From 4041a223b7e7b9a7ab163406bc7f4b04a4a8fad3 Mon Sep 17 00:00:00 2001
From: Leonardo Arena
Date: Mon, 14 Sep 2015 08:21:50 +0000
Subject: main/openldap: fix ber_get_next denial of service (CVE-2015-6908)

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240
---
 main/openldap/APKBUILD | 7 ++++++-
 main/openldap/CVE-2015-6908.patch | 25 +++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 main/openldap/CVE-2015-6908.patch

diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD
index 13ccec338a..d7381249fb 100644
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=openldap
 pkgver=2.4.42
-pkgrel=0
+pkgrel=1
 pkgdesc="LDAP Server"
 url="http://www.openldap.org/"
 arch="all"
@@ -24,6 +24,8 @@ source="ftp://ftp.$pkgname.org/pub/OpenLDAP/$pkgname-release/$pkgname-$pkgver.tg
 openldap-2.4.11-libldap_r.patch
 0001-dbd-enabled-by-default.patch
 openldap-mqtt-overlay.patch
+ CVE-2015-6908.patch
+
 slapd.initd
 slapd.confd
 slurpd.initd
@@ -152,6 +154,7 @@ md5sums="47c8e2f283647a6105b8b0325257e922 openldap-2.4.42.tgz
 d19d0502f046078ecd737e29e7552fa8 openldap-2.4.11-libldap_r.patch
 7b4eec9a90d2f7f727e0f9cb4653887c 0001-dbd-enabled-by-default.patch
 05266dddd5a9cc5de1b67ab62b6d26fb openldap-mqtt-overlay.patch
+2df05f886ad96db4da8098078b3f8ae4 CVE-2015-6908.patch
 b1291a48e7f5228a88d8d479cc1c2714 slapd.initd
 b672311fca605c398240cd37a2ae080a slapd.confd
 9ecb5712e8e4a8fe5bf0183254305f0d slurpd.initd"
@@ -160,6 +163,7 @@ sha256sums="eeb7b0e2c5852bfd2650e83909bb6152835c0b862fab10b63954dc1bcbba8e63 op
 3310a89d38bc39e6eb4333799d475411b274482b8bccab212b3edfd4385db70e openldap-2.4.11-libldap_r.patch
 8d1ee24c52928302acb876bc99cc75757eb15b278a10bfd3d43cabb332bcd3c4 0001-dbd-enabled-by-default.patch
 5de1464a6ae154e1556f7faa9494caf7ca94d26a0ef2f7d5abdc6aa2513cc1c9 openldap-mqtt-overlay.patch
+6950a117365046be3c4f5a1b45557ac2d1df0201d354889b0d7be26dc517e31c CVE-2015-6908.patch
 454480c29e938a82fd46e490a0369586ed7c344a2ac559f95bbe813df6c07f8a slapd.initd
 1ccb8a3b78b65b125b24779dd065cf8000e2d5e4da267bb0a892e730edd2055d slapd.confd
 3cdd67b848f470399c0e8aeb89031de152383deeaf9da1416596093c67594118 slurpd.initd"
@@ -168,6 +172,7 @@ sha512sums="52d6af7610c4fdc8f965ebea04d09c38f73773a02c2e484dc111100f3d472f8b2f76
 44d97efb25d4f39ab10cd5571db43f3bfa7c617a5bb087085ae16c0298aca899b55c8742a502121ba743a73e6d77cd2056bc96cee63d6d0862dabc8fb5574357 openldap-2.4.11-libldap_r.patch
 b0892e049feab931d6439374ecf2497c54fbf46daef622f9949f02a26cd4b20f73de7cff1e1d64894539dc599793ffbd61d7a5bba6e026f3966295cf6a39f1be 0001-dbd-enabled-by-default.patch
 9c7f41279e91ed995c91e9a8c543c797d9294a93cf260afdc03ab5777e45ed045a4d6a4d4d0180b5dc387dc04babca01d818fbfa8168309df44f4500d2a430a4 openldap-mqtt-overlay.patch
+f3d0a844aeea4215d5ce09df2d444b3a29cb43ffeca0d05ba29f72cb3666dd5dfb350467e8003b600e1a93990978b249c4756ad531c34bf538fa7e917d8ee9e5 CVE-2015-6908.patch
 1a5490a29a2be8382a64d3d07a36906d2189571f4c44d8ad96b769db58d91a33b2eee24fe10343ec26440fa61cfd406c4e95153dce29c2f315d1f13f5b0f47e8 slapd.initd
 8290769b63b3a5863622de2deb9269a0711ba5f4a225eb230d7c5097937b9d4e8cf5a998ee99232824e2335ae1b6e0114357b61c9611bc2460ebd195d12eabae slapd.confd
 c8bffecdbd09583bec7720b5f6a5b9680b0eae055fd63f10736cf2fe25378b95acddf910e60f6408c9637a3fe48050299cfb500a6bc9a95a0ef135d5a4c4d5f9 slurpd.initd"
diff --git a/main/openldap/CVE-2015-6908.patch b/main/openldap/CVE-2015-6908.patch
new file mode 100644
index 0000000000..9a2474c647
--- /dev/null
+++ b/main/openldap/CVE-2015-6908.patch
@@ -0,0 +1,25 @@
+From: Howard Chu
+Date: Sat, 12 Sep 2015 21:18:22 +0000 (+0100)
+Subject: Revert "Revert "ITS#8240 remove obsolete assert""
+X-Git-Url: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff_plain;h=844ee7df820fa397249ce76984d2e7094746cd93;hp=55dd4d3275d24c5190fdfada8dfae0320628b993
+
+Revert "Revert "ITS#8240 remove obsolete assert""
+
+We have never documented our use of assert, so can't expect
+builders to do the right thing.
+This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.
+---
+
+diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
+index 85c3e23..c05dcf8 100644
+--- a/libraries/liblber/io.c
++++ b/libraries/liblber/io.c
+@@ -679,7 +679,7 @@ done:
+ return (ber->ber_tag);
+ }
+
+- assert( 0 ); /* ber structure is messed up ?*/
++ /* invalid input */
+ return LBER_DEFAULT;
+ }
+
-- cgit v1.2.3
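Review bot: The replacement comment `/* invalid input */` on the `++` line of the embedded io.c hunk records the what but not the why, and the why is the whole security point: this fall-through is reached when the BER being decoded is malformed, so it is an input-validation failure rather than a broken internal invariant, and with assertions compiled in the old `assert( 0 )` turned it into an abort of the process decoding the data (the commit subject calls it a ber_get_next denial of service, CVE-2015-6908). I would say that in the comment so the assert is not reintroduced by a later cleanup: `/* Malformed BER from the peer, not an internal invariant: report it via LBER_DEFAULT, never abort (ITS#8240, CVE-2015-6908) */`. The body of the enclosing function starts before the hunk, so it is not visible here whether `ber` is left in a state the caller can safely discard after LBER_DEFAULT or whether errno is set on this path; presumably callers already treat LBER_DEFAULT as fatal for the connection, but that is worth confirming against ber_get_next's callers rather than assumed from this hunk.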