* [Buildroot] [PATCH] package/openldap: add upstream security fix for CVE-2021-27212
@ 2021-02-26 23:13 Peter Korsgaard
2021-02-27 8:20 ` Yann E. MORIN
2021-03-09 23:00 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-02-26 23:13 UTC (permalink / raw)
To: buildroot
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
failure in slapd can occur in the issuerAndThisUpdateCheck function via a
crafted packet, resulting in a denial of service (daemon exit) via a short
timestamp. This is related to schema_init.c and checkTime.
For more details, see the bugtracker:
https://bugs.openldap.org/show_bug.cgi?id=9454
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...TS-9454-fix-issuerAndThisUpdateCheck.patch | 26 +++++++++++++++++++
package/openldap/openldap.mk | 3 +++
2 files changed, 29 insertions(+)
create mode 100644 package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
diff --git a/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch b/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
new file mode 100644
index 0000000000..a611b9ff59
--- /dev/null
+++ b/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
@@ -0,0 +1,26 @@
+From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 6 Feb 2021 20:52:06 +0000
+Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ servers/slapd/schema_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 31be1154e..8b1e25539 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck(
+ break;
+ }
+ }
++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += tu->bv_len + 1;
+ x.bv_len -= tu->bv_len + 1;
+
+--
+2.20.1
+
diff --git a/package/openldap/openldap.mk b/package/openldap/openldap.mk
index b4c06d8640..ec11e4fa7d 100644
--- a/package/openldap/openldap.mk
+++ b/package/openldap/openldap.mk
@@ -13,6 +13,9 @@ OPENLDAP_CPE_ID_VENDOR = openldap
OPENLDAP_INSTALL_STAGING = YES
OPENLDAP_DEPENDENCIES = host-pkgconf
+# 0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
+OPENLDAP_IGNORE_CVES += CVE-2021-27212
+
ifeq ($(BR2_PACKAGE_OPENSSL),y)
OPENLDAP_TLS = openssl
OPENLDAP_DEPENDENCIES += openssl
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/openldap: add upstream security fix for CVE-2021-27212
2021-02-26 23:13 [Buildroot] [PATCH] package/openldap: add upstream security fix for CVE-2021-27212 Peter Korsgaard
@ 2021-02-27 8:20 ` Yann E. MORIN
2021-03-09 23:00 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2021-02-27 8:20 UTC (permalink / raw)
To: buildroot
Peter, All,
On 2021-02-27 00:13 +0100, Peter Korsgaard spake thusly:
> In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
> failure in slapd can occur in the issuerAndThisUpdateCheck function via a
> crafted packet, resulting in a denial of service (daemon exit) via a short
> timestamp. This is related to schema_init.c and checkTime.
>
> For more details, see the bugtracker:
> https://bugs.openldap.org/show_bug.cgi?id=9454
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...TS-9454-fix-issuerAndThisUpdateCheck.patch | 26 +++++++++++++++++++
> package/openldap/openldap.mk | 3 +++
> 2 files changed, 29 insertions(+)
> create mode 100644 package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
>
> diff --git a/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch b/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
> new file mode 100644
> index 0000000000..a611b9ff59
> --- /dev/null
> +++ b/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
> @@ -0,0 +1,26 @@
> +From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001
> +From: Howard Chu <hyc@openldap.org>
> +Date: Sat, 6 Feb 2021 20:52:06 +0000
> +Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
> +
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +---
> + servers/slapd/schema_init.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
> +index 31be1154e..8b1e25539 100644
> +--- a/servers/slapd/schema_init.c
> ++++ b/servers/slapd/schema_init.c
> +@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck(
> + break;
> + }
> + }
> ++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
> ++
> + x.bv_val += tu->bv_len + 1;
> + x.bv_len -= tu->bv_len + 1;
> +
> +--
> +2.20.1
> +
> diff --git a/package/openldap/openldap.mk b/package/openldap/openldap.mk
> index b4c06d8640..ec11e4fa7d 100644
> --- a/package/openldap/openldap.mk
> +++ b/package/openldap/openldap.mk
> @@ -13,6 +13,9 @@ OPENLDAP_CPE_ID_VENDOR = openldap
> OPENLDAP_INSTALL_STAGING = YES
> OPENLDAP_DEPENDENCIES = host-pkgconf
>
> +# 0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
> +OPENLDAP_IGNORE_CVES += CVE-2021-27212
> +
> ifeq ($(BR2_PACKAGE_OPENSSL),y)
> OPENLDAP_TLS = openssl
> OPENLDAP_DEPENDENCIES += openssl
> --
> 2.20.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/openldap: add upstream security fix for CVE-2021-27212
2021-02-26 23:13 [Buildroot] [PATCH] package/openldap: add upstream security fix for CVE-2021-27212 Peter Korsgaard
2021-02-27 8:20 ` Yann E. MORIN
@ 2021-03-09 23:00 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-03-09 23:00 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
> failure in slapd can occur in the issuerAndThisUpdateCheck function via a
> crafted packet, resulting in a denial of service (daemon exit) via a short
> timestamp. This is related to schema_init.c and checkTime.
> For more details, see the bugtracker:
> https://bugs.openldap.org/show_bug.cgi?id=9454
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2020.02.x and 2020.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-09 23:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-02-26 23:13 [Buildroot] [PATCH] package/openldap: add upstream security fix for CVE-2021-27212 Peter Korsgaard
2021-02-27 8:20 ` Yann E. MORIN
2021-03-09 23:00 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox