GNU bug report logs - #40946
[PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057, 13565}].


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 28 Apr 2020 20:24:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.




From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#40946: closed ([PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes
 CVE-2019-{13057, 13565}].)
Date: Wed, 29 Apr 2020 17:50:01 +0000
Your message dated Wed, 29 Apr 2020 13:49:18 -0400
with message-id <20200429174918.GA25738 <at> jasmine.lan>
and subject line Re: [bug#40946] [PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057, 13565}].
has caused the debbugs.gnu.org bug report #40946,
regarding [PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057, 13565}].
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
40946: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=40946
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057,
 13565}].
Date: Tue, 28 Apr 2020 16:22:57 -0400
* gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
(openldap/fixed): Replace with ...
(openldap-2.4.50): ... new variable.
* gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                  |   1 -
 gnu/packages/openldap.scm                     |  16 ++-
 .../patches/openldap-CVE-2020-12243.patch     | 125 ------------------
 3 files changed, 11 insertions(+), 131 deletions(-)
 delete mode 100644 gnu/packages/patches/openldap-CVE-2020-12243.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 67bf04547c..9426ee30a0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1276,7 +1276,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch	\
   %D%/packages/patches/openfoam-4.1-cleanup.patch			\
   %D%/packages/patches/openjdk-10-idlj-reproducibility.patch	\
-  %D%/packages/patches/openldap-CVE-2020-12243.patch		\
   %D%/packages/patches/openmpi-mtl-priorities.patch		\
   %D%/packages/patches/openocd-nrf52.patch			\
   %D%/packages/patches/openssl-runpath.patch			\
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index aa51520654..53c57e846f 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -58,8 +58,8 @@
 
 (define-public openldap
   (package
-   (replacement openldap/fixed)
    (name "openldap")
+   (replacement openldap-2.4.50)
    (version "2.4.47")
    (source (origin
             (method url-fetch)
@@ -112,12 +112,18 @@
    (license openldap2.8)
    (home-page "https://www.openldap.org/")))
 
-(define openldap/fixed
+(define openldap-2.4.50
   (package
     (inherit openldap)
-    (source
-      (origin (inherit (package-source openldap))
-              (patches (search-patches "openldap-CVE-2020-12243.patch"))))))
+    (version "2.4.50")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://www.openldap.org/software/download/"
+                                  "OpenLDAP/openldap-release/openldap-" version
+                                  ".tgz"))
+              (sha256
+               (base32
+                "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))))
 
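Review bot: The new `openldap-2.4.50` definition carries no comment saying why the grafted replacement may now drop the CVE-2020-12243 patch; judging from the deleted file (the upstream ITS#9202 commit) this is presumably because 2.4.50 ships that fix, but neither the hunk nor the commit message, which names only CVE-2019-13057/13565, states it. A line above the `define` such as `;; Grafted security update: 2.4.50 carries the upstream fixes for CVE-2019-13057, CVE-2019-13565 and CVE-2020-12243 (ITS#9202), so the local patch is no longer needed.` would record the rationale for the next person who has to reason about this graft. The sha256 on the last line cannot be checked from here and should be confirmed against the upstream signed release rather than against a freshly fetched tarball. Note also that `openldap` itself stays at 2.4.47 (its source stanza continues outside this hunk), so builds done with `--no-grafts` still produce the unpatched version until the base package is bumped.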
 (define-public nss-pam-ldapd
   (package
diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patch
deleted file mode 100644
index 6321998198..0000000000
--- a/gnu/packages/patches/openldap-CVE-2020-12243.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc <at> openldap.org>
-Date: Thu, 16 Apr 2020 01:08:19 +0100
-Subject: [PATCH] ITS#9202 limit depth of nested filters
-
-Using a hardcoded limit for now; no reasonable apps
-should ever run into it.
----
- servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
- 1 file changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
-index 3252cf2a7..ed57bbd7b 100644
---- a/servers/slapd/filter.c
-+++ b/servers/slapd/filter.c
-@@ -37,11 +37,16 @@
- const Filter *slap_filter_objectClass_pres;
- const struct berval *slap_filterstr_objectClass_pres;
- 
-+#ifndef SLAPD_MAX_FILTER_DEPTH
-+#define SLAPD_MAX_FILTER_DEPTH	5000
-+#endif
-+
- static int	get_filter_list(
- 	Operation *op,
- 	BerElement *ber,
- 	Filter **f,
--	const char **text );
-+	const char **text,
-+	int depth );
- 
- static int	get_ssa(
- 	Operation *op,
-@@ -80,12 +85,13 @@ filter_destroy( void )
- 	return;
- }
- 
--int
--get_filter(
-+static int
-+get_filter0(
- 	Operation *op,
- 	BerElement *ber,
- 	Filter **filt,
--	const char **text )
-+	const char **text,
-+	int depth )
- {
- 	ber_tag_t	tag;
- 	ber_len_t	len;
-@@ -126,6 +132,11 @@ get_filter(
- 	 *
- 	 */
- 
-+	if( depth > SLAPD_MAX_FILTER_DEPTH ) {
-+		*text = "filter nested too deeply";
-+		return SLAPD_DISCONNECT;
-+	}
-+
- 	tag = ber_peek_tag( ber, &len );
- 
- 	if( tag == LBER_ERROR ) {
-@@ -221,7 +232,7 @@ get_filter(
- 
- 	case LDAP_FILTER_AND:
- 		Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
--		err = get_filter_list( op, ber, &f.f_and, text );
-+		err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -234,7 +245,7 @@ get_filter(
- 
- 	case LDAP_FILTER_OR:
- 		Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
--		err = get_filter_list( op, ber, &f.f_or, text );
-+		err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -248,7 +259,7 @@ get_filter(
- 	case LDAP_FILTER_NOT:
- 		Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
- 		(void) ber_skip_tag( ber, &len );
--		err = get_filter( op, ber, &f.f_not, text );
-+		err = get_filter0( op, ber, &f.f_not, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -311,10 +322,22 @@ get_filter(
- 	return( err );
- }
- 
-+int
-+get_filter(
-+	Operation *op,
-+	BerElement *ber,
-+	Filter **filt,
-+	const char **text )
-+{
-+	return get_filter0( op, ber, filt, text, 0 );
-+}
-+
-+
- static int
- get_filter_list( Operation *op, BerElement *ber,
- 	Filter **f,
--	const char **text )
-+	const char **text,
-+	int depth )
- {
- 	Filter		**new;
- 	int		err;
-@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
- 		tag != LBER_DEFAULT;
- 		tag = ber_next_element( ber, &len, last ) )
- 	{
--		err = get_filter( op, ber, new, text );
-+		err = get_filter0( op, ber, new, text, depth );
- 		if ( err != LDAP_SUCCESS )
- 			return( err );
- 		new = &(*new)->f_next;
--- 
-2.26.2
-
-- 
2.26.2



From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 40946-done <at> debbugs.gnu.org
Subject: Re: [bug#40946] [PATCH] gnu: OpenLDAP: Update to 2.4.50 [fixes
 CVE-2019-{13057, 13565}].
Date: Wed, 29 Apr 2020 13:49:18 -0400
On Tue, Apr 28, 2020 at 11:48:32PM +0200, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > * gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50.
> > (openldap/fixed): Replace with ...
> > (openldap-2.4.50): ... new variable.
> > * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file.
> > * gnu/local.mk (dist_patch_DATA): Remove it.
> 
> LGTM, assuming there are no ABI changes since 2.4.47.

Pushed as f224a8bb79cc3c9e5960227ffea5524eb666d34a
