Commit 8c6e5428 authored by Leonardo Arena's avatar Leonardo Arena

main/ldb: security fix (CVE-2018-1140)

Fixes #9257
parent b8aa48b6
From 3f95957d6de321c803a66f3ec67a8ff09befd16d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 21 May 2018 14:50:50 +1200
Subject: [PATCH] CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in
ldb_sqlite
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
---
ldb_sqlite3/ldb_sqlite3.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
index f94dc993904..0f5abf87547 100644
--- a/ldb_sqlite3/ldb_sqlite3.c
+++ b/ldb_sqlite3/ldb_sqlite3.c
@@ -323,6 +323,9 @@ static char *parsetree_to_sql(struct ldb_module *module,
const char *cdn = ldb_dn_get_casefold(
ldb_dn_new(mem_ctx, ldb,
(const char *)value.data));
+ if (cdn == NULL) {
+ return NULL;
+ }
return lsqlite3_tprintf(mem_ctx,
"SELECT eid FROM ldb_entry "
--
2.18.0
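Review bot: The added `cdn == NULL` check covers a failed `ldb_dn_get_casefold()`, but the context lines just above it still pass the result of `ldb_dn_new(mem_ctx, ldb, (const char *)value.data)` straight into that call without testing it. If `ldb_dn_new()` can return NULL (for example on allocation failure), the new check is only reached if `ldb_dn_get_casefold()` tolerates a NULL dn, which is not visible in this hunk. Splitting the nested call would make the failure path explicit: `struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb, (const char *)value.data);` followed by `if (dn == NULL) return NULL;` before taking the casefold. The body of `parsetree_to_sql` starts and ends outside the hunk, so the other branches of the function could not be checked for the same pattern.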
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ldb
pkgver=1.3.0
pkgrel=0
pkgrel=1
pkgdesc="A schema-less, ldap like, API and database"
url="http://ldb.samba.org/"
arch="all"
......@@ -9,10 +9,15 @@ license="LGPLv3+"
makedepends="$depends_dev tevent-dev py-tevent tdb-dev py-tdb talloc-dev
python2-dev popt-dev cmocka-dev"
subpackages="$pkgname-dev py-$pkgname:_py $pkgname-tools"
source="https://www.samba.org/ftp/pub/ldb/ldb-$pkgver.tar.gz"
source="https://www.samba.org/ftp/pub/ldb/ldb-$pkgver.tar.gz
0001-CVE-2018-1140-ldb-Check-for-ldb_dn_get_casefold-fail.patch
"
builddir="$srcdir"/ldb-$pkgver
# secfixes
# 1.3.0-r1:
# - CVE-2018-1140
build() {
cd "$builddir"
./configure \
......@@ -49,4 +54,5 @@ tools() {
mv "$pkgdir"/usr/lib/ldb/libldb-cmdline.* "$subpkgdir"/usr/lib/ldb/
}
sha512sums="c5afe3c5229cbc35a5715e6ed1faa070dfa3d6b3c0902cc53770373bbc1761ff4ff93aa9b88d5573b9af9925332bb5cebf4a7a129852231f13be33d5cee3a9f8 ldb-1.3.0.tar.gz"
sha512sums="c5afe3c5229cbc35a5715e6ed1faa070dfa3d6b3c0902cc53770373bbc1761ff4ff93aa9b88d5573b9af9925332bb5cebf4a7a129852231f13be33d5cee3a9f8 ldb-1.3.0.tar.gz
e582b6e99f94d566de3259e5585baab25d43613711c501e752971a6180ceac60f4fe2cc0bdfc2f0bf26208cb86cb4c857c16f6645410badf694efa8be10db64f 0001-CVE-2018-1140-ldb-Check-for-ldb_dn_get_casefold-fail.patch"
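Review bot: The `secfixes` entry records CVE-2018-1140 as fixed in 1.3.0-r1, yet the single patch added to `source` only changes `ldb_sqlite3/ldb_sqlite3.c`. If the upstream fix for this CVE spans more than that one commit (the Samba bug linked in the patch header should list them), tooling that reads `secfixes` would treat the package as patched while other code paths stay unchanged. Please check the upstream advisory's patch list against `source` before this entry is relied on. A provenance comment above the `secfixes` block would also help later audits, e.g. `# patch: upstream 3f95957d6de3, samba bug 13374`.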