!45 fix CVE-2021-3670

From: @yangl777 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot

Skip-ldb_lmdb_free_list_test-on-ppc64el-ppc64-and-sp.patch

@@ -0,0 +1,27 @@
+From eb5409dd5e4dde482935421ce0eddf88a0d2d2f4 Mon Sep 17 00:00:00 2001
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Thu, 25 Jun 2020 15:15:40 +0200
+Subject: [PATCH] Skip ldb_lmdb_free_list_test on alpha, ia64, mips64el, ppc64el, ppc64 and sparc64
+
+Workaround: https://bugzilla.samba.org/show_bug.cgi?id=14404
+---
+ wscript | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff -ruNa ldb-2.1.4/wscript ldb-2.1.4-org/wscript
+--- ldb-2.1.4/wscript   2021-03-23 11:14:55.530512420 +0800
++++ ldb-2.1.4-org/wscript       2020-06-25 16:43:52.000000000 +0800
+@@ -635,8 +635,9 @@
+                      # fit > 4G of data into the DB), it would fill up the disk on
+                      # many of our test instances
+                      'ldb_mdb_kv_ops_test',
++                     'ldb_key_value_sub_txn_mdb_test']
++        if os.environ.get('DEB_HOST_ARCH', 'unknown') not in ['alpha', 'ia64', 'mips64el', 'ppc64el', 'ppc64', 'sparc64', 'unknown']:
++            test_exes += ['ldb_lmdb_free_list_test']
+-                     'ldb_key_value_sub_txn_mdb_test',
+-                     'ldb_lmdb_free_list_test']
+     else:
+         test_exes += ['ldb_no_lmdb_test']
+
+--
+2.26.2

backport-001-CVE-2022-32746.patch

@@ -0,0 +1,104 @@
+From 0a3aa5f908e351201dc9c4d4807b09ed9eedff77 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 21 Feb 2022 16:27:37 +1300
+Subject: [PATCH] CVE-2022-32746 ldb: Make use of functions for appending to an
+ ldb_message
+
+This aims to minimise usage of the error-prone pattern of searching for
+a just-added message element in order to make modifications to it (and
+potentially finding the wrong element).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ ldb_map/ldb_map.c                     |   5 +-
+ ldb_map/ldb_map_inbound.c             |   9 +-
+ modules/rdn_name.c                    |  22 +---
+ 3 files changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/ldb_map/ldb_map.c b/ldb_map/ldb_map.c
+index b453dff80d25..c7b0c2286311 100644
+--- a/ldb_map/ldb_map.c
++++ b/ldb_map/ldb_map.c
+@@ -946,10 +946,7 @@ struct ldb_request *map_build_fixup_req(struct map_context *ac,
+ 	if ( ! dn || ! ldb_dn_validate(msg->dn)) {
+ 		goto failed;
+ 	}
+-	if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
+-		goto failed;
+-	}
+-	if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) {
++	if (ldb_msg_append_string(msg, IS_MAPPED, dn, LDB_FLAG_MOD_REPLACE) != 0) {
+ 		goto failed;
+ 	}
+ 
+diff --git a/ldb_map/ldb_map_inbound.c b/ldb_map/ldb_map_inbound.c
+index 324295737da1..50b9427c26c5 100644
+--- a/ldb_map/ldb_map_inbound.c
++++ b/ldb_map/ldb_map_inbound.c
+@@ -569,12 +569,9 @@ static int map_modify_do_local(struct map_context *ac)
+ 		/* No local record present, add it instead */
+ 		/* Add local 'IS_MAPPED' */
+ 		/* TODO: use GUIDs here instead */
+-		if (ldb_msg_add_empty(ac->local_msg, IS_MAPPED,
+-					LDB_FLAG_MOD_ADD, NULL) != 0) {
+-			return LDB_ERR_OPERATIONS_ERROR;
+-		}
+-		ret = ldb_msg_add_linearized_dn(ac->local_msg, IS_MAPPED,
+-						ac->remote_req->op.mod.message->dn);
++		ret = ldb_msg_append_linearized_dn(ac->local_msg, IS_MAPPED,
++						   ac->remote_req->op.mod.message->dn,
++						   LDB_FLAG_MOD_ADD);
+ 		if (ret != 0) {
+ 			return LDB_ERR_OPERATIONS_ERROR;
+ 		}
+diff --git a/modules/rdn_name.c b/modules/rdn_name.c
+index 25cffe07591a..3cb62bf567bd 100644
+--- a/modules/rdn_name.c
++++ b/modules/rdn_name.c
+@@ -308,16 +308,10 @@ static int rdn_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
+ 	}
+ 	rdn_val = ldb_val_dup(msg, rdn_val_p);
+ 
+-	if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
++	if (ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
+ 		goto error;
+ 	}
+-	if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) {
+-		goto error;
+-	}
+-	if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
+-		goto error;
+-	}
+-	if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) {
++	if (ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
+ 		goto error;
+ 	}
+ 
+@@ -466,11 +460,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
+ 		if (ret != 0) {
+ 			return ldb_module_oom(module);
+ 		}
+-		ret = ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_ADD, NULL);
+-		if (ret != 0) {
+-			return ldb_module_oom(module);
+-		}
+-		ret = ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL);
++		ret = ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_ADD);
+ 		if (ret != 0) {
+ 			return ldb_module_oom(module);
+ 		}
+@@ -479,11 +469,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
+ 		if (ret != 0) {
+ 			return ldb_module_oom(module);
+ 		}
+-		ret = ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_ADD, NULL);
+-		if (ret != 0) {
+-			return ldb_module_oom(module);
+-		}
+-		ret = ldb_msg_add_value(msg, "name", &rdn_val, NULL);
++		ret = ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_ADD);
+ 		if (ret != 0) {
+ 			return ldb_module_oom(module);
+ 		}

backport-002-CVE-2022-32746.patch

@@ -0,0 +1,28 @@
+From 41b1fe6d4ae1f547b2f1a0ef8d1aee284b4ef93b Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 16 Feb 2022 12:43:52 +1300
+Subject: [PATCH] CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for
+ flags equality check
+
+Now unrelated flags will no longer affect the result.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ lib/ldb/modules/rdn_name.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/rdn_name.c b/modules/rdn_name.c
+index e69ad9315aec..25cffe07591a 100644
+--- a/modules/rdn_name.c
++++ b/modules/rdn_name.c
+@@ -545,7 +545,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
+ 	if (e != NULL) {
+ 		ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead",
+ 				       ldb_dn_get_linearized(req->op.mod.message->dn));
+-		if (e->flags == LDB_FLAG_MOD_REPLACE) {
++		if (LDB_FLAG_MOD_TYPE(e->flags) == LDB_FLAG_MOD_REPLACE) {
+ 			return LDB_ERR_CONSTRAINT_VIOLATION;
+ 		} else {
+ 			return LDB_ERR_UNWILLING_TO_PERFORM;

backport-003-CVE-2022-32746.patch

@@ -0,0 +1,112 @@
+From 7efe8182c165fbf17d2f88c173527a7a554e214b Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 21 Feb 2022 16:10:32 +1300
+Subject: [PATCH] CVE-2022-32746 ldb: Add flag to mark message element values
+ as shared
+
+When making a shallow copy of an ldb message, mark the message elements
+of the copy as sharing their values with the message elements in the
+original message.
+
+This flag value will be heeded in the next commit.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ common/ldb_msg.c     | 43 +++++++++++++++++++++++++++++++-----
+ include/ldb_module.h |  6 +++++
+ 2 files changed, 43 insertions(+), 6 deletions(-)
+
+diff --git a/common/ldb_msg.c b/common/ldb_msg.c
+index 57dfc5a04c2b..2a9ce384bb98 100644
+--- a/common/ldb_msg.c
++++ b/common/ldb_msg.c
+@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
+ 		       ldb_msg_element_compare_name);
+ }
+ 
+-/*
+-  shallow copy a message - copying only the elements array so that the caller
+-  can safely add new elements without changing the message
+-*/
+-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
++static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
+ 					 const struct ldb_message *msg)
+ {
+ 	struct ldb_message *msg2;
+@@ -863,6 +859,35 @@ struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+ 	return NULL;
+ }
+ 
++/*
++  shallow copy a message - copying only the elements array so that the caller
++  can safely add new elements without changing the message
++*/
++struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
++					 const struct ldb_message *msg)
++{
++	struct ldb_message *msg2;
++	unsigned int i;
++
++	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
++	if (msg2 == NULL) {
++		return NULL;
++	}
++
++	for (i = 0; i < msg2->num_elements; ++i) {
++		/*
++		 * Mark this message's elements as sharing their values with the
++		 * original message, so that we don't inadvertently modify or
++		 * free them. We don't mark the original message element as
++		 * shared, so the original message element should not be
++		 * modified or freed while the shallow copy lives.
++		 */
++		struct ldb_message_element *el = &msg2->elements[i];
++		el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
++	}
++
++        return msg2;
++}
+ 
+ /*
+   copy a message, allocating new memory for all parts
+@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
+ 	struct ldb_message *msg2;
+ 	unsigned int i, j;
+ 
+-	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
++	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
+ 	if (msg2 == NULL) return NULL;
+ 
+ 	if (msg2->dn != NULL) {
+@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
+ 				goto failed;
+ 			}
+ 		}
++
++                /*
++                 * Since we copied this element's values, we can mark them as
++                 * not shared.
++		 */
++		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
+ 	}
+ 
+ 	return msg2;
+diff --git a/include/ldb_module.h b/include/ldb_module.h
+index 8c1e5ee7936c..4c7c85a17f00 100644
+--- a/include/ldb_module.h
++++ b/include/ldb_module.h
+@@ -96,6 +96,12 @@ struct ldb_module;
+  */
+ #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100
+ 
++/*
++ * indicates that this element's values are shared with another element (for
++ * example, in a shallow copy of an ldb_message) and should not be freed
++ */
++#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
++
+ /* an extended match rule that always fails to match */
+ #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"
+ 

backport-004-CVE-2022-32746.patch

@@ -0,0 +1,121 @@
+From a2bb5beee82fd9c4c29decc07024057febeaf1b5 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 16 Feb 2022 12:35:13 +1300
+Subject: [PATCH] CVE-2022-32746 ldb: Ensure shallow copy modifications do not
+ affect original message
+
+Using the newly added ldb flag, we can now detect when a message has
+been shallow-copied so that its elements share their values with the
+original message elements. Then when adding values to the copied
+message, we now make a copy of the shared values array first.
+
+This should prevent a use-after-free that occurred in LDB modules when
+new values were added to a shallow copy of a message by calling
+talloc_realloc() on the original values array, invalidating the 'values'
+pointer in the original message element. The original values pointer can
+later be used in the database audit logging module which logs database
+requests, and potentially cause a crash.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ common/ldb_msg.c   | 52 ++++++++++++++++++++++++++++++++------
+ include/ldb.h      |  6 +++++
+ 2 files changed, 56 insertions(+), 22 deletions(-)
+
+diff --git a/common/ldb_msg.c b/common/ldb_msg.c
+index 2a9ce384bb98..44d3b29e9a72 100644
+--- a/common/ldb_msg.c
++++ b/common/ldb_msg.c
+@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg,
+ 	return LDB_SUCCESS;
+ }
+ 
++/*
++ * add a value to a message element
++ */
++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
++			      struct ldb_message_element *el,
++			      const struct ldb_val *val)
++{
++	struct ldb_val *vals;
++
++	if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
++		/*
++		 * Another message is using this message element's values array,
++		 * so we don't want to make any modifications to the original
++		 * message, or potentially invalidate its own values by calling
++		 * talloc_realloc(). Make a copy instead.
++		 */
++		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
++
++		vals = talloc_array(mem_ctx, struct ldb_val,
++				    el->num_values + 1);
++		if (vals == NULL) {
++			return LDB_ERR_OPERATIONS_ERROR;
++		}
++
++		if (el->values != NULL) {
++			memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val));
++		}
++	} else {
++		vals = talloc_realloc(mem_ctx, el->values, struct ldb_val,
++				      el->num_values + 1);
++		if (vals == NULL) {
++			return LDB_ERR_OPERATIONS_ERROR;
++		}
++	}
++	el->values = vals;
++	el->values[el->num_values] = *val;
++	el->num_values++;
++
++	return LDB_SUCCESS;
++}
++
+ /*
+   add a value to a message
+ */
+@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg,
+ 		      struct ldb_message_element **return_el)
+ {
+ 	struct ldb_message_element *el;
+-	struct ldb_val *vals;
+ 	int ret;
+ 
+ 	el = ldb_msg_find_element(msg, attr_name);
+@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg,
+ 		}
+ 	}
+ 
+-	vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
+-			      el->num_values+1);
+-	if (!vals) {
+-		return LDB_ERR_OPERATIONS_ERROR;
++	ret = ldb_msg_element_add_value(msg->elements, el, val);
++	if (ret != LDB_SUCCESS) {
++		return ret;
+ 	}
+-	el->values = vals;
+-	el->values[el->num_values] = *val;
+-	el->num_values++;
+ 
+ 	if (return_el) {
+ 		*return_el = el;
+diff --git a/include/ldb.h b/include/ldb.h
+index bc44157eaf47..129beefeaf56 100644
+--- a/include/ldb.h
++++ b/include/ldb.h
+@@ -1981,6 +1981,12 @@ int ldb_msg_add_empty(struct ldb_message *msg,
+ 		int flags,
+ 		struct ldb_message_element **return_el);
+ 
++/**
++   add a value to a message element
++*/
++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
++			      struct ldb_message_element *el,
++			      const struct ldb_val *val);
+ /**
+    add a element to a ldb_message
+ */

backport-005-CVE-2022-32746.patch

@@ -0,0 +1,274 @@
+From df487eb2d713e817660dd3b56bb26ba715fadfea Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 16 Feb 2022 16:30:03 +1300
+Subject: [PATCH] CVE-2022-32746 ldb: Add functions for appending to an
+ ldb_message
+
+Currently, there are many places where we use ldb_msg_add_empty() to add
+an empty element to a message, and then call ldb_msg_add_value() or
+similar to add values to that element. However, this performs an
+unnecessary search of the message's elements to locate the new element.
+Moreover, if an element with the same attribute name already exists
+earlier in the message, the values will be added to that element,
+instead of to the intended newly added element.
+
+A similar pattern exists where we add values to a message, and then call
+ldb_msg_find_element() to locate that message element and sets its flags
+to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
+search, and may locate the wrong message element for setting the flags.
+
+To avoid these problems, add functions for appending a value to a
+message, so that a particular value can be added to the end of a message
+in a single operation.
+
+For ADD requests, it is important that no two message elements share the
+same attribute name, otherwise things will break. (Normally,
+ldb_msg_normalize() is called before processing the request to help
+ensure this.) Thus, we must be careful not to append an attribute to an
+ADD message, unless we are sure (e.g. through ldb_msg_find_element())
+that an existing element for that attribute is not present.
+
+These functions will be used in the next commit.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ common/ldb_msg.c | 165 ++++++++++++++++++++++++++++++++++++++-
+ include/ldb.h    |  24 ++++++
+ 2 files changed, 185 insertions(+), 4 deletions(-)
+
+diff --git a/common/ldb_msg.c b/common/ldb_msg.c
+index 44d3b29e9a7..9cd7998e21c 100644
+--- a/common/ldb_msg.c
++++ b/common/ldb_msg.c
+@@ -509,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
+ 
+ 
+ /*
+-  add a string element to a message
++  add a string element to a message, specifying flags
+ */
+-int ldb_msg_add_string(struct ldb_message *msg,
+-		       const char *attr_name, const char *str)
++int ldb_msg_add_string_flags(struct ldb_message *msg,
++			     const char *attr_name, const char *str,
++			     int flags)
+ {
+ 	struct ldb_val val;
++	int ret;
++	struct ldb_message_element *el = NULL;
+ 
+ 	val.data = discard_const_p(uint8_t, str);
+ 	val.length = strlen(str);
+@@ -524,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg,
+ 		return LDB_SUCCESS;
+ 	}
+ 
+-	return ldb_msg_add_value(msg, attr_name, &val, NULL);
++	ret = ldb_msg_add_value(msg, attr_name, &val, &el);
++	if (ret != LDB_SUCCESS) {
++		return ret;
++	}
++
++	if (flags != 0) {
++		el->flags = flags;
++	}
++
++	return LDB_SUCCESS;
++}
++
++/*
++  add a string element to a message
++*/
++int ldb_msg_add_string(struct ldb_message *msg,
++		       const char *attr_name, const char *str)
++{
++	return ldb_msg_add_string_flags(msg, attr_name, str, 0);
+ }
+ 
+ /*
+@@ -586,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg,
+ 	return ldb_msg_add_steal_value(msg, attr_name, &val);
+ }
+ 
++static int ldb_msg_append_value_impl(struct ldb_message *msg,
++				     const char *attr_name,
++				     const struct ldb_val *val,
++				     int flags,
++				     struct ldb_message_element **return_el)
++{
++	struct ldb_message_element *el = NULL;
++	int ret;
++
++	ret = ldb_msg_add_empty(msg, attr_name, flags, &el);
++	if (ret != LDB_SUCCESS) {
++		return ret;
++	}
++
++	ret = ldb_msg_element_add_value(msg->elements, el, val);
++	if (ret != LDB_SUCCESS) {
++		return ret;
++	}
++
++	if (return_el != NULL) {
++		*return_el = el;
++	}
++
++	return LDB_SUCCESS;
++}
++
++/*
++  append a value to a message
++*/
++int ldb_msg_append_value(struct ldb_message *msg,
++			 const char *attr_name,
++			 const struct ldb_val *val,
++			 int flags)
++{
++	return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL);
++}
++
++/*
++  append a value to a message, stealing it into the 'right' place
++*/
++int ldb_msg_append_steal_value(struct ldb_message *msg,
++			       const char *attr_name,
++			       struct ldb_val *val,
++			       int flags)
++{
++	int ret;
++	struct ldb_message_element *el = NULL;
++
++	ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el);
++	if (ret == LDB_SUCCESS) {
++		talloc_steal(el->values, val->data);
++	}
++	return ret;
++}
++
++/*
++  append a string element to a message, stealing it into the 'right' place
++*/
++int ldb_msg_append_steal_string(struct ldb_message *msg,
++				const char *attr_name, char *str,
++				int flags)
++{
++	struct ldb_val val;
++
++	val.data = (uint8_t *)str;
++	val.length = strlen(str);
++
++	if (val.length == 0) {
++		/* allow empty strings as non-existent attributes */
++		return LDB_SUCCESS;
++	}
++
++	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
++}
++
++/*
++  append a string element to a message
++*/
++int ldb_msg_append_string(struct ldb_message *msg,
++			  const char *attr_name, const char *str, int flags)
++{
++	struct ldb_val val;
++
++	val.data = discard_const_p(uint8_t, str);
++	val.length = strlen(str);
++
++	if (val.length == 0) {
++		/* allow empty strings as non-existent attributes */
++		return LDB_SUCCESS;
++	}
++
++	return ldb_msg_append_value(msg, attr_name, &val, flags);
++}
++
++/*
++  append a DN element to a message
++  WARNING: this uses the linearized string from the dn, and does not
++  copy the string.
++*/
++int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
++				 struct ldb_dn *dn, int flags)
++{
++	char *str = ldb_dn_alloc_linearized(msg, dn);
++
++	if (str == NULL) {
++		/* we don't want to have unknown DNs added */
++		return LDB_ERR_OPERATIONS_ERROR;
++	}
++
++	return ldb_msg_append_steal_string(msg, attr_name, str, flags);
++}
++
++/*
++  append a printf formatted element to a message
++*/
++int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
++		       const char *attr_name, const char *fmt, ...)
++{
++	struct ldb_val val;
++	va_list ap;
++	char *str = NULL;
++
++	va_start(ap, fmt);
++	str = talloc_vasprintf(msg, fmt, ap);
++	va_end(ap);
++
++	if (str == NULL) {
++		return LDB_ERR_OPERATIONS_ERROR;
++	}
++
++	val.data   = (uint8_t *)str;
++	val.length = strlen(str);
++
++	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
++}
++
+ /*
+   compare two ldb_message_element structures
+   assumes case sensitive comparison
+diff --git a/include/ldb.h b/include/ldb.h
+index 129beefeaf5..63d8aedd672 100644
+--- a/include/ldb.h
++++ b/include/ldb.h
+@@ -2002,12 +2002,36 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
+ 		      struct ldb_val *val);
+ int ldb_msg_add_steal_string(struct ldb_message *msg,
+ 			     const char *attr_name, char *str);
++int ldb_msg_add_string_flags(struct ldb_message *msg,
++			     const char *attr_name, const char *str,
++			     int flags);
+ int ldb_msg_add_string(struct ldb_message *msg,
+ 		       const char *attr_name, const char *str);
+ int ldb_msg_add_linearized_dn(struct ldb_message *msg, const char *attr_name,
+ 			      struct ldb_dn *dn);
+ int ldb_msg_add_fmt(struct ldb_message *msg,
+ 		    const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
++/**
++   append a element to a ldb_message
++*/
++int ldb_msg_append_value(struct ldb_message *msg,
++			 const char *attr_name,
++			 const struct ldb_val *val,
++			 int flags);
++int ldb_msg_append_steal_value(struct ldb_message *msg,
++			       const char *attr_name,
++			       struct ldb_val *val,
++			       int flags);
++int ldb_msg_append_steal_string(struct ldb_message *msg,
++				const char *attr_name, char *str,
++				int flags);
++int ldb_msg_append_string(struct ldb_message *msg,
++			  const char *attr_name, const char *str,
++			  int flags);
++int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
++				 struct ldb_dn *dn, int flags);
++int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
++		       const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(4,5);
+ 
+ /**
+    compare two message elements - return 0 on match

backport-CVE-2021-3670.patch

@@ -0,0 +1,165 @@
+From 1d5b155619bc532c46932965b215bd73a920e56f Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 27 Sep 2021 16:47:46 +1300
+Subject: [PATCH] CVE-2021-3670 ldb: Confirm the request has not yet timed out
+ in ldb filter processing
+
+The LDB filter processing is where the time is spent in the LDB stack
+but the timeout event will not get run while this is ongoing, so we
+must confirm we have not yet timed out manually.
+
+RN: Ensure that the LDB request has not timed out during filter processing
+as the LDAP server MaxQueryDuration is otherwise not honoured.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+
+---
+ ldb_key_value/ldb_kv.c        |  2 ++
+ ldb_key_value/ldb_kv.h        | 10 +++++++++
+ ldb_key_value/ldb_kv_index.c  | 41 +++++++++++++++++++++++++++++++++++
+ ldb_key_value/ldb_kv_search.c | 33 +++++++++++++++++++++++++++-
+ 4 files changed, 85 insertions(+), 1 deletion(-)
+
+diff --git a/ldb_key_value/ldb_kv.c b/ldb_key_value/ldb_kv.c
+index 4e7b8a1..8e36dc6 100644
+--- a/ldb_key_value/ldb_kv.c
++++ b/ldb_key_value/ldb_kv.c
+@@ -2082,6 +2082,8 @@ static int ldb_kv_handle_request(struct ldb_module *module,
+ 		}
+ 	}
+ 
++	ac->timeout_timeval = tv;
++
+ 	/* set a spy so that we do not try to use the request context
+ 	 * if it is freed before ltdb_callback fires */
+ 	ac->spy = talloc(req, struct ldb_kv_req_spy);
+diff --git a/ldb_key_value/ldb_kv.h b/ldb_key_value/ldb_kv.h
+index f9dffae..ac474b0 100644
+--- a/ldb_key_value/ldb_kv.h
++++ b/ldb_key_value/ldb_kv.h
+@@ -152,6 +152,16 @@ struct ldb_kv_context {
+ 	struct ldb_module *module;
+ 	struct ldb_request *req;
+ 
++	/*
++	 * Required as we might not get to the event loop before the
++	 * timeout, so we need some old-style cooperative multitasking
++	 * here.
++	 */
++	struct timeval timeout_timeval;
++
++	/* Used to throttle calls to gettimeofday() */
++	size_t timeout_counter;
++
+ 	bool request_terminated;
+ 	struct ldb_kv_req_spy *spy;
+ 
+diff --git a/ldb_key_value/ldb_kv_index.c b/ldb_key_value/ldb_kv_index.c
+index 8e756c1..aca542c 100644
+--- a/ldb_key_value/ldb_kv_index.c
++++ b/ldb_key_value/ldb_kv_index.c
+@@ -2324,6 +2324,47 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv,
+ 	for (i = 0; i < num_keys; i++) {
+ 		int ret;
+ 		bool matched;
++		
++		/*
++		 * Check the time every 64 records, to reduce calls to
++		 * gettimeofday().  This is a compromise, not all
++		 * calls to ldb_match_message() will take the same
++		 * time, most will run quickly but by luck it might be
++		 * possible to have 64 records that are slow, doing a
++		 * recursive search via LDAP_MATCHING_RULE_IN_CHAIN.
++		 *
++		 * Thankfully this is after index processing so only
++		 * on the subset that matches some index (but still
++		 * possibly a big one like objectclass=user)
++		 */
++		if (i % 64 == 0) {
++			struct timeval now = tevent_timeval_current();
++			int timeval_cmp = tevent_timeval_compare(&ac->timeout_timeval,
++								 &now);
++
++			/*
++			 * The search has taken too long.  This is the
++			 * most likely place for our time to expire,
++			 * as we are checking the records after the
++			 * index set intersection.  This is now the
++			 * slow process of checking if the records
++			 * actually match.
++			 *
++			 * The tevent based timeout is not likely to
++			 * be hit, sadly, as we don't run an event
++			 * loop.
++			 *
++			 * While we are indexed and most of the work
++			 * should have been done already, the
++			 * ldb_match_* calls can be quite expensive if
++			 * the caller uses LDAP_MATCHING_RULE_IN_CHAIN
++			 */
++			if (timeval_cmp <= 0) {
++				talloc_free(keys);
++				return LDB_ERR_TIME_LIMIT_EXCEEDED;
++			}
++		}
++
+ 		msg = ldb_msg_new(ac);
+ 		if (!msg) {
+ 			talloc_free(keys);
+diff --git a/ldb_key_value/ldb_kv_search.c b/ldb_key_value/ldb_kv_search.c
+index f2d9619..9636828 100644
+--- a/ldb_key_value/ldb_kv_search.c
++++ b/ldb_key_value/ldb_kv_search.c
+@@ -314,7 +314,8 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv,
+ 	struct ldb_context *ldb;
+ 	struct ldb_kv_context *ac;
+ 	struct ldb_message *msg, *filtered_msg;
+-	int ret;
++	struct timeval now;
++	int ret, timeval_cmp;
+ 	bool matched;
+ 
+ 	ac = talloc_get_type(state, struct ldb_kv_context);
+@@ -341,6 +342,36 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv,
+ 		return 0;
+ 	}
+ 
++	/*
++	 * Check the time every 64 records, to reduce calls to
++	 * gettimeofday().  This is a compromise, not all calls to
++	 * ldb_match_message() will take the same time, most will fail
++	 * quickly but by luck it might be possible to have 64 records
++	 * that are slow, doing a recursive search via
++	 * LDAP_MATCHING_RULE_IN_CHAIN.
++	 */
++	if (ac->timeout_counter++ % 64 == 0) {
++		now = tevent_timeval_current();
++		timeval_cmp = tevent_timeval_compare(&ac->timeout_timeval,
++						     &now);
++
++		/*
++		 * The search has taken too long.  This is the most
++		 * likely place for our time to expire, as we are in
++		 * an un-indexed search and we return the data from
++		 * within this loop.  The tevent based timeout is not
++		 * likely to be hit, sadly.
++		 *
++		 * ldb_match_msg_error() can be quite expensive if a
++		 * LDAP_MATCHING_RULE_IN_CHAIN extended match was
++		 * specified.
++		 */
++		if (timeval_cmp <= 0) {
++			ac->error = LDB_ERR_TIME_LIMIT_EXCEEDED;
++			return -1;
++		}
++	}
++
+ 	msg = ldb_msg_new(ac);
+ 	if (!msg) {
+ 		ac->error = LDB_ERR_OPERATIONS_ERROR;
+-- 
+2.43.0
+

backport-pre-CVE-2022-32746-ldb_msg-Dont-fail-in-ldb_msg_copy-if-source-DN-is-NULL.patch

@@ -0,0 +1,32 @@
+From c2bbe774ce03661666a1f48922a9ab681ef4f64b Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Tue, 14 Sep 2021 11:08:41 +1200
+Subject: [PATCH] ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+---
+ common/ldb_msg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/common/ldb_msg.c b/common/ldb_msg.c
+index 0179c35659bd..57dfc5a04c2b 100644
+--- a/common/ldb_msg.c
++++ b/common/ldb_msg.c
+@@ -876,8 +876,10 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
+ 	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
+ 	if (msg2 == NULL) return NULL;
+ 
+-	msg2->dn = ldb_dn_copy(msg2, msg2->dn);
+-	if (msg2->dn == NULL) goto failed;
++	if (msg2->dn != NULL) {
++		msg2->dn = ldb_dn_copy(msg2, msg2->dn);
++		if (msg2->dn == NULL) goto failed;
++	}
+ 
+ 	for (i=0;i<msg2->num_elements;i++) {
+ 		struct ldb_message_element *el = &msg2->elements[i];

libldb.spec

@@ -6,7 +6,7 @@
 
 Name:          libldb
 Version:       2.0.12
-Release:       1
+Release:       5
 Summary:       A schema-less, ldap like, API and database
 Requires:      libtalloc%{?_isa} >= %{talloc_version}
 Requires:      libtdb%{?_isa} >= %{tdb_version}
@@ -15,10 +15,20 @@ License:       LGPLv3+
 URL:           http://ldb.samba.org/
 Source0:       https://www.samba.org/ftp/ldb/ldb-%{version}.tar.gz
 
+Patch0:        Skip-ldb_lmdb_free_list_test-on-ppc64el-ppc64-and-sp.patch
+Patch1:        backport-pre-CVE-2022-32746-ldb_msg-Dont-fail-in-ldb_msg_copy-if-source-DN-is-NULL.patch
+Patch2:        backport-001-CVE-2022-32746.patch
+Patch3:        backport-002-CVE-2022-32746.patch
+Patch4:        backport-003-CVE-2022-32746.patch
+Patch5:        backport-004-CVE-2022-32746.patch
+Patch6:        backport-005-CVE-2022-32746.patch
+Patch7:        backport-CVE-2021-3670.patch
+
 BuildRequires: gcc libtalloc-devel >= %{talloc_version} libtdb-devel >= %{tdb_version}
 BuildRequires: libtevent-devel >= %{tevent_version} lmdb-devel >= 0.9.16 popt-devel
 BuildRequires: libxslt docbook-style-xsl python3-devel python3-tdb python3-talloc-devel
 BuildRequires: python3-tevent doxygen openldap-devel libcmocka-devel gdb
+BuildRequires: chrpath
 
 Provides:      bundled(libreplace) ldb-tools
 Obsoletes:     python2-ldb < 2.0.5-1 python2-ldb-devel < 2.0.5-1 pyldb < 1.1.26-2 ldb-tools
@@ -94,6 +104,19 @@ make install DESTDIR=$RPM_BUILD_ROOT
 cp -a apidocs/man/* $RPM_BUILD_ROOT/%{_mandir}
 rm -f $RPM_BUILD_ROOT/%{_mandir}/man3/_*
 
+# remove rpath
+chrpath -d %{buildroot}%{_bindir}/ldbrename
+chrpath -d %{buildroot}%{_bindir}/ldbedit
+chrpath -d %{buildroot}%{_bindir}/ldbmodify
+chrpath -d %{buildroot}%{_bindir}/ldbadd
+chrpath -d %{buildroot}%{_bindir}/ldbdel
+chrpath -d %{buildroot}%{_bindir}/ldbsearch
+chrpath -d %{buildroot}%{_libdir}/ldb/*.so
+chrpath -d %{buildroot}%{_libdir}/ldb/modules/ldb/*.so
+
+mkdir -p %{buildroot}/etc/ld.so.conf.d
+echo "%{_libdir}/ldb" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
+
 %ldconfig_scriptlets
 
 %files
@@ -103,6 +126,7 @@ rm -f $RPM_BUILD_ROOT/%{_mandir}/man3/_*
 %{_bindir}/ldbmodify
 %{_bindir}/ldbrename
 %{_bindir}/ldbsearch
+%config(noreplace) /etc/ld.so.conf.d/*
 %dir %{_libdir}/ldb
 %{_libdir}/libldb.so.*
 %{_libdir}/ldb/libldb-key-value.so
@@ -150,13 +174,37 @@ rm -f $RPM_BUILD_ROOT/%{_mandir}/man3/_*
 %{_mandir}/man1/ldbsearch.1.*
 
 %changelog
+* Mon Jun 03 2024 yanglu <yanglu72@h-parnters.com> - 2.0.12-5
+- Type:CVE
+- ID:CVE-2021-3670
+- SUG:NA
+- DESC:fix CVE-2021-3670
+
+* Wed Aug 31 2022 xingwei <xingwei14@h-partners.com> - 2.0.12-4
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:remove rpath of libldb's binary files
+
+* Mon Aug 01 2022 gaihuiying <eaglegai@163.com> - 2.0.12-3
+- Type:CVE
+- ID:CVE-2022-32746
+- SUG:NA
+- DESC:fix CVE-2022-32746
+
+* Tue Mar 23 2021 gaihuiying <gaihuiying1@huawei.com> - 2.0.12-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix tests failed when build with rpmbuild command
+
 * Mon Aug 31 2020 gaihuiying <gaihuiying1@huawei.com> - 2.0.12-1
 - Type:requirement
 - ID:NA
 - SUG:NA
 - DESC:update to 2.0.12
 
-* Tue Aug 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.8-3
+* Fri Aug 21 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.0.8-3
 - Type:rebuild
 - ID:NA
 - SUG:NA