rpms/openldap/F-12 openldap-2.4.19-modrdn-segfault.patch, NONE, 1.1 openldap.spec, 1.159, 1.160

jvcelak jvcelak at fedoraproject.org
Tue Jul 20 17:17:23 UTC 2010


Author: jvcelak

Update of /cvs/pkgs/rpms/openldap/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv30338

Modified Files:
	openldap.spec 
Added Files:
	openldap-2.4.19-modrdn-segfault.patch 
Log Message:
CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)


openldap-2.4.19-modrdn-segfault.patch:
 dn.c          |   11 ++++++-----
 modrdn.c      |    9 ++++++++-
 schema_init.c |    3 ++-
 3 files changed, 16 insertions(+), 7 deletions(-)

--- NEW FILE openldap-2.4.19-modrdn-segfault.patch ---
bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free
bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference

diff -ru openldap-2.4.19.old/servers/slapd/dn.c openldap-2.4.19.new/servers/slapd/dn.c
--- openldap-2.4.19.old/servers/slapd/dn.c	2009-08-13 01:38:56.000000000 +0200
+++ openldap-2.4.19.new/servers/slapd/dn.c	2010-07-20 18:42:20.065806556 +0200
@@ -302,16 +302,13 @@
 		ava->la_attr = ad->ad_cname;
 
 		if( ava->la_flags & LDAP_AVA_BINARY ) {
-			if( ava->la_value.bv_len == 0 ) {
-				/* BER encoding is empty */
-				return LDAP_INVALID_SYNTAX;
-			}
+			/* AVA is binary encoded, not supported */
+			return LDAP_INVALID_SYNTAX;
 
 			/* Do not allow X-ORDERED 'VALUES' naming attributes */
 		} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
 			return LDAP_INVALID_SYNTAX;
 
-			/* AVA is binary encoded, don't muck with it */
 		} else if( flags & SLAP_LDAPDN_PRETTY ) {
 			transf = ad->ad_type->sat_syntax->ssyn_pretty;
 			if( !transf ) {
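Review bot: The binary branch now returns LDAP_INVALID_SYNTAX for every AVA flagged LDAP_AVA_BINARY, whereas the removed lines rejected only the zero-length case and let other binary values through untouched ("don't muck with it"). That is a client-visible tightening which neither the patch header nor the %changelog entry mentions, so the comment should give the reason, for example `/* AVA is binary encoded; it cannot be validated or normalized here, so reject it instead of passing it through */`. That rationale is inferred and should be confirmed against the upstream change. The leftover `/* Do not allow X-ORDERED 'VALUES' naming attributes */` comment now sits directly after an unconditional return and would read better inside the `else if` body it describes. The enclosing function starts and ends outside this hunk.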
@@ -379,6 +376,10 @@
 			ava->la_value = bv;
 			ava->la_flags |= LDAP_AVA_FREE_VALUE;
 		}
+		/* reject empty values */
+		if (!ava->la_value.bv_len) {
+			return LDAP_INVALID_SYNTAX;
+		}
 	}
 	rc = LDAP_SUCCESS;
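Review bot: The `/* reject empty values */` comment does not say why the test sits at the end of the loop body rather than before the value is transformed. Placed here it also catches a value that becomes empty only after the pretty/normalize step has rewritten it, which is worth stating: `/* reject empty values, including ones left empty by the pretty/normalize step above */`. The transform call is outside this hunk, so please confirm that the syntax routines tolerate a zero-length input, because they would still see it before this check runs. The early return also leaves a value that may already carry LDAP_AVA_FREE_VALUE for the caller to release; a short note on that ownership would help.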
 
diff -ru openldap-2.4.19.old/servers/slapd/modrdn.c openldap-2.4.19.new/servers/slapd/modrdn.c
--- openldap-2.4.19.old/servers/slapd/modrdn.c	2009-01-22 01:01:01.000000000 +0100
+++ openldap-2.4.19.new/servers/slapd/modrdn.c	2010-07-20 18:42:20.065806556 +0200
@@ -445,12 +445,19 @@
 		mod_tmp->sml_values[1].bv_val = NULL;
 		if( desc->ad_type->sat_equality->smr_normalize) {
 			mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
-			(void) (*desc->ad_type->sat_equality->smr_normalize)(
+			rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
 				SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
 				desc->ad_type->sat_syntax,
 				desc->ad_type->sat_equality,
 				&mod_tmp->sml_values[0],
 				&mod_tmp->sml_nvalues[0], NULL );
+			if (rs->sr_err != LDAP_SUCCESS) {
+				ch_free(mod_tmp->sml_nvalues);
+				ch_free(mod_tmp->sml_values[0].bv_val);
+				ch_free(mod_tmp->sml_values);
+				ch_free(mod_tmp);
+				goto done;
+			}
 			mod_tmp->sml_nvalues[1].bv_val = NULL;
 		} else {
 			mod_tmp->sml_nvalues = NULL;
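Review bot: `sml_nvalues` still comes from `ch_malloc`, so `sml_nvalues[0]` holds indeterminate bytes whenever `smr_normalize` fails. The new error branch is safe only because it frees the array itself and never touches `sml_nvalues[0].bv_val`. Zeroing the array would keep any later cleanup path safe as well: `mod_tmp->sml_nvalues = ( BerVarray )ch_calloc( 2, sizeof( struct berval ) );`. The branch jumps to `done` with only `rs->sr_err` set, so if the code at that label (outside this hunk) sends the result, setting `rs->sr_text` first would give the client and the log a reason. Any other `smr_normalize` call in this function whose result is still discarded would need the same check; none is visible here.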
diff -ru openldap-2.4.19.old/servers/slapd/schema_init.c openldap-2.4.19.new/servers/slapd/schema_init.c
--- openldap-2.4.19.old/servers/slapd/schema_init.c	2009-08-13 02:35:54.000000000 +0200
+++ openldap-2.4.19.new/servers/slapd/schema_init.c	2010-07-20 18:42:20.069806353 +0200
@@ -1732,8 +1732,9 @@
 		? LDAP_UTF8_APPROX : 0;
 
 	val = UTF8bvnormalize( val, &tmp, flags, ctx );
+	/* out of memory or syntax error, the former is unlikely */
 	if( val == NULL ) {
-		return LDAP_OTHER;
+		return LDAP_INVALID_SYNTAX;
 	}
 	
 	/* collapse spaces (in place) */
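Review bot: A NULL return from `UTF8bvnormalize` is now always reported as LDAP_INVALID_SYNTAX, although the added comment itself says it can also mean out of memory, so an allocation failure would be blamed on the client's value. If the two cases cannot be told apart through this call, the comment should record that the mapping is deliberate, e.g. `/* NULL is invalid UTF-8 or (rarely) allocation failure; report a syntax error so callers reject the value */`. The enclosing function starts and ends outside this hunk.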


Index: openldap.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openldap/F-12/openldap.spec,v
retrieving revision 1.159
retrieving revision 1.160
diff -u -p -r1.159 -r1.160
--- openldap.spec	25 Jun 2010 22:34:11 -0000	1.159
+++ openldap.spec	20 Jul 2010 17:17:23 -0000	1.160
@@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -37,6 +37,7 @@ Patch10: openldap-2.4.6-multilib.patch
 Patch11: openldap-2.4.16-doc-cacertdir.patch
 Patch12: openldap-2.4.19-tls-accept.patch
 Patch13: openldap-2.4.19-dn2id-segfault.patch
+Patch14: openldap-2.4.19-modrdn-segfault.patch
 
 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@@ -134,6 +135,7 @@ pushd openldap-%{version}
 %patch11 -p1 -b .cacertdir
 %patch12 -p1 -b .tls-accept
 %patch13 -p1 -b .segfault
+%patch14 -p1 -b .modrdn-segfault
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@@ -635,6 +637,10 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Tue Jul 20 2010 Jan Vcelak <jvcelak at redhat.com> - 2.4.19-6
+- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
+- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)
+
 * Fri Jun 25 2010 Jan Zeleny <jzeleny at redhat.com> - 2.4.19-5
 - fixed regression caused by tls accept patch
 - updated autofs schema (#587722)


