rpms/openldap/F-8 openldap-2.3.27-ber-decode.patch, NONE, 1.1 openldap.spec, 1.101, 1.102

Wed Jul 2 10:12:17 UTC 2008

Author: jsafrane

Update of /cvs/pkgs/rpms/openldap/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13466

Modified Files:
	openldap.spec 
Added Files:
	openldap-2.3.27-ber-decode.patch 
Log Message:
fix CVE-2008-2952
Resolves: #453726

openldap-2.3.27-ber-decode.patch:

--- NEW FILE openldap-2.3.27-ber-decode.patch ---
453637, 453638, 453639, 453640,453444: CVE-2008-2952 OpenLDAP denial-of-service 
flaw in ASN.1 decoder

Source: upstream, cvs diff -r 1.120 -r 1.122 libraries/liblber/io.c

Index: libraries/liblber/io.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/liblber/io.c,v
retrieving revision 1.120
retrieving revision 1.122
diff -u -r1.120 -r1.122
--- libraries/liblber/io.c	7 Jan 2008 23:20:03 -0000	1.120
+++ libraries/liblber/io.c	1 Jul 2008 23:33:15 -0000	1.122
@@ -522,14 +522,18 @@
 	}
 
 	while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
-		(char *)&ber->ber_len + LENSIZE*2 -1) {
+		(char *)&ber->ber_len + LENSIZE*2) {
 		ber_slen_t sblen;
 		char buf[sizeof(ber->ber_len)-1];
 		ber_len_t tlen = 0;
 
+		/* The tag & len can be at most 9 bytes; we try to read up to 8 here */
 		sock_errset(0);
-		sblen=ber_int_sb_read( sb, ber->ber_rwptr,
-			((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
+		sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr;
+		/* Trying to read the last len byte of a 9 byte tag+len */
+		if (sblen<1)
+			sblen = 1;
+		sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen );
 		if (sblen<=0) return LBER_DEFAULT;
 		ber->ber_rwptr += sblen;
 
@@ -579,7 +583,7 @@
 			int i;
 			unsigned char *p = (unsigned char *)ber->ber_ptr;
 			int llen = *p++ & 0x7f;
-			if (llen > (int)sizeof(ber_len_t)) {
+			if (llen > LENSIZE) {
 				sock_errset(ERANGE);
 				return LBER_DEFAULT;
 			}


Index: openldap.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openldap/F-8/openldap.spec,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- openldap.spec	8 Feb 2008 14:09:22 -0000	1.101
+++ openldap.spec	2 Jul 2008 10:11:47 -0000	1.102
@@ -12,7 +12,7 @@
 Summary: The configuration files, libraries, and documentation for OpenLDAP
 Name: openldap
 Version: %{version_23}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_23}.tgz
@@ -39,6 +39,7 @@
 Patch8: openldap-2.3.34-pthread.patch
 Patch9: openldap-2.3.37-smbk5pwd.patch
 Patch10: openldap-2.3.27-modify-noop.patch
+Patch11: openldap-2.3.27-ber-decode.patch
 
 # Patches for 2.2.29 for the compat-openldap package.
 Patch100: openldap-2.2.13-tls-fix-connection-test.patch
@@ -174,6 +175,7 @@
 %patch8 -p1 -b .pthread
 %patch9 -p1 -b .smbk5pwd
 %patch10 -p0 -b .modify-noop
+%patch11 -p0 -b .ber-decode
 
 cp %{_datadir}/libtool/config.{sub,guess} build/
 popd
@@ -676,7 +678,10 @@
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
-* Fri Feb  8 2008 Jan Safranek <jsafranek at redhat.com> 2.3.39-2
+* Wed Jul  2 2008 Jan Safranek <jsafranek at redhat.com> 2.3.39-4
+- fix CVE-2008-2952 (#453726)
+
+* Fri Feb  8 2008 Jan Safranek <jsafranek at redhat.com> 2.3.39-3
 - fix CVE-2008-0658 (#432013)
 
 * Mon Jan 14 2008 Jan Safranek <jsafranek at redhat.com> 2.3.39-2


