Compare commits

...

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

4 changed files with 1 additions and 131 deletions

View File

@ -1,72 +0,0 @@
From 840944e26f734bb03d925f26c4ef11a6cedcbb9c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Thu, 25 Aug 2022 16:13:21 +0100
Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure
Avoid unnecessary strdup in IPv6 addr parsing, check for strdup
failure when dup'ing scheme.
Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59
---
libraries/libldap/url.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c
index dcf2aac9e8..493fd7ce47 100644
--- a/libraries/libldap/url.c
+++ b/libraries/libldap/url.c
@@ -1385,24 +1385,22 @@ ldap_url_parsehosts(
}
ludp->lud_port = port;
ludp->lud_host = specs[i];
- specs[i] = NULL;
p = strchr(ludp->lud_host, ':');
if (p != NULL) {
/* more than one :, IPv6 address */
if ( strchr(p+1, ':') != NULL ) {
/* allow [address] and [address]:port */
if ( *ludp->lud_host == '[' ) {
- p = LDAP_STRDUP(ludp->lud_host+1);
- /* copied, make sure we free source later */
- specs[i] = ludp->lud_host;
- ludp->lud_host = p;
- p = strchr( ludp->lud_host, ']' );
+ p = strchr( ludp->lud_host+1, ']' );
if ( p == NULL ) {
LDAP_FREE(ludp);
ldap_charray_free(specs);
return LDAP_PARAM_ERROR;
}
- *p++ = '\0';
+ /* Truncate trailing ']' and shift hostname down 1 char */
+ *p = '\0';
+ AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host );
+ p++;
if ( *p != ':' ) {
if ( *p != '\0' ) {
LDAP_FREE(ludp);
@@ -1428,14 +1426,19 @@ ldap_url_parsehosts(
}
}
}
- ldap_pvt_hex_unescape(ludp->lud_host);
ludp->lud_scheme = LDAP_STRDUP("ldap");
+ if ( ludp->lud_scheme == NULL ) {
+ LDAP_FREE(ludp);
+ ldap_charray_free(specs);
+ return LDAP_NO_MEMORY;
+ }
+ specs[i] = NULL;
+ ldap_pvt_hex_unescape(ludp->lud_host);
ludp->lud_next = *ludlist;
*ludlist = ludp;
}
/* this should be an array of NULLs now */
- /* except entries starting with [ */
ldap_charray_free(specs);
return LDAP_SUCCESS;
}
--
2.44.0

View File

@ -1,26 +0,0 @@
From c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 24 Aug 2022 14:40:51 +0100
Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
---
libraries/libldap/fetch.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
index 9e426dc647..536871bcfe 100644
--- a/libraries/libldap/fetch.c
+++ b/libraries/libldap/fetch.c
@@ -69,6 +69,8 @@ ldif_open_url(
}
p = ber_strdup( urlstr );
+ if ( p == NULL )
+ return NULL;
/* But we should convert to LDAP_DIRSEP before use */
if ( LDAP_DIRSEP[0] != '/' ) {
--
2.44.0

View File

@ -1,18 +0,0 @@
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 6f27168..eb7b97c 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -862,7 +862,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
return 0;
#if OPENSSL_VERSION_NUMBER >= 0x10100000
- md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
+ {
+ int mdnid;
+ if ( !OBJ_find_sigid_algs( X509_get_signature_nid( cert ), &mdnid, NULL ))
+ return 0;
+ md = EVP_get_digestbynid( mdnid );
+ }
#else
md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
#endif

View File

@ -5,7 +5,7 @@
Name: openldap Name: openldap
Version: 2.4.46 Version: 2.4.46
Release: 20%{?dist} Release: 18%{?dist}
Summary: LDAP support libraries Summary: LDAP support libraries
License: OpenLDAP License: OpenLDAP
URL: http://www.openldap.org/ URL: http://www.openldap.org/
@ -58,9 +58,6 @@ Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
Patch63: openldap-add-TLS_REQSAN-option.patch Patch63: openldap-add-TLS_REQSAN-option.patch
Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch
Patch65: openldap-cbinding-fix-openssl-digest.patch
Patch66: 0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
Patch67: 0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
# check-password module specific patches # check-password module specific patches
Patch90: check-password-makefile.patch Patch90: check-password-makefile.patch
@ -156,9 +153,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch62 -p1 %patch62 -p1
%patch63 -p1 %patch63 -p1
%patch64 -p1 %patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
# build smbk5pwd with other overlays # build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -528,14 +522,6 @@ exit 0
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Wed Jul 3 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-20
- Bump version to 2.4.46-20
- Resolves: RHEL-35538 - Fix OpenSSL channel binding digest
* Tue Apr 30 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-19
- Bump version to 2.4.46-19
- Resolves: RHEL-34283 - openldap: null pointer dereference in ber_memalloc_x function
* Thu Aug 5 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-18 * Thu Aug 5 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-18
- Add TLS_REQSAN option and change the default to TRY (#1814674) - Add TLS_REQSAN option and change the default to TRY (#1814674)