diff --git a/.gitignore b/.gitignore
index 6d6680b..4b4f04b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-SOURCES/openldap-2.4.40.tgz
+SOURCES/openldap-2.4.44.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
index e394c8f..12ca5b7 100644
--- a/.openldap.metadata
+++ b/.openldap.metadata
@@ -1,2 +1,2 @@
 444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-0cfac3b024b99de2e2456cc7254481b6644e0b96 SOURCES/openldap-2.4.40.tgz
+016a738d050a68d388602a74b5e991035cdba149 SOURCES/openldap-2.4.44.tgz
diff --git a/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch b/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
deleted file mode 100644
index 26ece7d..0000000
--- a/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
+++ /dev/null
@@ -1,28 +0,0 @@ -commit aa66d539543de0ad884f1b8e38948ecd946bf47a -Author: Howard Chu -Date: Mon Dec 15 14:36:55 2014 +0000 - - ITS#8003 fix off-by-one in LDIF length - - must account for leading space when counting total number of lines - -diff --git a/include/ldif.h b/include/ldif.h -index f638ef9..69bb0c9 100644 ---- a/include/ldif.h -+++ b/include/ldif.h -@@ -52,12 +52,12 @@ LDAP_LDIF_V (int) ldif_debug; - */ - #define LDIF_SIZE_NEEDED(nlen,vlen) \ - ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \ -- + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / LDIF_LINE_WIDTH * 2 )) -+ + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (LDIF_LINE_WIDTH-1) * 2 )) - - #define LDIF_SIZE_NEEDED_WRAP(nlen,vlen,wrap) \ - ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \ -- + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH ) * 2 ) : \ -- ((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap) * 2 )))) -+ + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH-1 ) * 2 ) : \ -+ ((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap-1) * 2 )))) - - LDAP_LDIF_F( int ) - ldif_parse_line LDAP_P(( diff --git a/SOURCES/openldap-ITS8240-remove-obsolete-assert.patch b/SOURCES/openldap-ITS8240-remove-obsolete-assert.patch deleted file mode 100644 index 33d7283..0000000 --- a/SOURCES/openldap-ITS8240-remove-obsolete-assert.patch +++ /dev/null @@ -1,15 +0,0 @@ -CVE-2015-6908 openldap: ber_get_next denial of service vulnerability -Upstream: ITS#8240 - -diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c ---- a/libraries/liblber/io.c -+++ b/libraries/liblber/io.c -@@ -679,7 +679,7 @@ done: - return (ber->ber_tag); - } - -+ /* invalid input */ -- assert( 0 ); /* ber structure is messed up ?*/ - return LBER_DEFAULT; - } - diff --git a/SOURCES/openldap-ITS8329-back_sql-id_query.patch b/SOURCES/openldap-ITS8329-back_sql-id_query.patch deleted file mode 100644 index cf05c96..0000000 
--- a/SOURCES/openldap-ITS8329-back_sql-id_query.patch +++ /dev/null @@ -1,27 +0,0 @@ -fix: id_query option is not available after rebasing openldap to 2.4.39 -Resolves: rhbz#1311832 -Upstream: ITS#8329 -diff --git a/servers/slapd/back-sql/config.c b/servers/slapd/back-sql/config.c ---- a/servers/slapd/back-sql/config.c -+++ b/servers/slapd/back-sql/config.c -@@ -213,6 +213,11 @@ static ConfigTable sqlcfg[] = { - ARG_ON_OFF|ARG_MAGIC|SQL_AUTOCOMMIT, (void *)sql_cf_gen, - "( OLcfgDbAt:6.45 NAME 'olcSqlAutocommit' " - "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, -+ { "id_query", "SQL expression", 2, 0, 0, ARG_STRING|ARG_QUOTE|ARG_OFFSET, -+ (void *)offsetof(struct backsql_info, sql_id_query), -+ "( OLcfgDbAt:6.46 NAME 'olcSqlIdQuery' " -+ "DESC 'Query used to collect entryID mapping data' " -+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, - { NULL, NULL, 0, 0, 0, ARG_IGNORED, - NULL, NULL, NULL, NULL } - }; -@@ -233,7 +238,7 @@ static ConfigOCs sqlocs[] = { - "olcSqlFailIfNoMapping $ olcSqlAllowOrphans $ olcSqlBaseObject $ " - "olcSqlLayer $ olcSqlUseSubtreeShortcut $ olcSqlFetchAllAttrs $ " - "olcSqlFetchAttrs $ olcSqlCheckSchema $ olcSqlAliasingKeyword $ " -- "olcSqlAliasingQuote $ olcSqlAutocommit ) )", -+ "olcSqlAliasingQuote $ olcSqlAutocommit $ olcSqlIdQuery ) )", - Cft_Database, sqlcfg }, - { NULL, Cft_Abstract, NULL } - }; diff --git a/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch b/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch deleted file mode 100644 index 76cc3fd..0000000 --- a/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -commit 901fe3318f1c4ea7adac45f906d5447d71e43f8a -Author: Howard Chu -Date: Sat Dec 12 16:14:02 2015 +0000 - - ITS#8337 fix missing olcDbChecksum config attr - -diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c -index e07381f..a5b5888 100644 ---- a/servers/slapd/back-bdb/config.c -+++ b/servers/slapd/back-bdb/config.c -@@ -163,8 +163,8 @@ static ConfigOCs bdbocs[] = { - #endif - "SUP olcDatabaseConfig " - "MUST olcDbDirectory " -- "MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ " -- "olcDbCryptFile $ olcDbCryptKey $ " -+ "MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbChecksum $ " -+ "olcDbConfig $ olcDbCryptFile $ olcDbCryptKey $ " - "olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ " - "olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ " - "olcDbMode $ olcDbSearchStack $ olcDbShmKey $ " diff --git a/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch b/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch new file mode 100644 index 0000000..7ccec9e --- /dev/null +++ b/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch 
@@ -0,0 +1,23 @@ +commit ec2fe743f5795eb7aaf43687e6b257ac071cef22 +Author: Ryan Tandy +Date: Wed May 17 20:07:39 2017 -0700 + + ITS#8655 fix double free on paged search with pagesize 0 + + Fixes a double free when a search includes the Paged Results control + with a page size of 0 and the search base matches the filter. + +diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c +index 009939d..d0db918 100644 +--- a/servers/slapd/back-mdb/search.c ++++ b/servers/slapd/back-mdb/search.c +@@ -1066,7 +1066,8 @@ notfound: + /* check size limit */ + if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) { + if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) { +- mdb_entry_return( op, e ); ++ if (e != base) ++ mdb_entry_return( op, e ); + e = NULL; + send_paged_response( op, rs, &lastid, tentries ); + goto done; diff --git a/SOURCES/openldap-fix-missing-frontend-indexing.patch b/SOURCES/openldap-fix-missing-frontend-indexing.patch deleted file mode 100644 index d2e8d4e..0000000 --- a/SOURCES/openldap-fix-missing-frontend-indexing.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/servers/slapd/bconfig.c 2015-06-02 14:37:10.930873419 +0200 -+++ b/servers/slapd/bconfig.c 2015-06-02 14:37:35.105233408 +0200 -@@ -4679,7 +4679,7 @@ - if ( ce_type == Cft_Database ) - nsibs--; - -- if ( index != nsibs ) { -+ if ( index != nsibs || isfrontend) { - if ( gotindex ) { - if ( index < nsibs ) { - if ( tailindex ) return LDAP_NAMING_VIOLATION; diff --git a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch index 75832da..c3d087c 100644 --- a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch +++ b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch @@ -16,7 +16,7 @@ 
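Review bot: The new patch file carries only the upstream commit message, while the sibling patch files in SOURCES record downstream tracking ids in their header (the removed ITS8329 patch used `Resolves: rhbz#1311832` and `Upstream: ITS#8329`), and the %changelog in this same diff attributes this file to CVE-2017-9287. Adding `CVE-2017-9287`, `Resolves: rhbz#1458210` and `Upstream: ITS#8655` above the `diff --git` line would let the patch be traced without opening the spec. The guard itself, `if (e != base)`, only skips `mdb_entry_return( op, e )` when `e` aliases the search base in the page-size-limit branch; whether other `mdb_entry_return` calls in the same function can see the same alias is not visible here, since the enclosing function continues outside the hunk.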
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c #define SSL_aDSA 0x00000004L #define SSL_DSA SSL_aDSA #define SSL_eNULL 0x00000008L -@@ -225,19 +224,26 @@ typedef struct { +@@ -225,19 +224,27 @@ typedef struct { #define SSL_RC2 0x00000080L #define SSL_AES128 0x00000100L #define SSL_AES256 0x00000200L @@ -36,6 +36,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +#define SSL_kEECDH 0x00200000L +#define SSL_AESGCM 0x00400000L +#define SSL_AEAD 0x00800000L ++#define SSL_CHACHA20POLY1305 0x02000000L + +/* cipher attributes non-unique - do not use for definitions */ +#define SSL_RSA 0x00000001L @@ -118,7 +119,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c } else if (!strcmp(cipher, "3DES")) { mask |= SSL_3DES; } else if (!strcmp(cipher, "DES")) { -@@ -685,28 +705,43 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -685,28 +705,45 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) mask |= SSL_RC2; } else if (!strcmp(cipher, "MD5")) { mask |= SSL_MD5; @@ -166,6 +167,8 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) { mask |= SSL_aECDSA; + negative_mask |= SSL_kECDH; ++ } else if (!strcmp(cipher, "CHACHA20POLY1305")) { ++ mask |= SSL_CHACHA20POLY1305; } else if (!strcmp(cipher, "SSLv2")) { protocol |= SSL2; } else if (!strcmp(cipher, "SSLv3")) { diff --git a/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch b/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch new file mode 100644 index 0000000..03b8611 --- /dev/null +++ b/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch 
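Review bot: `#define SSL_CHACHA20POLY1305 0x02000000L` skips `0x01000000L`, the next bit after `SSL_AEAD 0x00800000L` in this mask group; if that bit is already claimed by a define outside the hunk, a short comment at the definition, `/* 0x01000000L taken by <existing define> */`, would keep the next added attribute from colliding, and if it is free the value should probably be `0x01000000L`. In the keyword hunk the new branch `} else if (!strcmp(cipher, "CHACHA20POLY1305")) {` sets only `mask`, whereas the adjacent `ECDSA` branch also updates `negative_mask`; a one-line comment that no exclusion is intended here would make the asymmetry read as deliberate. Both hunks are nested inside a patch file, so the rest of the mask table and the body of nss_parse_ciphers are not visible from this diff.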
@@ -0,0 +1,50 @@ +NSS: re-register NSS_Shutdown callback + +Original upstream comment: +""" +When there's a persistent daemon for auth and it sets LDAP_OPT_X_TLS_NEWCTX, it +fails to auth at third login. + +1. everything is good and destroyed after use but +tlsm_register_shutdown_callonce.initialized=1. +2. still good but because tlsm_register_shutdown_callonce.initialized==1, it +fails to register shutdown function. + so pem_module is not destroyed at the end. +3. pem_module is not NULL so it's not initialized again and not added to modules +list. And Login fails. +""" + +Sent-By: soohoon.lee@f5.com +Original-Name: soohoon-lee-160823.patch +Upstream-ITS: 8484 + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index cdf7f8e..cf05914 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -1145,6 +1145,8 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, + return ret; + } + ++static PRCallOnceType tlsm_register_shutdown_callonce = {0,0}; ++ + static SECStatus + tlsm_nss_shutdown_cb( void *appData, void *nssData ) + { +@@ -1157,10 +1159,15 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData ) + SECMOD_DestroyModule( pem_module ); + pem_module = NULL; + } ++ ++ /* init callonce so it can be armed again for cases like persistent daemon with LDAP_OPT_X_TLS_NEWCTX */ ++ tlsm_register_shutdown_callonce.initialized = 0; ++ tlsm_register_shutdown_callonce.inProgress = 0; ++ tlsm_register_shutdown_callonce.status = 0; ++ + return rc; + } + +-static PRCallOnceType tlsm_register_shutdown_callonce = {0,0}; + static PRStatus PR_CALLBACK + tlsm_register_nss_shutdown_cb( void ) + { diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch index d0d7ae6..23f136b 100644 --- a/SOURCES/openldap-nss-update-list-of-ciphers.patch +++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch @@ -77,7 +77,7 @@ 
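Review bot: Resetting `tlsm_register_shutdown_callonce.initialized`, `.inProgress` and `.status` by hand inside tlsm_nss_shutdown_cb re-arms the PR_CallOnce guard without any synchronization, so it is only safe if no other thread can be inside `PR_CallOnce` on that object while the shutdown callback runs; if that is guaranteed by the caller, the added comment should say so, e.g. `/* safe: NSS shutdown runs with no concurrent tlsm init in flight */`, and if it is not, the reset needs the same lock the init path uses. Clearing the struct in one statement, `memset(&tlsm_register_shutdown_callonce, 0, sizeof tlsm_register_shutdown_callonce);`, also covers any field the three assignments miss (assuming <string.h> is already in scope in tls_m.c). The enclosing tlsm_nss_shutdown_cb body starts outside the hunk.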
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c /* cipher strength */ #define SSL_NULL 0x00000001L -@@ -237,32 +251,117 @@ typedef struct { +@@ -237,32 +251,120 @@ typedef struct { #define SSL3 0x00000002L /* OpenSSL treats SSL3 and TLSv1 the same */ #define TLS1 SSL3 @@ -213,6 +213,9 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH}, +#endif + ++ {"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, }; #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) diff --git a/SOURCES/openldap-perl-fix-moduleconfig-config.patch b/SOURCES/openldap-perl-fix-moduleconfig-config.patch deleted file mode 100644 index 8103487..0000000 --- a/SOURCES/openldap-perl-fix-moduleconfig-config.patch +++ /dev/null 
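Review bot: The three new table rows identify the suites by raw ids, `0xcca8`/`0xcca9`/`0xccaa`, with the IANA names only in comments, whereas the preceding row uses NSS's symbolic `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` inside an `#if` … `#endif` block, and the new rows are placed after that `#endif`, so they are compiled unconditionally. Using the symbolic names that appear in the comments (`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` and friends) and wrapping the rows in `#ifdef TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` … `#endif` would keep the table consistent and compile them out on an NSS that predates these suites; as written I would expect such an NSS to reject the unknown ids when the preference is applied at runtime rather than at build time — worth confirming against the target NSS version. The guard condition used by the previous rows is not visible in this hunk.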
@@ -1,24 +0,0 @@ -fix: slaptest doesn't convert perlModuleConfig lines - -Resolves: #1184585 -Upstream: ITS #8105 -Author: Jan Synacek - -diff --git a/servers/slapd/back-perl/config.c b/servers/slapd/back-perl/config.c -index fd00965..d1c7886 100644 ---- a/servers/slapd/back-perl/config.c -+++ b/servers/slapd/back-perl/config.c -@@ -219,9 +219,11 @@ perl_cf( - XPUSHs( pb->pb_obj_ref ); - - /* Put all arguments on the perl stack */ -- for( args = 1; args < c->argc; args++ ) { -+ for( args = 1; args < c->argc; args++ ) - XPUSHs(sv_2mortal(newSVpv(c->argv[args], 0))); -- } -+ -+ ber_str2bv( c->line + STRLENOF("perlModuleConfig "), 0, 0, &bv ); -+ value_add_one( &pb->pb_module_config, &bv ); - - PUTBACK ; - diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec index f1bbe23..d8dbcbf 100644 --- a/SPECS/openldap.spec +++ b/SPECS/openldap.spec @@ -4,8 +4,8 @@ %global check_password_version 1.1 Name: openldap -Version: 2.4.40 -Release: 13%{?dist} +Version: 2.4.44 +Release: 5%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP 
@@ -58,25 +58,17 @@ Patch22: openldap-support-tlsv1-and-later.patch Patch23: openldap-module-passwd-sha2.patch # pending upstream inclusion, ITS #7744 Patch24: openldap-man-tls-reqcert.patch -# already in upstream, see ITS #8105, incorporated by commits 25bbf11 and fb1bf1c -Patch25: openldap-perl-fix-moduleconfig-config.patch -# already in upstream, see ITS#8150, incorporated by commit 39b05c7 -Patch26: openldap-fix-missing-frontend-indexing.patch Patch27: openldap-nss-ciphersuite-handle-masks-correctly.patch Patch28: openldap-nss-ciphers-use-nss-defaults.patch -# CVE-2015-6908, ITS#8240 -Patch29: openldap-ITS8240-remove-obsolete-assert.patch # this is a temporary fix for #1294385, it should be solved properly, backported from #1144294 Patch30: openldap-temporary-ssl-thr-init-race.patch -# already in upstream (2.4.41), see ITS#8003 -Patch31: openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch -# already in upstream, see ITS#8337 -Patch32: openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch -# ITS#8329 -Patch33: openldap-ITS8329-back_sql-id_query.patch Patch34: openldap-nss-protocol-version-new-api.patch Patch35: openldap-ITS8428-init-sc_writewait.patch Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch +Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch + +# upstream ITS#8484 +Patch60: openldap-nss-reregister-nss-shutdown-callback.patch # check-password module specific patches Patch90: check-password-makefile.patch @@ -206,18 +198,14 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch22 -p1 %patch23 -p1 %patch24 -p1 -%patch25 -p1 -%patch26 -p1 %patch27 -p1 %patch28 -p1 -%patch29 -p1 %patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 %patch34 -p1 %patch35 -p1 %patch36 -p1 +%patch37 -p1 +%patch60 -p1 %patch102 -p1 
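Review bot: `Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch` is added without the explanatory comment its neighbours carry (`# upstream ITS#8484` above Patch60, and the removed Patch29 line was documented as `# CVE-2015-6908, ITS#8240`), even though the %changelog in this same diff attributes it to CVE-2017-9287. Adding `# CVE-2017-9287, upstream ITS#8655` above Patch37 keeps the patch list self-describing for the next rebase, when the "already in upstream" entries are pruned as this commit does for Patch25–Patch33.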
@@ -307,6 +295,12 @@ pushd openldap-%{version} --libexecdir=%{_libdir} make %{_smp_mflags} + +# build mdb_* tools +pushd libraries/liblmdb +export XCFLAGS="$CFLAGS" +make %{_smp_mflags} +popd popd pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} @@ -321,6 +315,9 @@ mkdir -p %{buildroot}%{_libdir}/ pushd openldap-%{version} make install DESTDIR=%{buildroot} STRIP="" +pushd libraries/liblmdb +make install DESTDIR=%{buildroot} +popd popd # install check_password module @@ -370,6 +367,14 @@ install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh +# install mdb_* tools +mv %{buildroot}/usr/local/bin/mdb_{copy,dump,load,stat} %{buildroot}%{_libexecdir}/openldap/ +mkdir -p %{buildroot}%{_libexecdir}/openldap/man/man1 +mv %{buildroot}/usr/local/share/man/man1/mdb_{copy,dump,load,stat}.1 %{buildroot}%{_libexecdir}/openldap/man/man1/ +# we don't want the library itself nor header file +rm -f %{buildroot}/usr/local/include/lmdb.h +rm -f %{buildroot}/usr/local/lib/liblmdb.{a,so} + # remove build root from config files and manual pages perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.* @@ -649,6 +654,8 @@ exit 0 %{_libexecdir}/openldap/check-config.sh %{_libexecdir}/openldap/upgrade-db.sh %{_libexecdir}/openldap/generate-server-cert.sh +%{_libexecdir}/openldap/mdb_* +%{_libexecdir}/openldap/man/man1/mdb_* %{_sbindir}/sl* %{_mandir}/man8/* %{_mandir}/man5/slapd*.5* 
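Review bot: The mdb_* relocation in the %install hunk hard-codes `%{buildroot}/usr/local/bin` and `/usr/local/share/man/man1`, which only works because liblmdb's own Makefile defaults its prefix to /usr/local; nothing in the spec pins that, so an upstream change to the default would break the `mv` lines. Passing the prefix explicitly on the liblmdb install line, `make install DESTDIR=%{buildroot} prefix=/usr/local`, makes the dependency visible next to the paths that rely on it. In the %build hunk, `export XCFLAGS="$CFLAGS"` stays exported for the rest of the %build script, not just the liblmdb sub-make; passing it on the command line, `make %{_smp_mflags} XCFLAGS="$CFLAGS"`, scopes it to that invocation. Whether the distribution's hardening link flags also reach these binaries depends on liblmdb's Makefile honouring `LDFLAGS`, which is not visible here — worth confirming on the built mdb_* tools.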
@@ -673,6 +680,21 @@ exit 0 %{_mandir}/man3/* %changelog +* Tue Jun 6 2017 Matus Honek - 2.4.44-5 +- fix CVE-2017-9287 openldap: Double free vulnerability in servers/slapd/back-mdb/search.c (#1458210) + +* Fri Mar 24 2017 Matus Honek - 2.4.44-4 +- NSS: Include some CHACHA20POLY1305 ciphers (#1432907) + +* Wed Mar 15 2017 Matus Honek - 2.4.44-3 +- NSS: re-register NSS_Shutdown callback (#1405354) + +* Wed Mar 15 2017 Matus Honek - 2.4.44-2 +- Include MDB tools in openldap-servers (#1428740) + +* Wed Jan 4 2017 Matus Honek - 2.4.44-1 +- Rebase to openldap-2.4.44 (#1386365) + * Wed Aug 17 2016 Matus Honek - 2.4.40-13 - fix: Bad log levels in check_password module - fix: We can't search expected entries from LDAP server