[openldap] CVE-2011-4079 one-byte buffer overflow in slapd

jvcelak jvcelak at fedoraproject.org
Tue Nov 1 14:40:31 UTC 2011


commit 356af46ea67f33229cb4ac9339c95eeff86d7249
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Tue Nov 1 15:23:31 2011 +0100

    CVE-2011-4079 one-byte buffer overflow in slapd
    
    Resolves: #749324

 openldap-cve-onebyte-buffer-overflow.patch |   55 ++++++++++++++++++++++++++++
 openldap.spec                              |    2 +
 2 files changed, 57 insertions(+), 0 deletions(-)
---
diff --git a/openldap-cve-onebyte-buffer-overflow.patch b/openldap-cve-onebyte-buffer-overflow.patch
new file mode 100644
index 0000000..94a453d
--- /dev/null
+++ b/openldap-cve-onebyte-buffer-overflow.patch
@@ -0,0 +1,55 @@
+one-byte buffer overflow in slapd
+
+Resolves: #749324 (CVE-2011-4079)
+Upstream ITS: #7059
+Upstream commits: d0dd861 5072387
+Author: Howard Chu <hyc at openldap.org>
+
+diff -u
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
+ 		}
+ 		nvalue.bv_val[nvalue.bv_len] = '\0';
+ 
+-	} else {
++	} else if ( tmp.bv_len )  {
+ 		/* string of all spaces is treated as one space */
+ 		nvalue.bv_val[0] = ' ';
+ 		nvalue.bv_val[1] = '\0';
+ 		nvalue.bv_len = 1;
+-	}
++	}	/* should never be entered with 0-length val */
+ 
+ 	*normalized = nvalue;
+ 	return LDAP_SUCCESS;
+@@ -2331,13 +2331,18 @@ postalAddressNormalize(
+ 	}
+ 	lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
+ 
+-	normalized->bv_len = l;
++	normalized->bv_len = c = l;
+ 
+-	for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
++	for ( l = 0; l <= c; l++ ) {
+ 		/* NOTE: we directly normalize each line,
+ 		 * without unescaping the values, since the special
+ 		 * values '\24' ('$') and '\5C' ('\') are not affected
+ 		 * by normalization */
++		if ( !lines[l].bv_len ) {
++			nlines[l].bv_len = 0;
++			nlines[l].bv_val = NULL;
++			continue;
++		}
+ 		rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
+ 		if ( rc != LDAP_SUCCESS ) {
+ 			rc = LDAP_INVALID_SYNTAX;
+@@ -2350,7 +2355,7 @@ postalAddressNormalize(
+ 	normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
+ 
+ 	p = normalized->bv_val;
+-	for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
++	for ( l = 0; l <= c ; l++ ) {
+ 		p = lutil_strbvcopy( p, &nlines[l] );
+ 		*p++ = '$';
+ 	}
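Review bot: In the postalAddressNormalize hunk an empty line is recorded as `nlines[l].bv_val = NULL` with bv_len 0, and the second loop then hands that entry to lutil_strbvcopy unconditionally; if that helper copies with memcpy/AC_MEMCPY, a NULL source is undefined behaviour even for a zero length, so the copy loop should skip empty entries: `if ( nlines[l].bv_len ) { p = lutil_strbvcopy( p, &nlines[l] ); }` ahead of `*p++ = '$';`. Whether lutil_strbvcopy tolerates a NULL bv_val cannot be confirmed from this hunk. The new `l <= c` bounds in both loops rely on `c` holding the index of the last line as assigned at `normalized->bv_len = c = l;`, which deserves a comment such as `/* c == index of the last line; lines[0..c] and nlines[0..c] are all populated */`. In the UTF8StringNormalize hunk the `else if ( tmp.bv_len )` branch now leaves nvalue untouched for a zero-length value; the trailing comment declares that case unreachable, but an `assert( tmp.bv_len );` or an explicit `nvalue.bv_len = 0;` in a final `else` would make the assumption checkable instead of silent. Both functions start and end outside the hunk.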
diff --git a/openldap.spec b/openldap.spec
index 295c5c2..9f35543 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -43,6 +43,7 @@ Patch16: openldap-dns-priority.patch
 Patch17: openldap-man-ldap-sync.patch
 Patch18: openldap-nss-handshake-threadsafe.patch
 Patch19: openldap-syncrepl-unset-tls-options.patch
+Patch20: openldap-cve-onebyte-buffer-overflow.patch
 
 # Fedora specific patches
 Patch100: openldap-fedora-systemd.patch
@@ -155,6 +156,7 @@ pushd openldap-%{version}
 %patch17 -p1 -b .man-ldap-sync
 %patch18 -p1 -b .nss-handshake-threadsafe
 %patch19 -p1 -b .syncrepl-unset-tls-options
+%patch20 -p1 -b .cve-onebyte-buffer-overflow
 
 %patch100 -p1 -b .fedora-systemd
 

