[openldap] CVE-2011-4079 one-byte buffer overflow in slapd
jvcelak
jvcelak at fedoraproject.org
Tue Nov 1 14:40:31 UTC 2011
commit 356af46ea67f33229cb4ac9339c95eeff86d7249
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Tue Nov 1 15:23:31 2011 +0100
CVE-2011-4079 one-byte buffer overflow in slapd
Resolves: #749324
openldap-cve-onebyte-buffer-overflow.patch | 55 ++++++++++++++++++++++++++++
openldap.spec | 2 +
2 files changed, 57 insertions(+), 0 deletions(-)
---
diff --git a/openldap-cve-onebyte-buffer-overflow.patch b/openldap-cve-onebyte-buffer-overflow.patch
new file mode 100644
index 0000000..94a453d
--- /dev/null
+++ b/openldap-cve-onebyte-buffer-overflow.patch
@@ -0,0 +1,55 @@
+one-byte buffer overflow in slapd
+
+Resolves: #749324 (CVE-2011-4079)
+Upstream ITS: #7059
+Upstream commits: d0dd861 5072387
+Author: Howard Chu <hyc at openldap.org>
+
+diff -u
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
+ }
+ nvalue.bv_val[nvalue.bv_len] = '\0';
+
+- } else {
++ } else if ( tmp.bv_len ) {
+ /* string of all spaces is treated as one space */
+ nvalue.bv_val[0] = ' ';
+ nvalue.bv_val[1] = '\0';
+ nvalue.bv_len = 1;
+- }
++ } /* should never be entered with 0-length val */
+
+ *normalized = nvalue;
+ return LDAP_SUCCESS;
+@@ -2331,13 +2331,18 @@ postalAddressNormalize(
+ }
+ lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
+
+- normalized->bv_len = l;
++ normalized->bv_len = c = l;
+
+- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
++ for ( l = 0; l <= c; l++ ) {
+ /* NOTE: we directly normalize each line,
+ * without unescaping the values, since the special
+ * values '\24' ('$') and '\5C' ('\') are not affected
+ * by normalization */
++ if ( !lines[l].bv_len ) {
++ nlines[l].bv_len = 0;
++ nlines[l].bv_val = NULL;
++ continue;
++ }
+ rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
+ if ( rc != LDAP_SUCCESS ) {
+ rc = LDAP_INVALID_SYNTAX;
+@@ -2350,7 +2355,7 @@ postalAddressNormalize(
+ normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
+
+ p = normalized->bv_val;
+- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
++ for ( l = 0; l <= c ; l++ ) {
+ p = lutil_strbvcopy( p, &nlines[l] );
+ *p++ = '$';
+ }
diff --git a/openldap.spec b/openldap.spec
index 295c5c2..9f35543 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -43,6 +43,7 @@ Patch16: openldap-dns-priority.patch
Patch17: openldap-man-ldap-sync.patch
Patch18: openldap-nss-handshake-threadsafe.patch
Patch19: openldap-syncrepl-unset-tls-options.patch
+Patch20: openldap-cve-onebyte-buffer-overflow.patch
# Fedora specific patches
Patch100: openldap-fedora-systemd.patch
@@ -155,6 +156,7 @@ pushd openldap-%{version}
%patch17 -p1 -b .man-ldap-sync
%patch18 -p1 -b .nss-handshake-threadsafe
%patch19 -p1 -b .syncrepl-unset-tls-options
+%patch20 -p1 -b .cve-onebyte-buffer-overflow
%patch100 -p1 -b .fedora-systemd
More information about the scm-commits
mailing list