Package: openldap
Version: 2.4.23-6
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch
*** /tmp/tmplKX1Up

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: fix successful anonymous bind via chain overlay when
    using forwarded authentication failures
    - debian/patches/CVE-2011-1024
    - CVE-2011-1024
  * SECURITY UPDATE: verify password when authenticating to rootdn and
    using ndb backend. Note: Ubuntu is not compiled with --enable-ndb by
    default
    - debian/patches/CVE-2011-1025
    - CVE-2011-1025
  * SECURITY UPDATE: fix DoS when processing unauthenticated modrdn
    requests and requestDN is empty
    - debian/patches/CVE-2011-1081
    - CVE-2011-1081
    - LP: #742104

Upstream patchsets and information are located in DEP-3 comments of the
patch. While CVE-2011-1024 and CVE-2011-1025 are pretty minor,
CVE-2011-1081 is at least a medium, as a crafted unauthenticated modrdn
request can DoS the server. Attaching all patches here since the Debian
CVE tracker[1] lists this bug for CVE-2011-1081.

Thanks for considering the patch.

Jamie

[1] http://security-tracker.debian.org/tracker/CVE-2011-1081

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u openldap-2.4.23/debian/changelog openldap-2.4.23/debian/changelog diff -u openldap-2.4.23/debian/patches/series openldap-2.4.23/debian/patches/series --- openldap-2.4.23/debian/patches/series +++ openldap-2.4.23/debian/patches/series @@ -20,0 +21,3 @@ +CVE-2011-1024 +CVE-2011-1025 +CVE-2011-1081 only in patch2: unchanged: --- openldap-2.4.23.orig/debian/patches/CVE-2011-1081 +++ openldap-2.4.23/debian/patches/CVE-2011-1081 @@ -0,0 +1,21 @@ +Origin: cvs PatchSet 24550 from OPENLDAP_REL_ENG_2_4 +Description: fix DoS when processing unauthenticated modrdn requests and + requestDN is empty +Bug: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768 +Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=674985#c1 + +Index: openldap-2.4.23/servers/slapd/modrdn.c +=================================================================== +--- openldap-2.4.23.orig/servers/slapd/modrdn.c 2011-03-16 09:44:03.000000000 -0500 ++++ openldap-2.4.23/servers/slapd/modrdn.c 2011-03-16 09:44:07.000000000 -0500 +@@ -392,7 +392,9 @@ + LDAPRDN new_rdn = NULL; + + assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) ); +- assert( !op->orr_deleteoldrdn || !BER_BVISEMPTY( &op->o_req_dn ) ); ++ ++ /* if requestDN is empty, silently reset deleteOldRDN */ ++ if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0; + + if ( ldap_bv2rdn_x( &op->oq_modrdn.rs_newrdn, &new_rdn, + (char **)&rs->sr_text, LDAP_DN_FORMAT_LDAP, op->o_tmpmemctx ) ) { only in patch2: unchanged: --- openldap-2.4.23.orig/debian/patches/CVE-2011-1024 +++ openldap-2.4.23/debian/patches/CVE-2011-1024 
@@ -0,0 +1,44 @@ +Origin: cvs PatchSet 24620 from OPENLDAP_REL_ENG_2_4 +Description: fix successful anonymous bind via chain overlay when using + forwarded authentication failures +Bug: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607 + +Index: openldap-2.4.23/servers/slapd/back-ldap/chain.c +=================================================================== +--- openldap-2.4.23.orig/servers/slapd/back-ldap/chain.c 2011-03-16 09:21:55.000000000 -0500 ++++ openldap-2.4.23/servers/slapd/back-ldap/chain.c 2011-03-16 09:22:02.000000000 -0500 +@@ -854,6 +854,7 @@ + + /* we need this to know if back-ldap returned any result */ + lb.lb_lc = lc; ++ sc2.sc_next = sc->sc_next; + sc2.sc_private = &lb; + sc2.sc_response = ldap_chain_cb_response; + op->o_callback = &sc2; +@@ -947,6 +948,7 @@ + + case LDAP_SUCCESS: + case LDAP_REFERRAL: ++ sr_err = rs->sr_err; + /* slapd-ldap sent response */ + if ( !op->o_abandon && lb.lb_status != LDAP_CH_RES ) { + /* FIXME: should we send response? */ +@@ -974,7 +976,7 @@ + default: + #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */ + if ( LDAP_CHAIN_RETURN_ERR( lc ) ) { +- rs->sr_err = rc; ++ sr_err = rs->sr_err = rc; + rs->sr_type = sr_type; + + } else { +@@ -992,7 +994,8 @@ + } + + if ( lb.lb_status == LDAP_CH_NONE && rc != SLAPD_ABANDON ) { +- op->o_callback = NULL; ++ /* give the remaining callbacks a chance */ ++ op->o_callback = sc->sc_next; + rc = rs->sr_err = slap_map_api2result( rs ); + send_ldap_result( op, rs ); + } only in patch2: unchanged: --- openldap-2.4.23.orig/debian/patches/CVE-2011-1025 +++ openldap-2.4.23/debian/patches/CVE-2011-1025 
@@ -0,0 +1,29 @@ +Origin: cvs PatchSets 24176 and 24177 from HEAD +Description: verify password when authenticating to rootdn and using ndb + backend +Bug: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661 + +Index: openldap-2.4.23/servers/slapd/back-ndb/bind.cpp +=================================================================== +--- openldap-2.4.23.orig/servers/slapd/back-ndb/bind.cpp 2011-03-16 09:35:42.000000000 -0500 ++++ openldap-2.4.23/servers/slapd/back-ndb/bind.cpp 2011-03-16 09:37:17.000000000 -0500 +@@ -42,11 +42,17 @@ + op->o_req_dn.bv_val, 0, 0); + + /* allow noauth binds */ +- switch ( be_rootdn_bind( op, NULL ) ) { ++ rs->sr_err = be_rootdn_bind( op, NULL ); ++ switch ( rs->sr_err ) { + case SLAP_CB_CONTINUE: + break; + +- default: ++ case LDAP_INVALID_CREDENTIALS: ++ send_ldap_result( op, rs ); ++ /* fallthru */ ++ ++ case LDAP_SUCCESS: ++ /* frontend will send result */ + return rs->sr_err; + } +
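Review bot: In the modrdn.c hunk (@@ -392), the line that replaces the removed assert, `if ( BER_BVISEMPTY( &op->o_req_dn ) ) op->orr_deleteoldrdn = 0;`, silently rewrites the client's request instead of rejecting it; a ModifyDN with an empty requestDN and deleteOldRDN set is malformed, so setting rs->sr_err to a protocol error and sending the result would be the more conservative fix and would leave a trace in the logs, which "silently reset" does not. The sibling `assert( !BER_BVISEMPTY( &op->oq_modrdn.rs_newrdn ) );` is kept one line above; since the removed assert was reachable from an unauthenticated request, the DEP-3 Description should say why this one cannot be reached the same way, or it should get the same treatment.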
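Review bot: The new `sc2.sc_next = sc->sc_next;` at chain.c @@ -854 splices the overlay's temporary callback into the caller's chain, but the visible context only ever assigns sc_next, sc_private and sc_response on sc2; if sc2 is a stack local, the remaining slap_callback members (sc_cleanup in particular) must be zeroed or set with a designated initializer, otherwise the callback walk that this hunk enables can read an uninitialised cleanup pointer. Worth confirming the declaration, which the hunk does not show.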
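Review bot: At chain.c @@ -947, `sr_err = rs->sr_err;` is added in the LDAP_SUCCESS/LDAP_REFERRAL arm, and at @@ -974 in the LDAP_CHAIN_RETURN_ERR branch, but the `} else {` branch visible in the second hunk assigns nothing to sr_err, and both the declaration and the consumer of sr_err are outside the hunks; please either show sr_err's initialisation in the context or assign it in the else branch as well, so no path restores an uninitialised value into rs->sr_err after the remote result is processed.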
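Review bot: At chain.c @@ -974 the chained assignment `sr_err = rs->sr_err = rc;` hides that two different things are being recorded (the code to report now and the code to restore later); splitting it into `rs->sr_err = rc;` followed by `sr_err = rc;` costs one line and makes the intent reviewable without reading the rest of the function.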
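Review bot: The change at chain.c @@ -992 from `op->o_callback = NULL;` to `op->o_callback = sc->sc_next;` is the load-bearing part of this patch: it is what lets the callbacks that sat after the overlay see the mapped error code from `slap_map_api2result( rs )` before `send_ldap_result( op, rs )` runs, whereas before they were cut out entirely. The DEP-3 Description only names the symptom (a successful anonymous bind with forwarded authentication failures); add a sentence tying that symptom to the dropped callback chain so a future reader knows which of the four hunks closes the bug and which are supporting changes.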
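Review bot: At back-ndb/bind.cpp @@ -42, removing the `default:` arm means any be_rootdn_bind() return value other than SLAP_CB_CONTINUE, LDAP_INVALID_CREDENTIALS or LDAP_SUCCESS now falls out of the switch and continues into the backend's normal bind path instead of returning; unless be_rootdn_bind() is guaranteed to return exactly those three values, keep a `default:` that sends rs->sr_err and returns, so an unexpected code cannot turn into a continued bind. The `/* fallthru */` from LDAP_INVALID_CREDENTIALS sends the result locally while LDAP_SUCCESS defers to the frontend; a one-line comment on why the two arms differ would save the next reader a trip through the frontend bind code.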