[openldap/f16] CVE-2012-1164: Assertion failure by processing search queries requesting only attributes for particu

jvcelak jvcelak at fedoraproject.org
Wed Jun 27 15:22:40 UTC 2012


commit b1bc9c8758f8568a3fa586fd1e4a77168e63bf41
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Wed Jun 27 17:06:16 2012 +0200

    CVE-2012-1164: Assertion failure by processing search queries requesting only attributes for particular entry
    
    Resolves: #802514

 ...p-cve-assertion-processing-search-queries.patch |   52 ++++++++++++++++++++
 openldap.spec                                      |    3 +
 2 files changed, 55 insertions(+), 0 deletions(-)
---
diff --git a/openldap-cve-assertion-processing-search-queries.patch b/openldap-cve-assertion-processing-search-queries.patch
new file mode 100644
index 0000000..1848830
--- /dev/null
+++ b/openldap-cve-assertion-processing-search-queries.patch
@@ -0,0 +1,52 @@
+Assertion failure by processing search queries requesting only attributes for particular entry
+
+Upstream ITS: #7143
+Upstream commit: ef2f526 430256f 463c1fa
+Resolves: #802514 (CVE-2012-1164)
+
+diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c
+index 51f5075..bfc717c 100644
+--- a/servers/slapd/attr.c
++++ b/servers/slapd/attr.c
+@@ -232,13 +232,16 @@ attr_dup2( Attribute *tmp, Attribute *a )
+ 		if ( a->a_nvals != a->a_vals ) {
+ 
+ 			tmp->a_nvals = ch_malloc( (tmp->a_numvals + 1) * sizeof(struct berval) );
+-			for ( j = 0; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
+-				assert( j < i );
+-				ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
+-				if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
+-				/* FIXME: error? */
++			j = 0;
++			if ( i ) {
++				for ( ; !BER_BVISNULL( &a->a_nvals[j] ); j++ ) {
++					assert( j < i );
++					ber_dupbv( &tmp->a_nvals[j], &a->a_nvals[j] );
++					if ( BER_BVISNULL( &tmp->a_nvals[j] ) ) break;
++					/* FIXME: error? */
++				}
++				assert( j == i );
+ 			}
+-			assert( j == i );
+ 			BER_BVZERO( &tmp->a_nvals[j] );
+ 
+ 		} else {
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index c724be2..0c78e80 100644
+--- a/servers/slapd/overlays/rwm.c
++++ b/servers/slapd/overlays/rwm.c
+@@ -1276,7 +1276,13 @@ rwm_attrs( Operation *op, SlapReply *rs, Attribute** a_first, int stripEntryDN )
+ 								NULL );
+ 
+ 							if ( rc != LDAP_SUCCESS ) {
+-								BER_BVZERO( &(*ap)->a_nvals[i] );
++								/* FIXME: this is wrong, putting a non-normalized value
++								 * into nvals. But when a proxy sends us bogus data,
++								 * we still need to give it to the client, even if it
++								 * violates the syntax. I.e., we don't want to silently
++								 * drop things and trigger an apparent data loss.
++								 */
++								ber_dupbv( &(*ap)->a_nvals[i], &(*ap)->a_vals[i] );
+ 							}
+ 						}
+ 						BER_BVZERO( &(*ap)->a_nvals[i] );
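Review bot: In the attr_dup2 hunk of the embedded patch the `/* FIXME: error? */` path is still an abort: if ber_dupbv() leaves tmp->a_nvals[j] null the loop breaks with j < i, and the `assert( j == i )` that now sits inside the `if ( i )` block fires on that path instead of returning an error, so the allocation-failure case presumably only survives because slapd's liblber allocator is the aborting ch_* one; that should be stated or the assert replaced by an error return. The new `if ( i )` guard carries no comment on why an attribute with no values must skip the copy loop, so I would add `/* i == 0: nothing to copy, only the terminator below is written */` above it. attr_dup2 starts and ends outside this hunk, and so does rwm_attrs in the second file.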
diff --git a/openldap.spec b/openldap.spec
index a7ccaaf..7c64ecc 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -50,6 +50,7 @@ Patch24: openldap-nss-clean-memory-for-token-pin.patch
 Patch25: openldap-cve-nss-cipher-suite-ignored.patch
 Patch26: openldap-nss-default-cipher-suite-always-selected.patch
 Patch27: openldap-tls-unbind-shutdown-order.patch
+Patch28: openldap-cve-assertion-processing-search-queries.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -170,6 +171,7 @@ pushd openldap-%{version}
 %patch25 -p1 -b .cve-nss-cipher-suite-ignored
 %patch26 -p1 -b .nss-default-cipher-suite-always-selected
 %patch27 -p1 -b .tls-unbind-shutdown-order
+%patch28 -p1 -b .cve-assertion-processing-search-queries
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -701,6 +703,7 @@ exit 0
 - CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
 - fix: default cipher suite is always selected (#828790)
 - fix: invalid order of TLS shutdown operations (#808464)
+- CVE-2012-1164: Assertion failure by processing search queries requesting only attributes for particular entry (#802514)
 
 * Mon Mar 26 2012 Jan Synáček <jsynacek at redhat.com> 2.4.26-7
 - fix: Re-binding to a failed connection can segfault (#784989)

