branch master updated: gnu: openldap: Fix CVE-2020-12243.

guix-commits
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
branch master updated: gnu: openldap: Fix CVE-2020-12243.

From:	guix-commits
Subject:	branch master updated: gnu: openldap: Fix CVE-2020-12243.
Date:	Tue, 28 Apr 2020 15:53:48 -0400
This is an automated email from the git hooks/post-receive script.

efraim pushed a commit to branch master
in repository guix.

The following commit(s) were added to refs/heads/master by this push:
     new 0b25812  gnu: openldap: Fix CVE-2020-12243.
0b25812 is described below

commit 0b25812872904d61024791778dae36636c52ded6
Author: Efraim Flashner <address@hidden>
AuthorDate: Tue Apr 28 22:52:20 2020 +0300

    gnu: openldap: Fix CVE-2020-12243.
    
    * gnu/packages/openldap.scm (openldap)[replacement]: New field.
    (openldap/fixed): New variable.
    * gnu/packages/patches/openldap-CVE-2020-12243.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                       |   3 +-
 gnu/packages/openldap.scm                          |   9 ++
 gnu/packages/patches/openldap-CVE-2020-12243.patch | 125 +++++++++++++++++++++
 3 files changed, 136 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 9b082a6..67bf045 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -10,7 +10,7 @@
 # Copyright © 2016, 2017, 2018, 2019, 2020 Ricardo Wurmus <address@hidden>
 # Copyright © 2016 Ben Woodcroft <address@hidden>
 # Copyright © 2016, 2017, 2018, 2019 Alex Vong <address@hidden>
-# Copyright © 2016, 2017, 2018, 2019 Efraim Flashner <address@hidden>
+# Copyright © 2016, 2017, 2018, 2019, 2020 Efraim Flashner <address@hidden>
 # Copyright © 2016, 2017, 2018, 2019 Jan (janneke) Nieuwenhuizen 
<address@hidden>
 # Copyright © 2017, 2018, 2019, 2020 Tobias Geerinckx-Rice <address@hidden>
 # Copyright © 2017, 2018 Clément Lassieur <address@hidden>
@@ -1276,6 +1276,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch      \
   %D%/packages/patches/openfoam-4.1-cleanup.patch                      \
   %D%/packages/patches/openjdk-10-idlj-reproducibility.patch   \
+  %D%/packages/patches/openldap-CVE-2020-12243.patch           \
   %D%/packages/patches/openmpi-mtl-priorities.patch            \
   %D%/packages/patches/openocd-nrf52.patch                     \
   %D%/packages/patches/openssl-runpath.patch                   \
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index de8239b..aa51520 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus <address@hidden>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <address@hidden>
 ;;; Copyright © 2020 Lars-Dominik Braun <address@hidden>
+;;; Copyright © 2020 Efraim Flashner <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -57,6 +58,7 @@
 
 (define-public openldap
   (package
+   (replacement openldap/fixed)
    (name "openldap")
    (version "2.4.47")
    (source (origin
@@ -110,6 +112,13 @@
    (license openldap2.8)
    (home-page "https://www.openldap.org/";)))
 
+(define openldap/fixed
+  (package
+    (inherit openldap)
+    (source
+      (origin (inherit (package-source openldap))
+              (patches (search-patches "openldap-CVE-2020-12243.patch"))))))
+
 (define-public nss-pam-ldapd
   (package
     (name "nss-pam-ldapd")
diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch 
b/gnu/packages/patches/openldap-CVE-2020-12243.patch
new file mode 100644
index 0000000..6321998
--- /dev/null
+++ b/gnu/packages/patches/openldap-CVE-2020-12243.patch
@@ -0,0 +1,125 @@
+From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
+From: Howard Chu <address@hidden>
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index 3252cf2a7..ed57bbd7b 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+ 
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH        5000
++#endif
++
+ static int    get_filter_list(
+       Operation *op,
+       BerElement *ber,
+       Filter **f,
+-      const char **text );
++      const char **text,
++      int depth );
+ 
+ static int    get_ssa(
+       Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+       return;
+ }
+ 
+-int
+-get_filter(
++static int
++get_filter0(
+       Operation *op,
+       BerElement *ber,
+       Filter **filt,
+-      const char **text )
++      const char **text,
++      int depth )
+ {
+       ber_tag_t       tag;
+       ber_len_t       len;
+@@ -126,6 +132,11 @@ get_filter(
+        *
+        */
+ 
++      if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++              *text = "filter nested too deeply";
++              return SLAPD_DISCONNECT;
++      }
++
+       tag = ber_peek_tag( ber, &len );
+ 
+       if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+ 
+       case LDAP_FILTER_AND:
+               Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+-              err = get_filter_list( op, ber, &f.f_and, text );
++              err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+               if ( err != LDAP_SUCCESS ) {
+                       break;
+               }
+@@ -234,7 +245,7 @@ get_filter(
+ 
+       case LDAP_FILTER_OR:
+               Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+-              err = get_filter_list( op, ber, &f.f_or, text );
++              err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+               if ( err != LDAP_SUCCESS ) {
+                       break;
+               }
+@@ -248,7 +259,7 @@ get_filter(
+       case LDAP_FILTER_NOT:
+               Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+               (void) ber_skip_tag( ber, &len );
+-              err = get_filter( op, ber, &f.f_not, text );
++              err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+               if ( err != LDAP_SUCCESS ) {
+                       break;
+               }
+@@ -311,10 +322,22 @@ get_filter(
+       return( err );
+ }
+ 
++int
++get_filter(
++      Operation *op,
++      BerElement *ber,
++      Filter **filt,
++      const char **text )
++{
++      return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+       Filter **f,
+-      const char **text )
++      const char **text,
++      int depth )
+ {
+       Filter          **new;
+       int             err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+               tag != LBER_DEFAULT;
+               tag = ber_next_element( ber, &len, last ) )
+       {
+-              err = get_filter( op, ber, new, text );
++              err = get_filter0( op, ber, new, text, depth );
+               if ( err != LDAP_SUCCESS )
+                       return( err );
+               new = &(*new)->f_next;
+-- 
+2.26.2
+
[Prev in Thread]
Current Thread
[Next in Thread]
branch master updated: gnu: openldap: Fix CVE-2020-12243., guix-commits <=
Prev by Date: branch master updated: gnu: valgrind: Update source uri.
Next by Date: 01/02: gnu: elfutils: Skip tests on powerpc.
Previous by thread: branch master updated: gnu: valgrind: Update source uri.
Next by thread: branch wip-ppc updated (93fd923 -> 4fd649d)
Index(es):
- Date
- Thread