!23 update to openldap-2.4.50

Merge pull request !23 from lunankun/openEuler-20.03-LTS
2020-08-29 18:22:14 +08:00 · 2020-08-29 18:22:14 +08:00 · cc6bfdb601
commit cc6bfdb601
parent 1392bb8c0a 8022a8da85
9 changed files with 147 additions and 153 deletions
--- a/CVE-2020-12243.patch
+++ b/CVE-2020-12243.patch
@ -1,125 +0,0 @@
 From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
 From: Howard Chu <hyc@openldap.org>
 Date: Thu, 16 Apr 2020 01:08:19 +0100
 Subject: [PATCH] ITS#9202 limit depth of nested filters
 Using a hardcoded limit for now; no reasonable apps
 should ever run into it.
 ---
 servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)
 diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
 index 3252cf2..ed57bbd 100644
 --- a/servers/slapd/filter.c
 +++ b/servers/slapd/filter.c
@@ -37,11 +37,16 @@
 const Filter *slap_filter_objectClass_pres;
 const struct berval *slap_filterstr_objectClass_pres;
 +#ifndef SLAPD_MAX_FILTER_DEPTH
 +#define SLAPD_MAX_FILTER_DEPTH	5000
 +#endif
 +
 static int	get_filter_list(
 	Operation *op,
 	BerElement *ber,
 	Filter **f,
 -	const char **text );
 +	const char **text,
 +	int depth );
 static int	get_ssa(
 	Operation *op,
@@ -80,12 +85,13 @@ filter_destroy( void )
 	return;
 }
 -int
 -get_filter(
 +static int
 +get_filter0(
 	Operation *op,
 	BerElement *ber,
 	Filter **filt,
 -	const char **text )
 +	const char **text,
 +	int depth )
 {
 	ber_tag_t	tag;
 	ber_len_t	len;
@@ -126,6 +132,11 @@ get_filter(
 	 *
 	 */
 +	if( depth > SLAPD_MAX_FILTER_DEPTH ) {
 +		*text = "filter nested too deeply";
 +		return SLAPD_DISCONNECT;
 +	}
 +
 	tag = ber_peek_tag( ber, &len );
 	if( tag == LBER_ERROR ) {
@@ -221,7 +232,7 @@ get_filter(
 	case LDAP_FILTER_AND:
 		Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
 -		err = get_filter_list( op, ber, &f.f_and, text );
 +		err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
 		if ( err != LDAP_SUCCESS ) {
 			break;
 		}
@@ -234,7 +245,7 @@ get_filter(
 	case LDAP_FILTER_OR:
 		Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
 -		err = get_filter_list( op, ber, &f.f_or, text );
 +		err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
 		if ( err != LDAP_SUCCESS ) {
 			break;
 		}
@@ -248,7 +259,7 @@ get_filter(
 	case LDAP_FILTER_NOT:
 		Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
 		(void) ber_skip_tag( ber, &len );
 -		err = get_filter( op, ber, &f.f_not, text );
 +		err = get_filter0( op, ber, &f.f_not, text, depth+1 );
 		if ( err != LDAP_SUCCESS ) {
 			break;
 		}
@@ -311,10 +322,22 @@ get_filter(
 	return( err );
 }
 +int
 +get_filter(
 +	Operation *op,
 +	BerElement *ber,
 +	Filter **filt,
 +	const char **text )
 +{
 +	return get_filter0( op, ber, filt, text, 0 );
 +}
 +
 +
 static int
 get_filter_list( Operation *op, BerElement *ber,
 	Filter **f,
 -	const char **text )
 +	const char **text,
 +	int depth )
 {
 	Filter		**new;
 	int		err;
@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
 		tag != LBER_DEFAULT;
 		tag = ber_next_element( ber, &len, last ) )
 	{
 -		err = get_filter( op, ber, new, text );
 +		err = get_filter0( op, ber, new, text, depth );
 		if ( err != LDAP_SUCCESS )
 			return( err );
 		new = &(*new)->f_next;
 -- 
 1.8.3.1
--- a/README.en.md
+++ b/README.en.md
@ -0,0 +1,36 @@
 # openldap
 #### Description
 {**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
 #### Software Architecture
 Software architecture description
 #### Installation
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### Instructions
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### Contribution
 1.  Fork the repository
 2.  Create Feat_xxx branch
 3.  Commit your code
 4.  Create Pull Request
 #### Gitee Feature
 1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
 2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
 3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
 4.  The most valuable open source project [GVP](https://gitee.com/gvp)
 5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
 6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/README.md
+++ b/README.md
@ -0,0 +1,39 @@
 # openldap
 #### 介绍
 {**以下是码云平台说明，您可以替换此简介**
 码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
 无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
 #### 软件架构
 软件架构说明
 #### 安装教程
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### 使用说明
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### 参与贡献
 1.  Fork 本仓库
 2.  新建 Feat_xxx 分支
 3.  提交代码
 4.  新建 Pull Request
 #### 码云特技
 1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
 2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
 3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
 4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
 5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
 6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
+++ b/bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
@ -0,0 +1,36 @@
 From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
 From: Quanah Gibson-Mount <quanah@openldap.org>
 Date: Tue, 28 Apr 2020 20:49:53 +0000
 Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
 ---
 libraries/libldap/tls2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 index c1f15cb..ebe5bf1 100644
 --- a/libraries/libldap/tls2.c
 +++ b/libraries/libldap/tls2.c
@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 			} else if ( sb->sb_trans_needs_write ) {
 				wr=1;
 			}
 -			Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
 -					wr ? "write": "read" );
 +			Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
 +					wr ? "write": "read", 0, 0 );
 			/* This is mostly copied from result.c:wait4msg(), should
 			 * probably be moved into a separate function */
@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 			start_time_tv.tv_sec = curr_time_tv.tv_sec;
 			start_time_tv.tv_usec = curr_time_tv.tv_usec;
 			tv = tv0;
 -			Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
 +			Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
 				(void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
 			ret = ldap_int_poll( ld, sd, &tv, wr);
 			if ( ret < 0 ) {
 -- 
 1.8.3.1
--- a/bugfix-openldap-ITS9160-OOM-Handing.patch
+++ b/bugfix-openldap-ITS9160-OOM-Handing.patch
--- a/bugfix-openldap-fix-implicit-function-declaration.patch
+++ b/bugfix-openldap-fix-implicit-function-declaration.patch
--- a/openldap-2.4.49.tgz
+++ b/openldap-2.4.49.tgz
--- a/openldap-2.4.50.tgz
+++ b/openldap-2.4.50.tgz
--- a/openldap.spec
+++ b/openldap.spec
@ -1,8 +1,8 @@
 %global systemctl_bin /usr/bin/systemctl
 Name:           openldap
-Version:        2.4.49
+Version:        2.4.50
-Release:        4
+Release:        1
 Summary:        LDAP support libraries
 License:        OpenLDAP
 URL:            https://www.openldap.org/
@ -23,25 +23,26 @@ Patch3:         openldap-ai-addrconfig.patch
 Patch4:         openldap-allop-overlay.patch
 # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
 Patch5:         openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
-Patch6:         check-password-makefile.patch
+Patch6:         openldap-openssl-allow-ssl3.patch
-Patch7: 	check-password.patch
+Patch7:         check-password-makefile.patch
-Patch8:         bugfix-openldap-autoconf-pkgconfig-nss.patch
+Patch8:         check-password.patch
-Patch9:         bugfix-openldap-nss-ciphers-use-nss-defaults.patch
+Patch9:         bugfix-openldap-autoconf-pkgconfig-nss.patch
-Patch10:        bugfix-openldap-nss-ignore-certdb-type-prefix.patch
+Patch10:        bugfix-openldap-nss-ciphers-use-nss-defaults.patch
-Patch11:        bugfix-openldap-nss-pk11-freeslot.patch
+Patch11:        bugfix-openldap-nss-ignore-certdb-type-prefix.patch
-Patch12:        bugfix-openldap-nss-protocol-version-new-api.patch
+Patch12:        bugfix-openldap-nss-pk11-freeslot.patch
-Patch13:        bugfix-openldap-nss-unregister-on-unload.patch
+Patch13:        bugfix-openldap-nss-protocol-version-new-api.patch
-Patch14:        bugfix-openldap-nss-update-list-of-ciphers.patch
+Patch14:        bugfix-openldap-nss-unregister-on-unload.patch
-Patch15:        bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
+Patch15:        bugfix-openldap-nss-update-list-of-ciphers.patch
-Patch16:        bugfix-openldap-ssl-deadlock-revert.patch
+Patch16:        bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
-Patch17:        bugfix-openldap-support-tlsv1-and-later.patch
+Patch17:        bugfix-openldap-ssl-deadlock-revert.patch
-Patch18:        bugfix-openldap-temporary-ssl-thr-init-race.patch
+Patch18:        bugfix-openldap-support-tlsv1-and-later.patch
-Patch19:        Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
+Patch19:        bugfix-openldap-temporary-ssl-thr-init-race.patch
-Patch20:        Fixup-for-binary-config-attrs.patch
+Patch20:        Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
-Patch21:	ITS9160-OOM-Handing.patch
+Patch21:        Fixup-for-binary-config-attrs.patch
-Patch22:	fix-implicit-function-declaration.patch
+Patch22:        bugfix-openldap-ITS9160-OOM-Handing.patch
-Patch23:	CVE-2020-12243.patch
+Patch23:        bugfix-openldap-fix-implicit-function-declaration.patch
-Patch24:        CVE-2020-15719.patch
+Patch24:        bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
 Patch25:        CVE-2020-15719.patch
 BuildRequires:  cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel chrpath
 BuildRequires:  glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -113,8 +114,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
@ -131,6 +132,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -148,8 +150,8 @@ done
 popd
 pushd ltb-project-openldap-ppolicy-check-password-1.1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 popd
 %build
@ -271,11 +273,6 @@ rmdir %{buildroot}%{_localstatedir}/openldap-data
 mkdir -p %{buildroot}/etc/ld.so.conf.d
 echo "/usr/lib64/perl5/CORE" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %check
 pushd openldap-%{version}
 make check
 popd
 %pre servers
 getent group ldap &>/dev/null || groupadd -r -g 55 ldap
@ -365,6 +362,11 @@ fi
 exit 0
 %check
 pushd openldap-%{version}
 make check
 popd
 %files
 %defattr(-,root,root)
 %license openldap-%{version}/COPYRIGHT
@ -416,6 +418,12 @@ exit 0
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
 %changelog
 * Tue Aug 25 2020 lunankun<lunankun@huawei.com> - 2.4.50-1
 - Type:requirement
 - ID:NA
 - SUG:NA
 - DESC:update to 2.4.50
 * Wed Aug 05 2020 lunankun<lunankun@huawei.com> - 2.4.49-4
 - Type:cves
 - ID:CVE-2020-15719