6 changed files with 1 additions and 188 deletions
--- a/SOURCES/0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
+++ b/SOURCES/0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
@ -1,72 +0,0 @@
-From 840944e26f734bb03d925f26c4ef11a6cedcbb9c Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Thu, 25 Aug 2022 16:13:21 +0100
-Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure
-
-Avoid unnecessary strdup in IPv6 addr parsing, check for strdup
-failure when dup'ing scheme.
-
-Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59
---
- libraries/libldap/url.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c
-index dcf2aac9e8..493fd7ce47 100644
--- a/libraries/libldap/url.c
-+++ b/libraries/libldap/url.c
-@@ -1385,24 +1385,22 @@ ldap_url_parsehosts(
- 		}
- 		ludp->lud_port = port;
- 		ludp->lud_host = specs[i];
-		specs[i] = NULL;
- 		p = strchr(ludp->lud_host, ':');
- 		if (p != NULL) {
- 			/* more than one :, IPv6 address */
- 			if ( strchr(p+1, ':') != NULL ) {
- 				/* allow [address] and [address]:port */
- 				if ( *ludp->lud_host == '[' ) {
-					p = LDAP_STRDUP(ludp->lud_host+1);
-					/* copied, make sure we free source later */
-					specs[i] = ludp->lud_host;
-					ludp->lud_host = p;
-					p = strchr( ludp->lud_host, ']' );
-+					p = strchr( ludp->lud_host+1, ']' );
- 					if ( p == NULL ) {
- 						LDAP_FREE(ludp);
- 						ldap_charray_free(specs);
- 						return LDAP_PARAM_ERROR;
- 					}
-					*p++ = '\0';
-+					/* Truncate trailing ']' and shift hostname down 1 char */
-+					*p = '\0';
-+					AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host );
-+					p++;
- 					if ( *p != ':' ) {
- 						if ( *p != '\0' ) {
- 							LDAP_FREE(ludp);
-@@ -1428,14 +1426,19 @@ ldap_url_parsehosts(
- 				}
- 			}
- 		}
-		ldap_pvt_hex_unescape(ludp->lud_host);
- 		ludp->lud_scheme = LDAP_STRDUP("ldap");
-+		if ( ludp->lud_scheme == NULL ) {
-+			LDAP_FREE(ludp);
-+			ldap_charray_free(specs);
-+			return LDAP_NO_MEMORY;
-+		}
-+		specs[i] = NULL;
-+		ldap_pvt_hex_unescape(ludp->lud_host);
- 		ludp->lud_next = *ludlist;
- 		*ludlist = ludp;
- 	}
- 
- 	/* this should be an array of NULLs now */
-	/* except entries starting with [ */
- 	ldap_charray_free(specs);
- 	return LDAP_SUCCESS;
- }
-- 
-2.44.0
-
--- a/SOURCES/0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
+++ b/SOURCES/0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
@ -1,26 +0,0 @@
-From c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Wed, 24 Aug 2022 14:40:51 +0100
-Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
-
-Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
---
- libraries/libldap/fetch.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
-index 9e426dc647..536871bcfe 100644
--- a/libraries/libldap/fetch.c
-+++ b/libraries/libldap/fetch.c
-@@ -69,6 +69,8 @@ ldif_open_url(
- 		}
- 
- 		p = ber_strdup( urlstr );
-+		if ( p == NULL )
-+			return NULL;
- 
- 		/* But we should convert to LDAP_DIRSEP before use */
- 		if ( LDAP_DIRSEP[0] != '/' ) {
-- 
-2.44.0
-
--- a/SOURCES/openldap-cbinding-fix-openssl-digest.patch
+++ b/SOURCES/openldap-cbinding-fix-openssl-digest.patch
@ -1,18 +0,0 @@
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index 6f27168..eb7b97c 100644
--- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -862,7 +862,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
- 		return 0;
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10100000
-	md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
-+	{
-+		int mdnid;
-+		if ( !OBJ_find_sigid_algs( X509_get_signature_nid( cert ), &mdnid, NULL ))
-+			return 0;
-+		md = EVP_get_digestbynid( mdnid );
-+	}
- #else
- 	md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
- #endif
--- a/SOURCES/openldap-libldap-fix-double-sb_close-when-first-TLS.patch
+++ b/SOURCES/openldap-libldap-fix-double-sb_close-when-first-TLS.patch
@ -1,25 +0,0 @@
-From 2b842a7eed3c299659bf7ede341fc1d6d281b603 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Florin=20Cri=C8=99an?= <florin.crisan@gmail.com>
-Date: Wed, 20 Sep 2023 16:06:09 +0300
-Subject: [PATCH] ITS#10101 libldap: fix double sb_close when first TLS
- connection fails
-
---
- libraries/libldap/open.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
-index f1c7b9d031..b90b3ca181 100644
--- a/libraries/libldap/open.c
-+++ b/libraries/libldap/open.c
-@@ -480,6 +480,7 @@ ldap_int_open_connection(
- 				LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
- 			}
- 			ber_int_sb_close( conn->lconn_sb );
-+			ber_int_sb_destroy( conn->lconn_sb );
- 			return -1;
- 		}
- 	}
-- 
-2.47.1
-
--- a/SOURCES/openldap-plug-descriptor-leak-if-ldaps-connect-fails.patch
+++ b/SOURCES/openldap-plug-descriptor-leak-if-ldaps-connect-fails.patch
@ -1,24 +0,0 @@
-From a64febc5c646952773e6195ab1ec54ef63deb73a Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Sat, 11 Jan 2020 04:16:01 +0000
-Subject: [PATCH 001/336] ITS#9147 plug descriptor leak if ldaps connect fails
-
---
- libraries/libldap/open.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
-index 4e0f9f8028..cde157b079 100644
--- a/libraries/libldap/open.c
-+++ b/libraries/libldap/open.c
-@@ -476,6 +476,7 @@ ldap_int_open_connection(
- 				}
- 				LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
- 			}
-+			ber_int_sb_close( conn->lconn_sb );
- 			return -1;
- 		}
- 	}
-- 
-2.47.1
-
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@ -5,7 +5,7 @@

 Name: openldap
 Version: 2.4.46
-Release: 21%{?dist}
+Release: 18%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
@ -58,11 +58,6 @@ Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
 Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
 Patch63: openldap-add-TLS_REQSAN-option.patch
 Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch
-Patch65: openldap-cbinding-fix-openssl-digest.patch
-Patch66: 0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
-Patch67: 0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
-Patch68: openldap-plug-descriptor-leak-if-ldaps-connect-fails.patch
-Patch69: openldap-libldap-fix-double-sb_close-when-first-TLS.patch

 # check-password module specific patches
 Patch90: check-password-makefile.patch
@ -158,11 +153,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch62 -p1
 %patch63 -p1
 %patch64 -p1
-%patch65 -p1
-%patch66 -p1
-%patch67 -p1
-%patch68 -p1
-%patch69 -p1

 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -532,18 +522,6 @@ exit 0
 %{_mandir}/man3/*

 %changelog
-* Mon Jan 27 2025 Simon Pichugin <spichugi@redhat.com> - 2.4.46-21
- Bump version to 2.4.46-21
- Resolves: RHEL-75823 - Fix double file close when first TLS connection fails
-
-* Wed Jul  3 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-20
- Bump version to 2.4.46-20
- Resolves: RHEL-35538 - Fix OpenSSL channel binding digest
-
-* Tue Apr 30 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-19
- Bump version to 2.4.46-19
- Resolves: RHEL-34283 - openldap: null pointer dereference in ber_memalloc_x function
-
 * Thu Aug  5 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-18
 - Add TLS_REQSAN option and change the default to TRY (#1814674)