diff options
author | fan.xin <fan.xin@jp.fujitsu.com> | 2017-06-09 14:45:49 +0900 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2017-06-14 14:51:15 +0200 |
commit | 990b2ecf2c041d615ad0d07bd28a9ca77d0b2521 (patch) | |
tree | fb8164233bcc6c57917111fed959f4a414b51cf0 /meta-oe/recipes-support/openldap | |
parent | 69b4796d191af025771c4032bb3e3bce04b27986 (diff) | |
download | meta-openembedded-contrib-990b2ecf2c041d615ad0d07bd28a9ca77d0b2521.tar.gz |
openldap: Fix CVE-2017-9287
servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is
prone to a double free vulnerability. A user with access to
search the directory can crash slapd by issuing a search including the
Paged Results control with a page size of 0.
Patch reference:
http://www.openldap.org/its/?findid=8655
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/openldap')
-rw-r--r-- | meta-oe/recipes-support/openldap/openldap/openldap-CVE-2017-9287.patch | 30 | ||||
-rw-r--r-- | meta-oe/recipes-support/openldap/openldap_2.4.44.bb | 1 |
2 files changed, 31 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2017-9287.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2017-9287.patch new file mode 100644 index 0000000000..93e9243eed --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2017-9287.patch @@ -0,0 +1,30 @@ +From e0e65f309dc0eb5582387acf1b2c2b5b3955f6b6 Mon Sep 17 00:00:00 2001 +From: Ryan Tandy <ryan@nardis.ca> +Date: Wed, 17 May 2017 20:07:39 -0700 +Subject: [PATCH] Fix double free of search base with page size 0 + +CVE: CVE-2017-9287 +Upstream-Status: Submitted + +Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> +--- + servers/slapd/back-mdb/search.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c +index 009939d..d0db918 100644 +--- a/servers/slapd/back-mdb/search.c ++++ b/servers/slapd/back-mdb/search.c +@@ -1066,7 +1066,8 @@ notfound: + /* check size limit */ + if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) { + if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) { +- mdb_entry_return( op, e ); ++ if (e != base) ++ mdb_entry_return( op, e ); + e = NULL; + send_paged_response( op, rs, &lastid, tentries ); + goto done; +-- +2.1.4 + diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb index 4b7ed35977..2d3cfc0d03 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb @@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \ file://slapd.service \ file://thread_stub.patch \ file://openldap-CVE-2015-3276.patch \ + file://openldap-CVE-2017-9287.patch \ " SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51" |