Bug#934508: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u3

2019-08-14 Thread Ryan Tandy

On Tue, Aug 13, 2019 at 06:24:32PM +0100, Adam D. Barratt wrote:

> Please go ahead.


Thank you. Uploaded, accepted, and visible on the queue page now.



Bug#934508: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u3

2019-08-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2019-08-11 at 11:45 -0700, Ryan Tandy wrote:
> I would like to update openldap in stretch to fix two CVEs and one
> additional important bug. I already discussed the CVEs with the security
> team and we agreed on fixing them in a point release.

Please go ahead.

Regards,

Adam



Bug#934508: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u3

2019-08-11 Thread Ryan Tandy
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear SRM,

I would like to update openldap in stretch to fix two CVEs and one
additional important bug. I already discussed the CVEs with the security
team and we agreed on fixing them in a point release.

The changes are in testing, backports, and Ubuntu already; no
regressions that I'm aware of. Changelog as follows:

openldap (2.4.44+dfsg-5+deb9u3) stretch; urgency=medium

  * Fix slapd to restrict rootDN proxyauthz to its own databases
    (CVE-2019-13057) (ITS#9038) (Closes: #932997)

-> No-DSA CVE fix for an admin of one database being able to pivot their
privileges to other databases in the same slapd instance.

  * Fix slapd to enforce sasl_ssf ACL statement on every connection
    (CVE-2019-13565) (ITS#9052) (Closes: #932998)

-> No-DSA CVE fix for the sasl_ssf ACL variable being uninitialized on
non-SASL binds, keeping the value from the previous SASL bind.

  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
    (ITS#8964) (Closes: #934277, LP: #1838370)

-> Fix a double-free that can be triggered remotely by a search request 
with a crafted search filter, if the slapo-rwm module is loaded and 
search filter rewriting is enabled.

Thank you,
Ryan
diff -Nru openldap-2.4.44+dfsg/debian/changelog 
openldap-2.4.44+dfsg/debian/changelog
--- openldap-2.4.44+dfsg/debian/changelog   2018-05-22 21:25:19.0 
-0700
+++ openldap-2.4.44+dfsg/debian/changelog   2019-08-10 12:17:00.0 
-0700
@@ -1,3 +1,14 @@
+openldap (2.4.44+dfsg-5+deb9u3) stretch; urgency=medium
+
+  * Fix slapd to restrict rootDN proxyauthz to its own databases
+(CVE-2019-13057) (ITS#9038) (Closes: #932997)
+  * Fix slapd to enforce sasl_ssf ACL statement on every connection
+(CVE-2019-13565) (ITS#9052) (Closes: #932998)
+  * Fix slapo-rwm to not free original filter when rewritten filter is invalid
+(ITS#8964) (Closes: #934277, LP: #1838370)
+
+ -- Ryan Tandy   Sat, 10 Aug 2019 12:17:00 -0700
+
 openldap (2.4.44+dfsg-5+deb9u2) stretch; urgency=medium
 
   * Import upstream patch to fix an out-of-sync issue with delta-syncrepl
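
Review bot: the third new entry in debian/changelog (ITS#8964) does not name the defect class, while the covering message describes it as a double-free that a search request with a crafted filter can trigger remotely. Consider wording it along the lines of "Fix double free in slapo-rwm when the rewritten filter is invalid", so that someone scanning the changelog for security-relevant fixes sees it alongside the two CVE entries.
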
diff -Nru 
openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch 
openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch
--- 
openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch  
1969-12-31 16:00:00.0 -0800
+++ 
openldap-2.4.44+dfsg/debian/patches/ITS-8964-Do-not-free-original-filter.patch  
2019-08-10 12:17:00.0 -0700
@@ -0,0 +1,36 @@
+From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= 
+Date: Mon, 17 Jun 2019 12:49:25 +0200
+Subject: [PATCH] ITS#8964 Do not free original filter
+
+---
+ servers/slapd/overlays/rwm.c | 12 
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index 36bceaffe..2e24f24cc 100644
+--- a/servers/slapd/overlays/rwm.c
 b/servers/slapd/overlays/rwm.c
+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs, 
rwm_op_state *ros )
+   break;
+   case LDAP_REQ_SEARCH:
+   op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );
+-  filter_free_x( op, op->ors_filter, 1 );
+-  op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+   op->ors_attrs = ros->ors_attrs;
+-  op->ors_filter = ros->ors_filter;
+-  op->ors_filterstr = ros->ors_filterstr;
++  if ( op->ors_filter != ros->ors_filter ) {
++  filter_free_x( op, op->ors_filter, 1 );
++  op->ors_filter = ros->ors_filter;
++  }
++  if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) {
++  op->o_tmpfree( op->ors_filterstr.bv_val, 
op->o_tmpmemctx );
++  op->ors_filterstr = ros->ors_filterstr;
++  }
+   break;
+   case LDAP_REQ_EXTENDED:
+   if ( op->ore_reqdata != ros->ore_reqdata ) {
+-- 
+2.20.1
+
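
Review bot: the two guards added to the LDAP_REQ_SEARCH case of rwm_op_rollback carry no comment, and the imported patch has an empty commit body, so nothing next to the code records when op->ors_filter and ros->ors_filter can be the same pointer. A one-line comment above `if ( op->ors_filter != ros->ors_filter ) {` saying that the filter still points at the original when the rewritten filter is invalid (the case named in the changelog) would keep a later cleanup from restoring the unconditional filter_free_x(). The attribute rollback in the same case stays unconditional (`op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );`), unlike the filter here and ore_reqdata in the LDAP_REQ_EXTENDED case below, so it is worth confirming that ros->mapped_attrs is always safe to free on that error path.
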
diff -Nru 
openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 
openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 
1969-12-31 16:00:00.0 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-9038-Another-test028-typo.patch 
2019-08-10 12:15:41.0 -0700
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= 
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert
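
Review bot: the header of this imported patch says only "Another test028 typo" with an empty body, and the debian/changelog hunk does not list it separately under the ITS#9038 entry. A short description in the patch header naming the earlier change it follows up would let a reader of debian/patches see why a one-line edit to tests/scripts/test028-idassert ships with the CVE-2019-13057 fix.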