diff --git a/openldap-nss-clean-memory-for-token-pin.patch b/openldap-nss-clean-memory-for-token-pin.patch
new file mode 100644
index 0000000..5be680d
--- /dev/null
+++ b/openldap-nss-clean-memory-for-token-pin.patch
@@ -0,0 +1,31 @@
+MozNSS: read pin from file file can cause infinite loop
+
+The buffer allocated for reading password file has to be initialized
+with zeros, or we need to append zero at the end of the file. Otherwise
+we might read unitialized memory and consider it to be a password.
+
+Author: Jan Vcelak
+Upstream ITS: #7291
+Upstream commit: 00d0e162720b8cf03b9e5428892158f0768db9a6
+Resolves: #829317
+
+---
+ libraries/libldap/tls_m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index d71fec7..2e755eb 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -786,7 +786,7 @@ tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx)
+ }
+
+ /* create a buffer to hold the file contents */
+- if ( !( contents = PR_MALLOC( file_info.size + 1 ) ) ) {
++ if ( !( contents = PR_CALLOC( file_info.size + 1 ) ) ) {
+ PRErrorCode errcode = PR_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not alloc a buffer for contents of pin file %s - error %d:%s.\n",
+--
+1.7.10.4
+
diff --git a/openldap.spec b/openldap.spec
index 741bbd3..da6b401 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -42,6 +42,7 @@ Patch10: openldap-man-sasl-nocanon.patch
 Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
 Patch12: openldap-tls-unbind-shutdown-order.patch
 Patch13: openldap-nss-dont-overwrite-verify-cert-error.patch
+Patch14: openldap-nss-clean-memory-for-token-pin.patch
 # Fedora specific patches
 Patch100: openldap-fedora-systemd.patch
@@ -151,6 +152,7 @@ pushd openldap-%{version}
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 %patch100 -p1
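Review bot: In the tls_m.c hunk carried by openldap-nss-clean-memory-for-token-pin.patch, the NUL terminator of the pin buffer is now implicit in the zero fill from `PR_CALLOC( file_info.size + 1 )`, and nothing on the changed line says so; a later cleanup back to `PR_MALLOC` would bring back the read of uninitialized heap as pin data. I would extend the comment above it to `/* create a zero-filled buffer: the extra byte must stay 0 so the pin is NUL-terminated */`, or terminate explicitly after the read using the byte count actually returned. The read and the release of `contents` are outside the hunk, so it is not visible whether `file_info.size` is bounded before the `+ 1`, or whether the buffer, which holds a token pin, is wiped before it is freed. Both are worth confirming in tlsm_get_pin_from_file.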
@@ -666,6 +668,7 @@ exit 0
 - update fix: count constraint broken when using multiple modifications (#795766)
 - fix: invalid order of TLS shutdown operations (#808464)
 - fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
+- fix: reading pin from file can make all TLS connections hang (#829317)
 * Fri May 18 2012 Jan Vcelak 2.4.31-2
 - fix: nss-tools package is required by the base package, not the server subpackage