Hello community, here is the log from the commit of package openldap2 for openSUSE:Leap:15.2 checked in at 2020-05-12 11:32:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/openldap2 (Old) and /work/SRC/openSUSE:Leap:15.2/.openldap2.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2" Tue May 12 11:32:18 2020 rev:45 rq:801999 version:unknown Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/openldap2/openldap2.changes 2020-02-16 18:25:51.522640673 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.openldap2.new.2738/openldap2.changes 2020-05-12 11:32:22.831741864 +0200
@@ -1,0 +2,6 @@
+Thu Apr 30 02:38:49 UTC 2020 - William Brown <[email protected]>
+
+- bsc#1170771 (CVE-2020-12243) - recursive filters may crash server
+ * patch: 0205-bsc-1170771-limit-depth-of-nested-filters.patch
+
+-------------------------------------------------------------------
New: ---- 0205-bsc-1170771-limit-depth-of-nested-filters.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2.spec ++++++
--- /var/tmp/diff_new_pack.PzKE85/_old 2020-05-12 11:32:23.607743495 +0200
+++ /var/tmp/diff_new_pack.PzKE85/_new 2020-05-12 11:32:23.607743495 +0200
@@ -79,6 +79,7 @@
 Patch202: 0202-ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
 Patch203: 0203-ITS-9038-Update-test028-to-test-this-is-enforced.patch
 Patch204: 0204-ITS-9038-Another-test028-typo.patch
+Patch205: 0205-bsc-1170771-limit-depth-of-nested-filters.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: cyrus-sasl-devel
@@ -278,6 +279,7 @@
 %patch202 -p1
 %patch203 -p1
 %patch204 -p1
+%patch205 -p1
 cp %{SOURCE5} . # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
++++++ 0205-bsc-1170771-limit-depth-of-nested-filters.patch ++++++
>From 7a96c04e0f8bd325a00bd846ea3d244465474e2a Mon Sep 17 00:00:00 2001
From: William Brown <[email protected]>
Date: Thu, 30 Apr 2020 08:57:57 +1000
Subject: [PATCH] bsc#1170771 - limit depth of nested filters
Original Commit Message: d38d48fc8f572dedfb67b9da61a2ba3b125ced91 [PATCH] ITS#9202 limit depth of nested filters Using a hardcoded limit for now; no reasonable apps should ever run into it.
---
 servers/slapd/filter.c | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index e76dc08..95a20fe 100644
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -37,11 +37,16 @@
 const Filter *slap_filter_objectClass_pres;
 const struct berval *slap_filterstr_objectClass_pres;
+#ifndef SLAPD_MAX_FILTER_DEPTH
+#define SLAPD_MAX_FILTER_DEPTH 5000
+#endif
+
 static int get_filter_list(
 Operation *op,
 BerElement *ber,
 Filter **f,
- const char **text );
+ const char **text,
+ int depth );
 static int get_ssa(
 Operation *op,
@@ -80,12 +85,13 @@ filter_destroy( void )
 return;
 }
-int
-get_filter(
+static int
+get_filter0(
 Operation *op,
 BerElement *ber,
 Filter **filt,
- const char **text )
+ const char **text,
+ int depth )
 {
 ber_tag_t tag;
 ber_len_t len;
@@ -126,6 +132,11 @@ get_filter(
 *
 */
+ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
+ *text = "filter nested too deeply";
+ return SLAPD_DISCONNECT;
+ }
+
 tag = ber_peek_tag( ber, &len );
 if( tag == LBER_ERROR ) {
@@ -221,7 +232,7 @@ get_filter(
 case LDAP_FILTER_AND:
 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
- err = get_filter_list( op, ber, &f.f_and, text );
+ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
 if ( err != LDAP_SUCCESS ) {
 break;
 }
@@ -234,7 +245,7 @@ get_filter(
 case LDAP_FILTER_OR:
 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
- err = get_filter_list( op, ber, &f.f_or, text );
+ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
 if ( err != LDAP_SUCCESS ) {
 break;
 }
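Review bot: `SLAPD_MAX_FILTER_DEPTH` is added in the first hunk with no comment saying what bounds it, and 5000 is only safe as long as 5000 nested `get_filter0`/`get_filter_list` frame pairs fit in the stack of the thread that parses the request. I would put `/* Max nesting of AND/OR/NOT in a search filter; bounds parser recursion (ITS#9202, CVE-2020-12243) and must fit the worker thread stack */` above the `#ifndef`. The `#ifndef` guard lets a build override the value, so the comment should also tell packagers that raising it trades away the protection. Any other recursive walker of the parsed Filter tree has to tolerate the same depth; none is visible in this diff, so that part is an inference to check against the rest of slapd.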
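Review bot: The rejection branch added in the `@@ -126,6 +132,11 @@` hunk sets `*text` and returns `SLAPD_DISCONNECT` without any `Debug()` call, although the AND/OR/NOT branches shown in the later hunks all trace through `Debug( LDAP_DEBUG_FILTER, ... )`. A filter that trips this limit is the input CVE-2020-12243 describes, so it should be visible to whoever watches the server log; unless the caller already logs `*text` on disconnect (not visible here), add `Debug( LDAP_DEBUG_ANY, "get_filter: filter nested too deeply\n", 0, 0, 0 );` before the return. Separately, `depth > SLAPD_MAX_FILTER_DEPTH` with a starting depth of 0 accepts 5001 levels; `depth >= SLAPD_MAX_FILTER_DEPTH` would make the macro the real maximum. The body of `get_filter0` starts and ends outside this hunk.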
@@ -248,7 +259,7 @@ get_filter(
 case LDAP_FILTER_NOT:
 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
 (void) ber_skip_tag( ber, &len );
- err = get_filter( op, ber, &f.f_not, text );
+ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
 if ( err != LDAP_SUCCESS ) {
 break;
 }
@@ -311,10 +322,21 @@ get_filter(
 return( err );
 }
+int
+get_filter(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+ const char **text )
+{
+ return get_filter0( op, ber, filt, text, 0 );
+}
+
 static int
 get_filter_list( Operation *op, BerElement *ber,
 Filter **f,
- const char **text )
+ const char **text,
+ int depth )
 {
 Filter **new;
 int err;
@@ -328,7 +350,7 @@ get_filter_list( Operation *op, BerElement *ber,
 tag != LBER_DEFAULT;
 tag = ber_next_element( ber, &len, last ) )
 {
- err = get_filter( op, ber, new, text );
+ err = get_filter0( op, ber, new, text, depth );
 if ( err != LDAP_SUCCESS )
 return( err );
 new = &(*new)->f_next;
-- 
2.26.2
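Review bot: In the last hunk `get_filter_list` forwards `depth` unchanged in `err = get_filter0( op, ber, new, text, depth );`, while the AND/OR/NOT call sites pass `depth+1`, and nothing in the patch says which side owns the increment. The counting is consistent as written, one step per AND/OR/NOT level. A later edit that evens out the apparent asymmetry would either double-count or stop counting set members, and the second outcome removes the recursion bound. I would add `/* depth was already incremented by the AND/OR caller in get_filter0 */` above this call, and a one-line header on `get_filter0` stating that `depth` is the number of enclosing AND/OR/NOT filters and that `get_filter()` starts it at 0. Both function bodies extend outside the hunks shown.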
