From 381aba6d21c9149b0cc74396bbe8b68356553e9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C5=A0afr=C3=A1nek?=
Date: Wed, 15 Oct 2008 14:11:35 +0000
Subject: [PATCH] New upstream release
---
 .cvsignore | 2 +-
 openldap-2.3.27-ber-decode.patch | 44 -------------------
 openldap.spec | 14 +++---
 patch.4.7.25.1 | 75 ++++++++++++++++++++++++++++++++
 sources | 2 +-
 5 files changed, 84 insertions(+), 53 deletions(-)
 delete mode 100644 openldap-2.3.27-ber-decode.patch
 create mode 100644 patch.4.7.25.1
diff --git a/.cvsignore b/.cvsignore
index 07c9e1e..c4b7c9d 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,2 +1,2 @@
 db-4.6.21.tar.gz
-openldap-2.4.11.tgz
+openldap-2.4.12.tgz
diff --git a/openldap-2.3.27-ber-decode.patch b/openldap-2.3.27-ber-decode.patch
deleted file mode 100644
index d47da3c..0000000
--- a/openldap-2.3.27-ber-decode.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-453637, 453638, 453639, 453640,453444: CVE-2008-2952 OpenLDAP denial-of-service
-flaw in ASN.1 decoder
-
-Source: upstream, cvs diff -r 1.120 -r 1.122 libraries/liblber/io.c
-
-Index: libraries/liblber/io.c
-===================================================================
-RCS file: /repo/OpenLDAP/pkg/ldap/libraries/liblber/io.c,v
-retrieving revision 1.120
-retrieving revision 1.122
-diff -u -r1.120 -r1.122
---- libraries/liblber/io.c 7 Jan 2008 23:20:03 -0000 1.120
-+++ libraries/liblber/io.c 1 Jul 2008 23:33:15 -0000 1.122
-@@ -522,14 +522,18 @@
- }
- 
- while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
-- (char *)&ber->ber_len + LENSIZE*2 -1) {
-+ (char *)&ber->ber_len + LENSIZE*2) {
- ber_slen_t sblen;
- char buf[sizeof(ber->ber_len)-1];
- ber_len_t tlen = 0;
- 
-+ /* The tag & len can be at most 9 bytes; we try to read up to 8 here */
- sock_errset(0);
-- sblen=ber_int_sb_read( sb, ber->ber_rwptr,
-- ((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
-+ sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr;
-+ /* Trying to read the last len byte of a 9 byte tag+len */
-+ if (sblen<1)
-+ sblen = 1;
-+ sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen );
- if (sblen<=0) return LBER_DEFAULT;
- ber->ber_rwptr += sblen;
- 
-@@ -579,7 +583,7 @@
- int i;
- unsigned char *p = (unsigned char *)ber->ber_ptr;
- int llen = *p++ & 0x7f;
-- if (llen > (int)sizeof(ber_len_t)) {
-+ if (llen > LENSIZE) {
- sock_errset(ERANGE);
- return LBER_DEFAULT;
- }
diff --git a/openldap.spec b/openldap.spec
index 7b87fac..1bddc0b 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -3,7 +3,7 @@ # not work with some versions of OpenLDAP. %define db_version 4.6.21 %define ldbm_backend berkeley -%define version 2.4.11 +%define version 2.4.12 %define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} @@ -11,7 +11,7 @@ Summary: The configuration files, libraries, and documentation for OpenLDAP Name: openldap Version: %{version} -Release: 3%{?dist} +Release: 1%{?dist} License: OpenLDAP Group: System Environment/Daemons Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz @@ -201,11 +201,6 @@ export CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC -D_GNU_SOURCE" export LDFLAGS="-L${dbdir}/%{_lib}" export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} -# hack to get properly named __lock_getlocker - needed for bdb 4.6.21 + openldap2.4.8 -# check later releases -export CPPFLAGS="$CPPFLAGS -D __lock_getlocker=__lock_getlocker_openldap_slapd_46" -export CFLAGS="$CFLAGS -D __lock_getlocker=__lock_getlocker_openldap_slapd_46" - build() { %configure \ --with-threads=posix \ @@ -249,7 +244,9 @@ build \ --enable-null \ --enable-shell \ --enable-sql=mod \ + --disable-ndb \ --enable-passwd \ + --enable-sock \ --disable-perl \ --enable-relay \ --disable-shared \ @@ -603,6 +600,9 @@ fi %attr(0644,root,root) %{evolution_connector_libdir}/*.a %changelog +* Wed Oct 15 2008 Jan Safranek 2.4.11-1 +- new upstream release + * Mon Oct 13 2008 Jan Safranek 2.4.11-3 - add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins to set non-default slapd shutdown timeout diff --git a/patch.4.7.25.1 b/patch.4.7.25.1 new file mode 100644 index 0000000..0d258ed --- /dev/null +++ b/patch.4.7.25.1 
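Review bot: The `--enable-sock \` line added in the `@@ -249,7 +244,9 @@` hunk turns on a new slapd backend, but the `%changelog` entry added in the last spec hunk says only `new upstream release`, so neither the new backend nor the removed `__lock_getlocker` rename (the `@@ -201,11 +201,6 @@` hunk) is recorded for anyone auditing the package. back-sock hands LDAP operations to an external process over a socket, so consider building it as a loadable module the way the neighbouring `--enable-sql=mod \` does, i.e. `--enable-sock=mod \`, so the code is only loaded where an administrator asks for it. A changelog line such as `- enable back-sock, disable back-ndb, drop __lock_getlocker workaround` would document the change. The same new entry is labelled `2.4.11-1` although `%define version` is now 2.4.12; it should read `2.4.12-1`. The `build \` invocation starts and ends outside the hunk.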
@@ -0,0 +1,75 @@
+*** sequence/sequence.c.orig 2008-05-05 13:25:09.000000000 -0700
+--- sequence/sequence.c 2008-08-15 09:58:46.000000000 -0700
+***************
+*** 187,193 ****
+ if ((ret = __db_get_flags(dbp, &tflags)) != 0)
+ goto err;
+ 
+! if (DB_IS_READONLY(dbp)) {
+ ret = __db_rdonly(dbp->env, "DB_SEQUENCE->open");
+ goto err;
+ }
+--- 187,197 ----
+ if ((ret = __db_get_flags(dbp, &tflags)) != 0)
+ goto err;
+ 
+! /*
+! * We can let replication clients open sequences, but must
+! * check later that they do not update them.
+! */
+! if (F_ISSET(dbp, DB_AM_RDONLY)) {
+ ret = __db_rdonly(dbp->env, "DB_SEQUENCE->open");
+ goto err;
+ }
+***************
+*** 244,249 ****
+--- 248,258 ----
+ if ((ret != DB_NOTFOUND && ret != DB_KEYEMPTY) ||
+ !LF_ISSET(DB_CREATE))
+ goto err;
++ if (IS_REP_CLIENT(env) &&
++ !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
++ ret = __db_rdonly(env, "DB_SEQUENCE->open");
++ goto err;
++ }
+ ret = 0;
+ 
+ rp = &seq->seq_record;
+***************
+*** 296,302 ****
+ */
+ rp = seq->seq_data.data;
+ if (rp->seq_version == DB_SEQUENCE_OLDVER) {
+! oldver: rp->seq_version = DB_SEQUENCE_VERSION;
+ if (!F_ISSET(env, ENV_LITTLEENDIAN)) {
+ if (IS_DB_AUTO_COMMIT(dbp, txn)) {
+ if ((ret =
+--- 305,316 ----
+ */
+ rp = seq->seq_data.data;
+ if (rp->seq_version == DB_SEQUENCE_OLDVER) {
+! oldver: if (IS_REP_CLIENT(env) &&
+! !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
+! ret = __db_rdonly(env, "DB_SEQUENCE->open");
+! goto err;
+! }
+! rp->seq_version = DB_SEQUENCE_VERSION;
+ if (!F_ISSET(env, ENV_LITTLEENDIAN)) {
+ if (IS_DB_AUTO_COMMIT(dbp, txn)) {
+ if ((ret =
+***************
+*** 707,712 ****
+--- 721,733 ----
+ 
+ MUTEX_LOCK(env, seq->mtx_seq);
+ 
++ if (handle_check && IS_REP_CLIENT(env) &&
++ !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
++ ret = __db_rdonly(env, "DB_SEQUENCE->get");
++ goto err;
++ }
++
++
+ if (rp->seq_min + delta > rp->seq_max) {
+ __db_errx(env, "Sequence overflow");
+ ret = EINVAL;
diff --git a/sources b/sources
index 578b8b1..de06f50 100644
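Review bot: patch.4.7.25.1 is added here, but no `PatchN:` tag or `%patch` step for it appears in the visible openldap.spec hunks, and its name targets Berkeley DB 4.7.25 while `%define db_version` stays at 4.6.21 and `sources` still lists db-4.6.21.tar.gz. As committed the file looks either unused or aimed at a different DB release than the one being built, so it should land together with the DB bump. The spec line that applies it should carry a comment such as `# upstream BDB 4.7.25 patch 1: replication clients must not update sequences`. Separately, in the last inner hunk the new `goto err;` sits after `MUTEX_LOCK(env, seq->mtx_seq);`, and the `err` label is outside the hunk, so it is worth confirming that this path releases the mutex.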
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 718082e7e35fc48478a2334b0bc4cd11 db-4.6.21.tar.gz
-920fedbbb5bc61c2ca52c56edeef770a openldap-2.4.11.tgz
+78a03f7dd2c842103a987e97c243925e openldap-2.4.12.tgz