Hello community, here is the log from the commit of package sudo for openSUSE:11.4 checked in at Thu Jan 5 17:15:56 CET 2012.
-------- --- old-versions/11.4/UPDATES/all/sudo/sudo.changes 2011-12-13 09:51:02.000000000 +0100 +++ 11.4/sudo/sudo.changes 2012-01-02 17:39:08.000000000 +0100 @@ -1,0 +2,5 @@ +Mon Jan 2 16:23:49 UTC 2012 - vci...@suse.cz + +- escape values passed to ldap_search (bnc#724490) + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- sudo-1.7.6p2-ldap_search_escape.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.7Z5R65/_old 2012-01-05 17:15:45.000000000 +0100 +++ /var/tmp/diff_new_pack.7Z5R65/_new 2012-01-05 17:15:45.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package sudo # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ BuildRequires: libselinux-devel PreReq: coreutils Version: 1.7.6p2 -Release: 0.<RELEASE5> +Release: 0.<RELEASE7> Group: System/Base License: BSD3c(or similar) Url: http://www.sudo.ws/ @@ -38,6 +38,7 @@ Patch6: %{name}-ldap.diff Patch7: %{name}-env.diff Patch8: sudo-1.7.6p2-manpage.patch +Patch9: sudo-1.7.6p2-ldap_search_escape.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -66,6 +67,7 @@ %patch6 %patch7 %patch8 -p1 +%patch9 -p1 cp %{S:1} %{S:2} . %build ++++++ sudo-1.7.6p2-ldap_search_escape.patch ++++++ Index: sudo-1.7.6p2/ldap.c =================================================================== --- sudo-1.7.6p2.orig/ldap.c 2011-04-12 17:48:56.000000000 +0200 +++ sudo-1.7.6p2/ldap.c 2011-12-12 12:05:14.443420672 +0100 @@ -994,6 +994,99 @@ } /* + * Determine length of query value after escaping characters + * as per RFC 4515. + */ +static size_t +sudo_ldap_value_len(const char *value) +{ + const char *s; + size_t len = 0; + + for (s = value; *s != '\0'; s++) { + switch (*s) { + case '\\': + case '(': + case ')': + case '*': + len += 2; + break; + } + } + len += (size_t)(s - value); + return len; +} + +/* + * Like strlcat() but escapes characters as per RFC 4515. + */ +static size_t +sudo_ldap_value_cat(char *dst, const char *src, size_t size) +{ + char *d = dst; + const char *s = src; + size_t n = size; + size_t dlen; + + /* Find the end of dst and adjust bytes left but don't go past end */ + while (n-- != 0 && *d != '\0') + d++; + dlen = d - dst; + n = size - dlen; + + if (n == 0) + return dlen + strlen(s); + while (*s != '\0') { + switch (*s) { + case '\\': + if (n < 3) + goto done; + *d++ = '\\'; + *d++ = '5'; + *d++ = 'c'; + n -= 3; + break; + case '(': + if (n < 3) + goto done; + *d++ = '\\'; + *d++ = '2'; + *d++ = '8'; + n -= 3; + break; + case ')': + if (n < 3) + goto done; + *d++ = '\\'; + *d++ = '2'; + *d++ = '9'; + n -= 3; + break; + case '*': + if (n < 3) + goto done; + *d++ = '\\'; + *d++ = '2'; + *d++ = 'a'; + n -= 3; + break; + default: + if (n < 1) + goto done; + *d++ = *s; + n--; + break; + } + s++; + } +done: + *d = '\0'; + while (*s != '\0') + s++; + return dlen + (s - src); /* count does not include NUL */ +} + +/* * Builds up a filter to check against LDAP. */ static char * @@ -1010,18 +1103,18 @@ sz += strlen(ldap_conf.search_filter) + 3; /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ - sz += 29 + strlen(pw->pw_name); + sz += 29 + sudo_ldap_value_len(pw->pw_name); /* Add space for groups */ if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { - sz += 12 + strlen(grp->gr_name); /* primary group */ + sz += 12 + sudo_ldap_value_len(grp->gr_name); gr_delref(grp); } for (i = 0; i < user_ngroups; i++) { if (user_groups[i] == pw->pw_gid) continue; if ((grp = sudo_getgrgid(user_groups[i])) != NULL) { - sz += 12 + strlen(grp->gr_name); /* supplementary group */ + sz += 12 + sudo_ldap_value_len(grp->gr_name); gr_delref(grp); } } @@ -1044,13 +1137,13 @@ /* Global OR + sudoUser=user_name filter */ (void) strlcat(buf, "(|(sudoUser=", sz); - (void) strlcat(buf, pw->pw_name, sz); + (void) sudo_ldap_value_cat(buf, pw->pw_name, sz); (void) strlcat(buf, ")", sz); /* Append primary group */ if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { (void) strlcat(buf, "(sudoUser=%", sz); - (void) strlcat(buf, grp->gr_name, sz); + (void) sudo_ldap_value_cat(buf, grp->gr_name, sz); (void) strlcat(buf, ")", sz); gr_delref(grp); } @@ -1061,7 +1154,7 @@ continue; if ((grp = sudo_getgrgid(user_groups[i])) != NULL) { (void) strlcat(buf, "(sudoUser=%", sz); - (void) strlcat(buf, grp->gr_name, sz); + (void) sudo_ldap_value_cat(buf, grp->gr_name, sz); (void) strlcat(buf, ")", sz); gr_delref(grp); } continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org