Re: [oe][meta-oe][dunfell][PATCH] openldap: Fix CVE-2023-2953

Tue, 13 Jun 2023 06:50:10 -0700 

On Mon, Jun 12, 2023 at 10:24 PM Vijay Anusuri <[email protected]> wrote:

> Any update on this ?

I'm the maintainer for oe-core and this is a meta-oe patch, so I
believe Armin is the right person for an update :-)

Steve

> On Mon, Jun 5, 2023 at 12:49 PM Vijay Anusuri via lists.openembedded.org 
> <[email protected]> wrote:
>>
>> From: Vijay Anusuri <[email protected]>
>>
>> Upstream-Status: Backport
>> [https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce
>> &
>> https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b]
>>
>> Signed-off-by: Vijay Anusuri <[email protected]>
>> ---
>>  .../openldap/openldap/CVE-2023-2953-1.patch   | 30 ++++++++
>>  .../openldap/openldap/CVE-2023-2953-2.patch   | 76 +++++++++++++++++++
>>  .../openldap/openldap_2.4.57.bb               |  2 +
>>  3 files changed, 108 insertions(+)
>>  create mode 100644 
>> meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch
>>  create mode 100644 
>> meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch
>>
>> diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch 
>> b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch
>> new file mode 100644
>> index 000000000..f4b4eb95d
>> --- /dev/null
>> +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch
>> @@ -0,0 +1,30 @@
>> +From 752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce Mon Sep 17 00:00:00 2001
>> +From: Howard Chu <[email protected]>
>> +Date: Wed, 24 Aug 2022 14:40:51 +0100
>> +Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
>> +
>> +Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
>> +
>> +Upstream-Status: Backport 
>> [https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce]
>> +CVE: CVE-2023-2953
>> +Signed-off-by: Vijay Anusuri <[email protected]>
>> +---
>> + libraries/libldap/fetch.c | 2 ++
>> + 1 file changed, 2 insertions(+)
>> +
>> +diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
>> +index 9e426dc647..536871bcfe 100644
>> +--- a/libraries/libldap/fetch.c
>> ++++ b/libraries/libldap/fetch.c
>> +@@ -69,6 +69,8 @@ ldif_open_url(
>> +               }
>> +
>> +               p = ber_strdup( urlstr );
>> ++              if ( p == NULL )
>> ++                      return NULL;
>> +
>> +               /* But we should convert to LDAP_DIRSEP before use */
>> +               if ( LDAP_DIRSEP[0] != '/' ) {
>> +--
>> +GitLab
>> +
>> diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch 
>> b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch
>> new file mode 100644
>> index 000000000..02c43bc44
>> --- /dev/null
>> +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch
>> @@ -0,0 +1,76 @@
>> +From 6563fab9e2feccb0a684d0398e78571d09fb808b Mon Sep 17 00:00:00 2001
>> +From: Howard Chu <[email protected]>
>> +Date: Thu, 25 Aug 2022 16:13:21 +0100
>> +Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure
>> +
>> +Avoid unnecessary strdup in IPv6 addr parsing, check for strdup
>> +failure when dup'ing scheme.
>> +
>> +Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59
>> +
>> +Upstream-Status: Backport 
>> [https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b]
>> +CVE: CVE-2023-2953
>> +Signed-off-by: Vijay Anusuri <[email protected]>
>> +---
>> + libraries/libldap/url.c | 21 ++++++++++++---------
>> + 1 file changed, 12 insertions(+), 9 deletions(-)
>> +
>> +diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c
>> +index dcf2aac9e8..493fd7ce47 100644
>> +--- a/libraries/libldap/url.c
>> ++++ b/libraries/libldap/url.c
>> +@@ -1385,24 +1385,22 @@ ldap_url_parsehosts(
>> +               }
>> +               ludp->lud_port = port;
>> +               ludp->lud_host = specs[i];
>> +-              specs[i] = NULL;
>> +               p = strchr(ludp->lud_host, ':');
>> +               if (p != NULL) {
>> +                       /* more than one :, IPv6 address */
>> +                       if ( strchr(p+1, ':') != NULL ) {
>> +                               /* allow [address] and [address]:port */
>> +                               if ( *ludp->lud_host == '[' ) {
>> +-                                      p = LDAP_STRDUP(ludp->lud_host+1);
>> +-                                      /* copied, make sure we free source 
>> later */
>> +-                                      specs[i] = ludp->lud_host;
>> +-                                      ludp->lud_host = p;
>> +-                                      p = strchr( ludp->lud_host, ']' );
>> ++                                      p = strchr( ludp->lud_host+1, ']' );
>> +                                       if ( p == NULL ) {
>> +                                               LDAP_FREE(ludp);
>> +                                               ldap_charray_free(specs);
>> +                                               return LDAP_PARAM_ERROR;
>> +                                       }
>> +-                                      *p++ = '\0';
>> ++                                      /* Truncate trailing ']' and shift 
>> hostname down 1 char */
>> ++                                      *p = '\0';
>> ++                                      AC_MEMCPY( ludp->lud_host, 
>> ludp->lud_host+1, p - ludp->lud_host );
>> ++                                      p++;
>> +                                       if ( *p != ':' ) {
>> +                                               if ( *p != '\0' ) {
>> +                                                       LDAP_FREE(ludp);
>> +@@ -1428,14 +1426,19 @@ ldap_url_parsehosts(
>> +                               }
>> +                       }
>> +               }
>> +-              ldap_pvt_hex_unescape(ludp->lud_host);
>> +               ludp->lud_scheme = LDAP_STRDUP("ldap");
>> ++              if ( ludp->lud_scheme == NULL ) {
>> ++                      LDAP_FREE(ludp);
>> ++                      ldap_charray_free(specs);
>> ++                      return LDAP_NO_MEMORY;
>> ++              }
>> ++              specs[i] = NULL;
>> ++              ldap_pvt_hex_unescape(ludp->lud_host);
>> +               ludp->lud_next = *ludlist;
>> +               *ludlist = ludp;
>> +       }
>> +
>> +       /* this should be an array of NULLs now */
>> +-      /* except entries starting with [ */
>> +       ldap_charray_free(specs);
>> +       return LDAP_SUCCESS;
>> + }
>> +--
>> +GitLab
>> +
>> diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb 
>> b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
>> index e3e9caa1b..1e7e6b3d7 100644
>> --- a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
>> +++ b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
>> @@ -24,6 +24,8 @@ SRC_URI = 
>> "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$
>>      file://openldap-CVE-2015-3276.patch \
>>      file://remove-user-host-pwd-from-version.patch \
>>      file://CVE-2022-29155.patch \
>> +    file://CVE-2023-2953-1.patch \
>> +    file://CVE-2023-2953-2.patch \
>>  "
>>  SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c"
>>  SRC_URI[sha256sum] = 
>> "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a"
>> --
>> 2.25.1
>>
>>
>> 
>>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#103269): 
https://lists.openembedded.org/g/openembedded-devel/message/103269
Mute This Topic: https://lists.openembedded.org/mt/99335615/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to