aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2020-04-28 22:52:20 +0300
committerEfraim Flashner <efraim@flashner.co.il>2020-04-28 22:52:20 +0300
commit0b25812872904d61024791778dae36636c52ded6 (patch)
tree0307259a0a6430aaecb0cc1c7ae770a89d99fb94
parentcd8c419722780765b075a7217b861e7608c0bac2 (diff)
downloadguix-0b25812872904d61024791778dae36636c52ded6.tar
guix-0b25812872904d61024791778dae36636c52ded6.tar.gz
gnu: openldap: Fix CVE-2020-12243.
* gnu/packages/openldap.scm (openldap)[replacement]: New field. (openldap/fixed): New variable. * gnu/packages/patches/openldap-CVE-2020-12243.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
-rw-r--r--gnu/local.mk3
-rw-r--r--gnu/packages/openldap.scm9
-rw-r--r--gnu/packages/patches/openldap-CVE-2020-12243.patch125
3 files changed, 136 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 9b082a6f2a..67bf04547c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -10,7 +10,7 @@
# Copyright © 2016, 2017, 2018, 2019, 2020 Ricardo Wurmus <rekado@elephly.net>
# Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
# Copyright © 2016, 2017, 2018, 2019 Alex Vong <alexvong1995@gmail.com>
-# Copyright © 2016, 2017, 2018, 2019 Efraim Flashner <efraim@flashner.co.il>
+# Copyright © 2016, 2017, 2018, 2019, 2020 Efraim Flashner <efraim@flashner.co.il>
# Copyright © 2016, 2017, 2018, 2019 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
# Copyright © 2017, 2018, 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
# Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
@@ -1276,6 +1276,7 @@ dist_patch_DATA = \
%D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch \
%D%/packages/patches/openfoam-4.1-cleanup.patch \
%D%/packages/patches/openjdk-10-idlj-reproducibility.patch \
+ %D%/packages/patches/openldap-CVE-2020-12243.patch \
%D%/packages/patches/openmpi-mtl-priorities.patch \
%D%/packages/patches/openocd-nrf52.patch \
%D%/packages/patches/openssl-runpath.patch \
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index de8239b7fe..aa51520654 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2020 Lars-Dominik Braun <ldb@leibniz-psychology.org>
+;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -57,6 +58,7 @@
(define-public openldap
(package
+ (replacement openldap/fixed)
(name "openldap")
(version "2.4.47")
(source (origin
@@ -110,6 +112,13 @@
(license openldap2.8)
(home-page "https://www.openldap.org/")))
+(define openldap/fixed
+ (package
+ (inherit openldap)
+ (source
+ (origin (inherit (package-source openldap))
+ (patches (search-patches "openldap-CVE-2020-12243.patch"))))))
+
(define-public nss-pam-ldapd
(package
(name "nss-pam-ldapd")
diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patch
new file mode 100644
index 0000000000..6321998198
--- /dev/null
+++ b/gnu/packages/patches/openldap-CVE-2020-12243.patch
@@ -0,0 +1,125 @@
+From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index 3252cf2a7..ed57bbd7b 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH 5000
++#endif
++
+ static int get_filter_list(
+ Operation *op,
+ BerElement *ber,
+ Filter **f,
+- const char **text );
++ const char **text,
++ int depth );
+
+ static int get_ssa(
+ Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+ return;
+ }
+
+-int
+-get_filter(
++static int
++get_filter0(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ ber_tag_t tag;
+ ber_len_t len;
+@@ -126,6 +132,11 @@ get_filter(
+ *
+ */
+
++ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++ *text = "filter nested too deeply";
++ return SLAPD_DISCONNECT;
++ }
++
+ tag = ber_peek_tag( ber, &len );
+
+ if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+
+ case LDAP_FILTER_AND:
+ Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_and, text );
++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -234,7 +245,7 @@ get_filter(
+
+ case LDAP_FILTER_OR:
+ Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_or, text );
++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -248,7 +259,7 @@ get_filter(
+ case LDAP_FILTER_NOT:
+ Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+ (void) ber_skip_tag( ber, &len );
+- err = get_filter( op, ber, &f.f_not, text );
++ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -311,10 +322,22 @@ get_filter(
+ return( err );
+ }
+
++int
++get_filter(
++ Operation *op,
++ BerElement *ber,
++ Filter **filt,
++ const char **text )
++{
++ return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+ Filter **f,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ Filter **new;
+ int err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+ tag != LBER_DEFAULT;
+ tag = ber_next_element( ber, &len, last ) )
+ {
+- err = get_filter( op, ber, new, text );
++ err = get_filter0( op, ber, new, text, depth );
+ if ( err != LDAP_SUCCESS )
+ return( err );
+ new = &(*new)->f_next;
+--
+2.26.2
+