New upstream release

This commit is contained in:
Jan Šafránek 2008-10-15 14:11:35 +00:00
parent 4c8f60bfd0
commit 381aba6d21
5 changed files with 84 additions and 53 deletions

View File

@ -1,2 +1,2 @@
db-4.6.21.tar.gz db-4.6.21.tar.gz
openldap-2.4.11.tgz openldap-2.4.12.tgz

View File

@ -1,44 +0,0 @@
453637, 453638, 453639, 453640,453444: CVE-2008-2952 OpenLDAP denial-of-service
flaw in ASN.1 decoder
Source: upstream, cvs diff -r 1.120 -r 1.122 libraries/liblber/io.c
Index: libraries/liblber/io.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/liblber/io.c,v
retrieving revision 1.120
retrieving revision 1.122
diff -u -r1.120 -r1.122
--- libraries/liblber/io.c 7 Jan 2008 23:20:03 -0000 1.120
+++ libraries/liblber/io.c 1 Jul 2008 23:33:15 -0000 1.122
@@ -522,14 +522,18 @@
}
while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
- (char *)&ber->ber_len + LENSIZE*2 -1) {
+ (char *)&ber->ber_len + LENSIZE*2) {
ber_slen_t sblen;
char buf[sizeof(ber->ber_len)-1];
ber_len_t tlen = 0;
+ /* The tag & len can be at most 9 bytes; we try to read up to 8 here */
sock_errset(0);
- sblen=ber_int_sb_read( sb, ber->ber_rwptr,
- ((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
+ sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr;
+ /* Trying to read the last len byte of a 9 byte tag+len */
+ if (sblen<1)
+ sblen = 1;
+ sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen );
if (sblen<=0) return LBER_DEFAULT;
ber->ber_rwptr += sblen;
@@ -579,7 +583,7 @@
int i;
unsigned char *p = (unsigned char *)ber->ber_ptr;
int llen = *p++ & 0x7f;
- if (llen > (int)sizeof(ber_len_t)) {
+ if (llen > LENSIZE) {
sock_errset(ERANGE);
return LBER_DEFAULT;
}

View File

@ -3,7 +3,7 @@
# not work with some versions of OpenLDAP. # not work with some versions of OpenLDAP.
%define db_version 4.6.21 %define db_version 4.6.21
%define ldbm_backend berkeley %define ldbm_backend berkeley
%define version 2.4.11 %define version 2.4.12
%define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_prefix %{_libdir}/evolution-openldap
%define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_includedir %{evolution_connector_prefix}/include
%define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
@ -11,7 +11,7 @@
Summary: The configuration files, libraries, and documentation for OpenLDAP Summary: The configuration files, libraries, and documentation for OpenLDAP
Name: openldap Name: openldap
Version: %{version} Version: %{version}
Release: 3%{?dist} Release: 1%{?dist}
License: OpenLDAP License: OpenLDAP
Group: System Environment/Daemons Group: System Environment/Daemons
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@ -201,11 +201,6 @@ export CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC -D_GNU_SOURCE"
export LDFLAGS="-L${dbdir}/%{_lib}" export LDFLAGS="-L${dbdir}/%{_lib}"
export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
# hack to get properly named __lock_getlocker - needed for bdb 4.6.21 + openldap2.4.8
# check later releases
export CPPFLAGS="$CPPFLAGS -D __lock_getlocker=__lock_getlocker_openldap_slapd_46"
export CFLAGS="$CFLAGS -D __lock_getlocker=__lock_getlocker_openldap_slapd_46"
build() { build() {
%configure \ %configure \
--with-threads=posix \ --with-threads=posix \
@ -249,7 +244,9 @@ build \
--enable-null \ --enable-null \
--enable-shell \ --enable-shell \
--enable-sql=mod \ --enable-sql=mod \
--disable-ndb \
--enable-passwd \ --enable-passwd \
--enable-sock \
--disable-perl \ --disable-perl \
--enable-relay \ --enable-relay \
--disable-shared \ --disable-shared \
@ -603,6 +600,9 @@ fi
%attr(0644,root,root) %{evolution_connector_libdir}/*.a %attr(0644,root,root) %{evolution_connector_libdir}/*.a
%changelog %changelog
* Wed Oct 15 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-1
- new upstream release
* Mon Oct 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-3 * Mon Oct 13 2008 Jan Safranek <jsafranek@redhat.com> 2.4.11-3
- add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins - add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins
to set non-default slapd shutdown timeout to set non-default slapd shutdown timeout

75
patch.4.7.25.1 Normal file
View File

@ -0,0 +1,75 @@
*** sequence/sequence.c.orig 2008-05-05 13:25:09.000000000 -0700
--- sequence/sequence.c 2008-08-15 09:58:46.000000000 -0700
***************
*** 187,193 ****
if ((ret = __db_get_flags(dbp, &tflags)) != 0)
goto err;
! if (DB_IS_READONLY(dbp)) {
ret = __db_rdonly(dbp->env, "DB_SEQUENCE->open");
goto err;
}
--- 187,197 ----
if ((ret = __db_get_flags(dbp, &tflags)) != 0)
goto err;
! /*
! * We can let replication clients open sequences, but must
! * check later that they do not update them.
! */
! if (F_ISSET(dbp, DB_AM_RDONLY)) {
ret = __db_rdonly(dbp->env, "DB_SEQUENCE->open");
goto err;
}
***************
*** 244,249 ****
--- 248,258 ----
if ((ret != DB_NOTFOUND && ret != DB_KEYEMPTY) ||
!LF_ISSET(DB_CREATE))
goto err;
+ if (IS_REP_CLIENT(env) &&
+ !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
+ ret = __db_rdonly(env, "DB_SEQUENCE->open");
+ goto err;
+ }
ret = 0;
rp = &seq->seq_record;
***************
*** 296,302 ****
*/
rp = seq->seq_data.data;
if (rp->seq_version == DB_SEQUENCE_OLDVER) {
! oldver: rp->seq_version = DB_SEQUENCE_VERSION;
if (!F_ISSET(env, ENV_LITTLEENDIAN)) {
if (IS_DB_AUTO_COMMIT(dbp, txn)) {
if ((ret =
--- 305,316 ----
*/
rp = seq->seq_data.data;
if (rp->seq_version == DB_SEQUENCE_OLDVER) {
! oldver: if (IS_REP_CLIENT(env) &&
! !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
! ret = __db_rdonly(env, "DB_SEQUENCE->open");
! goto err;
! }
! rp->seq_version = DB_SEQUENCE_VERSION;
if (!F_ISSET(env, ENV_LITTLEENDIAN)) {
if (IS_DB_AUTO_COMMIT(dbp, txn)) {
if ((ret =
***************
*** 707,712 ****
--- 721,733 ----
MUTEX_LOCK(env, seq->mtx_seq);
+ if (handle_check && IS_REP_CLIENT(env) &&
+ !F_ISSET(dbp, DB_AM_NOT_DURABLE)) {
+ ret = __db_rdonly(env, "DB_SEQUENCE->get");
+ goto err;
+ }
+
+
if (rp->seq_min + delta > rp->seq_max) {
__db_errx(env, "Sequence overflow");
ret = EINVAL;

View File

@ -1,2 +1,2 @@
718082e7e35fc48478a2334b0bc4cd11 db-4.6.21.tar.gz 718082e7e35fc48478a2334b0bc4cd11 db-4.6.21.tar.gz
920fedbbb5bc61c2ca52c56edeef770a openldap-2.4.11.tgz 78a03f7dd2c842103a987e97c243925e openldap-2.4.12.tgz