[openldap/f14/master] various security fixes
jvcelak
jvcelak at fedoraproject.org
Tue Mar 1 12:26:18 UTC 2011
commit ef2177992e327ce47c0a2bca4360bce0104a25dc
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Tue Mar 1 13:09:42 2011 +0100
various security fixes
- CVE-2011-1024 ppolicy forwarded bind failure messages cause success
- CVE-2011-1025 rootpw is not verified for ndb backend
- DoS when submitting special MODRDN request
Resolves: #680466 #680472 #680975
openldap-cve-ndb-bind-rootdn.patch | 26 ++++++++++++++++
openldap-cve-ppolicy-forward-updates.patch | 44 ++++++++++++++++++++++++++++
openldap-security-dos-empty-modrdn.patch | 20 ++++++++++++
openldap.spec | 13 +++++++-
4 files changed, 102 insertions(+), 1 deletions(-)
---
diff --git a/openldap-cve-ndb-bind-rootdn.patch b/openldap-cve-ndb-bind-rootdn.patch
new file mode 100644
index 0000000..c909aac
--- /dev/null
+++ b/openldap-cve-ndb-bind-rootdn.patch
@@ -0,0 +1,26 @@
+(CVE-2011-1025) CVE-2011-1025 openldap: rootpw is not verified with slapd.conf
+
+Resolves: #680472 (tracker)
+Upstream ITS: #6661
+Upstream patch: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ndb/bind.cpp.diff?r1=1.5&r2=1.8
+
+diff -uNPrp openldap-2.4.23/servers/slapd/back-ndb/bind.cpp openldap-2.4.23.fix/servers/slapd/back-ndb/bind.cpp
+--- openldap-2.4.23/servers/slapd/back-ndb/bind.cpp 2010-04-13 22:23:34.000000000 +0200
++++ openldap-2.4.23.fix/servers/slapd/back-ndb/bind.cpp 2011-02-28 15:05:48.014126213 +0100
+@@ -43,11 +43,13 @@ ndb_back_bind( Operation *op, SlapReply
+
+ /* allow noauth binds */
+ switch ( be_rootdn_bind( op, NULL ) ) {
+- case SLAP_CB_CONTINUE:
+- break;
++ case LDAP_SUCCESS:
++ /* frontend will send result */
++ return rs->sr_err = LDAP_SUCCESS;
+
+ default:
+- return rs->sr_err;
++ /* give the database a chance */
++ break;
+ }
+
+ /* Get our NDB handle */
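Review bot: The new `default:` arm now sends every outcome of be_rootdn_bind other than LDAP_SUCCESS — SLAP_CB_CONTINUE and, presumably, a failed rootpw comparison — down the same database-bind path, and the comment `/* give the database a chance */` does not say that a rootpw mismatch is among them. The old `return rs->sr_err` returned a field that be_rootdn_bind cannot have set, since it is called here with a NULL SlapReply, which is what made the wrong rootpw succeed; a reader auditing the CVE-2011-1025 fix has to work that out from outside the hunk. Suggest `/* anything else (not the rootdn, or a rootpw mismatch) falls through to the database bind, which is expected to reject it */` on the default arm. ndb_back_bind's body continues outside the hunk, so the database path itself is not visible here.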
diff --git a/openldap-cve-ppolicy-forward-updates.patch b/openldap-cve-ppolicy-forward-updates.patch
new file mode 100644
index 0000000..936686d
--- /dev/null
+++ b/openldap-cve-ppolicy-forward-updates.patch
@@ -0,0 +1,44 @@
+(CVE-2011-1024) CVE-2011-1024 openldap: forwarded bind failure messages cause success
+
+Resolves: #680466 (tracker)
+Upstream ITS: #6607
+Upstream patch: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77
+
+diff -uNPrp openldap-2.4.23/servers/slapd/back-ldap/chain.c openldap-2.4.23.fix/servers/slapd/back-ldap/chain.c
+--- openldap-2.4.23/servers/slapd/back-ldap/chain.c 2010-04-13 22:23:28.000000000 +0200
++++ openldap-2.4.23.fix/servers/slapd/back-ldap/chain.c 2011-02-28 14:43:16.377111481 +0100
+@@ -854,6 +854,7 @@ ldap_chain_response( Operation *op, Slap
+
+ /* we need this to know if back-ldap returned any result */
+ lb.lb_lc = lc;
++ sc2.sc_next = sc->sc_next;
+ sc2.sc_private = &lb;
+ sc2.sc_response = ldap_chain_cb_response;
+ op->o_callback = &sc2;
+@@ -947,6 +948,7 @@ ldap_chain_response( Operation *op, Slap
+
+ case LDAP_SUCCESS:
+ case LDAP_REFERRAL:
++ sr_err = rs->sr_err;
+ /* slapd-ldap sent response */
+ if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) {
+ /* FIXME: should we send response? */
+@@ -974,7 +976,7 @@ cannot_chain:;
+ default:
+ #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
+ if ( LDAP_CHAIN_RETURN_ERR( lc ) ) {
+- rs->sr_err = rc;
++ sr_err = rs->sr_err = rc;
+ rs->sr_type = sr_type;
+
+ } else {
+@@ -992,7 +994,8 @@ cannot_chain:;
+ }
+
+ if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) {
+- op->o_callback = NULL;
++ /* give the remaining callbacks a chance */
++ op->o_callback = sc->sc_next;
+ rc = rs->sr_err = slap_map_api2result( rs );
+ send_ldap_result( op, rs );
+ }
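Review bot: The line `sc2.sc_next = sc->sc_next;` in the first hunk carries the actual CVE-2011-1024 fix — keeping the caller's callback chain attached so the overlays behind the chain see the forwarded bind's failure — but it has no comment, while the matching `op->o_callback = sc->sc_next;` in the last hunk does. Suggest `/* keep the caller's callbacks chained so they see the chained operation's result */` on it. `sr_err` is assigned in the LDAP_SUCCESS/LDAP_REFERRAL arm and in the LDAP_CHAIN_RETURN_ERR branch, but neither its declaration nor the point where it is written back to rs is inside the hunks, and the `} else {` arm leaves it untouched, so whether a stale value can reach the caller on that path cannot be judged from this page. ldap_chain_response starts and ends outside the hunks.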
diff --git a/openldap-security-dos-empty-modrdn.patch b/openldap-security-dos-empty-modrdn.patch
new file mode 100644
index 0000000..30f939f
--- /dev/null
+++ b/openldap-security-dos-empty-modrdn.patch
@@ -0,0 +1,20 @@
+DoS when submitting special MODRDN request
+
+Resolves: #680975 (tracker)
+Upstream ITS: #6768
+Upstream patch: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?r1=1.170.2.8&r2=1.170.2.9
+
+diff -uNPrp openldap-2.4.23/servers/slapd/modrdn.c openldap-2.4.23.fixed/servers/slapd/modrdn.c
+--- openldap-2.4.23/servers/slapd/modrdn.c 2010-06-10 19:48:07.000000000 +0200
++++ openldap-2.4.23.fixed/servers/slapd/modrdn.c 2011-03-01 11:53:49.625095480 +0100
+@@ -392,7 +392,9 @@ slap_modrdn2mods(
+ LDAPRDN new_rdn = NULL;
+
+ assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) );
+- assert( !op->orr_deleteoldrdn || !BER_BVISEMPTY( &op->o_req_dn ) );
++
++ /* if requestDN is empty, silently reset deleteOldRDN */
++ if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0;
+
+ if ( ldap_bv2rdn_x( &op->oq_modrdn.rs_newrdn, &new_rdn,
+ (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) {
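Review bot: The surviving `assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) );` two lines above the change is the same pattern the hunk removes — an assert on request-derived state that aborts slapd instead of returning an error — so it is worth confirming that the caller rejects an empty newrdn before slap_modrdn2mods is reached; that check is outside the hunk. If it does not, a runtime check such as `if ( BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) ) return rs->sr_err = LDAP_PROTOCOL_ERROR;` is the safer fallback, assuming the function returns rs->sr_err the way the back-ndb code on this page does. The silent reset of deleteOldRDN also deserves a log line so a malformed request leaves a trace, and the comment could explain the why: `/* an empty requestDN has no old RDN to delete; reset the flag rather than assert on client input */`. slap_modrdn2mods' signature and the rest of its body are outside the hunk.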
diff --git a/openldap.spec b/openldap.spec
index 92e3b1a..3890ffa 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -7,7 +7,7 @@
Name: openldap
Version: 2.4.23
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@@ -41,6 +41,9 @@ Patch108: openldap-verify-self-issued-certs.patch
Patch109: openldap-nss-cipher-suites.patch
Patch110: openldap-nss-restart-modules-fork.patch
Patch111: openldap-nss-disable-nofork.patch
+Patch112: openldap-cve-ppolicy-forward-updates.patch
+Patch113: openldap-cve-ndb-bind-rootdn.patch
+Patch114: openldap-security-dos-empty-modrdn.patch
# patches for the evolution library (see README.evolution)
Patch200: openldap-evolution-ntlm.patch
@@ -154,6 +157,9 @@ pushd openldap-%{version}
%patch109 -p1 -b .nss-cipher-suites
%patch110 -p1 -b .nss-restart-modules-fork
%patch111 -p1 -b .nss-disable-nofork
+%patch112 -p1 -b .cve-ppolicy-forward-updates
+%patch113 -p1 -b .cve-ndb-bind-rootdn
+%patch114 -p1 -b .security-dos-empty-modrdn
cp %{_datadir}/libtool/config/config.{sub,guess} build/
@@ -670,6 +676,11 @@ exit 0
%attr(0644,root,root) %{evolution_connector_libdir}/*.a
%changelog
+* Tue Mar 01 2011 Jan Vcelak <jvcelak at redhat.com> 2.4.23-9
+- fix: CVE-2011-1024 ppolicy forwarded bind failure messages cause success (#680466)
+- fix: CVE-2011-1025 rootpw is not verified for ndb backend (#680472)
+- fix: security - DoS when submitting special MODRDN request (#680975)
+
* Wed Feb 02 2011 Jan Vcelak <jvcelak at redhat.com> 2.4.23-8
- fix update: openldap can't use TLS after a fork() (#636956)