packages/openldap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!69 fix cve-2022-29155

Browse Source 
From: @compile_success 
Reviewed-by: @orange-snn, @seuzw 
Signed-off-by: @seuzw
This commit is contained in:
openeuler-ci-bot 2022-05-16 03:39:28 +00:00 committed by Gitee
commit 24f5da58aa
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 282 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

273
backport-fix-cve-2022-29155.patch Normal file
View File

@ -0,0 +1,273 @@
From 87df6c19915042430540931d199a39105544a134 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 23 Mar 2022 12:43:31 +0000
Subject: [PATCH] ITS#9815 slapd-sql: escape filter values
---
servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
1 file changed, 105 insertions(+), 18 deletions(-)
diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
index 2168a1553b..d4177f6292 100644
--- a/servers/slapd/back-sql/search.c
+++ b/servers/slapd/back-sql/search.c
@@ -63,6 +63,38 @@ static void send_paged_response(
ID *lastid );
#endif /* ! BACKSQL_ARBITRARY_KEY */
+/* Look for chars that need to be escaped, return count of them.
+ * If out is non-NULL, copy escape'd val to it.
+ */
+static int
+backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
+{
+ char *ptr, *end;
+ int q = 0;
+
+ ptr = in->bv_val;
+ end = ptr + in->bv_len;
+ while (ptr < end) {
+ if ( *ptr == '\'' )
+ q++;
+ ptr++;
+ }
+ if ( q && out ) {
+ char *dst;
+ out->bv_len = in->bv_len + q;
+ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
+ ptr = in->bv_val;
+ dst = out->bv_val;
+ while (ptr < end ) {
+ if ( *ptr == '\'' )
+ *dst++ = '\'';
+ *dst++ = *ptr++;
+ }
+ *dst = '\0';
+ }
+ return q;
+}
+
static int
backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
{
@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
int i;
int casefold = 0;
+ int escaped = 0;
+ struct berval escval, *fvalue;
if ( !f ) {
return 0;
@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
BER_BVZERO( &bv );
if ( f->f_sub_initial.bv_val ) {
- bv.bv_len += f->f_sub_initial.bv_len;
+ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
}
if ( f->f_sub_any != NULL ) {
for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
- bv.bv_len += f->f_sub_any[ a ].bv_len;
+ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
}
}
if ( f->f_sub_final.bv_val ) {
- bv.bv_len += f->f_sub_final.bv_len;
+ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
}
bv.bv_len = 2 * bv.bv_len - 1;
bv.bv_val = ch_malloc( bv.bv_len + 1 );
s = 0;
if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
+ fvalue = &f->f_sub_initial;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+ for ( i = 1; i < fvalue->bv_len; i++ ) {
bv.bv_val[ s + 2 * i - 1 ] = '%';
- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
}
bv.bv_val[ s + 2 * i - 1 ] = '%';
s += 2 * i;
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
}
if ( f->f_sub_any != NULL ) {
for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
+ fvalue = &f->f_sub_any[ a ];
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+ for ( i = 1; i < fvalue->bv_len; i++ ) {
bv.bv_val[ s + 2 * i - 1 ] = '%';
- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
}
bv.bv_val[ s + 2 * i - 1 ] = '%';
s += 2 * i;
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
}
}
if ( !BER_BVISNULL( &f->f_sub_final ) ) {
- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
+ fvalue = &f->f_sub_final;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+ for ( i = 1; i < fvalue->bv_len; i++ ) {
bv.bv_val[ s + 2 * i - 1 ] = '%';
- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
}
- bv.bv_val[ s + 2 * i - 1 ] = '%';
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
s += 2 * i;
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
}
bv.bv_val[ s - 1 ] = '\0';
@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
f->f_sub_initial.bv_val );
#endif /* BACKSQL_TRACE */
+ fvalue = &f->f_sub_initial;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
start = bsi->bsi_flt_where.bb_val.bv_len;
backsql_strfcat_x( &bsi->bsi_flt_where,
bsi->bsi_op->o_tmpmemctx,
"b",
- &f->f_sub_initial );
+ fvalue );
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
}
@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
i, f->f_sub_any[ i ].bv_val );
#endif /* BACKSQL_TRACE */
+ fvalue = &f->f_sub_any[ i ];
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
start = bsi->bsi_flt_where.bb_val.bv_len;
backsql_strfcat_x( &bsi->bsi_flt_where,
bsi->bsi_op->o_tmpmemctx,
"bc",
- &f->f_sub_any[ i ],
+ fvalue,
'%' );
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
/*
* Note: toupper('%') = '%'
@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
f->f_sub_final.bv_val );
#endif /* BACKSQL_TRACE */
+ fvalue = &f->f_sub_final;
+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+ if ( escaped )
+ fvalue = &escval;
start = bsi->bsi_flt_where.bb_val.bv_len;
backsql_strfcat_x( &bsi->bsi_flt_where,
bsi->bsi_op->o_tmpmemctx,
"b",
- &f->f_sub_final );
+ fvalue );
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
}
@@ -1182,6 +1252,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r
struct berval *filter_value = NULL;
MatchingRule *matching_rule = NULL;
struct berval ordering = BER_BVC("<=");
+ struct berval escval;
+ int escaped = 0;
Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
at->bam_ad->ad_cname.bv_val );
@@ -1236,6 +1308,10 @@ equality_match:;
casefold = 1;
}
+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+ if ( escaped )
+ filter_value = &escval;
+
/* FIXME: directoryString filtering should use a similar
* approach to deal with non-prettified values like
* " A non prettified value ", by using a LIKE
@@ -1316,6 +1392,10 @@ equality_match:;
casefold = 1;
}
+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+ if ( escaped )
+ filter_value = &escval;
+
/*
* FIXME: should we uppercase the operands?
*/
@@ -1349,7 +1429,7 @@ equality_match:;
&at->bam_sel_expr,
&ordering,
'\'',
- &f->f_av_value,
+ filter_value,
(ber_len_t)STRLENOF( /* (' */ "')" ),
/* ( */ "')" );
}
@@ -1373,13 +1453,17 @@ equality_match:;
case LDAP_FILTER_APPROX:
/* we do our best */
+ filter_value = &f->f_av_value;
+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+ if ( escaped )
+ filter_value = &escval;
/*
* maybe we should check type of at->sel_expr here somehow,
* to know whether upper_func is applicable, but for now
* upper_func stuff is made for Oracle, where UPPER is
* safely applicable to NUMBER etc.
*/
- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
+ (void)backsql_process_filter_like( bsi, at, 1, filter_value );
break;
default:
@@ -1393,6 +1477,9 @@ equality_match:;
}
+ if ( escaped )
+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+
Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
at->bam_ad->ad_cname.bv_val );
--
GitLab

10
openldap.spec
View File

@ -2,7 +2,7 @@
Name: openldap
Version: 2.6.0
Release: 2
Release: 3
Summary: LDAP support libraries
License: OpenLDAP
URL: https://www.openldap.org/
@ -25,6 +25,7 @@ Patch5: backport-openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-s
Patch7: backport-check-password-makefile.patch
Patch8: backport-check-password.patch
Patch9: add-ber_sockbuf_io_udp-to-liber.map.patch
Patch10: backport-fix-cve-2022-29155.patch
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -98,6 +99,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch5 -p1
%patch9 -p1
%patch10 -p1
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -379,6 +381,12 @@ popd
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%changelog
* Mon May 16 2022 zhujunhao <zhujunhao11@huawei.com> - 2.6.0-3
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:fix cve-2022-29155
* Tue Mar 22 2022 gaihuiying <eaglegai@163.com> - 2.6.0-2
- Type:bugfix
- ID:NA