main/openldap: security fix (CVE-2011-4079)

fixes #835

1 files changed, 55 insertions, 0 deletions

diff --git a/main/openldap/cve-2011-4079.patch b/main/openldap/cve-2011-4079.patch
new file mode 100644
index 0000000000..94a453d9c6
--- /dev/null
+++ b/main/openldap/cve-2011-4079.patch
@@ -0,0 +1,55 @@
+one-byte buffer overflow in slapd
+
+Resolves: #749324 (CVE-2011-4079)
+Upstream ITS: #7059
+Upstream commits: d0dd861 5072387
+Author: Howard Chu <hyc@openldap.org>
+
+diff -u
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
+ 		}
+ 		nvalue.bv_val[nvalue.bv_len] = '\0';
+ 
+-	} else {
++	} else if ( tmp.bv_len )  {
+ 		/* string of all spaces is treated as one space */
+ 		nvalue.bv_val[0] = ' ';
+ 		nvalue.bv_val[1] = '\0';
+ 		nvalue.bv_len = 1;
+-	}
++	}	/* should never be entered with 0-length val */
+ 
+ 	*normalized = nvalue;
+ 	return LDAP_SUCCESS;
+@@ -2331,13 +2331,18 @@ postalAddressNormalize(
+ 	}
+ 	lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
+ 
+-	normalized->bv_len = l;
++	normalized->bv_len = c = l;
+ 
+-	for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
++	for ( l = 0; l <= c; l++ ) {
+ 		/* NOTE: we directly normalize each line,
+ 		 * without unescaping the values, since the special
+ 		 * values '\24' ('$') and '\5C' ('\') are not affected
+ 		 * by normalization */
++		if ( !lines[l].bv_len ) {
++			nlines[l].bv_len = 0;
++			nlines[l].bv_val = NULL;
++			continue;
++		}
+ 		rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
+ 		if ( rc != LDAP_SUCCESS ) {
+ 			rc = LDAP_INVALID_SYNTAX;
+@@ -2350,7 +2355,7 @@ postalAddressNormalize(
+ 	normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
+ 
+ 	p = normalized->bv_val;
+-	for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
++	for ( l = 0; l <= c ; l++ ) {
+ 		p = lutil_strbvcopy( p, &nlines[l] );
+ 		*p++ = '$';
+ 	}