From 0b25812872904d61024791778dae36636c52ded6 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 28 Apr 2020 22:52:20 +0300 Subject: gnu: openldap: Fix CVE-2020-12243. * gnu/packages/openldap.scm (openldap)[replacement]: New field. (openldap/fixed): New variable. * gnu/packages/patches/openldap-CVE-2020-12243.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 3 +- gnu/packages/openldap.scm | 9 ++ gnu/packages/patches/openldap-CVE-2020-12243.patch | 125 +++++++++++++++++++++ 3 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openldap-CVE-2020-12243.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9b082a6f2a..67bf04547c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -10,7 +10,7 @@ # Copyright © 2016, 2017, 2018, 2019, 2020 Ricardo Wurmus # Copyright © 2016 Ben Woodcroft # Copyright © 2016, 2017, 2018, 2019 Alex Vong -# Copyright © 2016, 2017, 2018, 2019 Efraim Flashner +# Copyright © 2016, 2017, 2018, 2019, 2020 Efraim Flashner # Copyright © 2016, 2017, 2018, 2019 Jan (janneke) Nieuwenhuizen # Copyright © 2017, 2018, 2019, 2020 Tobias Geerinckx-Rice # Copyright © 2017, 2018 Clément Lassieur @@ -1276,6 +1276,7 @@ dist_patch_DATA = \ %D%/packages/patches/opencv-rgbd-aarch64-test-fix.patch \ %D%/packages/patches/openfoam-4.1-cleanup.patch \ %D%/packages/patches/openjdk-10-idlj-reproducibility.patch \ + %D%/packages/patches/openldap-CVE-2020-12243.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ %D%/packages/patches/openocd-nrf52.patch \ %D%/packages/patches/openssl-runpath.patch \ diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm index de8239b7fe..aa51520654 100644 --- a/gnu/packages/openldap.scm +++ b/gnu/packages/openldap.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus ;;; Copyright © 2018 Tobias Geerinckx-Rice ;;; Copyright © 2020 Lars-Dominik Braun +;;; Copyright © 2020 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -57,6 +58,7 @@ (define-public openldap (package + (replacement openldap/fixed) (name "openldap") (version "2.4.47") (source (origin @@ -110,6 +112,13 @@ (license openldap2.8) (home-page "https://www.openldap.org/"))) +(define openldap/fixed + (package + (inherit openldap) + (source + (origin (inherit (package-source openldap)) + (patches (search-patches "openldap-CVE-2020-12243.patch")))))) + (define-public nss-pam-ldapd (package (name "nss-pam-ldapd") diff --git a/gnu/packages/patches/openldap-CVE-2020-12243.patch b/gnu/packages/patches/openldap-CVE-2020-12243.patch new file mode 100644 index 0000000000..6321998198 --- /dev/null +++ b/gnu/packages/patches/openldap-CVE-2020-12243.patch @@ -0,0 +1,125 @@ +From 98464c11df8247d6a11b52e294ba5dd4f0380440 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Thu, 16 Apr 2020 01:08:19 +0100 +Subject: [PATCH] ITS#9202 limit depth of nested filters + +Using a hardcoded limit for now; no reasonable apps +should ever run into it. +--- + servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 9 deletions(-) + +diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c +index 3252cf2a7..ed57bbd7b 100644 +--- a/servers/slapd/filter.c ++++ b/servers/slapd/filter.c +@@ -37,11 +37,16 @@ + const Filter *slap_filter_objectClass_pres; + const struct berval *slap_filterstr_objectClass_pres; + ++#ifndef SLAPD_MAX_FILTER_DEPTH ++#define SLAPD_MAX_FILTER_DEPTH 5000 ++#endif ++ + static int get_filter_list( + Operation *op, + BerElement *ber, + Filter **f, +- const char **text ); ++ const char **text, ++ int depth ); + + static int get_ssa( + Operation *op, +@@ -80,12 +85,13 @@ filter_destroy( void ) + return; + } + +-int +-get_filter( ++static int ++get_filter0( + Operation *op, + BerElement *ber, + Filter **filt, +- const char **text ) ++ const char **text, ++ int depth ) + { + ber_tag_t tag; + ber_len_t len; +@@ -126,6 +132,11 @@ get_filter( + * + */ + ++ if( depth > SLAPD_MAX_FILTER_DEPTH ) { ++ *text = "filter nested too deeply"; ++ return SLAPD_DISCONNECT; ++ } ++ + tag = ber_peek_tag( ber, &len ); + + if( tag == LBER_ERROR ) { +@@ -221,7 +232,7 @@ get_filter( + + case LDAP_FILTER_AND: + Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 ); +- err = get_filter_list( op, ber, &f.f_and, text ); ++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -234,7 +245,7 @@ get_filter( + + case LDAP_FILTER_OR: + Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 ); +- err = get_filter_list( op, ber, &f.f_or, text ); ++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -248,7 +259,7 @@ get_filter( + case LDAP_FILTER_NOT: + Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 ); + (void) ber_skip_tag( ber, &len ); +- err = get_filter( op, ber, &f.f_not, text ); ++ err = get_filter0( op, ber, &f.f_not, text, depth+1 ); + if ( err != LDAP_SUCCESS ) { + break; + } +@@ -311,10 +322,22 @@ get_filter( + return( err ); + } + ++int ++get_filter( ++ Operation *op, ++ BerElement *ber, ++ Filter **filt, ++ const char **text ) ++{ ++ return get_filter0( op, ber, filt, text, 0 ); ++} ++ ++ + static int + get_filter_list( Operation *op, BerElement *ber, + Filter **f, +- const char **text ) ++ const char **text, ++ int depth ) + { + Filter **new; + int err; +@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber, + tag != LBER_DEFAULT; + tag = ber_next_element( ber, &len, last ) ) + { +- err = get_filter( op, ber, new, text ); ++ err = get_filter0( op, ber, new, text, depth ); + if ( err != LDAP_SUCCESS ) + return( err ); + new = &(*new)->f_next; +-- +2.26.2 + -- cgit v1.2.3