Control: retitle -1 trixie-pu: package 389-ds-base/3.1.2+dfsg1-1+deb13u1 On Wed, May 06, 2026 at 11:12:42AM +0300, Adrian Bunk wrote: > Package: release.debian.org > Severity: normal > Tags: trixie moreinfo > X-Debbugs-Cc: [email protected], [email protected] > Control: affects -1 + src:389-ds-base > User: [email protected] > Usertags: pu > > * Fix CVE-2025-14905. (Closes: #1130910) > > Tagged moreinfo, as question to the security team whether they want > this in pu or as DSA.
This is the same as the previous debdiff, except for the corrected version number. cu Adrian
diffstat for 389-ds-base-3.1.2+dfsg1 389-ds-base-3.1.2+dfsg1 changelog | 9 ++ patches/0001-Security-fix-for-CVE-2025-14905.patch | 93 +++++++++++++++++++++ patches/series | 1 3 files changed, 103 insertions(+) diff -Nru 389-ds-base-3.1.2+dfsg1/debian/changelog 389-ds-base-3.1.2+dfsg1/debian/changelog --- 389-ds-base-3.1.2+dfsg1/debian/changelog 2025-04-10 14:06:13.000000000 +0300 +++ 389-ds-base-3.1.2+dfsg1/debian/changelog 2026-05-05 10:09:43.000000000 +0300 @@ -1,3 +1,12 @@ +389-ds-base (3.1.2+dfsg1-1+deb13u1) trixie; urgency=medium + + * Non-maintainer upload. + + [ Timo Aaltonen ] + * patches: Fix CVE-2025-14905. (Closes: #1130910) + + -- Adrian Bunk <[email protected]> Tue, 05 May 2026 10:09:43 +0300 + 389-ds-base (3.1.2+dfsg1-1) unstable; urgency=medium * New upstream release. diff -Nru 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch --- 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch 1970-01-01 02:00:00.000000000 +0200 +++ 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch 2026-05-05 10:08:45.000000000 +0300 @@ -0,0 +1,93 @@ +From e2562f5894dd05a3b062e7820f471f2f8e12b85d Mon Sep 17 00:00:00 2001 +From: tbordaz <[email protected]> +Date: Wed, 25 Feb 2026 14:06:42 +0100 +Subject: [PATCH] Security fix for CVE-2025-14905 + +Description: + A vulnerability was found in the 389 Directory Server. + The 389 Directory Server present a risk of heap buffer overflow that + can be exploited to excute a Denial of Service and potential Remote + Code Execution + +References: + - https://access.redhat.com/security/cve/CVE-2025-14905 + - https://bugzilla.redhat.com/show_bug.cgi?id=2423624 +--- + ldap/servers/slapd/schema.c | 47 ++++++++++++++++++++++++++++++------- + 1 file changed, 38 insertions(+), 9 deletions(-) + +diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c +index 9ef4ee4bf..7712a720d 100644 +--- a/ldap/servers/slapd/schema.c ++++ b/ldap/servers/slapd/schema.c +@@ -1410,6 +1410,7 @@ schema_attr_enum_callback(struct asyntaxinfo *asip, void *arg) + const char *attr_desc, *syntaxoid; + char *outp, syntaxlengthbuf[128]; + int i; ++ int nb_aliases = 0; + + vals[0] = &val; + +@@ -1435,6 +1436,7 @@ schema_attr_enum_callback(struct asyntaxinfo *asip, void *arg) + if (asip->asi_aliases != NULL) { + for (i = 0; asip->asi_aliases[i] != NULL; ++i) { + aliaslen += strlen(asip->asi_aliases[i]); ++ nb_aliases++; + } + } + +@@ -1452,15 +1454,42 @@ schema_attr_enum_callback(struct asyntaxinfo *asip, void *arg) + * XXX: 256 is a magic number... it must be big enough to account for + * all of the fixed sized items we output. + */ +- sizedbuffer_allocate(aew->psbAttrTypes, 256 + strlen(asip->asi_oid) + +- strlen(asip->asi_name) + +- aliaslen + strlen_null_ok(attr_desc) + +- strlen(syntaxoid) + +- strlen_null_ok(asip->asi_superior) + +- strlen_null_ok(asip->asi_mr_equality) + +- strlen_null_ok(asip->asi_mr_ordering) + +- strlen_null_ok(asip->asi_mr_substring) + +- strcat_extensions(NULL, asip->asi_extensions)); ++ { ++ int asi_oid_strlen = strlen(asip->asi_oid) + 8; /* "( %s NAME " */ ++ int asi_name_strlen = strlen(asip->asi_name) + 6; /* "( '%s' ...)" */ ++ int asi_aliases_strlen = aliaslen + nb_aliases * 3; /* "'%s' " */ ++ int asi_desc_strlen = strlen_null_ok(attr_desc) + 7; /* "DESC '%s'" */ ++ int asi_syntaxoid_strlen = strlen("SYNTAX ") + strlen(syntaxoid) + strlen(syntaxlengthbuf); ++ int asi_superior_strlen = strlen("SUP ") + strlen_null_ok(asip->asi_superior); ++ int asi_mr_equality_strlen = strlen("EQUALITY ") + strlen_null_ok(asip->asi_mr_equality); ++ int asi_mr_ordering_strlen = strlen("ORDERING ") + strlen_null_ok(asip->asi_mr_ordering); ++ int asi_mr_substring_strlen = strlen("SUBSTR ") + strlen_null_ok(asip->asi_mr_substring); ++ int asi_flags_strlen = strlen("SINGLE-VALUE ") + ++ strlen(schema_obsolete_with_spaces) + ++ strlen(schema_collective_with_spaces) + ++ strlen(schema_nousermod_with_spaces) + ++ strlen("USAGE distributedOperation ") + ++ strlen("USAGE dSAOperation ") + ++ strlen("USAGE directoryOperation "); ++ int asi_extension_strlen = strcat_extensions(NULL, asip->asi_extensions); ++ ++ if (aew->enquote_sup_oc) { ++ /* it enquote the syntax oid */ ++ asi_syntaxoid_strlen += 2; ++ } ++ ++ sizedbuffer_allocate(aew->psbAttrTypes, 256 + asi_oid_strlen + ++ asi_name_strlen + ++ asi_aliases_strlen + ++ asi_desc_strlen + ++ asi_syntaxoid_strlen + ++ asi_superior_strlen + ++ asi_mr_equality_strlen + ++ asi_mr_ordering_strlen + ++ asi_mr_substring_strlen + ++ asi_extension_strlen + ++ asi_flags_strlen); ++ } + + /* + * Overall strategy is to maintain a pointer to the next location in +-- +2.53.0 + diff -Nru 389-ds-base-3.1.2+dfsg1/debian/patches/series 389-ds-base-3.1.2+dfsg1/debian/patches/series --- 389-ds-base-3.1.2+dfsg1/debian/patches/series 2025-04-10 13:56:01.000000000 +0300 +++ 389-ds-base-3.1.2+dfsg1/debian/patches/series 2026-05-05 10:08:58.000000000 +0300 @@ -3,3 +3,4 @@ allow-newer-crates.diff base64.diff 0001-Security-fix-for-CVE-2025-2487.patch +0001-Security-fix-for-CVE-2025-14905.patch
