From 62f1c6f935ce93b4e5988076d15975710d207d63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C5=A0afr=C3=A1nek?= Date: Wed, 2 Jul 2008 10:04:30 +0000 Subject: [PATCH] fix CVE-2008-2952 Resolves: #453728 --- openldap-2.3.27-ber-decode.patch | 44 ++++++++++++++++++++++++++++++++ openldap.spec | 7 ++++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 openldap-2.3.27-ber-decode.patch diff --git a/openldap-2.3.27-ber-decode.patch b/openldap-2.3.27-ber-decode.patch new file mode 100644 index 0000000..d47da3c --- /dev/null +++ b/openldap-2.3.27-ber-decode.patch @@ -0,0 +1,44 @@ +453637, 453638, 453639, 453640,453444: CVE-2008-2952 OpenLDAP denial-of-service +flaw in ASN.1 decoder + +Source: upstream, cvs diff -r 1.120 -r 1.122 libraries/liblber/io.c + +Index: libraries/liblber/io.c +=================================================================== +RCS file: /repo/OpenLDAP/pkg/ldap/libraries/liblber/io.c,v +retrieving revision 1.120 +retrieving revision 1.122 +diff -u -r1.120 -r1.122 +--- libraries/liblber/io.c 7 Jan 2008 23:20:03 -0000 1.120 ++++ libraries/liblber/io.c 1 Jul 2008 23:33:15 -0000 1.122 +@@ -522,14 +522,18 @@ + } + + while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr < +- (char *)&ber->ber_len + LENSIZE*2 -1) { ++ (char *)&ber->ber_len + LENSIZE*2) { + ber_slen_t sblen; + char buf[sizeof(ber->ber_len)-1]; + ber_len_t tlen = 0; + ++ /* The tag & len can be at most 9 bytes; we try to read up to 8 here */ + sock_errset(0); +- sblen=ber_int_sb_read( sb, ber->ber_rwptr, +- ((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr); ++ sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr; ++ /* Trying to read the last len byte of a 9 byte tag+len */ ++ if (sblen<1) ++ sblen = 1; ++ sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen ); + if (sblen<=0) return LBER_DEFAULT; + ber->ber_rwptr += sblen; + +@@ -579,7 +583,7 @@ + int i; + unsigned char *p = (unsigned char *)ber->ber_ptr; + int llen = *p++ & 0x7f; +- if (llen > (int)sizeof(ber_len_t)) { ++ if (llen > LENSIZE) { + sock_errset(ERANGE); + return LBER_DEFAULT; + } diff --git a/openldap.spec b/openldap.spec index c693902..6383642 100644 --- a/openldap.spec +++ b/openldap.spec @@ -11,7 +11,7 @@ Summary: The configuration files, libraries, and documentation for OpenLDAP Name: openldap Version: %{version} -Release: 1%{?dist} +Release: 2%{?dist} License: OpenLDAP Group: System Environment/Daemons Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz @@ -34,6 +34,7 @@ Patch5: openldap-2.4.6-nosql.patch Patch6: openldap-2.3.19-gethostbyXXXX_r.patch Patch9: openldap-2.3.37-smbk5pwd.patch Patch10: openldap-2.4.6-multilib.patch +Patch11: openldap-2.3.27-ber-decode.patch # Patches for the evolution library Patch200: openldap-2.4.6-evolution-ntlm.patch @@ -131,6 +132,7 @@ pushd openldap-%{version} %patch6 -p1 -b .gethostbyname_r %patch9 -p1 -b .smbk5pwd %patch10 -p1 -b .multilib +%patch11 -p0 -b .ber-decode cp %{_datadir}/libtool/config.{sub,guess} build/ popd @@ -597,6 +599,9 @@ fi %attr(0644,root,root) %{evolution_connector_libdir}/*.a %changelog +* Wed Jul 2 2008 Jan Safranek 2.4.10-2 +- fix CVE-2008-2952 (#453728) + * Thu Jun 12 2008 Jan Safranek 2.4.10-1 - new upstream release