packages/openldap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add make check

Browse Source
This commit is contained in:
orange-snn 2020-02-21 17:48:15 +08:00
parent 6043d9b1c4
commit 8e0d5d6fda
3 changed files with 108 additions and 374 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
0001-openldap-bugfix-make-test.patch Normal file
View File

@ -0,0 +1,95 @@
From c88b4c85db310ecd0f2f5bb02478cc56f5590d53 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Wed, 3 Oct 2018 20:28:54 +0000
Subject: [PATCH] Update test044 to catch ITS#8923
DTS/AR:
reason:
---
openldap-2.4.46/tests/scripts/test044-dynlist | 30 +++++++++++++++++++++++++++
openldap-2.4.46/tests/scripts/defines.sh | 1 +
openldap-2.4.46/tests/scripts/test044-dynlist | 8 ++++----
3 file changed, 35 insertions(+), 4 deletions(-)
diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
index 07b65c5..4c6390e 100755
--- a/tests/scripts/test044-dynlist
+++ b/tests/scripts/test044-dynlist
@@ -468,6 +468,36 @@ case $RC in
esac
echo "" >> $SEARCHOUT
+CMPDN="$BADBJORNSDN"
+echo "Testing list compare (should return FALSE)..."
+echo "# Testing list compare... (should return FALSE)" >> $SEARCHOUT
+$LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
+ "cn=Dynamic List of Members,$LISTDN" "member:$CMPDN" \
+ >> $SEARCHOUT 2>&1
+RC=$?
+case $RC in
+5)
+ echo "ldapcompare returned FALSE ($RC)"
+ ;;
+6)
+ echo "ldapcompare returned TRUE ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ ;;
+0)
+ echo "ldapcompare returned success ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit -1
+ ;;
+*)
+ echo "ldapcompare failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ ;;
+esac
+echo "" >> $SEARCHOUT
+
+
CMPDN="$BJORNSDN"
echo "Testing list compare (should return FALSE)..."
echo "# Testing list compare (should return FALSE)..." >> $SEARCHOUT
diff --git a/openldap-2.4.46/tests/scripts/defines.sh b/openldap-2.4.46/tests/scripts/defines.sh
index 97cf08f..7d62023 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -261,6 +261,7 @@ UPDATEDN="cn=Replica,$BASEDN"
PASSWD=secret
BABSDN="cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People,$BASEDN"
BJORNSDN="cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,$BASEDN"
+BADBJORNSDN="cn=Bjorn JensenNotReally,ou=Information Technology DivisioN,ou=People,$BASEDN"
JAJDN="cn=James A Jones 1,ou=Alumni Association,ou=People,$BASEDN"
JOHNDDN="cn=John Doe,ou=Information Technology Division,ou=People,$BASEDN"
MELLIOTDN="cn=Mark Elliot,ou=Alumni Association,ou=People,$BASEDN"
diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
index 4c6390e..8ace1a8 100755
--- a/tests/scripts/test044-dynlist
+++ b/tests/scripts/test044-dynlist
@@ -448,13 +448,13 @@ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
RC=$?
case $RC in
5)
- echo "ldapcompare returned FALSE ($RC)"
- ;;
-6)
- echo "ldapcompare returned TRUE ($RC)!"
+ echo "ldapcompare returned FALSE ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
;;
+6)
+ echo "ldapcompare returned TRUE ($RC)"
+ ;;
0)
echo "ldapcompare returned success ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
--
1.8.3.1

372
CVE-2017-17740.patch
View File

@ -1,372 +0,0 @@
From ce896d538052d20f56f440d1a23fd99da950ed07 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Wed, 19 Dec 2018 12:34:13 +0000
Subject: [PATCH 1/2] Fix segfault in nops when used with membersof overlay
Allow problematic variables to be defined on heap so modifications
to modlist can happen in other overlay modules
Signed-off-by: Noel Power <noel.power@suse.com>
---
servers/slapd/overlays/memberof.c | 64 +++++++++++++++++++++++++--------------
1 file changed, 41 insertions(+), 23 deletions(-)
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
index 40ad6e2..358d5f9 100644
--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
@@ -355,10 +355,13 @@ memberof_value_modify(
unsigned long opid = op->o_opid;
SlapReply rs2 = { REP_RESULT };
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
- Modifications mod[ 2 ] = { { { 0 } } }, *ml;
- struct berval values[ 4 ], nvalues[ 4 ];
+ Modifications *mod[2] = {NULL, NULL};
+ Modifications *ml = NULL;
int mcnt = 0;
+ mod[0] = (Modifications*)ch_calloc( sizeof(Modifications), 1 );
+ mod[1] = (Modifications*)ch_calloc( sizeof(Modifications), 1 );
+
op2.o_tag = LDAP_REQ_MODIFY;
op2.o_req_dn = *ndn;
@@ -375,13 +378,17 @@ memberof_value_modify(
op2.o_dont_replicate = 1;
if ( !BER_BVISNULL( &mo->mo_ndn ) ) {
- ml = &mod[ mcnt ];
+ ml = mod[ mcnt ];
ml->sml_numvals = 1;
- ml->sml_values = &values[ 0 ];
- ml->sml_values[ 0 ] = mo->mo_dn;
+ ml->sml_values =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ ber_dupbv(&ml->sml_values[ 0 ], &mo->mo_ndn);
BER_BVZERO( &ml->sml_values[ 1 ] );
- ml->sml_nvalues = &nvalues[ 0 ];
- ml->sml_nvalues[ 0 ] = mo->mo_ndn;
+ ml->sml_nvalues =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ ber_dupbv(&ml->sml_nvalues[ 0 ], &mo->mo_ndn);
BER_BVZERO( &ml->sml_nvalues[ 1 ] );
ml->sml_desc = slap_schema.si_ad_modifiersName;
ml->sml_type = ml->sml_desc->ad_cname;
@@ -393,11 +400,17 @@ memberof_value_modify(
mcnt++;
}
- ml = &mod[ mcnt ];
+ ml = mod[ mcnt ];
ml->sml_numvals = 1;
- ml->sml_values = &values[ 2 ];
+ ml->sml_values =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ BER_BVZERO( &ml->sml_values[ 0 ] );
BER_BVZERO( &ml->sml_values[ 1 ] );
- ml->sml_nvalues = &nvalues[ 2 ];
+ ml->sml_nvalues =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ BER_BVZERO( &ml->sml_nvalues[ 0 ] );
BER_BVZERO( &ml->sml_nvalues[ 1 ] );
ml->sml_desc = ad;
ml->sml_type = ml->sml_desc->ad_cname;
@@ -412,11 +425,13 @@ memberof_value_modify(
assert( !BER_BVISNULL( new_dn ) );
assert( !BER_BVISNULL( new_ndn ) );
- ml = &mod[ mcnt ];
+ ml = mod[ mcnt ];
ml->sml_op = LDAP_MOD_ADD;
- ml->sml_values[ 0 ] = *new_dn;
- ml->sml_nvalues[ 0 ] = *new_ndn;
+ ber_memfree(ml->sml_values[ 0 ].bv_val);
+ ber_memfree(ml->sml_nvalues[ 0 ].bv_val);
+ ber_dupbv(&ml->sml_values[ 0 ], new_dn);
+ ber_dupbv(&ml->sml_nvalues[ 0 ], new_dn);
oex.oe_key = (void *)&memberof;
LDAP_SLIST_INSERT_HEAD(&op2.o_extra, &oex, oe_next);
@@ -433,18 +448,18 @@ memberof_value_modify(
op->o_log_prefix, buf, 0 );
}
- assert( op2.orm_modlist == &mod[ mcnt ] );
- assert( mcnt == 0 || op2.orm_modlist->sml_next == &mod[ 0 ] );
+ assert( op2.orm_modlist == mod[ mcnt ] );
+ assert( mcnt == 0 || op2.orm_modlist->sml_next == mod[ 0 ] );
ml = op2.orm_modlist->sml_next;
if ( mcnt == 1 ) {
- assert( ml == &mod[ 0 ] );
+ assert( ml == mod[ 0 ] );
ml = ml->sml_next;
}
if ( ml != NULL ) {
slap_mods_free( ml, 1 );
}
- mod[ 0 ].sml_next = NULL;
+ mod[ 0 ]->sml_next = NULL;
}
if ( old_ndn != NULL ) {
@@ -454,11 +469,13 @@ memberof_value_modify(
assert( !BER_BVISNULL( old_dn ) );
assert( !BER_BVISNULL( old_ndn ) );
- ml = &mod[ mcnt ];
+ ml = mod[ mcnt ];
ml->sml_op = LDAP_MOD_DELETE;
-
- ml->sml_values[ 0 ] = *old_dn;
- ml->sml_nvalues[ 0 ] = *old_ndn;
+
+ ber_memfree(ml->sml_values[ 0 ].bv_val);
+ ber_memfree(ml->sml_nvalues[ 0 ].bv_val);
+ ber_dupbv(&ml->sml_values[ 0 ], old_dn);
+ ber_dupbv(&ml->sml_nvalues[ 0 ], old_dn);
oex.oe_key = (void *)&memberof;
LDAP_SLIST_INSERT_HEAD(&op2.o_extra, &oex, oe_next);
@@ -475,10 +492,10 @@ memberof_value_modify(
op->o_log_prefix, buf, 0 );
}
- assert( op2.orm_modlist == &mod[ mcnt ] );
+ assert( op2.orm_modlist == mod[ mcnt ] );
ml = op2.orm_modlist->sml_next;
if ( mcnt == 1 ) {
- assert( ml == &mod[ 0 ] );
+ assert( ml == mod[ 0 ] );
ml = ml->sml_next;
}
if ( ml != NULL ) {
@@ -488,6 +505,7 @@ memberof_value_modify(
/* restore original opid */
op->o_opid = opid;
+ slap_mods_free( op2.orm_modlist, 1 );
/* FIXME: if old_group_ndn doesn't exist, both delete __and__
* add will fail; better split in two operations, although
* not optimal in terms of performance. At least it would
--
2.16.4
From 6bd3ce920e750c21cedf4a118027043d37056950 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Wed, 19 Dec 2018 15:51:37 +0000
Subject: [PATCH 2/2] Remove asserts to allow nops to process.
The asserts present seem to:
a) ensure that only additions can happen to the modlist
b) that we only delete Modifications that have been added
These asserts are bound to the assumption that no other overlay
will delete Modifications from the modlist and additionally are
there to protect illegal deletion of Modifications allocated on
the stack. These changes allow Modifications to be deleted via
other overlay modules that could be called. Additionally since
now the modlist elements are allocated on the heap we can delete
them freely now.
Signed-off-by: Noel Power <noel.power@suse.com>
---
servers/slapd/overlays/memberof.c | 129 +++++++++++++++++---------------------
1 file changed, 57 insertions(+), 72 deletions(-)
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
index 358d5f9..d49f2d3 100644
--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
@@ -334,6 +334,55 @@ memberof_isGroupOrMember( Operation *op, memberof_cbinfo_t *mci )
return LDAP_SUCCESS;
}
+static Modifications*
+memberof_value_modlist(
+ Operation *op2,
+ memberof_t *mo,
+ AttributeDescription *ad)
+{
+ Modifications *ml = NULL;
+ Modifications *result = NULL;
+ if ( !BER_BVISNULL( &mo->mo_ndn ) ) {
+ ml = (Modifications*)ch_calloc( sizeof(Modifications), 1 );
+ ml->sml_numvals = 1;
+ ml->sml_values =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ ber_dupbv(&ml->sml_values[ 0 ], &mo->mo_ndn);
+ BER_BVZERO( &ml->sml_values[ 1 ] );
+ ml->sml_nvalues =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ ber_dupbv(&ml->sml_nvalues[ 0 ], &mo->mo_ndn);
+ BER_BVZERO( &ml->sml_nvalues[ 1 ] );
+ ml->sml_desc = slap_schema.si_ad_modifiersName;
+ ml->sml_type = ml->sml_desc->ad_cname;
+ ml->sml_op = LDAP_MOD_REPLACE;
+ ml->sml_flags = SLAP_MOD_INTERNAL;
+ ml->sml_next = result;
+ result = ml;
+ }
+
+ ml = (Modifications*)ch_calloc( sizeof(Modifications), 1 );
+ ml->sml_numvals = 1;
+ ml->sml_values =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ BER_BVZERO( &ml->sml_values[ 0 ] );
+ BER_BVZERO( &ml->sml_values[ 1 ] );
+ ml->sml_nvalues =
+ (BerVarray)ch_malloc(
+ (ml->sml_numvals + 1) * sizeof( struct berval ));
+ BER_BVZERO( &ml->sml_nvalues[ 0 ] );
+ BER_BVZERO( &ml->sml_nvalues[ 1 ] );
+ ml->sml_desc = ad;
+ ml->sml_type = ml->sml_desc->ad_cname;
+ ml->sml_flags = SLAP_MOD_INTERNAL;
+ ml->sml_next = result;
+ result = ml;
+ return result;
+}
+
/*
* response callback that adds memberof values when a group is modified.
*/
@@ -355,12 +404,7 @@ memberof_value_modify(
unsigned long opid = op->o_opid;
SlapReply rs2 = { REP_RESULT };
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
- Modifications *mod[2] = {NULL, NULL};
Modifications *ml = NULL;
- int mcnt = 0;
-
- mod[0] = (Modifications*)ch_calloc( sizeof(Modifications), 1 );
- mod[1] = (Modifications*)ch_calloc( sizeof(Modifications), 1 );
op2.o_tag = LDAP_REQ_MODIFY;
@@ -377,47 +421,6 @@ memberof_value_modify(
op2.orm_no_opattrs = 1;
op2.o_dont_replicate = 1;
- if ( !BER_BVISNULL( &mo->mo_ndn ) ) {
- ml = mod[ mcnt ];
- ml->sml_numvals = 1;
- ml->sml_values =
- (BerVarray)ch_malloc(
- (ml->sml_numvals + 1) * sizeof( struct berval ));
- ber_dupbv(&ml->sml_values[ 0 ], &mo->mo_ndn);
- BER_BVZERO( &ml->sml_values[ 1 ] );
- ml->sml_nvalues =
- (BerVarray)ch_malloc(
- (ml->sml_numvals + 1) * sizeof( struct berval ));
- ber_dupbv(&ml->sml_nvalues[ 0 ], &mo->mo_ndn);
- BER_BVZERO( &ml->sml_nvalues[ 1 ] );
- ml->sml_desc = slap_schema.si_ad_modifiersName;
- ml->sml_type = ml->sml_desc->ad_cname;
- ml->sml_op = LDAP_MOD_REPLACE;
- ml->sml_flags = SLAP_MOD_INTERNAL;
- ml->sml_next = op2.orm_modlist;
- op2.orm_modlist = ml;
-
- mcnt++;
- }
-
- ml = mod[ mcnt ];
- ml->sml_numvals = 1;
- ml->sml_values =
- (BerVarray)ch_malloc(
- (ml->sml_numvals + 1) * sizeof( struct berval ));
- BER_BVZERO( &ml->sml_values[ 0 ] );
- BER_BVZERO( &ml->sml_values[ 1 ] );
- ml->sml_nvalues =
- (BerVarray)ch_malloc(
- (ml->sml_numvals + 1) * sizeof( struct berval ));
- BER_BVZERO( &ml->sml_nvalues[ 0 ] );
- BER_BVZERO( &ml->sml_nvalues[ 1 ] );
- ml->sml_desc = ad;
- ml->sml_type = ml->sml_desc->ad_cname;
- ml->sml_flags = SLAP_MOD_INTERNAL;
- ml->sml_next = op2.orm_modlist;
- op2.orm_modlist = ml;
-
if ( new_ndn != NULL ) {
BackendInfo *bi = op2.o_bd->bd_info;
OpExtra oex;
@@ -425,7 +428,9 @@ memberof_value_modify(
assert( !BER_BVISNULL( new_dn ) );
assert( !BER_BVISNULL( new_ndn ) );
- ml = mod[ mcnt ];
+ ml = memberof_value_modlist(&op2, mo, ad);
+ op2.orm_modlist = ml;
+
ml->sml_op = LDAP_MOD_ADD;
ber_memfree(ml->sml_values[ 0 ].bv_val);
@@ -447,19 +452,7 @@ memberof_value_modify(
Debug( LDAP_DEBUG_ANY, "%s: %s\n",
op->o_log_prefix, buf, 0 );
}
-
- assert( op2.orm_modlist == mod[ mcnt ] );
- assert( mcnt == 0 || op2.orm_modlist->sml_next == mod[ 0 ] );
- ml = op2.orm_modlist->sml_next;
- if ( mcnt == 1 ) {
- assert( ml == mod[ 0 ] );
- ml = ml->sml_next;
- }
- if ( ml != NULL ) {
- slap_mods_free( ml, 1 );
- }
-
- mod[ 0 ]->sml_next = NULL;
+ slap_mods_free( op2.orm_modlist, 1 );
}
if ( old_ndn != NULL ) {
@@ -469,7 +462,9 @@ memberof_value_modify(
assert( !BER_BVISNULL( old_dn ) );
assert( !BER_BVISNULL( old_ndn ) );
- ml = mod[ mcnt ];
+ ml = memberof_value_modlist(&op2, mo, ad);
+ op2.orm_modlist = ml;
+
ml->sml_op = LDAP_MOD_DELETE;
ber_memfree(ml->sml_values[ 0 ].bv_val);
@@ -491,21 +486,11 @@ memberof_value_modify(
Debug( LDAP_DEBUG_ANY, "%s: %s\n",
op->o_log_prefix, buf, 0 );
}
-
- assert( op2.orm_modlist == mod[ mcnt ] );
- ml = op2.orm_modlist->sml_next;
- if ( mcnt == 1 ) {
- assert( ml == mod[ 0 ] );
- ml = ml->sml_next;
- }
- if ( ml != NULL ) {
- slap_mods_free( ml, 1 );
- }
+ slap_mods_free( op2.orm_modlist, 1 );
}
/* restore original opid */
op->o_opid = opid;
- slap_mods_free( op2.orm_modlist, 1 );
/* FIXME: if old_group_ndn doesn't exist, both delete __and__
* add will fail; better split in two operations, although
* not optimal in terms of performance. At least it would
--
2.16.4

15
openldap.spec
View File

@ -2,7 +2,7 @@
Name: openldap
Version: 2.4.46
Release: 13
Release: 14
Summary: LDAP support libraries
License: OpenLDAP
URL: https://www.openldap.org/
@ -68,7 +68,7 @@ Patch6035: CVE-2019-13057-2.patch
Patch6036: CVE-2019-13057-3.patch
Patch6037: CVE-2019-13057-4.patch
Patch6038: CVE-2019-13565.patch
Patch6039: CVE-2017-17740.patch
Patch6039: 0001-openldap-bugfix-make-test.patch
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -182,6 +182,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch6036 -p1
%patch6037 -p1
%patch6038 -p1
%patch6039 -p1
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -407,6 +408,10 @@ fi
exit 0
%check
pushd openldap-%{version}
make check
popd
%files
%defattr(-,root,root)
@ -461,6 +466,12 @@ exit 0
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%changelog
* Fri Feb 21 2020 songnannan<songnannan2@huawei.com> - 2.4.46-14
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:bugfix about make check
* Sat Jan 11 2020 zhangrui<zhangrui182@huawei.com> - 2.4.46-13
- Type:cves
- ID:CVE-2017-17740