main/openldap: security fix (CVE-2012-1164)

fixes #1320

main/openldap: security fix (CVE-2012-1164)
a751b31b · Natanael Copa · 4d1843c3 · a751b31b · a751b31b
Commit a751b31b authored 12 years ago by Natanael Copa
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openldap
 pkgver=2.4.24
-pkgrel=1
+pkgrel=2
 pkgdesc="LDAP Server"
 url="http://www.openldap.org/"
 license="custom"
@@ -17,6 +17,7 @@ source="ftp://ftp.$pkgname.org/pub/OpenLDAP/$pkgname-release/$pkgname-$pkgver.tg
 	openldap-2.4-ppolicy.patch
 	openldap-2.4.11-libldap_r.patch
 	cve-2011-4079.patch
+	openldap-cve-assertion-processing-search-queries.patch
 	slapd.initd
 	slapd.confd
 	slurpd.initd
@@ -99,6 +100,7 @@ md5sums="116fe1e23a7b67686d5e62274367e6c0  openldap-2.4.24.tgz
 2524e490ba334a760fa57057c16da7a9  openldap-2.4-ppolicy.patch
 d19d0502f046078ecd737e29e7552fa8  openldap-2.4.11-libldap_r.patch
 967d86fbfdbf9054b722f23323751fc9  cve-2011-4079.patch
+4f71dd299204ab338c33a17594934466  openldap-cve-assertion-processing-search-queries.patch
 a729bf553d12b4a9fbda0ff5202a0443  slapd.initd
 b672311fca605c398240cd37a2ae080a  slapd.confd
 fa5ce0005ef5f1160b6ff126f97aaa1a  slurpd.initd"
--- a/main/openldap/openldap-cve-assertion-processing-search-queries.patch
+++ b/main/openldap/openldap-cve-assertion-processing-search-queries.patch
+Assertion failure by processing search queries requesting only attributes for particular entry
+
+Upstream ITS: #7143
+Upstream commit: ef2f526 430256f 463c1fa
+Resolves: #802514 (CVE-2012-1164)
+
+diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c
+index 51f5075..bfc717c 100644
+--- a/servers/slapd/attr.c
+++ b/servers/slapd/attr.c
+@@ -232,13 +232,16 @@ attr_dup2( Attribute *tmp, Attribute *a )
+ 		if ( a->a_nvals != a->a_vals ) {
+ 
+ 			tmp->a_nvals = ch_malloc( (tmp->a_numvals + 1) * sizeof(struct berval) );
+-			for ( j = 0; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
+-				assert( j < i );
+-				ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
+-				if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
+-				/* FIXME: error? */
+			j = 0;
+			if ( i ) {
+				for ( ; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
+					assert( j < i );
+					ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
+					if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
+					/* FIXME: error? */
+				}
+				assert( j == i );
+ 			}
+-			assert( j == i );
+ 			BER_BVZERO( &tmp->a_nvals[j] );
+ 
+ 		} else {
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index c724be2..0c78e80 100644
+--- a/servers/slapd/overlays/rwm.c
+++ b/servers/slapd/overlays/rwm.c
+@@ -1276,7 +1276,13 @@ rwm_attrs( Operation *op, SlapReply *rs, Attribute** a_first, int stripEntryDN )
+ 								NULL );
+ 
+ 							if ( rc != LDAP_SUCCESS ) {
+-								BER_BVZERO( &(*ap)->a_nvals[i] );
+								/* FIXME: this is wrong, putting a non-normalized value
+								 * into nvals. But when a proxy sends us bogus data,
+								 * we still need to give it to the client, even if it
+								 * violates the syntax. I.e., we don't want to silently
+								 * drop things and trigger an apparent data loss.
+								 */
+								ber_dupbv( &(*ap)->a_nvals[i], &(*ap)->a_vals[i] );
+ 							}
+ 						}
+ 						BER_BVZERO( &(*ap)->a_nvals[i] );