTIONLESS + if ( LDAP_IS_UDP(ld) ) { + struct sockaddr_storage from; +- ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ); ++ if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 ) ++ goto fail; + if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1; + } + nextresp3: +@@ -502,10 +503,11 @@ nextresp3: + break; + + case LBER_DEFAULT: ++fail: + err = sock_errno(); + #ifdef LDAP_DEBUG + Debug( LDAP_DEBUG_CONNS, +- "ber_get_next failed.\n", 0, 0, 0 ); ++ "ber_get_next failed, errno=%d.\n", err, 0, 0 ); + #endif + if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING; + if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING; +-- +2.26.2 + diff --git a/openldap.spec b/openldap.spec index 5fd0460a7e76cecf84b5001108d1eb68646c9627..81dcc704e2a95610c4284d09185ea8608028e1a4 100644 --- a/openldap.spec +++ b/openldap.spec @@ -5,7 +5,7 @@ Name: openldap Version: 2.4.44 -Release: 22%{?dist} +Release: 24%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP @@ -38,6 +38,7 @@ Patch7: openldap-allop-overlay.patch Patch8: openldap-syncrepl-unset-tls-options.patch Patch9: openldap-man-sasl-nocanon.patch Patch10: openldap-ai-addrconfig.patch +Patch18: openldap-cldap-check-for-error-on-connected-socket.patch # fix back_perl problems with lt_dlopen() # might cause crashes because of symbol collisions # the proper fix is to link all perl modules against libperl @@ -56,6 +57,7 @@ Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch Patch38: openldap-ITS8720-back-ldap-starttls-timeout.patch Patch39: openldap-ITS-9202-limit-depth-of-nested-filters.patch +Patch40: openldap-ITS-9370-check-for-equality-rule-on-old_rdn.patch # fixes for DH and ECDH Patch50: openldap-openssl-its7506-fix-DH-params-1.patch @@ -175,6 +177,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch18 -p1 %patch19 -p1 %patch20 -p1 %patch21 -p1 @@ -186,6 +189,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch37 -p1 %patch38 -p1 %patch39 -p1 +%patch40 -p1 %patch50 -p1 %patch51 -p1 %patch52 -p1 @@ -677,6 +681,12 @@ exit 0 %{_mandir}/man3/* %changelog +* Wed Aug 4 2021 Simon Pichugin - 2.4.44-24 +- CLDAP ldap_result hangs if nobody listens on the port (#1989919) + +* Mon Jan 4 2021 Simon Pichugin - 2.4.44-23 +- Fix CVE-2020-25692 openldap: NULL pointer dereference for unauthenticated packet in slapd (#1895328) + * Sat Jun 6 2020 Matus Honek - 2.4.44-22 - Fix CVE-2020-12243 openldap: denial of service via nested boolean expressions in LDAP search filters (#1838405)