rpms/libldb
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libldb-2.2.0-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-03-31 04:14:38 +00:00 committed by Andrew Lukoshko
parent 5dabe82e5a
commit e7e9397218
2 changed files with 308 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

303
SOURCES/CVE-2021-20277.patch Normal file
View File

@ -0,0 +1,303 @@
From 3895ccd4de3fd5d900b7c1122d912f0a06c2b069 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri, 5 Mar 2021 15:47:56 +1300
Subject: [PATCH 1/4] ldb: add tests for ldb_wildcard_compare
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47)
---
lib/ldb/tests/ldb_match_test.c | 134 ++++++++++++++++++++++++++++++---
1 file changed, 124 insertions(+), 10 deletions(-)
diff --git a/tests/ldb_match_test.c b/tests/ldb_match_test.c
index e09f50c86ba..3028aed072c 100644
--- a/tests/ldb_match_test.c
+++ b/tests/ldb_match_test.c
@@ -91,6 +91,33 @@ static int teardown(void **state)
return 0;
}
+static void escape_string(uint8_t *buf, size_t buflen,
+ const uint8_t *s, size_t len)
+{
+ size_t i;
+ size_t j = 0;
+ for (i = 0; i < len; i++) {
+ if (j == buflen - 1) {
+ goto fin;
+ }
+ if (s[i] >= 0x20) {
+ buf[j] = s[i];
+ j++;
+ } else {
+ if (j >= buflen - 4) {
+ goto fin;
+ }
+ /* utf-8 control char representation */
+ buf[j] = 0xE2;
+ buf[j + 1] = 0x90;
+ buf[j + 2] = 0x80 + s[i];
+ j+= 3;
+ }
+ }
+fin:
+ buf[j] = 0;
+}
+
/*
* The wild card pattern "attribute=*" is parsed as an LDB_OP_PRESENT operation
@@ -122,23 +149,110 @@ static void test_wildcard_match_star(void **state)
* Test basic wild card matching
*
*/
+struct wildcard_test {
+ uint8_t *val;
+ size_t val_size;
+ const char *search;
+ bool should_match;
+ bool fold;
+};
+
+/*
+ * Q: Why this macro rather than plain struct values?
+ * A: So we can get the size of the const char[] value while it is still a
+ * true array, not a pointer.
+ *
+ * Q: but why not just use strlen?
+ * A: so values can contain '\0', which we supposedly allow.
+ */
+
+#define TEST_ENTRY(val, search, should_match, fold) \
+ { \
+ (uint8_t*)discard_const(val), \
+ sizeof(val) - 1, \
+ search, \
+ should_match, \
+ fold \
+ }
+
static void test_wildcard_match(void **state)
{
struct ldbtest_ctx *ctx = *state;
- bool matched = false;
-
- uint8_t value[] = "The value.......end";
- struct ldb_val val = {
- .data = value,
- .length = (sizeof(value))
+ size_t failed = 0;
+ size_t i;
+ struct wildcard_test tests[] = {
+ TEST_ENTRY("The value.......end", "*end", true, true),
+ TEST_ENTRY("The value.......end", "*fend", false, true),
+ TEST_ENTRY("The value.......end", "*eel", false, true),
+ TEST_ENTRY("The value.......end", "*d", true, true),
+ TEST_ENTRY("The value.......end", "*D*", true, true),
+ TEST_ENTRY("The value.......end", "*e*d*", true, true),
+ TEST_ENTRY("end", "*e*d*", true, true),
+ TEST_ENTRY("end", " *e*d*", true, true),
+ TEST_ENTRY("1.0.0.0.0.0.0.0aaaaaaaaaaaa", "*aaaaa", true, true),
+ TEST_ENTRY("1.0..0.0.0.0.0.0.0aAaaaAAAAAAA", "*a", true, true),
+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0aaaa", "*aaaaa", false, true),
+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0", true, true),
+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0.0", true, true),
+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", true,
+ true),
+ TEST_ENTRY("1.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", false,
+ true),
+ TEST_ENTRY("1.0.0.0.000.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", true,
+ true),
+ TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true,
+ true),
+ /*
+ * We allow NUL bytes in non-casefolding syntaxes.
+ */
+ TEST_ENTRY("1\x00 x", "1*x", true, false),
+ TEST_ENTRY("1\x00 x", "*x", true, false),
+ TEST_ENTRY("1\x00 x", "*x*", true, false),
+ TEST_ENTRY("1\x00 x", "* *", true, false),
+ TEST_ENTRY("1\x00 x", "1*", true, false),
+ TEST_ENTRY("1\x00 b* x", "1*b*", true, false),
+ TEST_ENTRY("1.0..0.0.0.0.0.0.0aAaaaAAAAAAA", "*a", false, false),
};
- struct ldb_parse_tree *tree = ldb_parse_tree(ctx, "objectClass=*end");
- assert_non_null(tree);
- ldb_wildcard_compare(ctx->ldb, tree, val, &matched);
- assert_true(matched);
+ for (i = 0; i < ARRAY_SIZE(tests); i++) {
+ bool matched;
+ int ret;
+ struct ldb_val val = {
+ .data = (uint8_t *)tests[i].val,
+ .length = tests[i].val_size
+ };
+ const char *attr = tests[i].fold ? "objectclass" : "birthLocation";
+ const char *s = talloc_asprintf(ctx, "%s=%s",
+ attr, tests[i].search);
+ struct ldb_parse_tree *tree = ldb_parse_tree(ctx, s);
+ assert_non_null(tree);
+ ret = ldb_wildcard_compare(ctx->ldb, tree, val, &matched);
+ if (ret != LDB_SUCCESS) {
+ uint8_t buf[100];
+ escape_string(buf, sizeof(buf),
+ tests[i].val, tests[i].val_size);
+ print_error("%zu val: «%s», search «%s» FAILED with %d\n",
+ i, buf, tests[i].search, ret);
+ failed++;
+ }
+ if (matched != tests[i].should_match) {
+ uint8_t buf[100];
+ escape_string(buf, sizeof(buf),
+ tests[i].val, tests[i].val_size);
+ print_error("%zu val: «%s», search «%s» should %s\n",
+ i, buf, tests[i].search,
+ matched ? "not match" : "match");
+ failed++;
+ }
+ }
+ if (failed != 0) {
+ fail_msg("wrong results for %zu/%zu wildcard searches\n",
+ failed, ARRAY_SIZE(tests));
+ }
}
+#undef TEST_ENTRY
+
/*
* ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0'
--
2.25.1
From 984842f9881e7e72b1bcd032ad0245d08f79888d Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri, 5 Mar 2021 20:13:01 +1300
Subject: [PATCH 2/4] CVE-2021-20277 ldb tests: ldb_match tests with extra
spaces
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit for master)
---
lib/ldb/tests/ldb_match_test.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tests/ldb_match_test.c b/tests/ldb_match_test.c
index 3028aed072c..ba6ea56be15 100644
--- a/tests/ldb_match_test.c
+++ b/tests/ldb_match_test.c
@@ -181,6 +181,8 @@ static void test_wildcard_match(void **state)
size_t failed = 0;
size_t i;
struct wildcard_test tests[] = {
+ TEST_ENTRY(" 1 0", "1*0*", true, true),
+ TEST_ENTRY(" 1 0", "1 *0", true, true),
TEST_ENTRY("The value.......end", "*end", true, true),
TEST_ENTRY("The value.......end", "*fend", false, true),
TEST_ENTRY("The value.......end", "*eel", false, true),
@@ -203,8 +205,12 @@ static void test_wildcard_match(void **state)
TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true,
true),
/*
- * We allow NUL bytes in non-casefolding syntaxes.
+ * We allow NUL bytes and redundant spaces in non-casefolding
+ * syntaxes.
*/
+ TEST_ENTRY(" 1 0", "*1 0", true, false),
+ TEST_ENTRY(" 1 0", "*1 0", true, false),
+ TEST_ENTRY("1 0", "*1 0", false, false),
TEST_ENTRY("1\x00 x", "1*x", true, false),
TEST_ENTRY("1\x00 x", "*x", true, false),
TEST_ENTRY("1\x00 x", "*x*", true, false),
--
2.25.1
From a3ea9b5cfd98e9c62d99b42e7ebd4af1549a0d26 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 12 Mar 2021 11:51:56 +1300
Subject: [PATCH 3/4] CVE-2021-20277 ldb: Remove tests from ldb_match_test that
do not pass
This reverts some of the backport of 33a95a1e75b85e9795c4490b78ead2162e2a1f47
This is done here rather than squashed in the cherry-pick of the expanded testsuite
because it allows this commit to be simply reverted for the backport of bug 14044
if this lands first, or to be dropped if bug 14044 lands first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---
lib/ldb/tests/ldb_match_test.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/tests/ldb_match_test.c b/tests/ldb_match_test.c
index ba6ea56be15..fbf4106fa78 100644
--- a/tests/ldb_match_test.c
+++ b/tests/ldb_match_test.c
@@ -191,11 +191,9 @@ static void test_wildcard_match(void **state)
TEST_ENTRY("The value.......end", "*e*d*", true, true),
TEST_ENTRY("end", "*e*d*", true, true),
TEST_ENTRY("end", " *e*d*", true, true),
- TEST_ENTRY("1.0.0.0.0.0.0.0aaaaaaaaaaaa", "*aaaaa", true, true),
TEST_ENTRY("1.0..0.0.0.0.0.0.0aAaaaAAAAAAA", "*a", true, true),
TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0aaaa", "*aaaaa", false, true),
TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0", true, true),
- TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0.0", true, true),
TEST_ENTRY("1.0.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", true,
true),
TEST_ENTRY("1.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", false,
--
2.25.1
From 8fc0753ae7e2a2101c52574886e975ec8e90aee1 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Tue, 8 Dec 2020 21:32:09 +1300
Subject: [PATCH 4/4] CVE-2021-20277 ldb/attrib_handlers casefold: stay in
bounds
For a string that had N spaces at the beginning, we would
try to move N bytes beyond the end of the string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit for master)
---
lib/ldb/common/attrib_handlers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/attrib_handlers.c b/common/attrib_handlers.c
index b5212b73159..c6ef5ad477b 100644
--- a/common/attrib_handlers.c
+++ b/common/attrib_handlers.c
@@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
/* remove leading spaces if any */
if (*s == ' ') {
- for (t = s; *s == ' '; s++) ;
+ for (t = s; *s == ' '; s++, l--) ;
/* remove leading spaces by moving down the string */
memmove(t, s, l);
--
2.25.1

6
SPECS/libldb.spec
View File

@ -26,7 +26,7 @@
Name: libldb Name: libldb
Version: 2.2.0 Version: 2.2.0
Release: 1%{?dist} Release: 2%{?dist}
Summary: A schema-less, ldap like, API and database Summary: A schema-less, ldap like, API and database
Requires: libtalloc%{?_isa} >= %{talloc_version} Requires: libtalloc%{?_isa} >= %{talloc_version}
Requires: libtdb%{?_isa} >= %{tdb_version} Requires: libtdb%{?_isa} >= %{tdb_version}
@ -42,6 +42,7 @@ Source2: ldb.keyring
Patch0001: 0001-PATCH-wafsamba-Fix-few-SyntaxWarnings-caused-by-regu.patch Patch0001: 0001-PATCH-wafsamba-Fix-few-SyntaxWarnings-caused-by-regu.patch
# Fix FTBFS / Increase the over-estimation for sparse files # Fix FTBFS / Increase the over-estimation for sparse files
Patch0002: 1420.patch Patch0002: 1420.patch
Patch0003: CVE-2021-20277.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: libtalloc-devel >= %{talloc_version} BuildRequires: libtalloc-devel >= %{talloc_version}
@ -214,6 +215,9 @@ rm -f $RPM_BUILD_ROOT/%{_mandir}/man3/_*
%endif %endif
%changelog %changelog
* Wed Mar 24 2021 Andreas Schneider <asn@redhat.com> - 2.2.0-2
* resolves: rhbz#1941515 - Fixed CVE-2021-20277
* Mon Nov 9 2020 Isaac Boukris <iboukris@redhat.com> - 2.2.0-1 * Mon Nov 9 2020 Isaac Boukris <iboukris@redhat.com> - 2.2.0-1
- Resolves: rhbz#1878114 - Rebase libldb to the version required by Samba - Resolves: rhbz#1878114 - Rebase libldb to the version required by Samba
- Resolves: rhbz#1794349 - Build libldb with lmdb support - Resolves: rhbz#1794349 - Build libldb with lmdb support