!29 fix CVE-2020-36221CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230

From: @liuzy518 Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
2021-02-20 14:24:43 +08:00 · 2021-02-20 14:24:43 +08:00 · a0286c70f5
commit a0286c70f5
parent a1998ce72e e00ad07183
14 changed files with 522 additions and 1 deletions
--- a/CVE-2020-36221-1.patch
+++ b/CVE-2020-36221-1.patch
@ -0,0 +1,58 @@
+From 38ac838e4150c626bbfa0082b7e2cf3a2bb4df31 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 23 Nov 2020 17:14:00 +0000
+Subject: [PATCH] ITS#9404 fix serialNumberAndIssuerCheck
+
+Tighten validity checks
+---
+ servers/slapd/schema_init.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 834f54593..5b577607d 100644
+--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
+@@ -3193,7 +3193,7 @@ serialNumberAndIssuerCheck(
+ 
+ 	if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+ 
+-	if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+	if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ 		/* Parse old format */
+ 		is->bv_val = ber_bvchr( in, '$' );
+ 		if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
+@@ -3224,7 +3224,7 @@ serialNumberAndIssuerCheck(
+ 			HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
+ 		} have = HAVE_NONE;
+ 
+-		int numdquotes = 0;
+		int numdquotes = 0, gotquote;
+ 		struct berval x = *in;
+ 		struct berval ni;
+ 		x.bv_val++;
+@@ -3266,11 +3266,12 @@ serialNumberAndIssuerCheck(
+ 				is->bv_val = x.bv_val;
+ 				is->bv_len = 0;
+ 
+-				for ( ; is->bv_len < x.bv_len; ) {
+				for ( gotquote=0; is->bv_len < x.bv_len; ) {
+ 					if ( is->bv_val[is->bv_len] != '"' ) {
+ 						is->bv_len++;
+ 						continue;
+ 					}
+					gotquote = 1;
+ 					if ( is->bv_val[is->bv_len+1] == '"' ) {
+ 						/* double dquote */
+ 						numdquotes++;
+@@ -3279,6 +3280,8 @@ serialNumberAndIssuerCheck(
+ 					}
+ 					break;
+ 				}
+				if ( !gotquote ) return LDAP_INVALID_SYNTAX;
+
+ 				x.bv_val += is->bv_len + 1;
+ 				x.bv_len -= is->bv_len + 1;
+ 
+-- 
+GitLab
+
--- a/CVE-2020-36221-2.patch
+++ b/CVE-2020-36221-2.patch
@ -0,0 +1,25 @@
+From 58c1748e81c843c5b6e61648d2a4d1d82b47e842 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 14 Dec 2020 19:03:27 +0000
+Subject: [PATCH] ITS#9424 fix serialNumberAndIssuerSerialCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index d697fa108..e035c1a6a 100644
+--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
+@@ -4302,7 +4302,7 @@ serialNumberAndIssuerSerialCheck(
+ 	if ( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+ 
+ 	/* no old format */
+-	if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
+	if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
+ 
+ 	x.bv_val++;
+ 	x.bv_len -= 2;
+-- 
+GitLab
+
--- a/CVE-2020-36222-1.patch
+++ b/CVE-2020-36222-1.patch
@ -0,0 +1,33 @@
+From 02dfc32d658fadc25e4040f78e36592f6e1e1ca0 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 27 Nov 2020 14:48:26 +0000
+Subject: [PATCH] ITS#9406 fix debug msg
+
+---
+ servers/slapd/saslauthz.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 2e59eb559..982fe3120 100644
+--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
+@@ -488,6 +488,7 @@ authzPrettyNormal(
+ 
+ 	assert( val != NULL );
+ 	assert( !BER_BVISNULL( val ) );
+	BER_BVZERO( normalized );
+ 
+ 	/*
+ 	 * 2) dn[.{exact|children|subtree|onelevel}]:{*|<DN>}
+@@ -906,7 +907,7 @@ authzPretty(
+ 	rc = authzPrettyNormal( val, out, ctx, 0 );
+ 
+ 	Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
+-		out->bv_val, rc, 0 );
+		out->bv_val ? out->bv_val : "(null)" , rc, 0 );
+ 
+ 	return rc;
+ }
+-- 
+GitLab
+
--- a/CVE-2020-36222-2.patch
+++ b/CVE-2020-36222-2.patch
@ -0,0 +1,69 @@
+From 6ed057b5b728b50746c869bcc9c1f85d0bbbf6ed Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 27 Nov 2020 14:37:10 +0000
+Subject: [PATCH] ITS#9406, #9407 remove saslauthz asserts
+
+---
+ servers/slapd/saslauthz.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index e05f3f9cf..2e59eb559 100644
+--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
+@@ -180,14 +180,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ 	}
+ 
+ 	if ( !BER_BVISNULL( mech ) ) {
+-		assert( mech->bv_val == id->bv_val + 2 );
+		if ( mech->bv_val != id->bv_val + 2 )
+			return LDAP_PROTOCOL_ERROR;
+ 
+ 		AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
+ 		mech->bv_val -= 2;
+ 	}
+ 
+ 	if ( !BER_BVISNULL( realm ) ) {
+-		assert( realm->bv_val >= id->bv_val + 2 );
+		if ( realm->bv_val < id->bv_val + 2 )
+			return LDAP_PROTOCOL_ERROR;
+ 
+ 		AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
+ 		realm->bv_val -= 2;
+@@ -449,9 +451,12 @@ is_dn:		bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
+ 	}
+ 
+ 	/* Grab the searchbase */
+-	assert( ludp->lud_dn != NULL );
+-	ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+-	rc = dnValidate( NULL, &bv );
+	if ( ludp->lud_dn != NULL ) {
+		ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+		rc = dnValidate( NULL, &bv );
+	} else {
+		rc = LDAP_INVALID_SYNTAX;
+	}
+ 
+ done:
+ 	ldap_free_urldesc( ludp );
+@@ -813,7 +818,6 @@ is_dn:		bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ 	}
+ 
+ 	/* Grab the searchbase */
+-	assert( ludp->lud_dn != NULL );
+ 	if ( ludp->lud_dn ) {
+ 		struct berval	out = BER_BVNULL;
+ 
+@@ -831,6 +835,9 @@ is_dn:		bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ 		}
+ 
+ 		ludp->lud_dn = out.bv_val;
+	} else {
+		rc = LDAP_INVALID_SYNTAX;
+		goto done;
+ 	}
+ 
+ 	ludp->lud_port = 0;
+-- 
+GitLab
+
--- a/CVE-2020-36223.patch
+++ b/CVE-2020-36223.patch
@ -0,0 +1,28 @@
+From 21981053a1195ae1555e23df4d9ac68d34ede9dd Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 28 Nov 2020 15:54:17 +0000
+Subject: [PATCH] ITS#9408 fix vrfilter double-free
+
+---
+ servers/slapd/controls.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
+index 345531940..28fa64eb0 100644
+--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
+@@ -1578,7 +1578,10 @@ static int parseValuesReturnFilter (
+ 		} else {
+ 			send_ldap_result( op, rs );
+ 		}
+-		if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter ); 
+		if( op->o_vrFilter != NULL) {
+			vrFilter_free( op, op->o_vrFilter );
+			op->o_vrFilter = NULL;
+		}
+ 	}
+ #ifdef LDAP_DEBUG
+ 	else {
+-- 
+GitLab
+
--- a/CVE-2020-36224_36225_36226-1.patch
+++ b/CVE-2020-36224_36225_36226-1.patch
@ -0,0 +1,25 @@
+From c0b61a9486508e5202aa2e0cfb68c9813731b439 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 30 Nov 2020 11:45:46 +0000
+Subject: [PATCH] ITS#9409 saslauthz: use ch_free on normalized DN
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 982fe3120..cc5a292de 100644
+--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+ 
+ 	if ( lud_dn ) {
+ 		if ( ludp->lud_dn != lud_dn ) {
+-			ber_memfree( ludp->lud_dn );
+			ch_free( ludp->lud_dn );
+ 		}
+ 		ludp->lud_dn = lud_dn;
+ 	}
+-- 
+GitLab
+
--- a/CVE-2020-36224_36225_36226-2.patch
+++ b/CVE-2020-36224_36225_36226-2.patch
@ -0,0 +1,25 @@
+From 554dff1927176579d652f2fe60c90e9abbad4c65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 30 Nov 2020 16:20:18 +0000
+Subject: [PATCH] ITS#9409 saslauthz: use slap_sl_free in prev commit
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index cc5a292de..4a9420b37 100644
+--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+ 
+ 	if ( lud_dn ) {
+ 		if ( ludp->lud_dn != lud_dn ) {
+-			ch_free( ludp->lud_dn );
+			slap_sl_free( ludp->lud_dn, ctx );
+ 		}
+ 		ludp->lud_dn = lud_dn;
+ 	}
+-- 
+GitLab
+
--- a/CVE-2020-36224_36225_36226-3.patch
+++ b/CVE-2020-36224_36225_36226-3.patch
@ -0,0 +1,42 @@
+From 5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 18:32:35 +0000
+Subject: [PATCH] ITS#9412 fix AVA_Sort on invalid RDN
+
+---
+ servers/slapd/dn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
+index 06698b089..7a095ba9e 100644
+--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
+@@ -233,6 +233,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ {
+ 	LDAPAVA	*ava_i;
+ 	int		i;
+	int		rc = LDAP_SUCCESS;
+ 
+ 	assert( rdn != NULL );
+ 
+@@ -250,7 +251,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ 			/* RFC4512 does not allow multiple AVAs
+ 			 * with the same attribute type in RDN (ITS#5968) */
+ 			if ( a == 0 )
+-				return LDAP_INVALID_DN_SYNTAX;
+				rc = LDAP_INVALID_DN_SYNTAX;
+ 
+ 			if ( a > 0 )
+ 				break;
+@@ -259,7 +260,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ 		}
+ 		rdn[ j+1 ] = ava_i;
+ 	}
+-	return LDAP_SUCCESS;
+	return rc;
+ }
+ 
+ static int
+-- 
+GitLab
+
--- a/CVE-2020-36224_36225_36226-4.patch
+++ b/CVE-2020-36224_36225_36226-4.patch
@ -0,0 +1,38 @@
+From d169e7958a3e0dc70f59c8374bf8a59833b7bdd8 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 19:03:24 +0000
+Subject: [PATCH] ITS#9413 fix slap_parse_user
+
+---
+ servers/slapd/saslauthz.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 4a9420b37..b17f34a21 100644
+--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
+@@ -156,10 +156,9 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ 	user->bv_val++;
+ 	user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
+ 
+-	mech->bv_val = ber_bvchr( id, '.' );
+-	if ( !BER_BVISNULL( mech ) ) {
+-		mech->bv_val[ 0 ] = '\0';
+-		mech->bv_val++;
+	if ( id->bv_val[1] == '.' ) {
+		id->bv_val[1] = '\0';
+		mech->bv_val = id->bv_val + 2;
+ 		mech->bv_len = user->bv_val - mech->bv_val - 1;
+ 
+ 		realm->bv_val = ber_bvchr( mech, '/' );
+@@ -172,6 +171,7 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ 		}
+ 
+ 	} else {
+		BER_BVZERO( mech );
+ 		BER_BVZERO( realm );
+ 	}
+ 
+-- 
+GitLab
+
--- a/CVE-2020-36227.patch
+++ b/CVE-2020-36227.patch
@ -0,0 +1,28 @@
+From 9d0e8485f3113505743baabf1167e01e4558ccf5 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sun, 20 Dec 2020 21:31:15 +0000
+Subject: [PATCH] ITS#9428 fix cancel exop
+
+---
+ servers/slapd/cancel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/servers/slapd/cancel.c b/servers/slapd/cancel.c
+index 206031290..b972b18fc 100644
+--- a/servers/slapd/cancel.c
+++ b/servers/slapd/cancel.c
+@@ -65,6 +65,11 @@ int cancel_extop( Operation *op, SlapReply *rs )
+ 		return LDAP_PROTOCOL_ERROR;
+ 	}
+ 
+	if ( opid == op->o_msgid ) {
+		op->o_cancel = SLAP_CANCEL_DONE;
+		return LDAP_SUCCESS;
+	}
+
+ 	ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
+ 
+ 	if ( op->o_abandon ) {
+-- 
+GitLab
+
--- a/CVE-2020-36228.patch
+++ b/CVE-2020-36228.patch
@ -0,0 +1,25 @@
+From 91dccd25c347733b365adc74cb07d074512ed5ad Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 16 Dec 2020 18:52:42 +0000
+Subject: [PATCH] ITS#9427 fix issuerAndThisUpdateCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index e035c1a6a..cc7c81693 100644
+--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
+@@ -3809,7 +3809,7 @@ issuerAndThisUpdateCheck(
+ 
+ 	if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX;
+ 
+-	if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+	if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ 		return LDAP_INVALID_SYNTAX;
+ 	}
+ 
+-- 
+GitLab
+
--- a/CVE-2020-36229.patch
+++ b/CVE-2020-36229.patch
@ -0,0 +1,45 @@
+From 4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 14 Dec 2020 20:05:44 +0000
+Subject: [PATCH] ITS#9425 add more checks to ldap_X509dn2bv
+
+---
+ libraries/libldap/tls2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index e0c82fa9f..193d20fdf 100644
+--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
+@@ -1248,6 +1248,8 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ 		for ( tag = ber_first_element( ber, &len, &rdn_end );
+ 			tag == LBER_SEQUENCE;
+ 			tag = ber_next_element( ber, &len, rdn_end )) {
+			if ( rdn_end > dn_end )
+				return LDAP_DECODING_ERROR;
+ 			tag = ber_skip_tag( ber, &len );
+ 			ber_skip_data( ber, len );
+ 			navas++;
+@@ -1257,7 +1259,7 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ 	/* Rewind and prepare to extract */
+ 	ber_rewind( ber );
+ 	tag = ber_first_element( ber, &len, &dn_end );
+-	if ( tag == LBER_DEFAULT )
+	if ( tag != LBER_SET )
+ 		return LDAP_DECODING_ERROR;
+ 
+ 	/* Allocate the DN/RDN/AVA stuff as a single block */    
+@@ -1370,6 +1372,10 @@ allocd:
+ 				/* X.690 bitString value converted to RFC4517 Bit String */
+ 				rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
+ 				goto allocd;
+			case LBER_DEFAULT:
+				/* decode error */
+				rc = LDAP_DECODING_ERROR;
+				goto nomem;
+ 			default:
+ 				/* Not a string type at all */
+ 				newAVA->la_flags = 0;
+-- 
+GitLab
+
--- a/CVE-2020-36230.patch
+++ b/CVE-2020-36230.patch
@ -0,0 +1,48 @@
+From 8c1d96ee36ed98b32cd0e28b7069c7b8ea09d793 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sun, 13 Dec 2020 21:48:45 +0000
+Subject: [PATCH] ITS#9423 ldap_X509dn2bv: check for invalid BER after RDN
+ count
+
+---
+ libraries/libldap/tls2.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index ca5a44ab0..e0c82fa9f 100644
+--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
+@@ -1254,6 +1254,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ 		}
+ 	}
+ 
+	/* Rewind and prepare to extract */
+	ber_rewind( ber );
+	tag = ber_first_element( ber, &len, &dn_end );
+	if ( tag == LBER_DEFAULT )
+		return LDAP_DECODING_ERROR;
+
+ 	/* Allocate the DN/RDN/AVA stuff as a single block */    
+ 	dnsize = sizeof(LDAPRDN) * (nrdns+1);
+ 	dnsize += sizeof(LDAPAVA *) * (navas+nrdns);
+@@ -1265,16 +1271,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ 	} else {
+ 		newDN = (LDAPDN)(char *)ptrs;
+ 	}
+-	
+
+ 	newDN[nrdns] = NULL;
+ 	newRDN = (LDAPRDN)(newDN + nrdns+1);
+ 	newAVA = (LDAPAVA *)(newRDN + navas + nrdns);
+ 	baseAVA = newAVA;
+ 
+-	/* Rewind and start extracting */
+-	ber_rewind( ber );
+-
+-	tag = ber_first_element( ber, &len, &dn_end );
+ 	for ( i = nrdns - 1; i >= 0; i-- ) {
+ 		newDN[i] = newRDN;
+ 
+-- 
+GitLab
+
--- a/openldap.spec
+++ b/openldap.spec
@ -2,7 +2,7 @@

 Name:           openldap
 Version:        2.4.50
-Release:        4
+Release:        5
 Summary:        LDAP support libraries
 License:        OpenLDAP
 URL:            https://www.openldap.org/
@ -44,6 +44,19 @@ Patch23:        bugfix-openldap-fix-implicit-function-declaration.patch
 Patch24:        bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
 Patch25:        CVE-2020-15719.patch
 Patch26:	CVE-2020-25692.patch
+Patch27:	CVE-2020-36221-1.patch
+Patch28:	CVE-2020-36221-2.patch
+Patch29:	CVE-2020-36222-1.patch
+Patch30:	CVE-2020-36222-2.patch
+Patch31:	CVE-2020-36223.patch
+Patch32:	CVE-2020-36224_36225_36226-1.patch
+Patch33:	CVE-2020-36224_36225_36226-2.patch
+Patch34:	CVE-2020-36224_36225_36226-3.patch
+Patch35:	CVE-2020-36224_36225_36226-4.patch
+Patch36:	CVE-2020-36227.patch
+Patch37:	CVE-2020-36228.patch
+Patch38:	CVE-2020-36230.patch
+Patch39:	CVE-2020-36229.patch

 BuildRequires:  cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
 BuildRequires:  glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@ -135,6 +148,19 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
+%patch38 -p1
+%patch39 -p1

 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -417,6 +443,12 @@ popd
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd

 %changelog
+* Thu Feb 18 2021 liulong <liulong20@huawei.com> - 2.4.50-5
+- Type:cves
+- ID:NA
+- SUG:restart
+- DESC:fix CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230
+
 * Mon Dec 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.4.50-4
 - Type:cves
 - ID:CVE-2020-25692