rpms/openldap/F-11 openldap-2.4.15-tls-null-char.patch, NONE, 1.1 openldap.spec, 1.144, 1.145

Jan Zeleny jzeleny at fedoraproject.org
Mon Jan 18 17:08:36 UTC 2010 

Author: jzeleny

Update of /cvs/extras/rpms/openldap/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18164

Modified Files:
	openldap.spec 
Added Files:
	openldap-2.4.15-tls-null-char.patch 
Log Message:
upstream patch fixing CVE-2009-3767

openldap-2.4.15-tls-null-char.patch:
 tls_o.c |   52 +++++++++++++++++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 19 deletions(-)

--- NEW FILE openldap-2.4.15-tls-null-char.patch ---
diff -u -r1.8 -r1.11
--- openldap-2.4.15/libraries/libldap/tls_o.c.orig	1 Jul 2009 21:46:36 -0000	1.8
+++ openldap-2.4.15/libraries/libldap/tls_o.c	7 Aug 2009 19:46:25 -0000	1.11
@@ -466,7 +466,7 @@
 	X509 *x;
 	const char *name;
 	char *ptr;
-	int ntype = IS_DNS;
+	int ntype = IS_DNS, nlen;
 #ifdef LDAP_PF_INET6
 	struct in6_addr addr;
 #else
@@ -480,6 +480,7 @@
 	} else {
 		name = name_in;
 	}
+	nlen = strlen(name);
 
 	x = tlso_get_cert(s);
 	if (!x) {
@@ -513,15 +514,14 @@
 		ex = X509_get_ext(x, i);
 		alt = X509V3_EXT_d2i(ex);
 		if (alt) {
-			int n, len1 = 0, len2 = 0;
+			int n, len2 = 0;
 			char *domain = NULL;
 			GENERAL_NAME *gn;
 
 			if (ntype == IS_DNS) {
-				len1 = strlen(name);
 				domain = strchr(name, '.');
 				if (domain) {
-					len2 = len1 - (domain-name);
+					len2 = nlen - (domain-name);
 				}
 			}
 			n = sk_GENERAL_NAME_num(alt);
@@ -539,7 +539,7 @@
 					if (sl == 0) continue;
 
 					/* Is this an exact match? */
-					if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
+					if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
 						break;
 					}
 
@@ -579,13 +579,28 @@
 
 	if (ret != LDAP_SUCCESS) {
 		X509_NAME *xn;
-		char buf[2048];
-		buf[0] = '\0';
+		X509_NAME_ENTRY *ne;
+		ASN1_OBJECT *obj;
+		ASN1_STRING *cn = NULL;
+		int navas;
+
+		/* find the last CN */
+		obj = OBJ_nid2obj( NID_commonName );
+		if ( !obj ) goto no_cn;	/* should never happen */
 
 		xn = X509_get_subject_name(x);
-		if( X509_NAME_get_text_by_NID( xn, NID_commonName,
-			buf, sizeof(buf)) == -1)
+		navas = X509_NAME_entry_count( xn );
+		for ( i=navas-1; i>=0; i-- ) {
+			ne = X509_NAME_get_entry( xn, i );
+			if ( !OBJ_cmp( ne->object, obj )) {
+				cn = X509_NAME_ENTRY_get_data( ne );
+				break;
+			}
+		}
+
+		if( !cn )
 		{
+no_cn:
 			Debug( LDAP_DEBUG_ANY,
 				"TLS: unable to get common name from peer certificate.\n",
 				0, 0, 0 );
@@ -596,21 +611,20 @@
 			ld->ld_error = LDAP_STRDUP(
 				_("TLS: unable to get CN from peer certificate"));
 
-		} else if (strcasecmp(name, buf) == 0 ) {
+		} else if ( cn->length == nlen &&
+			strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
 			ret = LDAP_SUCCESS;
 
-		} else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
+		} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
 			char *domain = strchr(name, '.');
 			if( domain ) {
-				size_t dlen = 0;
-				size_t sl;
+				size_t dlen;
 
-				sl = strlen(name);
-				dlen = sl - (domain-name);
-				sl = strlen(buf);
+				dlen = nlen - (domain-name);
 
 				/* Is this a wildcard match? */
-				if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
+				if ((dlen == cn->length-1) &&
+					!strncasecmp(domain, (char *) &cn->data[1], dlen)) {
 					ret = LDAP_SUCCESS;
 				}
 			}
@@ -618,8 +632,8 @@
 
 		if( ret == LDAP_LOCAL_ERROR ) {
 			Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
-				"common name in certificate (%s).\n", 
-				name, buf, 0 );
+				"common name in certificate (%.*s).\n", 
+				name, cn->length, cn->data );
 			ret = LDAP_CONNECT_ERROR;
 			if ( ld->ld_error ) {
 				LDAP_FREE( ld->ld_error );


Index: openldap.spec
===================================================================
RCS file: /cvs/extras/rpms/openldap/F-11/openldap.spec,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -p -r1.144 -r1.145
--- openldap.spec	7 Oct 2009 09:25:40 -0000	1.144
+++ openldap.spec	18 Jan 2010 17:08:35 -0000	1.145
@@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -35,6 +35,7 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.
 Patch9: openldap-2.3.37-smbk5pwd.patch
 Patch10: openldap-2.4.6-multilib.patch
 Patch11: openldap-2.4.12-options.patch
+Patch12: openldap-2.4.15-tls-null-char.patch
 
 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@@ -141,6 +142,7 @@ pushd openldap-%{version}
 %patch9 -p1 -b .smbk5pwd
 %patch10 -p1 -b .multilib
 %patch11 -p1 -b .options
+%patch12 -p1 -b .tls-null-char
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@@ -606,6 +608,9 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Mon Jan 18 2010 Jan Zeleny <jzeleny at redhat.com> - 2.4.15-7
+- upstream path fixing CVE-2009-3767 (#537895)
+
 * Wed Oct 07 2009 Jan Zeleny <jzeleny at redhat.com> 2.4.15-6
 - fix of smbk5pwd patch - linking with libldap (#526500)

More information about the scm-commits mailing list