update to openldap-2.4.50

2020-08-25 19:36:01 +08:00 · 2020-08-25 19:36:01 +08:00 · 8022a8da85
commit 8022a8da85
parent 2aa6e544be
9 changed files with 147 additions and 153 deletions
--- a/CVE-2020-12243.patch
+++ b/CVE-2020-12243.patch
@ -1,125 +0,0 @@
-From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Thu, 16 Apr 2020 01:08:19 +0100
-Subject: [PATCH] ITS#9202 limit depth of nested filters
-
-Using a hardcoded limit for now; no reasonable apps
-should ever run into it.
---
- servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
- 1 file changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
-index 3252cf2..ed57bbd 100644
--- a/servers/slapd/filter.c
-+++ b/servers/slapd/filter.c
-@@ -37,11 +37,16 @@
- const Filter *slap_filter_objectClass_pres;
- const struct berval *slap_filterstr_objectClass_pres;
- 
-+#ifndef SLAPD_MAX_FILTER_DEPTH
-+#define SLAPD_MAX_FILTER_DEPTH	5000
-+#endif
-+
- static int	get_filter_list(
- 	Operation *op,
- 	BerElement *ber,
- 	Filter **f,
-	const char **text );
-+	const char **text,
-+	int depth );
- 
- static int	get_ssa(
- 	Operation *op,
-@@ -80,12 +85,13 @@ filter_destroy( void )
- 	return;
- }
- 
-int
-get_filter(
-+static int
-+get_filter0(
- 	Operation *op,
- 	BerElement *ber,
- 	Filter **filt,
-	const char **text )
-+	const char **text,
-+	int depth )
- {
- 	ber_tag_t	tag;
- 	ber_len_t	len;
-@@ -126,6 +132,11 @@ get_filter(
- 	 *
- 	 */
- 
-+	if( depth > SLAPD_MAX_FILTER_DEPTH ) {
-+		*text = "filter nested too deeply";
-+		return SLAPD_DISCONNECT;
-+	}
-+
- 	tag = ber_peek_tag( ber, &len );
- 
- 	if( tag == LBER_ERROR ) {
-@@ -221,7 +232,7 @@ get_filter(
- 
- 	case LDAP_FILTER_AND:
- 		Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
-		err = get_filter_list( op, ber, &f.f_and, text );
-+		err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -234,7 +245,7 @@ get_filter(
- 
- 	case LDAP_FILTER_OR:
- 		Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
-		err = get_filter_list( op, ber, &f.f_or, text );
-+		err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -248,7 +259,7 @@ get_filter(
- 	case LDAP_FILTER_NOT:
- 		Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
- 		(void) ber_skip_tag( ber, &len );
-		err = get_filter( op, ber, &f.f_not, text );
-+		err = get_filter0( op, ber, &f.f_not, text, depth+1 );
- 		if ( err != LDAP_SUCCESS ) {
- 			break;
- 		}
-@@ -311,10 +322,22 @@ get_filter(
- 	return( err );
- }
- 
-+int
-+get_filter(
-+	Operation *op,
-+	BerElement *ber,
-+	Filter **filt,
-+	const char **text )
-+{
-+	return get_filter0( op, ber, filt, text, 0 );
-+}
-+
-+
- static int
- get_filter_list( Operation *op, BerElement *ber,
- 	Filter **f,
-	const char **text )
-+	const char **text,
-+	int depth )
- {
- 	Filter		**new;
- 	int		err;
-@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
- 		tag != LBER_DEFAULT;
- 		tag = ber_next_element( ber, &len, last ) )
- 	{
-		err = get_filter( op, ber, new, text );
-+		err = get_filter0( op, ber, new, text, depth );
- 		if ( err != LDAP_SUCCESS )
- 			return( err );
- 		new = &(*new)->f_next;
-- 
-1.8.3.1
-
--- a/README.en.md
+++ b/README.en.md
@ -0,0 +1,36 @@
+# openldap
+
+#### Description
+{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
+
+#### Software Architecture
+Software architecture description
+
+#### Installation
+
+1.  xxxx
+2.  xxxx
+3.  xxxx
+
+#### Instructions
+
+1.  xxxx
+2.  xxxx
+3.  xxxx
+
+#### Contribution
+
+1.  Fork the repository
+2.  Create Feat_xxx branch
+3.  Commit your code
+4.  Create Pull Request
+
+
+#### Gitee Feature
+
+1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
+2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
+3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
+4.  The most valuable open source project [GVP](https://gitee.com/gvp)
+5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
+6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/README.md
+++ b/README.md
@ -0,0 +1,39 @@
+# openldap
+
+#### 介绍
+{**以下是码云平台说明，您可以替换此简介**
+码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
+无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
+
+#### 软件架构
+软件架构说明
+
+
+#### 安装教程
+
+1.  xxxx
+2.  xxxx
+3.  xxxx
+
+#### 使用说明
+
+1.  xxxx
+2.  xxxx
+3.  xxxx
+
+#### 参与贡献
+
+1.  Fork 本仓库
+2.  新建 Feat_xxx 分支
+3.  提交代码
+4.  新建 Pull Request
+
+
+#### 码云特技
+
+1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
+2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
+3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
+4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
+5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
+6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
+++ b/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
@ -0,0 +1,36 @@
+From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount <quanah@openldap.org>
+Date: Tue, 28 Apr 2020 20:49:53 +0000
+Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
+
+---
+ libraries/libldap/tls2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index c1f15cb..ebe5bf1 100644
+--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
+@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 			} else if ( sb->sb_trans_needs_write ) {
+ 				wr=1;
+ 			}
+-			Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+-					wr ? "write": "read" );
+			Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+					wr ? "write": "read", 0, 0 );
+ 
+ 			/* This is mostly copied from result.c:wait4msg(), should
+ 			 * probably be moved into a separate function */
+@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 			start_time_tv.tv_sec = curr_time_tv.tv_sec;
+ 			start_time_tv.tv_usec = curr_time_tv.tv_usec;
+ 			tv = tv0;
+-			Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+			Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+ 				(void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
+ 			ret = ldap_int_poll( ld, sd, &tv, wr);
+ 			if ( ret < 0 ) {
+-- 
+1.8.3.1
+
--- a/bugfix-openldap-ITS9160-OOM-Handing.patch
+++ b/bugfix-openldap-ITS9160-OOM-Handing.patch
--- a/bugfix-openldap-fix-implicit-function-declaration.patch
+++ b/bugfix-openldap-fix-implicit-function-declaration.patch
--- a/openldap-2.4.49.tgz
+++ b/openldap-2.4.49.tgz
--- a/openldap-2.4.50.tgz
+++ b/openldap-2.4.50.tgz
--- a/openldap.spec
+++ b/openldap.spec
@ -1,8 +1,8 @@
 %global systemctl_bin /usr/bin/systemctl

 Name:           openldap
-Version:        2.4.49
-Release:        4
+Version:        2.4.50
+Release:        1
 Summary:        LDAP support libraries
 License:        OpenLDAP
 URL:            https://www.openldap.org/
@ -23,25 +23,26 @@ Patch3:         openldap-ai-addrconfig.patch
 Patch4:         openldap-allop-overlay.patch
 # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
 Patch5:         openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
-Patch6:         check-password-makefile.patch
-Patch7: 	check-password.patch
-Patch8:         bugfix-openldap-autoconf-pkgconfig-nss.patch
-Patch9:         bugfix-openldap-nss-ciphers-use-nss-defaults.patch
-Patch10:        bugfix-openldap-nss-ignore-certdb-type-prefix.patch
-Patch11:        bugfix-openldap-nss-pk11-freeslot.patch
-Patch12:        bugfix-openldap-nss-protocol-version-new-api.patch
-Patch13:        bugfix-openldap-nss-unregister-on-unload.patch
-Patch14:        bugfix-openldap-nss-update-list-of-ciphers.patch
-Patch15:        bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
-Patch16:        bugfix-openldap-ssl-deadlock-revert.patch
-Patch17:        bugfix-openldap-support-tlsv1-and-later.patch
-Patch18:        bugfix-openldap-temporary-ssl-thr-init-race.patch
-Patch19:        Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
-Patch20:        Fixup-for-binary-config-attrs.patch
-Patch21:	ITS9160-OOM-Handing.patch
-Patch22:	fix-implicit-function-declaration.patch
-Patch23:	CVE-2020-12243.patch
-Patch24:        CVE-2020-15719.patch
+Patch6:         openldap-openssl-allow-ssl3.patch
+Patch7:         check-password-makefile.patch
+Patch8:         check-password.patch
+Patch9:         bugfix-openldap-autoconf-pkgconfig-nss.patch
+Patch10:        bugfix-openldap-nss-ciphers-use-nss-defaults.patch
+Patch11:        bugfix-openldap-nss-ignore-certdb-type-prefix.patch
+Patch12:        bugfix-openldap-nss-pk11-freeslot.patch
+Patch13:        bugfix-openldap-nss-protocol-version-new-api.patch
+Patch14:        bugfix-openldap-nss-unregister-on-unload.patch
+Patch15:        bugfix-openldap-nss-update-list-of-ciphers.patch
+Patch16:        bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
+Patch17:        bugfix-openldap-ssl-deadlock-revert.patch
+Patch18:        bugfix-openldap-support-tlsv1-and-later.patch
+Patch19:        bugfix-openldap-temporary-ssl-thr-init-race.patch
+Patch20:        Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
+Patch21:        Fixup-for-binary-config-attrs.patch
+Patch22:        bugfix-openldap-ITS9160-OOM-Handing.patch
+Patch23:        bugfix-openldap-fix-implicit-function-declaration.patch
+Patch24:        bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
+Patch25:        CVE-2020-15719.patch

 BuildRequires:  cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel chrpath
 BuildRequires:  glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -113,8 +114,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1

-%patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
@ -131,6 +132,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1

 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -148,8 +150,8 @@ done
 popd

 pushd ltb-project-openldap-ppolicy-check-password-1.1
-%patch6 -p1
 %patch7 -p1
+%patch8 -p1
 popd

 %build
@ -271,11 +273,6 @@ rmdir %{buildroot}%{_localstatedir}/openldap-data
 mkdir -p %{buildroot}/etc/ld.so.conf.d
 echo "/usr/lib64/perl5/CORE" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf

-%check
-pushd openldap-%{version}
-make check
-popd
-
 %pre servers

 getent group ldap &>/dev/null || groupadd -r -g 55 ldap
@ -365,6 +362,11 @@ fi

 exit 0

+%check
+pushd openldap-%{version}
+make check
+popd
+
 %files
 %defattr(-,root,root)
 %license openldap-%{version}/COPYRIGHT
@ -416,6 +418,12 @@ exit 0
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd

 %changelog
+* Tue Aug 25 2020 lunankun<lunankun@huawei.com> - 2.4.50-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:update to 2.4.50
+
 * Wed Aug 05 2020 lunankun<lunankun@huawei.com> - 2.4.49-4
 - Type:cves
 - ID:CVE-2020-15719