!35 update libldb version to 2.6.1

From: @yangl777 Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2022-11-08 03:24:33 +00:00 · 2022-11-08 03:24:33 +00:00 · ae9c976d1a
commit ae9c976d1a
parent 16c72bba32 44271633af
10 changed files with 22 additions and 660 deletions
--- a/backport-001-CVE-2022-32746.patch
+++ b/backport-001-CVE-2022-32746.patch
@ -1,104 +0,0 @@
 From 0a3aa5f908e351201dc9c4d4807b09ed9eedff77 Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Mon, 21 Feb 2022 16:27:37 +1300
 Subject: [PATCH] CVE-2022-32746 ldb: Make use of functions for appending to an
 ldb_message
 This aims to minimise usage of the error-prone pattern of searching for
 a just-added message element in order to make modifications to it (and
 potentially finding the wrong element).
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 ---
 ldb_map/ldb_map.c                     |   5 +-
 ldb_map/ldb_map_inbound.c             |   9 +-
 modules/rdn_name.c                    |  22 +---
 3 files changed, 28 insertions(+), 8 deletions(-)
 diff --git a/ldb_map/ldb_map.c b/ldb_map/ldb_map.c
 index b453dff80d25..c7b0c2286311 100644
 --- a/ldb_map/ldb_map.c
 +++ b/ldb_map/ldb_map.c
@@ -946,10 +946,7 @@ struct ldb_request *map_build_fixup_req(struct map_context *ac,
 	if ( ! dn || ! ldb_dn_validate(msg->dn)) {
 		goto failed;
 	}
 -	if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
 -		goto failed;
 -	}
 -	if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) {
 +	if (ldb_msg_append_string(msg, IS_MAPPED, dn, LDB_FLAG_MOD_REPLACE) != 0) {
 		goto failed;
 	}
 diff --git a/ldb_map/ldb_map_inbound.c b/ldb_map/ldb_map_inbound.c
 index 324295737da1..50b9427c26c5 100644
 --- a/ldb_map/ldb_map_inbound.c
 +++ b/ldb_map/ldb_map_inbound.c
@@ -569,12 +569,9 @@ static int map_modify_do_local(struct map_context *ac)
 		/* No local record present, add it instead */
 		/* Add local 'IS_MAPPED' */
 		/* TODO: use GUIDs here instead */
 -		if (ldb_msg_add_empty(ac->local_msg, IS_MAPPED,
 -					LDB_FLAG_MOD_ADD, NULL) != 0) {
 -			return LDB_ERR_OPERATIONS_ERROR;
 -		}
 -		ret = ldb_msg_add_linearized_dn(ac->local_msg, IS_MAPPED,
 -						ac->remote_req->op.mod.message->dn);
 +		ret = ldb_msg_append_linearized_dn(ac->local_msg, IS_MAPPED,
 +						   ac->remote_req->op.mod.message->dn,
 +						   LDB_FLAG_MOD_ADD);
 		if (ret != 0) {
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 diff --git a/modules/rdn_name.c b/modules/rdn_name.c
 index 25cffe07591a..3cb62bf567bd 100644
 --- a/modules/rdn_name.c
 +++ b/modules/rdn_name.c
@@ -308,16 +308,10 @@ static int rdn_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
 	}
 	rdn_val = ldb_val_dup(msg, rdn_val_p);
 -	if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
 +	if (ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
 		goto error;
 	}
 -	if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) {
 -		goto error;
 -	}
 -	if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
 -		goto error;
 -	}
 -	if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) {
 +	if (ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
 		goto error;
 	}
@@ -466,11 +460,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
 		if (ret != 0) {
 			return ldb_module_oom(module);
 		}
 -		ret = ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_ADD, NULL);
 -		if (ret != 0) {
 -			return ldb_module_oom(module);
 -		}
 -		ret = ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL);
 +		ret = ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_ADD);
 		if (ret != 0) {
 			return ldb_module_oom(module);
 		}
@@ -479,11 +469,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
 		if (ret != 0) {
 			return ldb_module_oom(module);
 		}
 -		ret = ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_ADD, NULL);
 -		if (ret != 0) {
 -			return ldb_module_oom(module);
 -		}
 -		ret = ldb_msg_add_value(msg, "name", &rdn_val, NULL);
 +		ret = ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_ADD);
 		if (ret != 0) {
 			return ldb_module_oom(module);
 		}
--- a/backport-002-CVE-2022-32746.patch
+++ b/backport-002-CVE-2022-32746.patch
@ -1,28 +0,0 @@
 From 41b1fe6d4ae1f547b2f1a0ef8d1aee284b4ef93b Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Wed, 16 Feb 2022 12:43:52 +1300
 Subject: [PATCH] CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for
 flags equality check
 Now unrelated flags will no longer affect the result.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 ---
 lib/ldb/modules/rdn_name.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/modules/rdn_name.c b/modules/rdn_name.c
 index e69ad9315aec..25cffe07591a 100644
 --- a/modules/rdn_name.c
 +++ b/modules/rdn_name.c
@@ -545,7 +545,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
 	if (e != NULL) {
 		ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead",
 				       ldb_dn_get_linearized(req->op.mod.message->dn));
 -		if (e->flags == LDB_FLAG_MOD_REPLACE) {
 +		if (LDB_FLAG_MOD_TYPE(e->flags) == LDB_FLAG_MOD_REPLACE) {
 			return LDB_ERR_CONSTRAINT_VIOLATION;
 		} else {
 			return LDB_ERR_UNWILLING_TO_PERFORM;
--- a/backport-003-CVE-2022-32746.patch
+++ b/backport-003-CVE-2022-32746.patch
@ -1,112 +0,0 @@
 From 7efe8182c165fbf17d2f88c173527a7a554e214b Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Mon, 21 Feb 2022 16:10:32 +1300
 Subject: [PATCH] CVE-2022-32746 ldb: Add flag to mark message element values
 as shared
 When making a shallow copy of an ldb message, mark the message elements
 of the copy as sharing their values with the message elements in the
 original message.
 This flag value will be heeded in the next commit.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 ---
 common/ldb_msg.c     | 43 +++++++++++++++++++++++++++++++-----
 include/ldb_module.h |  6 +++++
 2 files changed, 43 insertions(+), 6 deletions(-)
 diff --git a/common/ldb_msg.c b/common/ldb_msg.c
 index 57dfc5a04c2b..2a9ce384bb98 100644
 --- a/common/ldb_msg.c
 +++ b/common/ldb_msg.c
@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
 		       ldb_msg_element_compare_name);
 }
 -/*
 -  shallow copy a message - copying only the elements array so that the caller
 -  can safely add new elements without changing the message
 -*/
 -struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
 +static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
 					 const struct ldb_message *msg)
 {
 	struct ldb_message *msg2;
@@ -863,6 +859,35 @@ struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
 	return NULL;
 }
 +/*
 +  shallow copy a message - copying only the elements array so that the caller
 +  can safely add new elements without changing the message
 +*/
 +struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
 +					 const struct ldb_message *msg)
 +{
 +	struct ldb_message *msg2;
 +	unsigned int i;
 +
 +	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
 +	if (msg2 == NULL) {
 +		return NULL;
 +	}
 +
 +	for (i = 0; i < msg2->num_elements; ++i) {
 +		/*
 +		 * Mark this message's elements as sharing their values with the
 +		 * original message, so that we don't inadvertently modify or
 +		 * free them. We don't mark the original message element as
 +		 * shared, so the original message element should not be
 +		 * modified or freed while the shallow copy lives.
 +		 */
 +		struct ldb_message_element *el = &msg2->elements[i];
 +		el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
 +	}
 +
 +        return msg2;
 +}
 /*
   copy a message, allocating new memory for all parts
@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 	struct ldb_message *msg2;
 	unsigned int i, j;
 -	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
 +	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
 	if (msg2 == NULL) return NULL;
 	if (msg2->dn != NULL) {
@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 				goto failed;
 			}
 		}
 +
 +                /*
 +                 * Since we copied this element's values, we can mark them as
 +                 * not shared.
 +		 */
 +		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
 	}
 	return msg2;
 diff --git a/include/ldb_module.h b/include/ldb_module.h
 index 8c1e5ee7936c..4c7c85a17f00 100644
 --- a/include/ldb_module.h
 +++ b/include/ldb_module.h
@@ -96,6 +96,12 @@ struct ldb_module;
  */
 #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100
 +/*
 + * indicates that this element's values are shared with another element (for
 + * example, in a shallow copy of an ldb_message) and should not be freed
 + */
 +#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
 +
 /* an extended match rule that always fails to match */
 #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"
--- a/backport-004-CVE-2022-32746.patch
+++ b/backport-004-CVE-2022-32746.patch
@ -1,121 +0,0 @@
 From a2bb5beee82fd9c4c29decc07024057febeaf1b5 Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Wed, 16 Feb 2022 12:35:13 +1300
 Subject: [PATCH] CVE-2022-32746 ldb: Ensure shallow copy modifications do not
 affect original message
 Using the newly added ldb flag, we can now detect when a message has
 been shallow-copied so that its elements share their values with the
 original message elements. Then when adding values to the copied
 message, we now make a copy of the shared values array first.
 This should prevent a use-after-free that occurred in LDB modules when
 new values were added to a shallow copy of a message by calling
 talloc_realloc() on the original values array, invalidating the 'values'
 pointer in the original message element. The original values pointer can
 later be used in the database audit logging module which logs database
 requests, and potentially cause a crash.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 ---
 common/ldb_msg.c   | 52 ++++++++++++++++++++++++++++++++------
 include/ldb.h      |  6 +++++
 2 files changed, 56 insertions(+), 22 deletions(-)
 diff --git a/common/ldb_msg.c b/common/ldb_msg.c
 index 2a9ce384bb98..44d3b29e9a72 100644
 --- a/common/ldb_msg.c
 +++ b/common/ldb_msg.c
@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg,
 	return LDB_SUCCESS;
 }
 +/*
 + * add a value to a message element
 + */
 +int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
 +			      struct ldb_message_element *el,
 +			      const struct ldb_val *val)
 +{
 +	struct ldb_val *vals;
 +
 +	if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
 +		/*
 +		 * Another message is using this message element's values array,
 +		 * so we don't want to make any modifications to the original
 +		 * message, or potentially invalidate its own values by calling
 +		 * talloc_realloc(). Make a copy instead.
 +		 */
 +		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
 +
 +		vals = talloc_array(mem_ctx, struct ldb_val,
 +				    el->num_values + 1);
 +		if (vals == NULL) {
 +			return LDB_ERR_OPERATIONS_ERROR;
 +		}
 +
 +		if (el->values != NULL) {
 +			memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val));
 +		}
 +	} else {
 +		vals = talloc_realloc(mem_ctx, el->values, struct ldb_val,
 +				      el->num_values + 1);
 +		if (vals == NULL) {
 +			return LDB_ERR_OPERATIONS_ERROR;
 +		}
 +	}
 +	el->values = vals;
 +	el->values[el->num_values] = *val;
 +	el->num_values++;
 +
 +	return LDB_SUCCESS;
 +}
 +
 /*
   add a value to a message
 */
@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg,
 		      struct ldb_message_element **return_el)
 {
 	struct ldb_message_element *el;
 -	struct ldb_val *vals;
 	int ret;
 	el = ldb_msg_find_element(msg, attr_name);
@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg,
 		}
 	}
 -	vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
 -			      el->num_values+1);
 -	if (!vals) {
 -		return LDB_ERR_OPERATIONS_ERROR;
 +	ret = ldb_msg_element_add_value(msg->elements, el, val);
 +	if (ret != LDB_SUCCESS) {
 +		return ret;
 	}
 -	el->values = vals;
 -	el->values[el->num_values] = *val;
 -	el->num_values++;
 	if (return_el) {
 		*return_el = el;
 diff --git a/include/ldb.h b/include/ldb.h
 index bc44157eaf47..129beefeaf56 100644
 --- a/include/ldb.h
 +++ b/include/ldb.h
@@ -1981,6 +1981,12 @@ int ldb_msg_add_empty(struct ldb_message *msg,
 		int flags,
 		struct ldb_message_element **return_el);
 +/**
 +   add a value to a message element
 +*/
 +int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
 +			      struct ldb_message_element *el,
 +			      const struct ldb_val *val);
 /**
    add a element to a ldb_message
 */
--- a/backport-005-CVE-2022-32746.patch
+++ b/backport-005-CVE-2022-32746.patch
@ -1,274 +0,0 @@
 From df487eb2d713e817660dd3b56bb26ba715fadfea Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Wed, 16 Feb 2022 16:30:03 +1300
 Subject: [PATCH] CVE-2022-32746 ldb: Add functions for appending to an
 ldb_message
 Currently, there are many places where we use ldb_msg_add_empty() to add
 an empty element to a message, and then call ldb_msg_add_value() or
 similar to add values to that element. However, this performs an
 unnecessary search of the message's elements to locate the new element.
 Moreover, if an element with the same attribute name already exists
 earlier in the message, the values will be added to that element,
 instead of to the intended newly added element.
 A similar pattern exists where we add values to a message, and then call
 ldb_msg_find_element() to locate that message element and sets its flags
 to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
 search, and may locate the wrong message element for setting the flags.
 To avoid these problems, add functions for appending a value to a
 message, so that a particular value can be added to the end of a message
 in a single operation.
 For ADD requests, it is important that no two message elements share the
 same attribute name, otherwise things will break. (Normally,
 ldb_msg_normalize() is called before processing the request to help
 ensure this.) Thus, we must be careful not to append an attribute to an
 ADD message, unless we are sure (e.g. through ldb_msg_find_element())
 that an existing element for that attribute is not present.
 These functions will be used in the next commit.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 ---
 common/ldb_msg.c | 165 ++++++++++++++++++++++++++++++++++++++-
 include/ldb.h    |  24 ++++++
 2 files changed, 185 insertions(+), 4 deletions(-)
 diff --git a/common/ldb_msg.c b/common/ldb_msg.c
 index 44d3b29e9a7..9cd7998e21c 100644
 --- a/common/ldb_msg.c
 +++ b/common/ldb_msg.c
@@ -509,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
 /*
 -  add a string element to a message
 +  add a string element to a message, specifying flags
 */
 -int ldb_msg_add_string(struct ldb_message *msg,
 -		       const char *attr_name, const char *str)
 +int ldb_msg_add_string_flags(struct ldb_message *msg,
 +			     const char *attr_name, const char *str,
 +			     int flags)
 {
 	struct ldb_val val;
 +	int ret;
 +	struct ldb_message_element *el = NULL;
 	val.data = discard_const_p(uint8_t, str);
 	val.length = strlen(str);
@@ -524,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg,
 		return LDB_SUCCESS;
 	}
 -	return ldb_msg_add_value(msg, attr_name, &val, NULL);
 +	ret = ldb_msg_add_value(msg, attr_name, &val, &el);
 +	if (ret != LDB_SUCCESS) {
 +		return ret;
 +	}
 +
 +	if (flags != 0) {
 +		el->flags = flags;
 +	}
 +
 +	return LDB_SUCCESS;
 +}
 +
 +/*
 +  add a string element to a message
 +*/
 +int ldb_msg_add_string(struct ldb_message *msg,
 +		       const char *attr_name, const char *str)
 +{
 +	return ldb_msg_add_string_flags(msg, attr_name, str, 0);
 }
 /*
@@ -586,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg,
 	return ldb_msg_add_steal_value(msg, attr_name, &val);
 }
 +static int ldb_msg_append_value_impl(struct ldb_message *msg,
 +				     const char *attr_name,
 +				     const struct ldb_val *val,
 +				     int flags,
 +				     struct ldb_message_element **return_el)
 +{
 +	struct ldb_message_element *el = NULL;
 +	int ret;
 +
 +	ret = ldb_msg_add_empty(msg, attr_name, flags, &el);
 +	if (ret != LDB_SUCCESS) {
 +		return ret;
 +	}
 +
 +	ret = ldb_msg_element_add_value(msg->elements, el, val);
 +	if (ret != LDB_SUCCESS) {
 +		return ret;
 +	}
 +
 +	if (return_el != NULL) {
 +		*return_el = el;
 +	}
 +
 +	return LDB_SUCCESS;
 +}
 +
 +/*
 +  append a value to a message
 +*/
 +int ldb_msg_append_value(struct ldb_message *msg,
 +			 const char *attr_name,
 +			 const struct ldb_val *val,
 +			 int flags)
 +{
 +	return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL);
 +}
 +
 +/*
 +  append a value to a message, stealing it into the 'right' place
 +*/
 +int ldb_msg_append_steal_value(struct ldb_message *msg,
 +			       const char *attr_name,
 +			       struct ldb_val *val,
 +			       int flags)
 +{
 +	int ret;
 +	struct ldb_message_element *el = NULL;
 +
 +	ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el);
 +	if (ret == LDB_SUCCESS) {
 +		talloc_steal(el->values, val->data);
 +	}
 +	return ret;
 +}
 +
 +/*
 +  append a string element to a message, stealing it into the 'right' place
 +*/
 +int ldb_msg_append_steal_string(struct ldb_message *msg,
 +				const char *attr_name, char *str,
 +				int flags)
 +{
 +	struct ldb_val val;
 +
 +	val.data = (uint8_t *)str;
 +	val.length = strlen(str);
 +
 +	if (val.length == 0) {
 +		/* allow empty strings as non-existent attributes */
 +		return LDB_SUCCESS;
 +	}
 +
 +	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
 +}
 +
 +/*
 +  append a string element to a message
 +*/
 +int ldb_msg_append_string(struct ldb_message *msg,
 +			  const char *attr_name, const char *str, int flags)
 +{
 +	struct ldb_val val;
 +
 +	val.data = discard_const_p(uint8_t, str);
 +	val.length = strlen(str);
 +
 +	if (val.length == 0) {
 +		/* allow empty strings as non-existent attributes */
 +		return LDB_SUCCESS;
 +	}
 +
 +	return ldb_msg_append_value(msg, attr_name, &val, flags);
 +}
 +
 +/*
 +  append a DN element to a message
 +  WARNING: this uses the linearized string from the dn, and does not
 +  copy the string.
 +*/
 +int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
 +				 struct ldb_dn *dn, int flags)
 +{
 +	char *str = ldb_dn_alloc_linearized(msg, dn);
 +
 +	if (str == NULL) {
 +		/* we don't want to have unknown DNs added */
 +		return LDB_ERR_OPERATIONS_ERROR;
 +	}
 +
 +	return ldb_msg_append_steal_string(msg, attr_name, str, flags);
 +}
 +
 +/*
 +  append a printf formatted element to a message
 +*/
 +int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
 +		       const char *attr_name, const char *fmt, ...)
 +{
 +	struct ldb_val val;
 +	va_list ap;
 +	char *str = NULL;
 +
 +	va_start(ap, fmt);
 +	str = talloc_vasprintf(msg, fmt, ap);
 +	va_end(ap);
 +
 +	if (str == NULL) {
 +		return LDB_ERR_OPERATIONS_ERROR;
 +	}
 +
 +	val.data   = (uint8_t *)str;
 +	val.length = strlen(str);
 +
 +	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
 +}
 +
 /*
   compare two ldb_message_element structures
   assumes case sensitive comparison
 diff --git a/include/ldb.h b/include/ldb.h
 index 129beefeaf5..63d8aedd672 100644
 --- a/include/ldb.h
 +++ b/include/ldb.h
@@ -2002,12 +2002,36 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
 		      struct ldb_val *val);
 int ldb_msg_add_steal_string(struct ldb_message *msg,
 			     const char *attr_name, char *str);
 +int ldb_msg_add_string_flags(struct ldb_message *msg,
 +			     const char *attr_name, const char *str,
 +			     int flags);
 int ldb_msg_add_string(struct ldb_message *msg,
 		       const char *attr_name, const char *str);
 int ldb_msg_add_linearized_dn(struct ldb_message *msg, const char *attr_name,
 			      struct ldb_dn *dn);
 int ldb_msg_add_fmt(struct ldb_message *msg,
 		    const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
 +/**
 +   append a element to a ldb_message
 +*/
 +int ldb_msg_append_value(struct ldb_message *msg,
 +			 const char *attr_name,
 +			 const struct ldb_val *val,
 +			 int flags);
 +int ldb_msg_append_steal_value(struct ldb_message *msg,
 +			       const char *attr_name,
 +			       struct ldb_val *val,
 +			       int flags);
 +int ldb_msg_append_steal_string(struct ldb_message *msg,
 +				const char *attr_name, char *str,
 +				int flags);
 +int ldb_msg_append_string(struct ldb_message *msg,
 +			  const char *attr_name, const char *str,
 +			  int flags);
 +int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
 +				 struct ldb_dn *dn, int flags);
 +int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
 +		       const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(4,5);
 /**
    compare two message elements - return 0 on match
--- a/ldb-2.4.1.tar.asc
+++ b/ldb-2.4.1.tar.asc
@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmF5NesACgkQR5ORYRMI
 QCW4Mwf9F08o0VWPyvCrYdqnpOT6D5HFsrJwwuisMptoflDLfH4a+MRBPlcRBhMT
 Ss6DSFb36bmjcNlSJeLdHtqp9LxaoQA4xOw4mWhxnrzQimrIass1h24FOwv5RpCu
 EXmNCbRwp22e/e8ntFeKd7wiYBcoOHqM39jMjGbfhksbglemhMpyL92zjyzuHXPD
 QeHibpPIZYlCy89LHQgHcUyyLzYN06lRQ5MKKojrerQ7LlsyvGM+EHS0X81683CM
 lW2CkQKjFCKRS6tjXCEX1NEj3Xw4gltI3MiaH96ZnecftlINp8vIloqi1NkOK7hl
 QylusnpzRqOXL2hr514wJr9F21Mslg==
 =RW3H
 -----END PGP SIGNATURE-----
--- a/ldb-2.4.1.tar.gz
+++ b/ldb-2.4.1.tar.gz
--- a/ldb-2.6.1.tar.asc
+++ b/ldb-2.6.1.tar.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmLhN68ACgkQR5ORYRMI
 QCWqKAgAswqnQft1oEc4c2DIJIF9jcXfLeOz4czUndBu5st6h3KVqZDCWjUAdPdX
 BrYV+6cLTtDSjH0nQocnvtwm3AbVPxwukBglVtEuq0DU4fk8DptzRJvyLy2vU5VP
 sKQQ+uwgYSWnKeds0PjPNMxpompeurDbQ1n4XgW4BzRQpK4Gvg6ZXBGg+q5nKht2
 +PfQTVuaPi4O6gUWfxDbLBBPNDf97gz21Sa8pS1K3sspcPQJzMNumXs/d9LBhU1G
 BaDanganpN1Ru724J18jvZ8NEogldHuSk29DljreHiiWY2hEVlp5rZDTgrlYOP50
 b9kfHAnpBcHhQZlLf2/hponIccDo6A==
 =ccfS
 -----END PGP SIGNATURE-----
--- a/ldb-2.6.1.tar.gz
+++ b/ldb-2.6.1.tar.gz
--- a/libldb.spec
+++ b/libldb.spec
@ -1,12 +1,12 @@
 %global with_lmdb 1
 %global with_python3 1
-%global talloc_version 2.3.3
+%global talloc_version 2.3.4
-%global tdb_version 1.4.4
+%global tdb_version 1.4.7
-%global tevent_version 0.11.0
+%global tevent_version 0.13.0
 Name:          libldb
-Version:       2.4.1
+Version:       2.6.1
-Release:       2
+Release:       1
 Summary:       A schema-less, ldap like, API and database
 Requires:      libtalloc%{?_isa} >= %{talloc_version}
 Requires:      libtdb%{?_isa} >= %{tdb_version}
@ -17,11 +17,6 @@ Source0:       http://samba.org/ftp/ldb/ldb-%{version}.tar.gz
 Source1:       http://samba.org/ftp/ldb/ldb-%{version}.tar.asc
 Patch0:        backport-Skip-ldb_lmdb_free_list_test-on-ppc64el-ppc64-and-sp.patch
 Patch1:        backport-001-CVE-2022-32746.patch
 Patch2:        backport-002-CVE-2022-32746.patch
 Patch3:        backport-003-CVE-2022-32746.patch
 Patch4:        backport-004-CVE-2022-32746.patch
 Patch5:        backport-005-CVE-2022-32746.patch
 BuildRequires: gcc libtalloc-devel >= %{talloc_version} libtdb-devel >= %{tdb_version}
 BuildRequires: libtevent-devel >= %{tevent_version} lmdb-devel >= 0.9.16 popt-devel
@ -175,6 +170,12 @@ echo "%{_libdir}/ldb" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{_mandir}/man1/ldbsearch.1.*
 %changelog
 * Fri Nov 04 2022 yanglu <yanglu72@h-partners.com> - 2.6.1-1
 - Type:requirement
 - ID:NA
 - SUG:NA
 - DESC:update libldb version to 2.6.1
 * Mon Aug 01 2022 gaihuiying <eaglegai@163.com> - 2.4.1-2
 - Type:CVE
 - ID:CVE-2022-32746