diff --git a/.gitignore b/.gitignore
index ff1002d..f771bbd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/ldb-1.1.20.tar.gz
+SOURCES/ldb-1.1.25.tar.gz
diff --git a/.libldb.metadata b/.libldb.metadata
index 264fbb1..602c000 100644
--- a/.libldb.metadata
+++ b/.libldb.metadata
@@ -1 +1 @@
-f0419faf576b425775b52b46bd42875e0bd84e77 SOURCES/ldb-1.1.20.tar.gz
+aaafb6f0632e8526a1fc0140480c4f8792bc33e0 SOURCES/ldb-1.1.25.tar.gz
diff --git a/SOURCES/ldb_binary_cmp.patch b/SOURCES/ldb_binary_cmp.patch
deleted file mode 100644
index 46563c1..0000000
--- a/SOURCES/ldb_binary_cmp.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From e84802e2c61ff06501764496a11ea9e417d70d39 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 9 Jun 2015 14:00:01 -0700
-Subject: [PATCH 2/9] CVE-2015-3223: lib: ldb: Use memmem binary search, not
- strstr text search.
-
-Values might have embedded zeros.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- lib/ldb/common/ldb_match.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
-index 7414289..182c6ce 100644
---- a/lib/ldb/common/ldb_match.c
-+++ b/lib/ldb/common/ldb_match.c
-@@ -241,7 +241,6 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
- struct ldb_val val;
- struct ldb_val cnk;
- struct ldb_val *chunk;
-- char *p, *g;
- uint8_t *save_p = NULL;
- unsigned int c = 0;
-
-@@ -288,6 +287,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
- }
-
- while (tree->u.substring.chunks[c]) {
-+ uint8_t *p;
-
- chunk = tree->u.substring.chunks[c];
- if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
-@@ -299,15 +299,24 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
- if (cnk.length == 0) {
- goto mismatch;
- }
-- p = strstr((char *)val.data, (char *)cnk.data);
-+ /*
-+ * Values might be binary blobs. Don't use string
-+ * search, but memory search instead.
-+ */
-+ p = memmem((const void *)val.data,val.length,
-+ (const void *)cnk.data, cnk.length);
- if (p == NULL) goto mismatch;
- if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
-+ uint8_t *g;
- do { /* greedy */
-- g = strstr((char *)p + cnk.length, (char *)cnk.data);
-+ g = memmem(p + cnk.length,
-+ val.length - (p - val.data),
-+ (const uint8_t *)cnk.data,
-+ cnk.length);
- if (g) p = g;
- } while(g);
- }
-- val.length = val.length - (p - (char *)(val.data)) - cnk.length;
-+ val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length;
- val.data = (uint8_t *)(p + cnk.length);
- c++;
- talloc_free(cnk.data);
---
-2.5.0
diff --git a/SOURCES/ldb_canon_zero.patch b/SOURCES/ldb_canon_zero.patch
deleted file mode 100644
index 6c6994a..0000000
--- a/SOURCES/ldb_canon_zero.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 7d38a883dae528a0216733b4d831f2f20aa9c04b Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 9 Jun 2015 12:42:10 -0700
-Subject: [PATCH 1/9] CVE-2015-3223: lib: ldb: Cope with canonicalise_fn
- returning string "", length 0.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- lib/ldb/common/ldb_match.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
-index a493dae..7414289 100644
---- a/lib/ldb/common/ldb_match.c
-+++ b/lib/ldb/common/ldb_match.c
-@@ -271,6 +271,14 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
- if (cnk.length > val.length) {
- goto mismatch;
- }
-+ /*
-+ * Empty strings are returned as length 0. Ensure
-+ * we can cope with this.
-+ */
-+ if (cnk.length == 0) {
-+ goto mismatch;
-+ }
-+
- if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
- val.length -= cnk.length;
- val.data += cnk.length;
-@@ -284,7 +292,13 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
- chunk = tree->u.substring.chunks[c];
- if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
-
-- /* FIXME: case of embedded nulls */
-+ /*
-+ * Empty strings are returned as length 0. Ensure
-+ * we can cope with this.
-+ */
-+ if (cnk.length == 0) {
-+ goto mismatch;
-+ }
- p = strstr((char *)val.data, (char *)cnk.data);
- if (p == NULL) goto mismatch;
- if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
---
-2.5.0
diff --git a/SOURCES/ldb_dn_escape_fix.patch b/SOURCES/ldb_dn_escape_fix.patch
deleted file mode 100644
index 803772f..0000000
--- a/SOURCES/ldb_dn_escape_fix.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From e5b2d30678f80df15a60e6b1101b20e22762aa48 Mon Sep 17 00:00:00 2001
-From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Date: Tue, 24 Nov 2015 13:07:23 +1300
-Subject: [PATCH 3/9] CVE-2015-5330: ldb_dn: simplify and fix
- ldb_dn_escape_internal()
-
-Previously we relied on NUL terminated strings and jumped back and
-forth between copying escaped bytes and memcpy()ing un-escaped chunks.
-This simple version is easier to reason about and works with
-unterminated strings. It may also be faster as it avoids reading the
-string twice (first with strcspn, then with memcpy).
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
-
-Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- lib/ldb/common/ldb_dn.c | 46 ++++++++++++++++++----------------------------
- 1 file changed, 18 insertions(+), 28 deletions(-)
-
-diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
-index 6b6f90c..1b8e51e 100644
---- a/lib/ldb/common/ldb_dn.c
-+++ b/lib/ldb/common/ldb_dn.c
-@@ -189,33 +189,23 @@ struct ldb_dn *ldb_dn_new_fmt(TALLOC_CTX *mem_ctx,
- /* see RFC2253 section 2.4 */
- static int ldb_dn_escape_internal(char *dst, const char *src, int len)
- {
-- const char *p, *s;
-+ char c;
- char *d;
-- size_t l;
--
-- p = s = src;
-+ int i;
- d = dst;
-
-- while (p - src < len) {
-- p += strcspn(p, ",=\n\r+<>#;\\\" ");
--
-- if (p - src == len) /* found no escapable chars */
-- break;
--
-- /* copy the part of the string before the stop */
-- memcpy(d, s, p - s);
-- d += (p - s); /* move to current position */
--
-- switch (*p) {
-+ for (i = 0; i < len; i++){
-+ c = src[i];
-+ switch (c) {
- case ' ':
-- if (p == src || (p-src)==(len-1)) {
-+ if (i == 0 || i == len - 1) {
- /* if at the beginning or end
- * of the string then escape */
- *d++ = '\\';
-- *d++ = *p++;
-+ *d++ = c;
- } else {
- /* otherwise don't escape */
-- *d++ = *p++;
-+ *d++ = c;
- }
- break;
-
-@@ -231,30 +221,30 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)
- case '?':
- /* these must be escaped using \c form */
- *d++ = '\\';
-- *d++ = *p++;
-+ *d++ = c;
- break;
-
-- default: {
-+ case ';':
-+ case '\r':
-+ case '\n':
-+ case '=':
-+ case '\0': {
- /* any others get \XX form */
- unsigned char v;
- const char *hexbytes = "0123456789ABCDEF";
-- v = *(const unsigned char *)p;
-+ v = (const unsigned char)c;
- *d++ = '\\';
- *d++ = hexbytes[v>>4];
- *d++ = hexbytes[v&0xF];
-- p++;
- break;
- }
-+ default:
-+ *d++ = c;
- }
-- s = p; /* move forward */
- }
-
-- /* copy the last part (with zero) and return */
-- l = len - (s - src);
-- memcpy(d, s, l + 1);
--
- /* return the length of the resulting string */
-- return (l + (d - dst));
-+ return (d - dst);
- }
-
- char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
---
-2.5.0
-
-
diff --git a/SOURCES/ldb_dn_escape_no_strlen.patch b/SOURCES/ldb_dn_escape_no_strlen.patch
deleted file mode 100644
index 27f1bec..0000000
--- a/SOURCES/ldb_dn_escape_no_strlen.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 85a1c62c942033f6e1b864aeb4fd72c4a8b3d38a Mon Sep 17 00:00:00 2001
-From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Date: Tue, 24 Nov 2015 13:09:36 +1300
-Subject: [PATCH 4/9] CVE-2015-5330: ldb_dn_escape_value: use known string
- length, not strlen()
-
-ldb_dn_escape_internal() reports the number of bytes it copied, so
-lets use that number, rather than using strlen() and hoping a zero got
-in the right place.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
-
-Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- lib/ldb/common/ldb_dn.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
-index 1b8e51e..a3b8f92 100644
---- a/lib/ldb/common/ldb_dn.c
-+++ b/lib/ldb/common/ldb_dn.c
-@@ -250,7 +250,7 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)
- char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
- {
- char *dst;
--
-+ size_t len;
- if (!value.length)
- return NULL;
-
-@@ -261,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
- return NULL;
- }
-
-- ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
--
-- dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1);
-+ len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
-
-+ dst = talloc_realloc(mem_ctx, dst, char, len + 1);
-+ if ( ! dst) {
-+ talloc_free(dst);
-+ return NULL;
-+ }
-+ dst[len] = '\0';
- return dst;
- }
-
---
-2.5.0
diff --git a/SOURCES/ldb_dn_explode_no_strlen.patch b/SOURCES/ldb_dn_explode_no_strlen.patch
deleted file mode 100644
index be6fd39..0000000
--- a/SOURCES/ldb_dn_explode_no_strlen.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From bce1b285de7829d9fa110efdfa98fe877ef19e3f Mon Sep 17 00:00:00 2001
-From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Date: Thu, 26 Nov 2015 11:17:11 +1300
-Subject: [PATCH 8/9] CVE-2015-5330: ldb_dn_explode: copy strings by length,
- not terminators
-
-That is, memdup(), not strdup(). The terminators might not be there.
-
-But, we have to make sure we put the terminator on, because we tend to
-assume the terminator is there in other places.
-
-Use talloc_set_name_const() on the resulting chunk so talloc_report()
-remains unchanged.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
-
-Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
-Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
-Pair-programmed-with: Ralph Boehme <slow@samba.org>
----
- lib/ldb/common/ldb_dn.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
-index a3b8f92..cd17cda 100644
---- a/lib/ldb/common/ldb_dn.c
-+++ b/lib/ldb/common/ldb_dn.c
-@@ -586,12 +586,15 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
-
- p++;
- *d++ = '\0';
-- dn->components[dn->comp_num].value.data = (uint8_t *)talloc_strdup(dn->components, dt);
-+ dn->components[dn->comp_num].value.data = \
-+ (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
- dn->components[dn->comp_num].value.length = l;
- if ( ! dn->components[dn->comp_num].value.data) {
- /* ouch ! */
- goto failed;
- }
-+ talloc_set_name_const(dn->components[dn->comp_num].value.data,
-+ (const char *)dn->components[dn->comp_num].value.data);
-
- dt = d;
-
-@@ -707,11 +710,13 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
- *d++ = '\0';
- dn->components[dn->comp_num].value.length = l;
- dn->components[dn->comp_num].value.data =
-- (uint8_t *)talloc_strdup(dn->components, dt);
-+ (uint8_t *)talloc_memdup(dn->components, dt, l + 1);
- if ( ! dn->components[dn->comp_num].value.data) {
- /* ouch */
- goto failed;
- }
-+ talloc_set_name_const(dn->components[dn->comp_num].value.data,
-+ (const char *)dn->components[dn->comp_num].value.data);
-
- dn->comp_num++;
-
---
-2.5.0
-
-
diff --git a/SPECS/libldb.spec b/SPECS/libldb.spec
index d6ae704..6ac1887 100644
--- a/SPECS/libldb.spec
+++ b/SPECS/libldb.spec
@@ -8,8 +8,8 @@
%define tevent_version 0.9.24
Name: libldb
-Version: 1.1.20
-Release: 1%{?dist}.2
+Version: 1.1.25
+Release: 1%{?dist}
Group: Development/Libraries
Summary: A schema-less, ldap like, API and database
Requires: libtalloc%{?_isa} >= %{talloc_version}
@@ -42,11 +42,6 @@ Provides: bundled(libreplace)
Provides: bundled(libtdb_compat)
# Patches
-Patch0001: ldb_canon_zero.patch
-Patch0002: ldb_binary_cmp.patch
-Patch0003: ldb_dn_escape_fix.patch
-Patch0004: ldb_dn_escape_no_strlen.patch
-Patch0005: ldb_dn_explode_no_strlen.patch
%description
An extensible library that implements an LDAP like API to access remote LDAP
@@ -91,11 +86,6 @@ Development files for the Python bindings for the LDB library
%prep
%setup -q -n ldb-%{version}
-%patch0001 -p3 -b .ldb_canon_zero
-%patch0002 -p3 -b .ldb_binary_cmp
-%patch0003 -p3 -b .ldb_dn_escape_fix
-%patch0004 -p3 -b .ldb_dn_escape_no_strlen
-%patch0005 -p3 -b .ldb_dn_explode_no_strlen
%build
@@ -175,6 +165,7 @@ rm -rf %{buildroot}
%defattr(-,root,root,-)
%{python_sitearch}/ldb.so
%{_libdir}/libpyldb-util.so.1*
+%{python_sitearch}/_ldb_text.py*
%files -n pyldb-devel
%defattr(-,root,root,-)
@@ -187,6 +178,10 @@ rm -rf %{buildroot}
%postun -n pyldb -p /sbin/ldconfig
%changelog
+* Fri Apr 1 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.1.25-1
+- Rebase libldb to 1.1.25
+- Related: rhbz#1322690
+
* Mon Dec 14 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.1.20-1.2
- Resolves: rhbz#1290714 - CVE-2015-5330 libldb: samba: Remote memory read
in Samba LDAP server [rhel-7.2.z]