aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Peter Korsgaard <peter@korsgaard.com>2021-02-27 00:13:17 +0100
committerGravatar Yann E. MORIN <yann.morin.1998@free.fr>2021-02-27 09:10:45 +0100
commit2d6a0ea93e8adf53377b6c1ab06e07ce1ba4961a (patch)
treee67da19fb05fde3aca9d069d27496c9ad4a502b0
parent6ca1a7c2773cc13f71e284d0b3b4b3b35101d1db (diff)
downloadbuildroot-2d6a0ea93e8adf53377b6c1ab06e07ce1ba4961a.tar.gz
buildroot-2d6a0ea93e8adf53377b6c1ab06e07ce1ba4961a.tar.bz2
package/openldap: add upstream security fix for CVE-2021-27212
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. For more details, see the bugtracker: https://bugs.openldap.org/show_bug.cgi?id=9454 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
-rw-r--r--package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch26
-rw-r--r--package/openldap/openldap.mk3
2 files changed, 29 insertions, 0 deletions
diff --git a/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch b/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
new file mode 100644
index 0000000000..a611b9ff59
--- /dev/null
+++ b/package/openldap/0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
@@ -0,0 +1,26 @@
+From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 6 Feb 2021 20:52:06 +0000
+Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ servers/slapd/schema_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 31be1154e..8b1e25539 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck(
+ break;
+ }
+ }
++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += tu->bv_len + 1;
+ x.bv_len -= tu->bv_len + 1;
+
+--
+2.20.1
+
diff --git a/package/openldap/openldap.mk b/package/openldap/openldap.mk
index b4c06d8640..ec11e4fa7d 100644
--- a/package/openldap/openldap.mk
+++ b/package/openldap/openldap.mk
@@ -13,6 +13,9 @@ OPENLDAP_CPE_ID_VENDOR = openldap
OPENLDAP_INSTALL_STAGING = YES
OPENLDAP_DEPENDENCIES = host-pkgconf
+# 0005-ITS-9454-fix-issuerAndThisUpdateCheck.patch
+OPENLDAP_IGNORE_CVES += CVE-2021-27212
+
ifeq ($(BR2_PACKAGE_OPENSSL),y)
OPENLDAP_TLS = openssl
OPENLDAP_DEPENDENCIES += openssl