From 13c47e0e20d0e5fb7fd76dcb41972265f1b3915d Mon Sep 17 00:00:00 2001
From: jvcelak
Date: Tue, 20 Jul 2010 14:58:07 +0000
Subject: [PATCH] CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448) CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452) obsolete configuration file moved to /usr/share/openldap-servers (#612602)
---
 openldap-2.4.22-modrdn-segfault.patch | 74 +++++++++++++++++++++++++++
 openldap.spec | 53 +++++++++++++------
 2 files changed, 111 insertions(+), 16 deletions(-)
 create mode 100644 openldap-2.4.22-modrdn-segfault.patch
diff --git a/openldap-2.4.22-modrdn-segfault.patch b/openldap-2.4.22-modrdn-segfault.patch
new file mode 100644
index 0000000..ed46756
--- /dev/null
+++ b/openldap-2.4.22-modrdn-segfault.patch
@@ -0,0 +1,74 @@
+bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free
+bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference
+
+diff -urp openldap-2.4.22/servers/slapd/dn.c openldap-2.4.22.new/servers/slapd/dn.c
+--- openldap-2.4.22/servers/slapd/dn.c 2010-04-13 22:23:14.000000000 +0200
++++ openldap-2.4.22.new/servers/slapd/dn.c 2010-07-19 17:57:51.974346501 +0200
+@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
+ ava->la_attr = ad->ad_cname;
+
+ if( ava->la_flags & LDAP_AVA_BINARY ) {
+- if( ava->la_value.bv_len == 0 ) {
+- /* BER encoding is empty */
+- return LDAP_INVALID_SYNTAX;
+- }
++ /* AVA is binary encoded, not supported */
++ return LDAP_INVALID_SYNTAX;
+
+ /* Do not allow X-ORDERED 'VALUES' naming attributes */
+ } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
+ return LDAP_INVALID_SYNTAX;
+
+- /* AVA is binary encoded, don't muck with it */
+ } else if( flags & SLAP_LDAPDN_PRETTY ) {
+ transf = ad->ad_type->sat_syntax->ssyn_pretty;
+ if( !transf ) {
+@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
+ ava->la_value = bv;
+ ava->la_flags |= LDAP_AVA_FREE_VALUE;
+ }
++ /* reject empty values */
++ if (!ava->la_value.bv_len) {
++ return LDAP_INVALID_SYNTAX;
++ }
+ }
+ rc = LDAP_SUCCESS;
+
+diff -urp openldap-2.4.22/servers/slapd/modrdn.c openldap-2.4.22.new/servers/slapd/modrdn.c
+--- openldap-2.4.22/servers/slapd/modrdn.c 2010-04-13 22:23:16.000000000 +0200
++++ openldap-2.4.22.new/servers/slapd/modrdn.c 2010-07-19 17:57:51.975346274 +0200
+@@ -445,12 +445,19 @@ slap_modrdn2mods(
+ mod_tmp->sml_values[1].bv_val = NULL;
+ if( desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+- (void) (*desc->ad_type->sat_equality->smr_normalize)(
++ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+ desc->ad_type->sat_syntax,
+ desc->ad_type->sat_equality,
+ &mod_tmp->sml_values[0],
+ &mod_tmp->sml_nvalues[0], NULL );
++ if (rs->sr_err != LDAP_SUCCESS) {
++ ch_free(mod_tmp->sml_nvalues);
++ ch_free(mod_tmp->sml_values[0].bv_val);
++ ch_free(mod_tmp->sml_values);
++ ch_free(mod_tmp);
++ goto done;
++ }
+ mod_tmp->sml_nvalues[1].bv_val = NULL;
+ } else {
+ mod_tmp->sml_nvalues = NULL;
+diff -urp openldap-2.4.22/servers/slapd/schema_init.c openldap-2.4.22.new/servers/slapd/schema_init.c
+--- openldap-2.4.22/servers/slapd/schema_init.c 2010-04-14 20:12:15.000000000 +0200
++++ openldap-2.4.22.new/servers/slapd/schema_init.c 2010-07-19 17:57:51.978346712 +0200
+@@ -1735,8 +1735,9 @@ UTF8StringNormalize(
+ ? LDAP_UTF8_APPROX : 0;
+
+ val = UTF8bvnormalize( val, &tmp, flags, ctx );
++ /* out of memory or syntax error, the former is unlikely */
+ if( val == NULL ) {
+- return LDAP_OTHER;
++ return LDAP_INVALID_SYNTAX;
+ }
+
+ /* collapse spaces (in place) */
diff --git a/openldap.spec b/openldap.spec
index b53ddb3..3de7edf 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -11,7 +11,7 @@ Summary: LDAP support libraries Name: openldap Version: %{version} -Release: 5%{?dist} +Release: 6%{?dist} License: OpenLDAP Group: System Environment/Daemons Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -38,6 +38,7 @@ Patch11: openldap-2.4.16-doc-cacertdir.patch Patch12: openldap-2.4.21-dn2id-segfault.patch Patch13: openldap-2.4.22-ldif_h.patch Patch14: openldap-2.4.22-libldif.patch +Patch15: openldap-2.4.22-modrdn-segfault.patch # Patches for the evolution library Patch200: openldap-2.4.6-evolution-ntlm.patch
@@ -137,6 +138,7 @@ pushd openldap-%{version} %patch12 -p1 -b .segfault %patch13 -p1 -b .ldif_h %patch14 -p1 -b .libldif +%patch15 -p1 -b .modrdn-segfault cp %{_datadir}/libtool/config/config.{sub,guess} build/ popd
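Review bot: In the modrdn.c part of the added patch, `mod_tmp->sml_nvalues` is still allocated with `ch_malloc`, so `sml_nvalues[0]` holds indeterminate bytes until the normalizer writes it, and the fix is only as strong as the return-value check that follows. Allocating it zeroed, `mod_tmp->sml_nvalues = ( BerVarray )ch_calloc( 2, sizeof( struct berval ) );`, would keep a later free of that element harmless even if some failure path is missed. slap_modrdn2mods starts and ends outside the hunk, so it is worth confirming that no other `smr_normalize` call in it still discards its result with `(void)`. As far as the hunk shows, the new error branch also reaches `done` without setting `rs->sr_text`, so the client and the log would get only the bare result code.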
@@ -379,12 +381,6 @@ install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat install -m644 %SOURCE6 \ $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat/ -# Move doc files out of _sysconfdir -mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema -mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example DB_CONFIG.example -chmod 0644 DB_CONFIG.example -chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh - # Move slapd and slurpd out of _libdir mv $RPM_BUILD_ROOT/%{_libdir}/slapd $RPM_BUILD_ROOT/%{_sbindir}/ rm -f $RPM_BUILD_ROOT/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} @@ -395,9 +391,18 @@ for X in acl add auth cat dn index passwd test schema; do ln -s slapd $RPM_BUILD chmod 755 $RPM_BUILD_ROOT/%{_libdir}/lib*.so* chmod 644 $RPM_BUILD_ROOT/%{_libdir}/lib*.*a -# Add files and dirs which would be created by %post scriptlet -touch $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf.bak +# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5) +# new configuration will be generated in %post +mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openldap-servers mkdir $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d +mv $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete +chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete + +# Move doc files out of _sysconfdir +mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema +mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example +chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh +chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example # Remove files which we don't want packaged. rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la 
@@ -529,8 +534,15 @@ chmod 640 slapd.pem popd fi -if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then - # if there is no slapd.conf, we probably already have new configuration in place +if [ `find %{_sysconfdir}/openldap/slapd.d -maxdepth 0 -empty | wc -l` = "1" ]; then + # configuration in slapd.d not available + + [ ! -f %{_sysconfdir}/openldap/slapd.conf ] + fresh_install=$? + + [ $fresh_install -eq 0 ] && \ + cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf + mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak mkdir -p %{_sysconfdir}/openldap/slapd.d/ lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1` @@ -550,8 +562,9 @@ EOF chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d rm -f %{_sysconfdir}/openldap/slapd.conf rm -f %{_sharedstatedir}/ldap/__db* %{_sharedstatedir}/ldap/alock -fi + [ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak +fi if [ $1 -ge 1 ] ; then /sbin/service slapd condrestart &>/dev/null 
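Review bot: The cleanup at the end of this %post block is unconditional: the existing `rm -f %{_sysconfdir}/openldap/slapd.conf` and, on a fresh install, the added `rm -f %{_sysconfdir}/openldap/slapd.conf.bak` run whether or not the conversion into slapd.d succeeded; that step sits between the two hunks and is not shown. If it fails part-way, slapd.d may no longer be empty, in which case the `find ... -maxdepth 0 -empty` test added in the first hunk would skip the migration on the next run and leave a partial configuration in place. Consider capturing the conversion's exit status and removing the source files only on success, e.g. `[ $convert_rc -eq 0 ] && rm -f ...` (the variable name is a placeholder). A one-line comment that `fresh_install` is 0 when no slapd.conf existed would also help, because the value reads inverted.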
@@ -607,14 +620,12 @@ fi %doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd %doc openldap-%{version}/doc/guide/admin/*.html %doc openldap-%{version}/doc/guide/admin/*.png -%attr(0644,root,root) %doc DB_CONFIG.example %doc README.schema %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd -%attr(0640,root,ldap) %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf -%attr(0640,root,ldap) %ghost %{_sysconfdir}/openldap/slapd.conf.bak -%attr(0640,ldap,ldap) %ghost %{_sysconfdir}/openldap/slapd.d +%attr(0750,ldap,ldap) %dir %config(noreplace) %{_sysconfdir}/openldap/slapd.d %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap +%attr(0755,root,root) %dir %config(noreplace) %{_sysconfdir}/openldap/schema %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/*.schema* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/*.ldif %attr(0755,root,root) %dir %{_sysconfdir}/openldap/schema/redhat @@ -628,6 +639,11 @@ fi %attr(0755,root,root) %{_libdir}/libslapd_db-*.*.so %attr(0755,root,root) %dir %{_libdir}/openldap %attr(0755,root,root) %{_libdir}/openldap/[^b]* +%attr(0755,root,root) %dir %{_datadir}/openldap-servers +%attr(0644,root,root) %{_datadir}/openldap-servers/* +# obsolete configuration +%attr(0640,ldap,ldap) %ghost %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf +%attr(0640,ldap,ldap) %ghost %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf.bak %files servers-sql %defattr(-,root,root) 
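Review bot: The `%ghost` entries for `slapd.conf` and `slapd.conf.bak` re-added in the second %files hunk declare owner `ldap`, where the `slapd.conf` and `slapd.conf.bak` lines removed in the first hunk had `%attr(0640,root,ldap)`. At mode 0640 the service account needs only group read, while owner `ldap` would let the daemon account rewrite a file that can carry `rootpw`. Unless the ownership change is intended, keep `%attr(0640,root,ldap)` on both entries, and if it is intended, say why in the `# obsolete configuration` comment.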
@@ -655,6 +671,11 @@ fi %attr(0644,root,root) %{evolution_connector_libdir}/*.a %changelog +* Tue Jul 20 2010 Jan Vcelak - 2.4.22-6 +- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448) +- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452) +- obsolete configuration file moved to /usr/share/openldap-servers (#612602) + * Thu Jul 01 2010 Jan Zeleny - 2.4.22-5 - another shot at previous fix