[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'ubuntu'

Timo Aaltonen tjaalton-guest at alioth.debian.org
Tue Mar 12 07:53:18 UTC 2013


 VERSION.sh                            |    2 
 debian/changelog                      |   73 ---------
 debian/patches/fix-CVE-2013-0312.diff |  274 ++++++++++++++++++++++++++++++++++
 debian/patches/series                 |    1 
 ldap/servers/slapd/dse.c              |   32 +--
 ldap/servers/slapd/pw.c               |    8 
 6 files changed, 300 insertions(+), 90 deletions(-)

New commits:
commit 5c84826c3dde546e2408d7763ad4b19f35d1e483
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Mon Mar 11 14:23:38 2013 +0200

    releasing version 1.3.0.3-1

diff --git a/debian/changelog b/debian/changelog
index d4eb84d..8460a03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,10 @@
-389-ds-base (1.3.0.3-1) UNRELEASED; urgency=low
+389-ds-base (1.3.0.3-1) unstable; urgency=low
 
   * New upstream release.
   * control: Bump the policy to 3.9.4, no changes.
   * fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.
 
- -- Timo Aaltonen <tjaalton at ubuntu.com>  Tue, 11 Dec 2012 14:34:01 +0200
+ -- Timo Aaltonen <tjaalton at ubuntu.com>  Mon, 11 Mar 2013 14:23:20 +0200
 
 389-ds-base (1.2.11.17-1) UNRELEASED; urgency=low
 

commit 9d8f66ed4edc9790c3e9702f7fbeda41c4cef37b
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Mon Mar 11 14:19:25 2013 +0200

    fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.

diff --git a/debian/changelog b/debian/changelog
index 88c878c..d4eb84d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@
 
   * New upstream release.
   * control: Bump the policy to 3.9.4, no changes.
+  * fix-CVE-2013-0312.diff: Patch to fix handling LDAPv3 control data.
 
  -- Timo Aaltonen <tjaalton at ubuntu.com>  Tue, 11 Dec 2012 14:34:01 +0200
 
diff --git a/debian/patches/fix-CVE-2013-0312.diff b/debian/patches/fix-CVE-2013-0312.diff
new file mode 100644
index 0000000..15db862
--- /dev/null
+++ b/debian/patches/fix-CVE-2013-0312.diff
@@ -0,0 +1,274 @@
+From: Noriko Hosoi <nhosoi at redhat.com>
+Date: Fri, 22 Feb 2013 14:40:46 -0800
+Subject: [PATCH] Bugzilla 912964 - bug in handling of LDAPv3 control data
+
+Bug Description:
+If we receive an incorrect control, with non NULL bv_val but
+bv_len=0, it can trigger a crash.  This bug occurs because
+of a call of openldap ber_init with such incorrect control.
+
+Fix Description:
+Before calling ber_init, check that the control lenght is not 0.
+
+Note: checking in the patch on behalf of "Thierry bordaz"
+<tbordaz at redhat.com>
+
+https://bugzilla.redhat.com/show_bug.cgi?id=913228
+
+Reviewed by: rmeggins at redhat.com, nhosoi at redhat.com
+
+Platforms tested: Fedora 18, RHEL 6.4 (RHDS6.4)
+
+Flag Day: no
+
+Doc impact: possibly document a security bug
+---
+ ldap/servers/plugins/chainingdb/cb_controls.c      |  6 ++----
+ ldap/servers/plugins/chainingdb/cb_utils.c         |  2 +-
+ ldap/servers/plugins/deref/deref.c                 |  2 +-
+ ldap/servers/plugins/dna/dna.c                     |  7 ++++---
+ ldap/servers/plugins/replication/repl5_total.c     |  6 +++---
+ ldap/servers/plugins/replication/repl_controls.c   |  2 +-
+ ldap/servers/plugins/replication/repl_extop.c      | 21 +++++++++++++--------
+ ldap/servers/plugins/replication/windows_private.c |  7 +++++++
+ ldap/servers/slapd/back-ldbm/sort.c                |  9 ++++-----
+ ldap/servers/slapd/back-ldbm/vlv.c                 |  4 ++--
+ ldap/servers/slapd/passwd_extop.c                  |  2 +-
+ ldap/servers/slapd/proxyauth.c                     |  2 +-
+ ldap/servers/slapd/slapi-plugin.h                  |  4 ++++
+ 13 files changed, 44 insertions(+), 30 deletions(-)
+
+--- a/ldap/servers/plugins/chainingdb/cb_controls.c
++++ b/ldap/servers/plugins/chainingdb/cb_controls.c
+@@ -220,10 +220,8 @@ int cb_update_controls( Slapi_PBlock * p
+             ctrls[dCount]=slapi_dup_control(reqControls[cCount]);
+             dCount++;
+ 
+-        } else
+-            if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) &&
+-                reqControls[cCount]->ldctl_value.bv_val) {
+-
++        } else if (!strcmp(reqControls[cCount]->ldctl_oid,CB_LDAP_CONTROL_CHAIN_SERVER) &&
++                   BV_HAS_DATA((&(reqControls[cCount]->ldctl_value)))) {
+             /* Max hop count reached ?                 */
+             /* Checked earlier by a call to cb_forward_operation()  */
+ 
+--- a/ldap/servers/plugins/chainingdb/cb_utils.c
++++ b/ldap/servers/plugins/chainingdb/cb_utils.c
+@@ -148,7 +148,7 @@ int cb_forward_operation(Slapi_PBlock *
+ 		int iscritical=0;
+ 
+ 		if (slapi_control_present(ctrls,CB_LDAP_CONTROL_CHAIN_SERVER,&ctl_value,&iscritical) &&
+-			ctl_value && ctl_value->bv_val) {
++			BV_HAS_DATA(ctl_value)) {
+ 
+ 			/* Decode control data 			*/
+ 			/* hop           INTEGER (0 .. maxInt) 	*/
+--- a/ldap/servers/plugins/deref/deref.c
++++ b/ldap/servers/plugins/deref/deref.c
+@@ -380,7 +380,7 @@ deref_parse_ctrl_value(DerefSpecList *sp
+ 
+     PR_ASSERT(ctrlbv && ctrlbv->bv_val && ctrlbv->bv_len && ldapcode && ldaperrtext);
+ 
+-    if (!ctrlbv || !ctrlbv->bv_val) {
++    if (!BV_HAS_DATA(ctrlbv)) {
+         *ldapcode = LDAP_PROTOCOL_ERROR;
+         *ldaperrtext = "Empty deref control value";
+         return;
+--- a/ldap/servers/plugins/dna/dna.c
++++ b/ldap/servers/plugins/dna/dna.c
+@@ -1653,7 +1653,7 @@ static int dna_request_range(struct conf
+     }
+ 
+     /* Parse response */
+-    if (responsedata && responsedata->bv_val) {
++    if (BV_HAS_DATA(responsedata)) {
+         respber = ber_init(responsedata);
+         if (ber_scanf(respber, "{aa}", &lower_str, &upper_str) == LBER_ERROR) {
+             ret = LDAP_PROTOCOL_ERROR;
+@@ -3715,14 +3715,15 @@ static int dna_extend_exop(Slapi_PBlock
+ 
+     /* Fetch the request data */
+     slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &reqdata);
+-    if (!reqdata || !reqdata->bv_val) {
++    if (!BV_HAS_DATA(reqdata)) {
+         slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
+                         "dna_extend_exop: No request data received.\n");
+         goto free_and_return;
+     }
+ 
+     /* decode the exop */
+-    if ((reqdata->bv_val == NULL) || (tmp_bere = ber_init(reqdata)) == NULL) {
++    tmp_bere = ber_init(reqdata);
++    if (tmp_bere == NULL) {
+         goto free_and_return;
+     }
+ 
+--- a/ldap/servers/plugins/replication/repl5_total.c
++++ b/ldap/servers/plugins/replication/repl5_total.c
+@@ -726,10 +726,10 @@ decode_total_update_extop(Slapi_PBlock *
+ 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
+ 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+ 
+-	if (NULL == extop_oid ||
++	if ((NULL == extop_oid) || 
+ 		((strcmp(extop_oid, REPL_NSDS50_REPLICATION_ENTRY_REQUEST_OID) != 0) && 
+-		(strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) ||
+-		NULL == extop_value || NULL == extop_value->bv_val)
++		 (strcmp(extop_oid, REPL_NSDS71_REPLICATION_ENTRY_REQUEST_OID) != 0)) ||
++		!BV_HAS_DATA(extop_value))
+ 	{
+ 		/* Bogus */
+ 		goto loser;
+--- a/ldap/servers/plugins/replication/repl_controls.c
++++ b/ldap/servers/plugins/replication/repl_controls.c
+@@ -216,7 +216,7 @@ decode_NSDS50ReplUpdateInfoControl(LDAPC
+ 	if (slapi_control_present(controlsp, REPL_NSDS50_UPDATE_INFO_CONTROL_OID,
+ 	    &ctl_value, &iscritical))
+ 	{
+-		if ((ctl_value->bv_val == NULL) || (tmp_bere = ber_init(ctl_value)) == NULL)
++		if (!BV_HAS_DATA(ctl_value) || (tmp_bere = ber_init(ctl_value)) == NULL)
+ 		{
+ 			rc = -1;
+ 			goto loser;
+--- a/ldap/servers/plugins/replication/repl_extop.c
++++ b/ldap/servers/plugins/replication/repl_extop.c
+@@ -343,10 +343,10 @@ decode_startrepl_extop(Slapi_PBlock *pb,
+ 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
+ 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+ 
+-	if (NULL == extop_oid ||
++	if ((NULL == extop_oid) ||
+ 		((strcmp(extop_oid, REPL_START_NSDS50_REPLICATION_REQUEST_OID) != 0) &&
+-		(strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) ||
+-		NULL == extop_value || NULL == extop_value->bv_val)
++		 (strcmp(extop_oid, REPL_START_NSDS90_REPLICATION_REQUEST_OID) != 0)) ||
++		!BV_HAS_DATA(extop_value))
+ 	{
+ 		/* bogus */
+ 		rc = -1;
+@@ -480,9 +480,9 @@ decode_endrepl_extop(Slapi_PBlock *pb, c
+ 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &extop_oid);
+ 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+ 
+-	if (NULL == extop_oid ||
+-		strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0 ||
+-		NULL == extop_value || NULL == extop_value->bv_val)
++	if ((NULL == extop_oid) || 
++	    (strcmp(extop_oid, REPL_END_NSDS50_REPLICATION_REQUEST_OID) != 0) ||
++	    !BV_HAS_DATA(extop_value))
+ 	{
+ 		/* bogus */
+ 		rc = -1;
+@@ -545,8 +545,8 @@ decode_repl_ext_response(struct berval *
+ 	PR_ASSERT(NULL != response_code);
+ 	PR_ASSERT(NULL != ruv_bervals);
+ 
+-	if (NULL == bvdata || NULL == response_code || NULL == ruv_bervals ||
+-		NULL == data_guid || NULL == data || NULL == bvdata->bv_val)
++	if ((NULL == response_code) || (NULL == ruv_bervals) ||
++	    (NULL == data_guid) || (NULL == data) || !BV_HAS_DATA(bvdata))
+ 	{
+ 		return_value = -1;
+ 	}
+@@ -1413,6 +1413,11 @@ decode_cleanruv_payload(struct berval *e
+ {
+ 	BerElement *tmp_bere = NULL;
+ 	int rc = 0;
++        
++	if (!BV_HAS_DATA(extop_value)) {
++		rc = -1;
++		goto free_and_return;                    
++	}
+ 
+ 	if ((tmp_bere = ber_init(extop_value)) == NULL){
+ 		rc = -1;
+--- a/ldap/servers/plugins/replication/windows_private.c
++++ b/ldap/servers/plugins/replication/windows_private.c
+@@ -793,6 +793,13 @@ void windows_private_update_dirsync_cont
+ 			dirsync = slapi_dup_control( controls[i-1]);
+ 		}
+ 
++		if (!dirsync || !BV_HAS_DATA((&(dirsync->ldctl_value)))) {
++#ifdef FOR_DEBUGGING
++			return_value = LDAP_CONTROL_NOT_FOUND;
++#endif
++			goto choke;
++		}
++                
+ 		ber = ber_init( &dirsync->ldctl_value ) ;
+ 
+ 		if (ber_scanf( ber, "{iiO}", &hasMoreData, &maxAttributeCount, &serverCookie) == LBER_ERROR)
+--- a/ldap/servers/slapd/back-ldbm/sort.c
++++ b/ldap/servers/slapd/back-ldbm/sort.c
+@@ -299,15 +299,14 @@ int parse_sort_spec(struct berval *sort_
+ 	char *matchrule = NULL;
+ 	int rc = LDAP_SUCCESS;
+ 
+-	if (NULL == sort_spec_ber->bv_val) {
++	if (!BV_HAS_DATA(sort_spec_ber)) {
+ 		return LDAP_PROTOCOL_ERROR;
+ 	}
+ 
+ 	ber = ber_init(sort_spec_ber);
+-    if(ber==NULL)
+-    {
+-        return -1;
+-    }
++	if (ber == NULL) {
++		return -1;
++	}
+ 
+ 	/* Work our way along the BER, one sort spec at a time */
+ 	for ( tag = ber_first_element( ber, &len, &last ); !term_tag(tag); tag = ber_next_element( ber, &len, last )) {
+--- a/ldap/servers/slapd/back-ldbm/vlv.c
++++ b/ldap/servers/slapd/back-ldbm/vlv.c
+@@ -1861,11 +1861,11 @@ vlv_parse_request_control( backend *be,
+    	*/
+     BerElement *ber = NULL;
+     int return_value = LDAP_SUCCESS;
+-	
++
+     vlvp->value.bv_len = 0;
+     vlvp->value.bv_val = NULL;
+ 
+-    if (NULL == vlv_spec_ber->bv_val)
++    if (!BV_HAS_DATA(vlv_spec_ber))
+     {
+         return_value= LDAP_OPERATIONS_ERROR;
+         return return_value;
+--- a/ldap/servers/slapd/passwd_extop.c
++++ b/ldap/servers/slapd/passwd_extop.c
+@@ -534,7 +534,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
+ 	/* Get the ber value of the extended operation */
+ 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
+ 
+-	if (extop_value->bv_val == NULL)
++	if (!BV_HAS_DATA(extop_value))
+ 	{
+ 		/* The request field wasn't provided.  We'll
+ 		 * now try to determine the userid and verify
+--- a/ldap/servers/slapd/proxyauth.c
++++ b/ldap/servers/slapd/proxyauth.c
+@@ -96,7 +96,7 @@ parse_LDAPProxyAuth(struct berval *spec_
+ 		break;
+ 	}
+ 
+-	if ( !spec_ber || !spec_ber->bv_val ) {
++	if (!BV_HAS_DATA(spec_ber)) {
+ 		break;
+ 	}
+ 
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -107,6 +107,10 @@ NSPR_API(PRUint32) PR_fprintf(struct PRF
+ #define BERLEN_T "u"
+ #endif
+ 
++/* Common check on berval before accessing the contents. */
++/* bv is a struct berval *bv */
++#define BV_HAS_DATA(bv) ((bv != NULL) && (bv->bv_len > 0) && (bv->bv_val != NULL))
++
+ /*
+  * The slapi_attr_get_flags() routine returns a bitmap that contains one or
+  * more of these values.
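Review bot: Two call sites in the embedded patch still pass the result of ber_init() straight to ber_scanf() without a NULL test: `respber = ber_init(responsedata);` in dna_request_range and `ber = ber_init( &dirsync->ldctl_value ) ;` in the windows_private.c hunk. dna_extend_exop, parse_sort_spec, decode_cleanruv_payload and the repl_controls.c hunk do test it. BV_HAS_DATA only rules out the empty value, so if ber_init() can still fail (for example on allocation failure), those two paths hand a NULL BerElement to the decoder; I would guard them, e.g. `if (respber == NULL || ber_scanf(respber, "{aa}", &lower_str, &upper_str) == LBER_ERROR) {`. Both functions continue outside the quoted context, so their cleanup paths are not visible here. Separately, the macro added to slapi-plugin.h does not parenthesize its argument, which is why callers have to write `BV_HAS_DATA((&(dirsync->ldctl_value)))`; `#define BV_HAS_DATA(bv) (((bv) != NULL) && ((bv)->bv_len > 0) && ((bv)->bv_val != NULL))` removes that trap for plugin authors using the public header.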
diff --git a/debian/patches/series b/debian/patches/series
index 4c983c0..0d6f971 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 default_user
+fix-CVE-2013-0312.diff

commit db2100ad92414246484755f13643d4eb8ea9677a
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Mon Mar 11 14:15:37 2013 +0200

    bump the version

diff --git a/debian/changelog b/debian/changelog
index baba417..88c878c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-389-ds-base (1.3.0.2-1) UNRELEASED; urgency=low
+389-ds-base (1.3.0.3-1) UNRELEASED; urgency=low
 
   * New upstream release.
   * control: Bump the policy to 3.9.4, no changes.

commit d8da32fc252bfb515c16c1436332a3f918242b99
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Wed Feb 13 15:27:53 2013 -0800

    bump version to 1.3.0.3

diff --git a/VERSION.sh b/VERSION.sh
index 852013d..6391f34 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=3
-VERSION_MAINT=0.2
+VERSION_MAINT=0.3
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel

commit 4dcf155d2b25c15d52a6336790f2e82acb37228e
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Wed Feb 13 14:13:56 2013 -0800

    Ticket #584 - Existence of an entry is not checked when its password is to be deleted
    
    Bug description: When attempting to delete a password from an
    entry, a password syntax checking api check_pw_syntax_ext missed
    a check if the target entry exists or not.  Note: add and replace
    checks it and handles the case correctly.
    
    Fix description: In this patch the check is added to the delete
    case, as well.
    
    Reviewed by Rich (Thank you!!)
    (cherry picked from commit d559d4665b18702b51161a25737b62799d8ef430)

diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 9135a52..b01fb2b 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -777,7 +777,7 @@ int
 check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 			char **old_pw, Slapi_Entry *e, int mod_op, Slapi_Mods *smods)
 {
-   	Slapi_Attr		*attr;
+	Slapi_Attr		*attr;
 	int 			i, pwresponse_req = 0;
 	int				is_replication = 0;
 	int				internal_op = 0;
@@ -794,6 +794,12 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 	 * PASS == 0.
 	 */
 	if (LDAP_MOD_DELETE == (mod_op & LDAP_MOD_OP)) {
+		/* check if the entry exists or not */
+		e = get_entry(pb, dn);
+		if (e == NULL) {
+			return -1;
+		}
+		slapi_entry_free(e); 
 		return 0;
 	}
 	if (NULL == vals) {
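Review bot: The added existence check stores the lookup result in the parameter `e` and then frees it, so an entry passed in by the caller is silently ignored on the delete path and the ownership of `e` becomes hard to follow; a dedicated local such as `Slapi_Entry *found = get_entry(pb, dn);` followed by `slapi_entry_free(found);` keeps that clear. `dn` is not declared in the visible lines, so it is presumably a local derived from `sdn` earlier in check_pw_syntax_ext, whose body continues outside this hunk. The new `return -1` also produces no log line or LDAP result within the hunk; if the function's other failure paths send a result to the client before returning, this one should do the same so a password delete against a missing entry does not end without a response.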

commit ba4b1c6f693cd4b30a061b760fa19921b1eeb79c
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Thu Jan 24 11:02:25 2013 -0500

    Ticket 562 - Crash when deleting suffix
    
    Bug Description:  If you delete a suffix you can crash the server if
                      you do not have a backend "userRoot".
    
    Fix Description:  Not sure why the nsme userroot needs to be present, maybe
                      it impacts the callback linked list order, not sure.  So
                      in dse_call_callback we grab the next callback before
                      calling the callback function.  It's possible that one of
                      these callbacks will unregister other callbacks - potentially
                      the "next" callback that we already put aside.  So it
                      gets freed, and then its read on the next pass which crashes
                      the server.
    
                      The fix is just to not "pre grab" the next callback, and
                      wait until after the callback function returns to move on
                      to the next callback.
    
                      Note:  this only appears to happen on 32-bit platforms.
    
    https://fedorahosted.org/389/ticket/562
    
    Reviewed by: Ludwig & nkinder(Thanks!)
    (cherry picked from commit 6c855a8ce0de3c6b34594856762e68503da433fc)

diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index fd40432..27e71b6 100644
--- a/ldap/servers/slapd/dse.c
+++ b/ldap/servers/slapd/dse.c
@@ -2396,31 +2396,27 @@ dse_call_callback(struct dse* pdse, Slapi_PBlock *pb, int operation, int flags,
     /* ONREPL callbacks can potentially modify pblock parameters like backend
      * which would cause problems during request processing. We need to save 
      * "important" fields before calls and restoring them afterwards */
-    int r = SLAPI_DSE_CALLBACK_OK;
+    int rc = SLAPI_DSE_CALLBACK_OK;
+
     if (pdse->dse_callback != NULL) {
-        struct dse_callback *p;
-        p=pdse->dse_callback; 
-		while (p!=NULL) {
-			struct dse_callback *p_next = p->next;
+        struct dse_callback *p = pdse->dse_callback;
+        int result;
+
+        while (p != NULL) {
             if ((p->operation & operation) && (p->flags & flags)) {
-                if(slapi_sdn_scope_test(slapi_entry_get_sdn_const(entryBefore), p->base, p->scope))
-                {
-                    if(NULL == p->slapifilter ||
-							slapi_vattr_filter_test(pb, entryBefore, p->slapifilter,
-									0 /* !verify access */ )==0)
-                    {
-                        int result= (*p->fn)(pb, entryBefore,entryAfter,returncode,returntext,p->fn_arg);
-                        if(result<r)
-                        {
-                            r= result;
+                if(slapi_sdn_scope_test(slapi_entry_get_sdn_const(entryBefore), p->base, p->scope)){
+                    if(NULL == p->slapifilter || slapi_vattr_filter_test(pb, entryBefore, p->slapifilter, 0) == 0){
+                        result = (*p->fn)(pb, entryBefore,entryAfter,returncode,returntext,p->fn_arg);
+                        if(result < rc){
+                            rc = result;
                         }
-					}
+                    }
                 }
             }
-			p = p_next;
+            p = p->next;
         }
     }
-    return r;
+    return rc;
 }
 
 int
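Review bot: `p = p->next` is now read after `(*p->fn)(...)` has returned, so the walk is only safe if a callback never unregisters its own node. The commit message says callbacks may unregister other callbacks; if one can also remove itself, this line dereferences freed memory, the mirror image of the crash being fixed. Nothing in the hunk holds a lock or a reference on the list while callbacks run, so I would at least record the invariant next to the loop, e.g. `/* fn may unregister other callbacks but must not free p itself: p->next is read after fn returns */`, and consider deferring removals until the walk has finished. dse_call_callback begins above the hunk, so any locking done before the loop or by the caller is not visible here.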


