[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'ubuntu-precise'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Tue Aug 6 12:59:12 UTC 2013
debian/changelog | 7 +
debian/patches/fix-CVE-2013-0312.diff | 238 ++++++++++++++++++++++++++++++++++
debian/patches/series | 1
3 files changed, 246 insertions(+)
New commits:
commit 379030b784b3288cb44aaf86655b160966166f91
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 17 21:25:40 2013 +0300
fix-CVE-2013-0312.diff: Unauthenticated denial of service vulnerability in handling of LDAPv3 control data.
diff --git a/debian/changelog b/debian/changelog
index 7fbeb9f..f4fd995 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+389-ds-base (1.2.10.4-0ubuntu3.2) UNRELEASED; urgency=low
+
+ * fix-CVE-2013-0312.diff: Unauthenticated denial of service vulnerability
+ in handling of LDAPv3 control data.
+
+ -- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 17 Apr 2013 21:22:07 +0300
+
389-ds-base (1.2.10.4-0ubuntu3.1) precise; urgency=low
* 389-ds-base.config: Removed, there is no debconf template.
diff --git a/debian/patches/fix-CVE-2013-0312.diff b/debian/patches/fix-CVE-2013-0312.diff
new file mode 100644
index 0000000..2533af4
--- /dev/null
+++ b/debian/patches/fix-CVE-2013-0312.diff
@@ -0,0 +1,238 @@
+commit 36425a3d5875a05ee812c293b50eb0da44d8d39e
+Author: Mark Reynolds <mreynolds at redhat.com>
+Date: Mon Mar 11 15:35:22 2013 -0400
+
+ Ticket 571 - server does not accept 0 length LDAP Control sequence
+
+ Bug Description: If we receive an incorrect control, with non NULL bv_val but
+ bv_len=0, it can trigger a crash. This bug occurs because
+ of a call of openldap ber_init with such incorrect control.
+
+ Fix Description: Before calling ber_init, check that the control length is not 0.
+
+ https://fedorahosted.org/389/ticket/571
+
+ Reviewed by richm(Thanks!)
+
+--- a/ldap/servers/plugins/chainingdb/cb_controls.c
++++ b/ldap/servers/plugins/chainingdb/cb_controls.c
+@@ -220,10 +220,8 @@ int cb_update_controls( Slapi_PBlock * p
+ ctrls[dCount]=slapi_dup_control(reqControls[cCount]);
+ dCount++;
+
+- } else
+- if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) &&
+- reqControls[cCount]->ldctl_value.bv_val) {
+-
++ } else if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) &&
++ BV_HAS_DATA((&(reqControls[cCount]->ldctl_value)))) {
+ /* Max hop count reached ? */
+ /* Checked earlier by a call to cb_forward_operation() */
+
+--- a/ldap/servers/plugins/chainingdb/cb_utils.c
++++ b/ldap/servers/plugins/chainingdb/cb_utils.c
+@@ -148,7 +148,7 @@ int cb_forward_operation(Slapi_PBlock *
+ int iscritical=0;
+
+ if (slapi_control_present(ctrls,CB_LDAP_CONTROL_CHAIN_SERVER,&ctl_value,&iscritical) &&
+- ctl_value && ctl_value->bv_val) {
++ BV_HAS_DATA(ctl_value)) {
+
+ /* Decode control data */
+ /* hop INTEGER (0 .. maxInt) */
+--- a/ldap/servers/plugins/deref/deref.c
++++ b/ldap/servers/plugins/deref/deref.c
+@@ -380,7 +380,7 @@ deref_parse_ctrl_value(DerefSpecList *sp
+
+ PR_ASSERT(ctrlbv && ctrlbv->bv_val && ctrlbv->bv_len && ldapcode && ldaperrtext);
+
+- if (!ctrlbv || !ctrlbv->bv_val) {
++ if (!BV_HAS_DATA(ctrlbv)) {
+ *ldapcode = LDAP_PROTOCOL_ERROR;
+ *ldaperrtext = "Empty deref control value";
+ return;
+--- a/ldap/servers/plugins/dna/dna.c
++++ b/ldap/servers/plugins/dna/dna.c
+@@ -1695,7 +1695,7 @@ static int dna_request_range(struct conf
+ }
+
+ /* Parse response */
+- if (responsedata && responsedata->bv_val) {
++ if (BV_HAS_DATA(responsedata)) {
+ respber = ber_init(responsedata);
+ if (ber_scanf(respber, "{aa}", &lower_str, &upper_str) == LBER_ERROR) {
+ ret = LDAP_PROTOCOL_ERROR;
+@@ -3272,14 +3272,15 @@ static int dna_extend_exop(Slapi_PBlock
+
+ /* Fetch the request data */
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &reqdata);
+- if (!reqdata || !reqdata->bv_val) {
++ if (!BV_HAS_DATA(reqdata)) {
+ slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
+ "dna_extend_exop: No request data received.\n");
+ goto free_and_return;
+ }
+
+ /* decode the exop */
+- if ((reqdata->bv_val == NULL) || (tmp_bere = ber_init(reqdata)) == NULL) {
++ tmp_bere = ber_init(reqdata);
++ if (tmp_bere == NULL) {
+ goto free_and_return;
+ }
+
+--- a/ldap/servers/plugins/replication/repl5_total.c
++++ b/ldap/servers/plugins/replication/repl5_total.c
+@@ -726,10 +726,10 @@ decode_total_update_extop(Slapi_PBlock *
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+
+- if (NULL == extop_oid ||
++ if ((NULL == extop_oid) ||
+ ((strcmp(extop_oid, REPL_NSDS50_REPLICATION_ENTRY_REQUEST_OID) != 0) &&
+- (strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) ||
+- NULL == extop_value || NULL == extop_value->bv_val)
++ (strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) ||
++ !BV_HAS_DATA(extop_value))
+ {
+ /* Bogus */
+ goto loser;
+--- a/ldap/servers/plugins/replication/repl_controls.c
++++ b/ldap/servers/plugins/replication/repl_controls.c
+@@ -216,7 +216,7 @@ decode_NSDS50ReplUpdateInfoControl(LDAPC
+ if (slapi_control_present(controlsp, REPL_NSDS50_UPDATE_INFO_CONTROL_OID,
+ &ctl_value, &iscritical))
+ {
+- if ((ctl_value->bv_val == NULL) || (tmp_bere = ber_init(ctl_value)) == NULL)
++ if (!BV_HAS_DATA(ctl_value) || (tmp_bere = ber_init(ctl_value)) == NULL)
+ {
+ rc = -1;
+ goto loser;
+--- a/ldap/servers/plugins/replication/repl_extop.c
++++ b/ldap/servers/plugins/replication/repl_extop.c
+@@ -339,10 +339,10 @@ decode_startrepl_extop(Slapi_PBlock *pb,
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+
+- if (NULL == extop_oid ||
++ if ((NULL == extop_oid) ||
+ ((strcmp(extop_oid, REPL_START_NSDS50_REPLICATION_REQUEST_OID) != 0) &&
+- (strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) ||
+- NULL == extop_value || NULL == extop_value->bv_val)
++ (strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) ||
++ !BV_HAS_DATA(extop_value))
+ {
+ /* bogus */
+ rc = -1;
+@@ -476,9 +476,9 @@ decode_endrepl_extop(Slapi_PBlock *pb, c
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+
+- if (NULL == extop_oid ||
+- strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0 ||
+- NULL == extop_value || NULL == extop_value->bv_val)
++ if ((NULL == extop_oid) ||
++ (strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0) ||
++ !BV_HAS_DATA(extop_value))
+ {
+ /* bogus */
+ rc = -1;
+@@ -541,8 +541,8 @@ decode_repl_ext_response(struct berval *
+ PR_ASSERT(NULL != response_code);
+ PR_ASSERT(NULL != ruv_bervals);
+
+- if (NULL == bvdata || NULL == response_code || NULL == ruv_bervals ||
+- NULL == data_guid || NULL == data || NULL == bvdata->bv_val)
++ if ((NULL == response_code) || (NULL == ruv_bervals) ||
++ (NULL == data_guid) || (NULL == data) || !BV_HAS_DATA(bvdata))
+ {
+ return_value = -1;
+ }
+--- a/ldap/servers/plugins/replication/windows_private.c
++++ b/ldap/servers/plugins/replication/windows_private.c
+@@ -680,6 +680,13 @@ void windows_private_update_dirsync_cont
+ dirsync = slapi_dup_control( controls[i-1]);
+ }
+
++ if (!dirsync || !BV_HAS_DATA((&(dirsync->ldctl_value)))) {
++#ifdef FOR_DEBUGGING
++ return_value = LDAP_CONTROL_NOT_FOUND;
++#endif
++ goto choke;
++ }
++
+ ber = ber_init( &dirsync->ldctl_value ) ;
+
+ if (ber_scanf( ber, "{iiO}", &hasMoreData, &maxAttributeCount, &serverCookie) == LBER_ERROR)
+--- a/ldap/servers/slapd/back-ldbm/sort.c
++++ b/ldap/servers/slapd/back-ldbm/sort.c
+@@ -299,15 +299,14 @@ int parse_sort_spec(struct berval *sort_
+ char *matchrule = NULL;
+ int rc = LDAP_SUCCESS;
+
+- if (NULL == sort_spec_ber->bv_val) {
++ if (!BV_HAS_DATA(sort_spec_ber)) {
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+ ber = ber_init(sort_spec_ber);
+- if(ber==NULL)
+- {
+- return -1;
+- }
++ if (ber == NULL) {
++ return -1;
++ }
+
+ /* Work our way along the BER, one sort spec at a time */
+ for ( tag = ber_first_element( ber, &len, &last ); !term_tag(tag); tag = ber_next_element( ber, &len, last )) {
+--- a/ldap/servers/slapd/back-ldbm/vlv.c
++++ b/ldap/servers/slapd/back-ldbm/vlv.c
+@@ -1866,11 +1866,11 @@ vlv_parse_request_control( backend *be,
+ */
+ BerElement *ber = NULL;
+ int return_value = LDAP_SUCCESS;
+-
++
+ vlvp->value.bv_len = 0;
+ vlvp->value.bv_val = NULL;
+
+- if (NULL == vlv_spec_ber->bv_val)
++ if (!BV_HAS_DATA(vlv_spec_ber))
+ {
+ return_value= LDAP_OPERATIONS_ERROR;
+ return return_value;
+--- a/ldap/servers/slapd/passwd_extop.c
++++ b/ldap/servers/slapd/passwd_extop.c
+@@ -538,7 +538,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
+ /* Get the ber value of the extended operation */
+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+
+- if (extop_value->bv_val == NULL)
++ if (!BV_HAS_DATA(extop_value))
+ {
+ /* The request field wasn't provided. We'll
+ * now try to determine the userid and verify
+--- a/ldap/servers/slapd/proxyauth.c
++++ b/ldap/servers/slapd/proxyauth.c
+@@ -96,7 +96,7 @@ parse_LDAPProxyAuth(struct berval *spec_
+ break;
+ }
+
+- if ( !spec_ber || !spec_ber->bv_val ) {
++ if (!BV_HAS_DATA(spec_ber)) {
+ break;
+ }
+
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -106,6 +106,10 @@ NSPR_API(PRUint32) PR_fprintf(struct PRF
+ #define BERLEN_T "u"
+ #endif
+
++/* Common check on berval before accessing the contents. */
++/* bv is a struct berval *bv */
++#define BV_HAS_DATA(bv) ((bv != NULL) && (bv->bv_len > 0) && (bv->bv_val != NULL))
++
+ /*
+ * The slapi_attr_get_flags() routine returns a bitmap that contains one or
+ * more of these values.
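Review bot: The return value of `ber_init()` is still passed to `ber_scanf()` unchecked in two places this patch touches: `respber` in the dna_request_range hunk of dna.c, and `ber` in the windows_private.c hunk, directly after the new `BV_HAS_DATA` guard. The same patch treats a NULL return as possible in dna_extend_exop and parse_sort_spec, so a failed `ber_init()` would presumably still reach the decoder with a NULL element in these two functions. Adding `if (ber == NULL) goto choke;` and an equivalent `respber == NULL` test in dna.c would close that, provided the `choke` cleanup, which lies outside the hunk, tolerates a NULL `ber`. Separately, the new macro in slapi-plugin.h does not parenthesize its argument and evaluates it three times, which is why callers have to write `BV_HAS_DATA((&(dirsync->ldctl_value)))`. Defining it as `#define BV_HAS_DATA(bv) (((bv) != NULL) && ((bv)->bv_len > 0) && ((bv)->bv_val != NULL))` removes the need for the doubled parentheses in a header that plugins include.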
diff --git a/debian/patches/series b/debian/patches/series
index 1ceb200..14d1cec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
default_user
format-security.diff
+fix-CVE-2013-0312.diff