Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-0.7.git;a=commitdiff;h=e855a9000021ed47de582fd912378f325e224db3
commit e855a9000021ed47de582fd912378f325e224db3 Author: Miklos Vajna <[EMAIL PROTECTED]> Date: Tue Feb 19 12:55:13 2008 +0100 openldap-2.3.39-1sayshell2-i686 added CVE-2008-0658.diff closes #2786 diff --git a/source/network-extra/openldap/CVE-2008-0658.diff b/source/network-extra/openldap/CVE-2008-0658.diff new file mode 100644 index 0000000..7c01b9a --- /dev/null +++ b/source/network-extra/openldap/CVE-2008-0658.diff @@ -0,0 +1,16 @@ +=================================================================== +RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/back-bdb/modrdn.c,v +retrieving revision 1.197 +retrieving revision 1.198 +diff -p -u -r1.197 -r1.198 +--- ldap/servers/slapd/back-bdb/modrdn.c 2008/01/11 03:01:37 1.197 ++++ ldap/servers/slapd/back-bdb/modrdn.c 2008/02/07 11:06:24 1.198 +@@ -739,6 +739,8 @@ retry: /* transaction retry */ + } else { + rs->sr_err = LDAP_X_NO_OPERATION; + ltid = NULL; ++ /* Only free attrs if they were dup'd. */ ++ if ( dummy.e_attrs == e->e_attrs ) dummy.e_attrs = NULL; + goto return_results; + } + diff --git a/source/network-extra/openldap/FrugalBuild b/source/network-extra/openldap/FrugalBuild index 0589953..231ab31 100644 --- a/source/network-extra/openldap/FrugalBuild +++ b/source/network-extra/openldap/FrugalBuild @@ -3,7 +3,7 @@ pkgname=openldap pkgver=2.3.39 -pkgrel=1sayshell1 +pkgrel=1sayshell2 pkgdesc="A suite of the Lightweight Directory Access Protocol servers" url="http://www.openldap.org/" groups=('network-extra') @@ -14,10 +14,11 @@ rodepends=("libldap=$pkgver") makedepends=('tcp_wrappers' 'openssl' 'cyrus-sasl') up2date="lynx -dump http://www.openldap.org/software/download/|grep 'United States'|sed -e 's/.*]\(.*\) \[.*/\1/'" source=(ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/$pkgname-$pkgver.tgz rc.slapd \ - openldap-ntlm.patch0) + openldap-ntlm.patch CVE-2008-0658.diff) sha1sums=('e87e60b1269f51d753d88df9b51745a66730a5d4' \ 'e2e32477a3252545c04709b172eb65b1847c3678' \ - '29b8e9c4835235c976f026cd5883228b77581083') + 'c0546e88975c94567ad657da9205ca30cf41df59' \ + '729eb4778b44262a97d5a16c2b867729006cea5a') subpkgs=('libldap') subdescs=('OpenLDAP library.') diff --git a/source/network-extra/openldap/openldap-ntlm.patch b/source/network-extra/openldap/openldap-ntlm.patch new file mode 100644 index 0000000..24c4b67 --- /dev/null +++ b/source/network-extra/openldap/openldap-ntlm.patch @@ -0,0 +1,199 @@ +(Note that this patch is not useful on its own... it just adds some +hooks to work with the LDAP authentication process at a lower level +than the API otherwise allows. The code that calls these hooks and +actually drives the NTLM authentication process is in +lib/e2k-global-catalog.c, and the code that actually implements the +NTLM algorithms is in xntlm/.) + +This is a patch against OpenLDAP 2.2.6. Apply with -p1 + + +--- include/ldap.h.orig 2004-01-01 13:16:28.000000000 -0500 ++++ include/ldap.h 2004-07-14 11:58:49.000000000 -0400 +@@ -1753,5 +1753,26 @@ + LDAPControl **cctrls )); + + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ ++ + LDAP_END_DECL + #endif /* _LDAP_H */ +--- libraries/libldap/Makefile.in.orig 2004-01-01 13:16:29.000000000 -0500 ++++ libraries/libldap/Makefile.in 2004-07-14 13:37:23.000000000 -0400 +@@ -20,7 +20,7 @@ + SRCS = bind.c open.c result.c error.c compare.c search.c \ + controls.c messages.c references.c extended.c cyrus.c \ + modify.c add.c modrdn.c delete.c abandon.c \ +- sasl.c sbind.c kbind.c unbind.c cancel.c \ ++ sasl.c ntlm.c sbind.c kbind.c unbind.c cancel.c \ + filter.c free.c sort.c passwd.c whoami.c \ + getdn.c getentry.c getattr.c getvalues.c addentry.c \ + request.c os-ip.c url.c sortctrl.c vlvctrl.c \ +@@ -29,7 +29,7 @@ + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ + controls.lo messages.lo references.lo extended.lo cyrus.lo \ + modify.lo add.lo modrdn.lo delete.lo abandon.lo \ +- sasl.lo sbind.lo kbind.lo unbind.lo cancel.lo \ ++ sasl.lo ntlm.lo sbind.lo kbind.lo unbind.lo cancel.lo \ + filter.lo free.lo sort.lo passwd.lo whoami.lo \ + getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ + request.lo os-ip.lo url.lo sortctrl.lo vlvctrl.lo \ +--- /dev/null 2004-06-30 15:04:37.000000000 -0400 ++++ libraries/libldap/ntlm.c 2004-07-14 13:44:18.000000000 -0400 +@@ -0,0 +1,137 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. ++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include <stdlib.h> ++#include <stdio.h> ++ ++#include <ac/socket.h> ++#include <ac/string.h> ++#include <ac/time.h> ++#include <ac/errno.h> ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} diff --git a/source/network-extra/openldap/openldap-ntlm.patch0 b/source/network-extra/openldap/openldap-ntlm.patch0 deleted file mode 100644 index 1e52f99..0000000 --- a/source/network-extra/openldap/openldap-ntlm.patch0 +++ /dev/null @@ -1,199 +0,0 @@ -(Note that this patch is not useful on its own... it just adds some -hooks to work with the LDAP authentication process at a lower level -than the API otherwise allows. The code that calls these hooks and -actually drives the NTLM authentication process is in -lib/e2k-global-catalog.c, and the code that actually implements the -NTLM algorithms is in xntlm/.) - -This is a patch against OpenLDAP 2.2.6. Apply with -p0 - - ---- include/ldap.h.orig 2004-01-01 13:16:28.000000000 -0500 -+++ include/ldap.h 2004-07-14 11:58:49.000000000 -0400 -@@ -1753,5 +1753,26 @@ - LDAPControl **cctrls )); - - -+/* -+ * hacks for NTLM -+ */ -+#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) -+#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) -+LDAP_F( int ) -+ldap_ntlm_bind LDAP_P(( -+ LDAP *ld, -+ LDAP_CONST char *dn, -+ ber_tag_t tag, -+ struct berval *cred, -+ LDAPControl **sctrls, -+ LDAPControl **cctrls, -+ int *msgidp )); -+LDAP_F( int ) -+ldap_parse_ntlm_bind_result LDAP_P(( -+ LDAP *ld, -+ LDAPMessage *res, -+ struct berval *challenge)); -+ -+ - LDAP_END_DECL - #endif /* _LDAP_H */ ---- libraries/libldap/Makefile.in.orig 2004-01-01 13:16:29.000000000 -0500 -+++ libraries/libldap/Makefile.in 2004-07-14 13:37:23.000000000 -0400 -@@ -20,7 +20,7 @@ - SRCS = bind.c open.c result.c error.c compare.c search.c \ - controls.c messages.c references.c extended.c cyrus.c \ - modify.c add.c modrdn.c delete.c abandon.c \ -- sasl.c sbind.c kbind.c unbind.c cancel.c \ -+ sasl.c ntlm.c sbind.c kbind.c unbind.c cancel.c \ - filter.c free.c sort.c passwd.c whoami.c \ - getdn.c getentry.c getattr.c getvalues.c addentry.c \ - request.c os-ip.c url.c sortctrl.c vlvctrl.c \ -@@ -29,7 +29,7 @@ - OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ - controls.lo messages.lo references.lo extended.lo cyrus.lo \ - modify.lo add.lo modrdn.lo delete.lo abandon.lo \ -- sasl.lo sbind.lo kbind.lo unbind.lo cancel.lo \ -+ sasl.lo ntlm.lo sbind.lo kbind.lo unbind.lo cancel.lo \ - filter.lo free.lo sort.lo passwd.lo whoami.lo \ - getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ - request.lo os-ip.lo url.lo sortctrl.lo vlvctrl.lo \ ---- /dev/null 2004-06-30 15:04:37.000000000 -0400 -+++ libraries/libldap/ntlm.c 2004-07-14 13:44:18.000000000 -0400 -@@ -0,0 +1,137 @@ -+/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ -+/* -+ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. -+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file -+ */ -+ -+/* Mostly copied from sasl.c */ -+ -+#include "portable.h" -+ -+#include <stdlib.h> -+#include <stdio.h> -+ -+#include <ac/socket.h> -+#include <ac/string.h> -+#include <ac/time.h> -+#include <ac/errno.h> -+ -+#include "ldap-int.h" -+ -+int -+ldap_ntlm_bind( -+ LDAP *ld, -+ LDAP_CONST char *dn, -+ ber_tag_t tag, -+ struct berval *cred, -+ LDAPControl **sctrls, -+ LDAPControl **cctrls, -+ int *msgidp ) -+{ -+ BerElement *ber; -+ int rc; -+ ber_int_t id; -+ -+ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); -+ -+ assert( ld != NULL ); -+ assert( LDAP_VALID( ld ) ); -+ assert( msgidp != NULL ); -+ -+ if( msgidp == NULL ) { -+ ld->ld_errno = LDAP_PARAM_ERROR; -+ return ld->ld_errno; -+ } -+ -+ /* create a message to send */ -+ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { -+ ld->ld_errno = LDAP_NO_MEMORY; -+ return ld->ld_errno; -+ } -+ -+ assert( LBER_VALID( ber ) ); -+ -+ LDAP_NEXT_MSGID( ld, id ); -+ rc = ber_printf( ber, "{it{istON}" /*}*/, -+ id, LDAP_REQ_BIND, -+ ld->ld_version, dn, tag, -+ cred ); -+ -+ /* Put Server Controls */ -+ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { -+ ber_free( ber, 1 ); -+ return ld->ld_errno; -+ } -+ -+ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { -+ ld->ld_errno = LDAP_ENCODING_ERROR; -+ ber_free( ber, 1 ); -+ return ld->ld_errno; -+ } -+ -+ /* send the message */ -+ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); -+ -+ if(*msgidp < 0) -+ return ld->ld_errno; -+ -+ return LDAP_SUCCESS; -+} -+ -+int -+ldap_parse_ntlm_bind_result( -+ LDAP *ld, -+ LDAPMessage *res, -+ struct berval *challenge) -+{ -+ ber_int_t errcode; -+ ber_tag_t tag; -+ BerElement *ber; -+ ber_len_t len; -+ -+ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); -+ -+ assert( ld != NULL ); -+ assert( LDAP_VALID( ld ) ); -+ assert( res != NULL ); -+ -+ if ( ld == NULL || res == NULL ) { -+ return LDAP_PARAM_ERROR; -+ } -+ -+ if( res->lm_msgtype != LDAP_RES_BIND ) { -+ ld->ld_errno = LDAP_PARAM_ERROR; -+ return ld->ld_errno; -+ } -+ -+ if ( ld->ld_error ) { -+ LDAP_FREE( ld->ld_error ); -+ ld->ld_error = NULL; -+ } -+ if ( ld->ld_matched ) { -+ LDAP_FREE( ld->ld_matched ); -+ ld->ld_matched = NULL; -+ } -+ -+ /* parse results */ -+ -+ ber = ber_dup( res->lm_ber ); -+ -+ if( ber == NULL ) { -+ ld->ld_errno = LDAP_NO_MEMORY; -+ return ld->ld_errno; -+ } -+ -+ tag = ber_scanf( ber, "{ioa" /*}*/, -+ &errcode, challenge, &ld->ld_error ); -+ ber_free( ber, 0 ); -+ -+ if( tag == LBER_ERROR ) { -+ ld->ld_errno = LDAP_DECODING_ERROR; -+ return ld->ld_errno; -+ } -+ -+ ld->ld_errno = errcode; -+ -+ return( ld->ld_errno ); -+} _______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git