GNU bug report logs - #40946
[PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057, 13565}].

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 28 Apr 2020 20:24:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 40946 in the body.
You can then email your comments to 40946 AT debbugs.gnu.org in the normal way.


Report forwarded to guix-patches <at> gnu.org:
bug#40946; Package guix-patches. (Tue, 28 Apr 2020 20:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 28 Apr 2020 20:24:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057,
 13565}].
Date: Tue, 28 Apr 2020 16:22:57 -0400
* gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
(openldap/fixed): Replace with ...
(openldap-2.4.50): ... new variable.
* gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                  |   1 -
 gnu/packages/openldap.scm                     |  16 ++-
 .../patches/openldap-CVE-2020-12243.patch     | 125 ------------------
 3 files changed, 11 insertions(+), 131 deletions(-)
 delete mode 100644 gnu/packages/patches/openldap-CVE-2020-12243.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 67bf04547c..9426ee30a0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1276,7 +1276,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch	\
   %D%/packages/patches/openfoam-4.1-cleanup.patch			\
   %D%/packages/patches/openjdk-10-idlj-reproducibility.patch	\
-  %D%/packages/patches/openldap-CVE-2020-12243.patch		\
   %D%/packages/patches/openmpi-mtl-priorities.patch		\
   %D%/packages/patches/openocd-nrf52.patch			\
   %D%/packages/patches/openssl-runpath.patch			\
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index aa51520654..53c57e846f 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -58,8 +58,8 @@
 
 (define-public openldap
   (package
-   (replacement openldap/fixed)
    (name "openldap")
+   (replacement openldap-2.4.50)
    (version "2.4.47")
    (source (origin
             (method url-fetch)
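Review bot: ABI compatibility between 2.4.47 and 2.4.50 is not established anywhere for the graft at `(replacement openldap-2.4.50)`. The replacement used to be a patched 2.4.47 and is now a different upstream release, so the commit log should say how compatibility was checked (for example, that the installed library sonames are unchanged). Separately, the `replacement` field moved from before `(name "openldap")` to after it, which is unrelated to the update; leaving it in place would reduce this hunk to a one-line change.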
@@ -112,12 +112,18 @@
    (license openldap2.8)
    (home-page "https://www.openldap.org/")))
 
-(define openldap/fixed
+(define openldap-2.4.50
   (package
     (inherit openldap)
-    (source
-      (origin (inherit (package-source openldap))
-              (patches (search-patches "openldap-CVE-2020-12243.patch"))))))
+    (version "2.4.50")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://www.openldap.org/software/download/"
+                                  "OpenLDAP/openldap-release/openldap-" version
+                                  ".tgz"))
+              (sha256
+               (base32
+                "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))))
 
 (define-public nss-pam-ldapd
   (package
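Review bot: The `source` of `openldap-2.4.50` is a fresh `origin` and no longer uses `(inherit (package-source openldap))` as `openldap/fixed` did, so any `patches` or `snippet` on the parent origin (not visible in this diff) would be silently dropped from the grafted build. If the parent origin has none, this is fine; otherwise write it as an inherited origin that overrides only `uri` and `sha256`. A short comment above the definition saying that it is a graft target to be folded into `openldap` once the package can be rebuilt would also help later readers.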
diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patch
deleted file mode 100644
index 6321998198..0000000000
--- a/gnu/packages/patches/openldap-CVE-2020-12243.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc <at> openldap.org>
-Date: Thu, 16 Apr 2020 01:08:19 +0100
-Subject: [PATCH] ITS#9202 limit depth of nested filters
-
-Using a hardcoded limit for now; no reasonable apps
-should ever run into it.
----
- servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
- 1 file changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
-index 3252cf2a7..ed57bbd7b 100644
---- a/servers/slapd/filter.c
-+++ b/servers/slapd/filter.c
-@@ -37,11 +37,16 @@
- const Filter *slap_filter_objectClass_pres;
- const struct berval *slap_filterstr_objectClass_pres;
- 
-+#ifndef SLAPD_MAX_FILTER_DEPTH
-+#define SLAPD_MAX_FILTER_DEPTH	5000
-+#endif
-+
- static int	get_filter_list(
- 	Operation *op,
- 	BerElement *ber,
- 	Filter **f,
--	const char **text );
-+	const char **text,
-+	int depth );
- 
- static int	get_ssa(
- 	Operation *op,
-@@ -80,12 +85,13 @@ filter_destroy( void )
- 	return;
- }
- 
--int
--get_filter(
-+static int
-+get_filter0(
- 	Operation *op,
- 	BerElement *ber,
- 	Filter **filt,
--	const char **text )
-+	const char **text,
-+	int depth )
- {
- 	ber_tag_t	tag;
- 	ber_len_t	len;
-@@ -126,6 +132,11 @@ get_filter(
- 	 *
- 	 */
- 
-+	if( depth > SLAPD_MAX_FILTER_DEPTH ) {
-+		*text = "filter nested too deeply";
-+		return SLAPD_DISCONNECT;
-+	}
-+
- 	tag = ber_peek_tag( ber, &len );
- 
- 	if( tag == LBER_ERROR ) {
-@@ -221,7 +232,7 @@ get_filter(
- 
- 	case LDAP_FILTER_AND:
- 		Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
--		err = get_filter_list( op, ber, &f.f_and, text );
-+		err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -234,7 +245,7 @@ get_filter(
- 
- 	case LDAP_FILTER_OR:
- 		Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
--		err = get_filter_list( op, ber, &f.f_or, text );
-+		err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -248,7 +259,7 @@ get_filter(
- 	case LDAP_FILTER_NOT:
- 		Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
- 		(void) ber_skip_tag( ber, &len );
--		err = get_filter( op, ber, &f.f_not, text );
-+		err = get_filter0( op, ber, &f.f_not, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -311,10 +322,22 @@ get_filter(
- 	return( err );
- }
- 
-+int
-+get_filter(
-+	Operation *op,
-+	BerElement *ber,
-+	Filter **filt,
-+	const char **text )
-+{
-+	return get_filter0( op, ber, filt, text, 0 );
-+}
-+
-+
- static int
- get_filter_list( Operation *op, BerElement *ber,
- 	Filter **f,
--	const char **text )
-+	const char **text,
-+	int depth )
- {
- 	Filter		**new;
- 	int		err;
-@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
- 		tag != LBER_DEFAULT;
- 		tag = ber_next_element( ber, &len, last ) )
- 	{
--		err = get_filter( op, ber, new, text );
-+		err = get_filter0( op, ber, new, text, depth );
- 		if ( err != LDAP_SUCCESS )
- 			return( err );
- 		new = &(*new)->f_next;
--- 
-2.26.2
-
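Review bot: Nothing in the commit log says that 2.4.50 already contains the ITS#9202 nested-filter depth limit (the `SLAPD_MAX_FILTER_DEPTH` check in `get_filter0`), which is the CVE-2020-12243 fix this file carried; the subject names only CVE-2019-{13057, 13565}. Please confirm that `servers/slapd/filter.c` in the 2.4.50 tarball has the depth check and state that in the commit message, so the deletion does not read as a dropped security fix.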
-- 
2.26.2





Information forwarded to guix-patches <at> gnu.org:
bug#40946; Package guix-patches. (Tue, 28 Apr 2020 21:49:01 GMT) Full text and rfc822 format available.

Message #8 received at 40946 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 40946 <at> debbugs.gnu.org
Subject: Re: [bug#40946] [PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes
 CVE-2019-{13057, 13565}].
Date: Tue, 28 Apr 2020 23:48:32 +0200
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
> (openldap/fixed): Replace with ...
> (openldap-2.4.50): ... new variable.
> * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
> * gnu/local.mk (dist_patch_DATA): Remove it.

LGTM, assuming there are no ABI changes since 2.4.47.

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Wed, 29 Apr 2020 17:50:01 GMT) Full text and rfc822 format available.

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Wed, 29 Apr 2020 17:50:01 GMT) Full text and rfc822 format available.

Message #13 received at 40946-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 40946-done <at> debbugs.gnu.org
Subject: Re: [bug#40946] [PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes
 CVE-2019-{13057, 13565}].
Date: Wed, 29 Apr 2020 13:49:18 -0400
On Tue, Apr 28, 2020 at 11:48:32PM +0200, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > * gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
> > (openldap/fixed): Replace with ...
> > (openldap-2.4.50): ... new variable.
> > * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
> > * gnu/local.mk (dist_patch_DATA): Remove it.
> 
> LGTM, assuming there are no ABI changes since 2.4.47.

Pushed as f224a8bb79cc3c9e5960227ffea5524eb666d34a

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 28 May 2020 11:24:05 GMT) Full text and rfc822 format available.

This bug report was last modified 5 years and 21 days ago.
