[packages/openldap] fix for CVE-2015-1545, CVE-2015-1546 from upstream git

glen glen at pld-linux.org
Tue Feb 17 11:58:00 CET 2015


commit a48964e9aac1a2c2ee5a2c87ce8a0192907efb28
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Tue Feb 17 12:45:43 2015 +0200

    fix for CVE-2015-1545, CVE-2015-1546 from upstream git
    
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1545
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1546

 CVE-2015-1545-CVE-2015-1546.patch | 26 ++++++++++++++++++++++++++
 openldap.spec                     |  4 +++-
 2 files changed, 29 insertions(+), 1 deletion(-)
---
diff --git a/openldap.spec b/openldap.spec
index 740a4ff..06dd097 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -26,7 +26,7 @@ Summary(ru.UTF-8):	Образцы клиентов LDAP
 Summary(uk.UTF-8):	Зразки клієнтів LDAP
 Name:		openldap
 Version:	2.4.40
-Release:	1
+Release:	2
 License:	OpenLDAP Public License
 Group:		Networking/Daemons
 Source0:	ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/%{name}-%{version}.tgz
@@ -63,6 +63,7 @@ Patch19:	%{name}-gcc47.patch
 Patch20:	enable-mdb.patch
 Patch22:	%{name}-am.patch
 Patch23:	%{name}-db.patch
+Patch24:	CVE-2015-1545-CVE-2015-1546.patch
 # Patch for the evolution library
 Patch100:	%{name}-ntlm.diff
 URL:		http://www.openldap.org/
@@ -1244,6 +1245,7 @@ cd %{name}-%{version}
 %patch20 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
 %if %{with krb5}
 %patch17 -p1
 %endif
diff --git a/CVE-2015-1545-CVE-2015-1546.patch b/CVE-2015-1545-CVE-2015-1546.patch
new file mode 100644
index 0000000..a642bed
--- /dev/null
+++ b/CVE-2015-1545-CVE-2015-1546.patch
@@ -0,0 +1,26 @@
+From c32e74763f77675b9e144126e375977ed6dc562c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc at openldap.org>
+Date: Mon, 19 Jan 2015 22:25:53 +0000
+Subject: [PATCH] ITS#8027 require non-empty AttributeList
+
+---
+ servers/slapd/overlays/deref.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
+index 9420e3e..05aa890 100644
+--- a/servers/slapd/overlays/deref.c
++++ b/servers/slapd/overlays/deref.c
+@@ -183,7 +183,8 @@ deref_parseCtrl (
+ 		ber_len_t cnt = sizeof(struct berval);
+ 		ber_len_t off = 0;
+ 
+-		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
++		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
++			|| !cnt )
+ 		{
+ 			rs->sr_text = "Dereference control: derefSpec decoding error";
+ 			rs->sr_err = LDAP_PROTOCOL_ERROR;
+-- 
+1.7.10.4
+
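Review bot: The new patch file carries exactly one upstream commit (ITS#8027, one hunk in servers/slapd/overlays/deref.c, diffstat "1 file changed"), while the commit title, the Patch24 filename and the release bump all claim fixes for both CVE-2015-1545 and CVE-2015-1546; if the second CVE is a separate upstream change, it is not in this file and the package still ships without it. Either append that second upstream commit to the patch or rename the file to the single CVE this hunk addresses, so the spec does not advertise a fix it does not contain. On the hunk itself, the added `|| !cnt` guard relies on ber_scanf's "M" conversion overwriting `cnt` (pre-set to `sizeof(struct berval)` two lines above) with the element count on success, which is not visible here; a one-line comment such as `/* "M" leaves the element count in cnt; an empty AttributeList is a protocol error (ITS#8027) */` would make the check self-explanatory. deref_parseCtrl's body continues outside the hunk.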
---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/openldap.git/commitdiff/a48964e9aac1a2c2ee5a2c87ce8a0192907efb28