diff options
author | Leo Famulari <leo@famulari.name> | 2020-04-28 15:59:16 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2020-04-29 13:44:10 -0400 |
commit | f224a8bb79cc3c9e5960227ffea5524eb666d34a (patch) | |
tree | 0265f9a7ae283db29b11653624699ac08f64b920 | |
parent | 19987f5efe0acb65918802681f3a18cbb6a07c2a (diff) | |
download | guix-f224a8bb79cc3c9e5960227ffea5524eb666d34a.tar.gz |
gnu: OpenLDAP: Update to 2.4.50 [fixes CVE-2019-{13057,13565}].
* gnu/packages/openldap.scm (openldap)[replacement]: Use openldap-2.4.50. (openldap/fixed): Replace with ... (openldap-2.4.50): ... new variable. * gnu/packages/patches/openldap-CVE-2020-12243.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/openldap.scm | 16 | ||||
-rw-r--r-- | gnu/packages/patches/openldap-CVE-2020-12243.patch | 125 |
3 files changed, 11 insertions, 131 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 67bf04547c..9426ee30a0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1276,7 +1276,6 @@ dist_patch_DATA = \ %D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch \ %D%/packages/patches/openfoam-4.1-cleanup.patch \ %D%/packages/patches/openjdk-10-idlj-reproducibility.patch \ - %D%/packages/patches/openldap-CVE-2020-12243.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssl-runpath.patch \ diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm index aa51520654..53c57e846f 100644 --- a/gnu/packages/openldap.scm +++ b/gnu/packages/openldap.scm @@ -58,8 +58,8 @@ (define-public openldap (package - (replacement openldap/fixed) (name "openldap") + (replacement openldap-2.4.50) (version "2.4.47") (source (origin (method url-fetch) @@ -112,12 +112,18 @@ (license openldap2.8) (home-page "https://www.openldap.org/"))) -(define openldap/fixed +(define openldap-2.4.50 (package (inherit openldap) - (source - (origin (inherit (package-source openldap)) - (patches (search-patches "openldap-CVE-2020-12243.patch")))))) + (version "2.4.50") + (source (origin + (method url-fetch) + (uri (string-append "https://www.openldap.org/software/download/" + "OpenLDAP/openldap-release/openldap-" version + ".tgz")) + (sha256 + (base32 + "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw")))))) (define-public nss-pam-ldapd (package diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patch deleted file mode 100644 index 6321998198..0000000000 --- a/gnu/packages/patches/openldap-CVE-2020-12243.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001 -From: Howard Chu <hyc@openldap.org> -Date: Thu, 16 Apr 2020 01:08:19 +0100 -Subject: [PATCH] ITS#9202 limit depth of nested filters - -Using a hardcoded limit for now; no reasonable apps -should ever run into it. ---- - servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++--------- - 1 file changed, 32 insertions(+), 9 deletions(-) - -diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c -index 3252cf2a7..ed57bbd7b 100644 ---- a/servers/slapd/filter.c -+++ b/servers/slapd/filter.c -@@ -37,11 +37,16 @@ - const Filter *slap_filter_objectClass_pres; - const struct berval *slap_filterstr_objectClass_pres; - -+#ifndef SLAPD_MAX_FILTER_DEPTH -+#define SLAPD_MAX_FILTER_DEPTH 5000 -+#endif -+ - static int get_filter_list( - Operation *op, - BerElement *ber, - Filter **f, -- const char **text ); -+ const char **text, -+ int depth ); - - static int get_ssa( - Operation *op, -@@ -80,12 +85,13 @@ filter_destroy( void ) - return; - } - --int --get_filter( -+static int -+get_filter0( - Operation *op, - BerElement *ber, - Filter **filt, -- const char **text ) -+ const char **text, -+ int depth ) - { - ber_tag_t tag; - ber_len_t len; -@@ -126,6 +132,11 @@ get_filter( - * - */ - -+ if( depth > SLAPD_MAX_FILTER_DEPTH ) { -+ *text = "filter nested too deeply"; -+ return SLAPD_DISCONNECT; -+ } -+ - tag = ber_peek_tag( ber, &len ); - - if( tag == LBER_ERROR ) { -@@ -221,7 +232,7 @@ get_filter( - - case LDAP_FILTER_AND: - Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 ); -- err = get_filter_list( op, ber, &f.f_and, text ); -+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 ); - if ( err != LDAP_SUCCESS ) { - break; - } -@@ -234,7 +245,7 @@ get_filter( - - case LDAP_FILTER_OR: - Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 ); -- err = get_filter_list( op, ber, &f.f_or, text ); -+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 ); - if ( err != LDAP_SUCCESS ) { - break; - } -@@ -248,7 +259,7 @@ get_filter( - case LDAP_FILTER_NOT: - Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 ); - (void) ber_skip_tag( ber, &len ); -- err = get_filter( op, ber, &f.f_not, text ); -+ err = get_filter0( op, ber, &f.f_not, text, depth+1 ); - if ( err != LDAP_SUCCESS ) { - break; - } -@@ -311,10 +322,22 @@ get_filter( - return( err ); - } - -+int -+get_filter( -+ Operation *op, -+ BerElement *ber, -+ Filter **filt, -+ const char **text ) -+{ -+ return get_filter0( op, ber, filt, text, 0 ); -+} -+ -+ - static int - get_filter_list( Operation *op, BerElement *ber, - Filter **f, -- const char **text ) -+ const char **text, -+ int depth ) - { - Filter **new; - int err; -@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber, - tag != LBER_DEFAULT; - tag = ber_next_element( ber, &len, last ) ) - { -- err = get_filter( op, ber, new, text ); -+ err = get_filter0( op, ber, new, text, depth ); - if ( err != LDAP_SUCCESS ) - return( err ); - new = &(*new)->f_next; --- -2.26.2 - |