From: Li Wang <li.w...@windriver.com>

The patch comes from:
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
https://bugzilla.redhat.com/attachment.cgi?id=1055640

The nss_parse_ciphers function in libraries/libldap/tls_m.c in
OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
cipher strings, which might cause a weaker than intended cipher to
be used and allow remote attackers to have unspecified impact via
unknown vectors.

Signed-off-by: Li Wang <li.w...@windriver.com>
Signed-off-by: Wenzong Fan <wenzong....@windriver.com>
---
 .../openldap/openldap/openldap-CVE-2015-3276.patch | 59 ++++++++++++++++++++++
 .../recipes-support/openldap/openldap_2.4.44.bb    |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 
meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch

diff --git 
a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch 
b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
new file mode 100644
index 0000000..de9ca52
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+
+Signed-off-by: Li Wang <li.w...@windriver.com>
+---
+ libraries/libldap/tls_m.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int 
cipher_list[ciphernum])
+                        */
+                       if (mask || strength || protocol) {
+                               for (i=0; i<ciphernum; i++) {
+-                                      if (((ciphers_def[i].attr & mask) ||
+-                                               (ciphers_def[i].strength & 
strength) ||
+-                                               (ciphers_def[i].version & 
protocol)) &&
+-                                              (cipher_list[i] != -1)) {
+-                                              /* Enable the NULL ciphers only 
if explicity
+-                                               * requested */
+-                                              if (ciphers_def[i].attr & 
SSL_eNULL) {
+-                                                      if (mask & SSL_eNULL)
+-                                                              cipher_list[i] 
= action;
+-                                              } else
++                                      /* if more than one mask is provided
++                                       * then AND logic applies (to match 
openssl)
++                                       */
++                                      if ( cipher_list[i] == -1) )
++                                              continue;
++                                      if ( mask && ! (ciphers_def[i].attr & 
mask) )
++                                              continue;
++                                      if ( strength && ! 
(ciphers_def[i].strength & strength) )
++                                              continue;
++                                      if ( protocol && ! 
(ciphers_def[i].version & protocol) )
++                                              continue;
++                                      /* Enable the NULL ciphers only if 
explicity requested */
++                                      if (ciphers_def[i].attr & SSL_eNULL) {
++                                              if (mask & SSL_eNULL)
+                                                       cipher_list[i] = action;
+-                                      }
++                                      } else
++                                              cipher_list[i] = action;
+                               }
+                       } else {
+                               for (i=0; i<ciphernum; i++) {
+-- 
+1.7.9.5
+
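Review bot: `if ( cipher_list[i] == -1) )` in the added block has one opening parenthesis and two closing ones, so this patch will not compile as written; it should read `if ( cipher_list[i] == -1 )`. Please re-check the file against the Red Hat attachment it was taken from and do a build before merging. The patch header is also missing the `Upstream-Status:` line that OE-Core requires for every patch under `files/` (here `Upstream-Status: Backport`, with the bugzilla URLs kept as the reference). The logic change itself is correct: the old condition was satisfied when any one of the `attr`, `strength` or `version` tests matched, so a cipher could be enabled by a single keyword even when the other keywords in the same token excluded it, whereas the new early `continue` checks require every supplied keyword to match, which is the OpenSSL AND semantics the new comment describes. Since the comment lines are being rewritten anyway, the carried-over typo `explicity` could become `explicitly`.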
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb 
b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
index 48e9066..41f753e 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
@@ -24,6 +24,7 @@ SRC_URI = 
"ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
     file://initscript \
     file://slapd.service \
     file://thread_stub.patch \
+    file://openldap-CVE-2015-3276.patch \
 "
 
 SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51"
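Review bot: no problem with this hunk; the new `file://openldap-CVE-2015-3276.patch` entry keeps the indentation and trailing backslash of the neighbouring entries, and carrying the CVE id in the file name makes the backport easy to audit later. The missing `Upstream-Status` tag is an issue in the patch file above, not in the recipe.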
-- 
2.8.1
