diff options
author | Li Wang <li.wang@windriver.com> | 2016-09-14 02:25:32 -0400 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2016-09-19 16:24:10 +0200 |
commit | 24e387aaf78bc0f68a46abb1fab3a76364804bd1 (patch) | |
tree | 73a6690c21239d402ba05063be88ad1bdccdeb44 | |
parent | 14a532d78309768756403efb3491f514af7dcdf7 (diff) | |
download | meta-openembedded-contrib-24e387aaf78bc0f68a46abb1fab3a76364804bd1.tar.gz |
openldap: fix CVE-2015-3276
the patch comes from:
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
https://bugzilla.redhat.com/attachment.cgi?id=1055640
The nss_parse_ciphers function in libraries/libldap/tls_m.c in
OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
cipher strings, which might cause a weaker than intended cipher to
be used and allow remote attackers to have unspecified impact via
unknown vectors.
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r-- | meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch | 59 | ||||
-rw-r--r-- | meta-oe/recipes-support/openldap/openldap_2.4.44.bb | 1 |
2 files changed, 60 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch new file mode 100644 index 0000000000..de9ca528a2 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch @@ -0,0 +1,59 @@ +openldap CVE-2015-3276 + +the patch comes from: +https://bugzilla.redhat.com/show_bug.cgi?id=1238322 +https://bugzilla.redhat.com/attachment.cgi?id=1055640 + +The nss_parse_ciphers function in libraries/libldap/tls_m.c in +OpenLDAP does not properly parse OpenSSL-style multi-keyword mode +cipher strings, which might cause a weaker than intended cipher to +be used and allow remote attackers to have unspecified impact via +unknown vectors. + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + libraries/libldap/tls_m.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 9b101f9..e6f3051 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + */ + if (mask || strength || protocol) { + for (i=0; i<ciphernum; i++) { +- if (((ciphers_def[i].attr & mask) || +- (ciphers_def[i].strength & strength) || +- (ciphers_def[i].version & protocol)) && +- (cipher_list[i] != -1)) { +- /* Enable the NULL ciphers only if explicity +- * requested */ +- if (ciphers_def[i].attr & SSL_eNULL) { +- if (mask & SSL_eNULL) +- cipher_list[i] = action; +- } else ++ /* if more than one mask is provided ++ * then AND logic applies (to match openssl) ++ */ ++ if ( cipher_list[i] == -1) ) ++ continue; ++ if ( mask && ! (ciphers_def[i].attr & mask) ) ++ continue; ++ if ( strength && ! (ciphers_def[i].strength & strength) ) ++ continue; ++ if ( protocol && ! (ciphers_def[i].version & protocol) ) ++ continue; ++ /* Enable the NULL ciphers only if explicity requested */ ++ if (ciphers_def[i].attr & SSL_eNULL) { ++ if (mask & SSL_eNULL) + cipher_list[i] = action; +- } ++ } else ++ cipher_list[i] = action; + } + } else { + for (i=0; i<ciphernum; i++) { +-- +1.7.9.5 + diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb index 48e9066f9f..41f753e987 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb @@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \ file://initscript \ file://slapd.service \ file://thread_stub.patch \ + file://openldap-CVE-2015-3276.patch \ " SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51" |