On Tue, Nov 09, 2010 at 03:25:20PM +0100, Pierre-Emmanuel André wrote: > Hi, > > Our version of OpenLDAP is a "bit" outdated.. > The following diff will upgrade it to the latest > stable version aka 2.4.23. > > As discussed with other porters, the "best" plan seems > to be: > > + upgrade databases/openldap to 2.4.23 > + provide databases/openldap23 which will contain only > the -server part of our current version (2.3.43). > > Important things to know about this upgrade: > + the ldbm backend has been removed. You must back up all > your data *before* the upgrade (pkg_add will warn you) > + the default backend will be bdb > + slurpd has been removed > > You will need the following diff to unbreak some apps (evolution-data-server, > evolution, evolution-exchange, seahorse, zarafa, ruby-ldap). All of > these were found by landry@ while doing a bulk with this upgrade (thanks). > > Stephan@ tried it on his production server (with success). I use it too. > I would like to thank ajacoutot@,bernd@,jasper@,landry@,sthen@ and stephan@ > for their help/advice/comments/tests ! > > Please test this upgrade and give me feedback. >
Updated diff: + fix a typo in PLIST-server (spotted by Mikolaj Kucharski) + add an rc script -- Pierre-Emmanuel André <pea at raveland.org> GPG key: 0x7AE329DC
Index: Makefile
===================================================================
RCS file: /cvs/ports/databases/openldap/Makefile,v
retrieving revision 1.96
diff -u -p -r1.96 Makefile
--- Makefile 6 Nov 2010 22:50:02 -0000 1.96
+++ Makefile 10 Nov 2010 14:01:44 -0000
@@ -3,18 +3,16 @@
 COMMENT-main= Open source LDAP software (client)
 COMMENT-server= Open source LDAP software (server)
-DISTNAME= openldap-2.3.43
+DISTNAME= openldap-2.4.23
 PKGNAME-main= ${DISTNAME:S/-/-client-/}
 PKGNAME-server= ${DISTNAME:S/-/-server-/}
-REVISION-main= 2
-REVISION-server= 4
-SHARED_LIBS += lber 9.1 # .2.15
-SHARED_LIBS += ldap 9.1 # .2.15
-SHARED_LIBS += ldap_r 9.1 # .2.15
-SHARED_LIBS += lber-2.3 9.1 # .2.15
-SHARED_LIBS += ldap-2.3 9.1 # .2.15
-SHARED_LIBS += ldap_r-2.3 9.1 # .2.15
+SHARED_LIBS += lber 10.0 # .7.6
+SHARED_LIBS += ldap 10.0 # .7.6
+SHARED_LIBS += ldap_r 10.0 # .7.6
+SHARED_LIBS += lber-2.4 10.0 # .7.6
+SHARED_LIBS += ldap-2.4 10.0 # .7.6
+SHARED_LIBS += ldap_r-2.4 10.0 # .7.6
 CATEGORIES= databases net
 HOMEPAGE= http://www.openldap.org/
@@ -23,7 +21,7 @@ PERMIT_PACKAGE_CDROM= Yes
 PERMIT_PACKAGE_FTP= Yes
 PERMIT_DISTFILES_CDROM= Yes
 PERMIT_DISTFILES_FTP= Yes
-WANTLIB= c crypto ssl asn1 com_err gssapi krb5
+WANTLIB= c crypto ssl asn1 com_err gssapi krb5 sasl2
 MASTER_SITES= ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/ \
 ftp://sunsite.cnlab-switch.ch/mirror/OpenLDAP/openldap-release/ \
@@ -35,12 +33,14 @@ MASTER_SITES= ftp://ftp.OpenLDAP.org/pub
 EXTRACT_SUFX= .tgz
 SEPARATE_BUILD= concurrent
-CONFIGURE_STYLE= gnu
+AUTOCONF_VERSION= 2.61
+CONFIGURE_STYLE= gnu autoconf
 USE_GROFF = Yes
 CONFIGURE_ARGS+= ${CONFIGURE_SHARED} \
 --localstatedir="/var" \
- --enable-ipv6
+ --enable-ipv6 \
+ --with-tls=openssl
 # slapd options
 CONFIGURE_ARGS+= --enable-slapd \
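Review bot: `--with-tls=openssl` is added without a comment, so a reader cannot tell whether it deliberately pins the TLS backend or only spells out what configure would have autodetected, and OpenLDAP's configure also accepts other TLS libraries. Add a why-comment above it, e.g. `# pin libldap/slapd to the base OpenSSL (WANTLIB crypto ssl) rather than whatever TLS library configure finds first`, so a later GnuTLS or NSS package in ${LOCALBASE} cannot silently change what the client library verifies certificates with. `AUTOCONF_VERSION= 2.61` with `CONFIGURE_STYLE= gnu autoconf` deserves a similar one-liner noting that configure is regenerated from the patched configure.in, which is presumably why patch-configure is deleted further down.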
@@ -52,9 +52,10 @@ CONFIGURE_ARGS+= --enable-slapd \
 --enable-spasswd
 # slapd modules
-CONFIGURE_ARGS+= --enable-dnssrv \
+CONFIGURE_ARGS+= --enable-bdb \
+ --enable-dnssrv \
+ --enable-hdb \
 --enable-ldap \
- --enable-ldbm \
 --enable-meta \
 --enable-monitor \
 --enable-null \
@@ -62,37 +63,23 @@ CONFIGURE_ARGS+= --enable-dnssrv \
 --enable-perl \
 --enable-shell
-# slurpd modules
-CONFIGURE_ARGS+= --enable-slurpd
 MODGNU_CONFIG_GUESS_DIRS= ${WRKSRC} ${WRKSRC}/build
 REGRESS_TARGET= test
-FLAVORS= bdb
-FLAVOR?=
-
 MULTI_PACKAGES= -main -server
 LIB_DEPENDS += ::security/cyrus-sasl2
 WANTLIB += sasl2
 CPPFLAGS += -I${LOCALBASE}/include/sasl
-.if ${FLAVOR:L:Mbdb}
-BROKEN = OpenLDAP 2.3 is incompatible with Berkeley DB 4.6
-CONFIGURE_ARGS += --enable-bdb --enable-hdb
-LIB_DEPENDS += :db->=4,<5:databases/db/v4
-WANTLIB += lib/db4/db.>=4
-CPPFLAGS += -I${LOCALBASE}/include/db4
-LDFLAGS += -L${LOCALBASE}/lib/db4
-LIBS += -ldb
-.else
-CONFIGURE_ARGS+= --disable-bdb --disable-hdb
-.endif
-
-CONFIGURE_ENV+= CPPFLAGS="${CPPFLAGS}" \
- LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" \
- LIBS="${LIBS}"
+LIB_DEPENDS-server= ${LIB_DEPENDS-main} \
+ icudata,icuuc::textproc/icu4c \
+ lib/db4/db.>=4:db->=4.6.21,<5:databases/db/v4
+
+CONFIGURE_ENV+= CPPFLAGS="-I${LOCALBASE}/include/sasl -I${LOCALBASE}/include/db4 -I${LOCALBASE}/include" \
+ LDFLAGS="-L${LOCALBASE}/lib/db4 -L${LOCALBASE}/lib"
 RUN_DEPENDS-server= :${FULLPKGNAME-main}:databases/openldap
 WANTLIB-server= ${WANTLIB} perl util wrap m pthread
@@ -102,14 +89,6 @@ USE_LIBTOOL= Yes
 pre-build:
 @cd ${WRKBUILD}; ${MAKE_PROGRAM} depend
-pre-configure:
- @perl -pi -e 's,KRB5_LIBS=,KRB5_LIBS="-lgssapi -lkrb5 -lasn1 \
- -lcom_err",g' ${WRKSRC}/configure
-.if ${FLAVOR} != "bdb"
- @perl -pi -e 's,database bdb,database ldbm,' \
- ${WRKSRC}/servers/slapd/slapd.conf
-.endif
-
 post-install:
 ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/openldap
 ${INSTALL_DATA} ${DESTDIR}${SYSCONFDIR}/openldap/*.conf \
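Review bot: In the `@@ -62,37 +63,23 @@` hunk `CPPFLAGS += -I${LOCALBASE}/include/sasl` is kept as context while the new `CONFIGURE_ENV+= CPPFLAGS="..."` hardcodes its own include list, so the port now carries two sources of truth for the include path and, unless bsd.port.mk also exports CPPFLAGS into the configure environment, the `CPPFLAGS +=` line no longer reaches configure at all; likewise `WANTLIB += sasl2` survives although sasl2 was just appended to `WANTLIB=` in the earlier hunk, so it is listed twice. Fold them into one: `CPPFLAGS += -I${LOCALBASE}/include/sasl -I${LOCALBASE}/include/db4` and `CONFIGURE_ENV += CPPFLAGS="${CPPFLAGS}" LDFLAGS="-L${LOCALBASE}/lib/db4 -L${LOCALBASE}/lib"`, and drop one of the sasl2 entries. `${LIB_DEPENDS-main}` is referenced but not set anywhere visible; if bsd.port.mk derives it from `LIB_DEPENDS` that is fine, otherwise it expands to nothing and the server package loses the cyrus-sasl2 dependency.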
@@ -119,7 +98,6 @@ post-install:
 ${PREFIX}/share/examples/openldap/schema
 ${INSTALL_DATA} ${WRKSRC}/servers/slapd/DB_CONFIG \
 ${PREFIX}/share/examples/openldap
- @rm -r ${DESTDIR}${SYSCONFDIR}/openldap
- @rm -r ${DESTDIR}/var/openldap-data ${DESTDIR}/var/openldap-slurp
+ @rm -rf ${DESTDIR}${SYSCONFDIR}/openldap
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/databases/openldap/distinfo,v
retrieving revision 1.31
diff -u -p -r1.31 distinfo
--- distinfo 21 Jul 2008 06:07:10 -0000 1.31
+++ distinfo 10 Nov 2010 14:01:44 -0000
@@ -1,5 +1,5 @@
-MD5 (openldap-2.3.43.tgz) = GyUoEIbrFGuOEevTPeCG3A==
-RMD160 (openldap-2.3.43.tgz) = Pst4nl9NTJOTV+LnIg15PrBUAuc=
-SHA1 (openldap-2.3.43.tgz) = eWtds3rlJDuE97nBEhe77ETg2ow=
-SHA256 (openldap-2.3.43.tgz) = 19LeoFNiyKx+Ebt78dpM3rByJbqNwWl0v/n1Gp89N+E=
-SIZE (openldap-2.3.43.tgz) = 3803011
+MD5 (openldap-2.4.23.tgz) = kBULjA0BkuELMBV+aIRN3w==
+RMD160 (openldap-2.4.23.tgz) = 0iaOj7iUaA0dmSb+3Kc28ZXgoL4=
+SHA1 (openldap-2.4.23.tgz) = JgJ+cCAlbF9H4XeH8X7osxr0I3g=
+SHA256 (openldap-2.4.23.tgz) = Wl7ekdXoqzx/Y3YgqimjuW6zQxiosmyO7y0seJ/AVeM=
+SIZE (openldap-2.4.23.tgz) = 5182440
Index: patches/patch-aclocal_m4
===================================================================
RCS file: patches/patch-aclocal_m4
diff -N patches/patch-aclocal_m4
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-aclocal_m4 10 Nov 2010 14:01:44 -0000
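Review bot: The cleanup of `${DESTDIR}${SYSCONFDIR}/openldap` goes from `rm -r` to `rm -rf`, which turns a failure that used to stop the build into silence; the directory is guaranteed to exist because the `${INSTALL_DATA}` lines just above copy `*.conf` and the schema out of it, so `-f` can only mask a problem such as an upstream change of the install path leaving live config files in the package. Keep `@rm -r ${DESTDIR}${SYSCONFDIR}/openldap`. The removal of `${DESTDIR}/var/openldap-data` is dropped, yet the patched servers/slapd/Makefile.in later in this diff still runs `$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data`, so the empty directory now stays in the fake tree while PLIST-server expects to create it with `@sample`; either keep removing it here or drop that mkdir in the patch so fake and PLIST agree. The post-install target starts above this hunk.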
@@ -0,0 +1,11 @@
+$OpenBSD$
+--- aclocal.m4.orig Mon Dec 7 14:37:50 2009
++++ aclocal.m4 Mon Dec 7 14:38:06 2009
+@@ -2071,7 +2071,6 @@ openbsd*)
+ *) need_version=no ;;
+ esac
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
Index: patches/patch-build_openldap_m4
===================================================================
RCS file: patches/patch-build_openldap_m4
diff -N patches/patch-build_openldap_m4
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-build_openldap_m4 10 Nov 2010 14:01:44 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- build/open-ldap.m4.orig Mon Dec 7 14:39:00 2009
++++ build/openldap.m4 Mon Dec 7 14:39:15 2009
+@@ -251,7 +251,7 @@ AC_DEFUN([OL_ICU],
+ AC_CHECK_HEADERS( unicode/utypes.h )
+ if test $ac_cv_header_unicode_utypes_h = yes ; then
+ dnl OL_ICULIBS="-licui18n -licuuc -licudata"
+- OL_ICULIBS="-licuuc -licudata"
++ OL_ICULIBS="-licuuc -licudata -pthread"
+ 
+ AC_CACHE_CHECK([for ICU libraries], [ol_cv_lib_icu], [
+ ol_LIBS="$LIBS"
Index: patches/patch-build_top_mk
===================================================================
RCS file: /cvs/ports/databases/openldap/patches/patch-build_top_mk,v
retrieving revision 1.5
diff -u -p -r1.5 patch-build_top_mk
--- patches/patch-build_top_mk 14 Jan 2008 21:01:11 -0000 1.5
+++ patches/patch-build_top_mk 10 Nov 2010 14:01:44 -0000
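Review bot: Both new patch files carry only `$OpenBSD$` and no explanation, so the next updater has to rediscover why `finish_cmds` loses its `ldconfig -m $libdir` call and why `-pthread` is appended to `OL_ICULIBS`. Put a one-line rationale between `$OpenBSD$` and the `---` header of each, e.g. `don't run ldconfig from libtool at install time; the fake/package tools own shared-library registration` and `icu is threaded; link the ICU probe and the resulting libs with -pthread so the configure test does not fail on unresolved pthread symbols` (the latter is my reading of the intent, confirm it against the configure log). Rationale lines are what make it safe to drop a patch on the next upstream bump.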
@@ -1,7 +1,7 @@
 $OpenBSD: patch-build_top_mk,v 1.5 2008/01/14 21:01:11 mbalmer Exp $
---- build/top.mk.orig Wed Jan 3 00:42:47 2007
-+++ build/top.mk Mon Jan 14 11:55:23 2008
-@@ -121,7 +121,7 @@ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
+--- build/top.mk.orig Mon Jul 6 21:22:52 2009
++++ build/top.mk Mon Nov 2 12:09:42 2009
+@@ -122,7 +122,7 @@ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
 $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
 LTINSTALL = $(LIBTOOL) --mode=install $(INSTALL)
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure 14 Jan 2008 21:01:11 -0000 1.4
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,30 +0,0 @@ -$OpenBSD: patch-configure,v 1.4 2008/01/14 21:01:11 mbalmer Exp $ ---- configure.orig Mon Oct 8 18:38:57 2007 -+++ configure Mon Jan 14 11:56:10 2008 -@@ -9502,7 +9502,6 @@ openbsd*) - *) need_version=no ;; - esac - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' -- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' - shlibpath_var=LD_LIBRARY_PATH - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - case $host_os in -@@ -35855,8 +35854,8 @@ cat >>conftest.$ac_ext <<_ACEOF - # define DB_VERSION_MINOR 0 - #endif - --/* require 4.2-4.5 */ --#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2) && (DB_VERSION_MINOR < 6) -+/* require 4.2-4.6 */ -+#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2) && (DB_VERSION_MINOR < 7) - __db_version_compat - #endif - -@@ -37236,6 +37235,7 @@ cat confdefs.h >>conftest.$ac_ext - cat >>conftest.$ac_ext <<_ACEOF - /* end confdefs.h. */ - -+#include <sys/types.h> - #include <tcpd.h> - int allow_severity = 0; - int deny_severity = 0; Index: patches/patch-configure_in =================================================================== RCS file: patches/patch-configure_in diff -N patches/patch-configure_in --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-configure_in 10 Nov 2010 14:01:44 -0000 
@@ -0,0 +1,20 @@
+$OpenBSD$
+--- configure.in.orig Wed Sep 30 02:24:39 2009
++++ configure.in Mon May 3 18:32:18 2010
+@@ -582,7 +582,7 @@ SLAPD_SQL_LIBS=
+ SLAPD_SQL_INCLUDES=
+ 
+ KRB4_LIBS=
+-KRB5_LIBS=
++KRB5_LIBS="-lgssapi -lkrb5 -lasn1 -lcom_err"
+ SASL_LIBS=
+ TLS_LIBS=
+ MODULES_LIBS=
+@@ -1901,6 +1901,7 @@ if test $ol_enable_wrappers != no ; then
+ save_LIBS="$LIBS"
+ LIBS="$LIBS -lwrap"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
+ #include <tcpd.h>
+ int allow_severity = 0;
+ int deny_severity = 0;
Index: patches/patch-libraries_libldap_tls_c
===================================================================
RCS file: patches/patch-libraries_libldap_tls_c
diff -N patches/patch-libraries_libldap_tls_c
--- patches/patch-libraries_libldap_tls_c 4 Dec 2009 15:26:48 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
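Review bot: `KRB5_LIBS="-lgssapi -lkrb5 -lasn1 -lcom_err"` is an OpenBSD-specific override with no explanation in the patch; the previous port did the same with a `perl -pi` over configure in pre-configure, and the reason (link against the base heimdal, whose gssapi needs those four libs) lived only in that recipe, which this diff deletes. Add a comment line after `$OpenBSD$`, e.g. `link against base heimdal; configure's krb5 probe does not pick up the libs -lgssapi needs`. The `#include <sys/types.h>` ahead of `<tcpd.h>` in the libwrap probe deserves its own one-liner (presumably tcpd.h relies on types it does not include itself, which otherwise makes the probe fail and silently disables tcp_wrappers support); without it, a future updater may drop the hunk and lose `--enable-wrappers` without noticing.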
@@ -1,120 +0,0 @@ -$OpenBSD: patch-libraries_libldap_tls_c,v 1.1 2009/12/04 15:26:48 pea Exp $ ---- libraries/libldap/tls.c.orig Tue Feb 12 00:24:12 2008 -+++ libraries/libldap/tls.c Thu Dec 3 12:03:47 2009 -@@ -981,7 +981,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const - X509 *x; - const char *name; - char *ptr; -- int ntype = IS_DNS; -+ int ntype = IS_DNS, nlen; - #ifdef LDAP_PF_INET6 - struct in6_addr addr; - #else -@@ -995,6 +995,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const - } else { - name = name_in; - } -+ nlen = strlen(name); - - x = tls_get_cert((SSL *)s); - if (!x) { -@@ -1028,15 +1029,14 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const - ex = X509_get_ext(x, i); - alt = X509V3_EXT_d2i(ex); - if (alt) { -- int n, len1 = 0, len2 = 0; -+ int n, len2 = 0; - char *domain = NULL; - GENERAL_NAME *gn; - - if (ntype == IS_DNS) { -- len1 = strlen(name); - domain = strchr(name, '.'); - if (domain) { -- len2 = len1 - (domain-name); -+ len2 = nlen - (domain-name); - } - } - n = sk_GENERAL_NAME_num(alt); -@@ -1054,7 +1054,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const - if (sl == 0) continue; - - /* Is this an exact match? 
*/ -- if ((len1 == sl) && !strncasecmp(name, sn, len1)) { -+ if ((nlen == sl) && !strncasecmp(name, sn, nlen)) { - break; - } - -@@ -1094,13 +1094,28 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const - - if (ret != LDAP_SUCCESS) { - X509_NAME *xn; -- char buf[2048]; -- buf[0] = '\0'; -+ X509_NAME_ENTRY *ne; -+ ASN1_OBJECT *obj; -+ ASN1_STRING *cn = NULL; -+ int navas; - -+ /* find the last CN */ -+ obj = OBJ_nid2obj( NID_commonName ); -+ if ( !obj ) goto no_cn; /* should never happen */ -+ - xn = X509_get_subject_name(x); -- if( X509_NAME_get_text_by_NID( xn, NID_commonName, -- buf, sizeof(buf)) == -1) -+ navas = X509_NAME_entry_count( xn ); -+ for ( i=navas-1; i>=0; i-- ) { -+ ne = X509_NAME_get_entry( xn, i ); -+ if ( !OBJ_cmp( ne->object, obj )) { -+ cn = X509_NAME_ENTRY_get_data( ne ); -+ break; -+ } -+ } -+ -+ if( !cn ) - { -+no_cn: - Debug( LDAP_DEBUG_ANY, - "TLS: unable to get common name from peer certificate.\n", - 0, 0, 0 ); -@@ -1111,21 +1126,20 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const - ld->ld_error = LDAP_STRDUP( - _("TLS: unable to get CN from peer certificate")); - -- } else if (strcasecmp(name, buf) == 0 ) { -+ } else if ( cn->length == nlen && -+ strncasecmp( name, (char *) cn->data, nlen ) == 0 ) { - ret = LDAP_SUCCESS; - -- } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) { -+ } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) { - char *domain = strchr(name, '.'); - if( domain ) { -- size_t dlen = 0; -- size_t sl; -+ size_t dlen; - -- sl = strlen(name); -- dlen = sl - (domain-name); -- sl = strlen(buf); -+ dlen = nlen - (domain-name); - - /* Is this a wildcard match? 
*/
-- if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
-+ if ((dlen == cn->length-1) &&
-+ !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
- ret = LDAP_SUCCESS;
- }
- }
-@@ -1133,8 +1147,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const
- 
- if( ret == LDAP_LOCAL_ERROR ) {
- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
-- "common name in certificate (%s).\n",
-- name, buf, 0 );
-+ "common name in certificate (%.*s).\n",
-+ name, cn->length, cn->data );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
Index: patches/patch-servers_slapd_Makefile_in
===================================================================
RCS file: patches/patch-servers_slapd_Makefile_in
diff -N patches/patch-servers_slapd_Makefile_in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-servers_slapd_Makefile_in 10 Nov 2010 14:01:44 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- servers/slapd/Makefile.in.orig Tue Oct 19 13:18:41 2010
++++ servers/slapd/Makefile.in Tue Oct 19 13:19:40 2010
+@@ -432,8 +432,6 @@ install-db-config: FORCE
+ @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
+ $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
+- $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+ $(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+ 
+ install-tools: FORCE
Index: patches/patch-servers_slapd_dn_c
===================================================================
RCS file: /cvs/ports/databases/openldap/patches/patch-servers_slapd_dn_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-servers_slapd_dn_c
--- patches/patch-servers_slapd_dn_c 6 Aug 2010 02:52:05 -0000 1.1
+++ patches/patch-servers_slapd_dn_c 10 Nov 2010 14:01:44 -0000
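Review bot: The new patch-servers_slapd_Makefile_in removes the `DB_CONFIG.example` copy into `$(localstatedir)/openldap-data` but keeps the `@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data` line above it, so `make fake` still creates an empty `/var/openldap-data` in the fake tree while the PLIST in this same diff wants that directory created at install time via `@sample` with `@owner _openldap`; delete the mkdir line in the patch too (or keep the `rm -r ${DESTDIR}/var/openldap-data` that post-install used to do) so fake and PLIST describe the same tree. The patch also has no rationale after `$OpenBSD$`; a line such as `DB_CONFIG is shipped as an example and installed by @sample, do not populate localstatedir at build time` would tell the next updater why this hunk exists. The `install-db-config` target continues outside the hunk.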
@@ -6,31 +6,16 @@ Resolves CVE-2010-0211 and CVE-2010-0212 from upstream ---- servers/slapd/dn.c.orig Mon Feb 11 18:24:16 2008 -+++ servers/slapd/dn.c Tue Aug 3 10:24:27 2010 -@@ -352,12 +352,9 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ct - ava->la_attr = ad->ad_cname; - - if( ava->la_flags & LDAP_AVA_BINARY ) { -- if( ava->la_value.bv_len == 0 ) { -- /* BER encoding is empty */ -- return LDAP_INVALID_SYNTAX; -- } -+ /* AVA is binary encoded, not supported */ -+ return LDAP_INVALID_SYNTAX; - -- /* AVA is binary encoded, don't muck with it */ - } else if( flags & SLAP_LDAPDN_PRETTY ) { - transf = ad->ad_type->sat_syntax->ssyn_pretty; - if( !transf ) { -@@ -424,6 +421,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ct - ber_memfree_x( ava->la_value.bv_val, ctx ); - ava->la_value = bv; - ava->la_flags |= LDAP_AVA_FREE_VALUE; -+ } +--- servers/slapd/dn.c.orig Thu Jun 10 19:48:06 2010 ++++ servers/slapd/dn.c Tue Sep 7 15:11:59 2010 +@@ -380,6 +380,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ct + if (!ava->la_value.bv_len) { + return LDAP_INVALID_SYNTAX; + } + /* reject empty values */ + if (!ava->la_value.bv_len) { + return LDAP_INVALID_SYNTAX; - } ++ } } rc = LDAP_SUCCESS; + Index: patches/patch-servers_slapd_modrdn_c =================================================================== RCS file: patches/patch-servers_slapd_modrdn_c diff -N patches/patch-servers_slapd_modrdn_c --- patches/patch-servers_slapd_modrdn_c 6 Aug 2010 02:52:05 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
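Review bot: In the rewritten inner hunk `@@ -380,6 +380,10 @@` the three context lines ahead of the addition already read `if (!ava->la_value.bv_len) { return LDAP_INVALID_SYNTAX; }`, so as far as this diff shows the added `/* reject empty values */` block repeats a test 2.4.23 already performs at that point and the patch is a no-op; if that reading is wrong because the first check sits in a branch not every path reaches, the patch header should say so, since the next updater will otherwise drop it. The header kept above the hunk still claims `Resolves CVE-2010-0211 and CVE-2010-0212 from upstream`, yet the modrdn.c and schema_init.c parts of that fix (ITS#6570) are deleted in this same diff, presumably because 2.4.23 carries them upstream; either drop this patch as well or reword the header to describe what the residual hunk does (e.g. `reject empty RDN values after normalization; follow-up to the ITS#6570 fix in 2.4.23`). The `$OpenBSD`/`SECURITY FIX` lines of the patch file sit above this hunk.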
@@ -1,31 +0,0 @@ -$OpenBSD: patch-servers_slapd_modrdn_c,v 1.1 2010/08/06 02:52:05 william Exp $ - -SECURITY FIX - -Resolves CVE-2010-0211 and CVE-2010-0212 (ITS#6570) -from upstream - - ---- servers/slapd/modrdn.c.orig Mon Feb 11 18:24:16 2008 -+++ servers/slapd/modrdn.c Tue Aug 3 10:26:21 2010 -@@ -481,12 +481,19 @@ slap_modrdn2mods( - mod_tmp->sml_values[1].bv_val = NULL; - if( desc->ad_type->sat_equality->smr_normalize) { - mod_tmp->sml_nvalues = &mod_tmp->sml_values[2]; -- (void) (*desc->ad_type->sat_equality->smr_normalize)( -+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize( - SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, - desc->ad_type->sat_syntax, - desc->ad_type->sat_equality, - &mod_tmp->sml_values[0], - &mod_tmp->sml_nvalues[0], op->o_tmpmemctx ); -+ if (rs->sr_err != LDAP_SUCCESS) { -+ ch_free(mod_tmp->sml_nvalues); -+ ch_free(mod_tmp->sml_values[0].bv_val); -+ ch_free(mod_tmp->sml_values); -+ ch_free(mod_tmp); -+ goto done; -+ } - mod_tmp->sml_nvalues[1].bv_val = NULL; - } else { - mod_tmp->sml_nvalues = NULL; Index: patches/patch-servers_slapd_schema_init_c =================================================================== RCS file: patches/patch-servers_slapd_schema_init_c diff -N patches/patch-servers_slapd_schema_init_c --- patches/patch-servers_slapd_schema_init_c 6 Aug 2010 02:52:05 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,54 +0,0 @@ -$OpenBSD: patch-servers_slapd_schema_init_c,v 1.1 2010/08/06 02:52:05 william Exp $ - -SECURITY FIX - -Resolves CVE-2010-0211 and CVE-2010-0212 (ITS#6570) -from upstream - -Also cure a crash in IA5StringNormalize() by sync'ing it with the same -function from 2.4.23 - - ---- servers/slapd/schema_init.c.orig Mon Feb 11 18:24:17 2008 -+++ servers/slapd/schema_init.c Tue Aug 3 15:35:45 2010 -@@ -1439,8 +1439,9 @@ UTF8StringNormalize( - ? LDAP_UTF8_APPROX : 0; - - val = UTF8bvnormalize( val, &tmp, flags, ctx ); -+ /* out of memory or syntax error, the former is unlikely */ - if( val == NULL ) { -- return LDAP_OTHER; -+ return LDAP_INVALID_SYNTAX; - } - - /* collapse spaces (in place) */ -@@ -2101,14 +2102,18 @@ IA5StringNormalize( - char *p, *q; - int casefold = !SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match); - -- assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use )); -+ assert( SLAP_MR_IS_VALUE_OF_SYNTAX( use ) != 0); - - p = val->bv_val; - - /* Ignore initial whitespace */ - while ( ASCII_SPACE( *p ) ) p++; - -- normalized->bv_val = ber_strdup_x( p, ctx ); -+ normalized->bv_len = val->bv_len - ( p - val->bv_val ); -+ normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx ); -+ AC_MEMCPY( normalized->bv_val, p, normalized->bv_len ); -+ normalized->bv_val[normalized->bv_len] = '\0'; -+ - p = q = normalized->bv_val; - - while ( *p ) { -@@ -2137,7 +2142,7 @@ IA5StringNormalize( - * position. One is enough because the above loop collapsed - * all whitespace to a single space. - */ -- if ( ASCII_SPACE( q[-1] ) ) --q; -+ if ( q > normalized->bv_val && ASCII_SPACE( q[-1] ) ) --q; - - /* null terminate */ - *q = '\0'; Index: pkg/DESCR-server =================================================================== RCS file: /cvs/ports/databases/openldap/pkg/DESCR-server,v retrieving revision 1.3 diff -u -p -r1.3 DESCR-server --- pkg/DESCR-server 7 Nov 2005 15:59:08 -0000 1.3 +++ pkg/DESCR-server 10 Nov 2010 14:01:44 -0000 
@@ -9,6 +9,3 @@ is distributed under a Perl-style "Artis
 This is the server portion of OpenLDAP, it provides the server as well
 as various administrative binaries.
-
-Flavors:
- bdb enable the bdb and hdb backends
Index: pkg/MESSAGE-server
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/MESSAGE-server,v
retrieving revision 1.1
diff -u -p -r1.1 MESSAGE-server
--- pkg/MESSAGE-server 13 Feb 2008 09:45:54 -0000 1.1
+++ pkg/MESSAGE-server 10 Nov 2010 14:01:44 -0000
@@ -3,11 +3,3 @@ the following line to /etc/rc.conf.local
 slapd_flags="-u _openldap"
-and to /etc/rc.local (be sure to start it _before_ any daemon that may
-need it):
-
-if [ "$slapd_flags" != "NO" -a -x ${PREFIX}/libexec/slapd ]; then
- install -d -o _openldap /var/run/openldap
- ${PREFIX}/libexec/slapd $slapd_flags
- echo -n ' slapd'
-fi
Index: pkg/PFRAG.shared-main
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/PFRAG.shared-main,v
retrieving revision 1.1
diff -u -p -r1.1 PFRAG.shared-main
--- pkg/PFRAG.shared-main 25 Nov 2006 16:50:24 -0000 1.1
+++ pkg/PFRAG.shared-main 10 Nov 2010 14:01:44 -0000
@@ -1,7 +1,7 @@
 @comment $OpenBSD: PFRAG.shared-main,v 1.1 2006/11/25 16:50:24 espie Exp $
-...@lib lib/liblber-2.3.so.${LIBlber-2.3_VERSION}
+...@lib lib/liblber-2.4.so.${LIBlber-2.4_VERSION}
 @lib lib/liblber.so.${LIBlber_VERSION}
-...@lib lib/libldap-2.3.so.${LIBldap-2.3_VERSION}
+...@lib lib/libldap-2.4.so.${LIBldap-2.4_VERSION}
 @lib lib/libldap.so.${LIBldap_VERSION}
-...@lib lib/libldap_r-2.3.so.${LIBldap_r-2.3_VERSION}
+...@lib lib/libldap_r-2.4.so.${LIBldap_r-2.4_VERSION}
 @lib lib/libldap_r.so.${LIBldap_r_VERSION}
Index: pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/PLIST-main,v
retrieving revision 1.3
diff -u -p -r1.3 PLIST-main
--- pkg/PLIST-main 15 Jul 2008 18:25:53 -0000 1.3
+++ pkg/PLIST-main 10 Nov 2010 14:01:44 -0000
@@ -3,10 +3,12 @@
 bin/ldapadd
 @bin bin/ldapcompare
 @bin bin/ldapdelete
+...@bin bin/ldapexop
 @bin bin/ldapmodify
 @bin bin/ldapmodrdn
 @bin bin/ldappasswd
 @bin bin/ldapsearch
+...@bin bin/ldapurl
 @bin bin/ldapwhoami
 include/lber.h
 include/lber_types.h
@@ -25,10 +27,12 @@ lib/libldap_r.la
 @man man/man1/ldapadd.1
 @man man/man1/ldapcompare.1
 @man man/man1/ldapdelete.1
+...@man man/man1/ldapexop.1
 @man man/man1/ldapmodify.1
 @man man/man1/ldapmodrdn.1
 @man man/man1/ldappasswd.1
 @man man/man1/ldapsearch.1
+...@man man/man1/ldapurl.1
 @man man/man1/ldapwhoami.1
 @man man/man3/ber_alloc_t.3
 @man man/man3/ber_bvarray_add.3
@@ -68,6 +72,7 @@ lib/libldap_r.la
 @man man/man3/lber-decode.3
 @man man/man3/lber-encode.3
 @man man/man3/lber-memory.3
+...@man man/man3/lber-sockbuf.3
 @man man/man3/lber-types.3
 @man man/man3/ld_errno.3
 @man man/man3/ldap.3
@@ -86,6 +91,13 @@ lib/libldap_r.la
 @man man/man3/ldap_compare_ext.3
 @man man/man3/ldap_compare_ext_s.3
 @man man/man3/ldap_compare_s.3
+...@man man/man3/ldap_control_create.3
+...@man man/man3/ldap_control_dup.3
+...@man man/man3/ldap_control_find.3
+...@man man/man3/ldap_control_free.3
+...@man man/man3/ldap_controls.3
+...@man man/man3/ldap_controls_dup.3
+...@man man/man3/ldap_controls_free.3
 @man man/man3/ldap_count_entries.3
 @man man/man3/ldap_count_messages.3
 @man man/man3/ldap_count_references.3
@@ -105,19 +117,30 @@ lib/libldap_r.la
 @man man/man3/ldap_error.3
 @man man/man3/ldap_explode_dn.3
 @man man/man3/ldap_explode_rdn.3
+...@man man/man3/ldap_extended_operation.3
+...@man man/man3/ldap_extended_operation_s.3
 @man man/man3/ldap_first_attribute.3
 @man man/man3/ldap_first_entry.3
 @man man/man3/ldap_first_message.3
 @man man/man3/ldap_first_reference.3
 @man man/man3/ldap_free_urldesc.3
 @man man/man3/ldap_get_dn.3
+...@man man/man3/ldap_get_option.3
 @man man/man3/ldap_get_values.3
 @man man/man3/ldap_get_values_len.3
 @man man/man3/ldap_init.3
+...@man man/man3/ldap_initialize.3
+...@man man/man3/ldap_install_tls.3
 @man man/man3/ldap_is_ldap_url.3
 @man man/man3/ldap_matchingrule2name.3
 @man man/man3/ldap_matchingrule2str.3
 @man man/man3/ldap_matchingrule_free.3
+...@man man/man3/ldap_memalloc.3
+...@man man/man3/ldap_memcalloc.3
+...@man man/man3/ldap_memfree.3
+...@man man/man3/ldap_memory.3
+...@man man/man3/ldap_memrealloc.3
+...@man man/man3/ldap_memvfree.3
 @man man/man3/ldap_modify.3
 @man man/man3/ldap_modify_ext.3
 @man man/man3/ldap_modify_ext_s.3
@@ -142,7 +165,11 @@ lib/libldap_r.la
 @man man/man3/ldap_parse_reference.3
 @man man/man3/ldap_parse_result.3
 @man man/man3/ldap_parse_sasl_bind_result.3
+...@man man/man3/ldap_parse_sort_control.3
+...@man man/man3/ldap_parse_vlv_control.3
 @man man/man3/ldap_perror.3
+...@man man/man3/ldap_rename.3
+...@man man/man3/ldap_rename_s.3
 @man man/man3/ldap_result.3
 @man man/man3/ldap_result2error.3
 @man man/man3/ldap_sasl_bind.3
@@ -154,20 +181,28 @@ lib/libldap_r.la
 @man man/man3/ldap_search_ext_s.3
 @man man/man3/ldap_search_s.3
 @man man/man3/ldap_search_st.3
+...@man man/man3/ldap_set_option.3
+...@man man/man3/ldap_set_rebind_proc.3
 @man man/man3/ldap_simple_bind.3
 @man man/man3/ldap_simple_bind_s.3
 @man man/man3/ldap_sort.3
 @man man/man3/ldap_sort_entries.3
 @man man/man3/ldap_sort_strcasecmp.3
 @man man/man3/ldap_sort_values.3
+...@man man/man3/ldap_start_tls.3
+...@man man/man3/ldap_start_tls_s.3
 @man man/man3/ldap_str2attributetype.3
 @man man/man3/ldap_str2dn.3
 @man man/man3/ldap_str2matchingrule.3
 @man man/man3/ldap_str2objectclass.3
 @man man/man3/ldap_str2syntax.3
+...@man man/man3/ldap_strdup.3
+...@man man/man3/ldap_sync.3
 @man man/man3/ldap_syntax2name.3
 @man man/man3/ldap_syntax2str.3
 @man man/man3/ldap_syntax_free.3
+...@man man/man3/ldap_tls.3
+...@man man/man3/ldap_tls_inplace.3
 @man man/man3/ldap_unbind.3
 @man man/man3/ldap_unbind_ext.3
 @man man/man3/ldap_unbind_ext_s.3
@@ -178,20 +213,7 @@ lib/libldap_r.la
 @man man/man3/ldap_value_free_len.3
 @man man/man5/ldap.conf.5
 @man man/man5/ldif.5
-...@man man/man5/slapo-accesslog.5
-...@man man/man5/slapo-auditlog.5
-...@man man/man5/slapo-chain.5
-...@man man/man5/slapo-dynlist.5
-...@man man/man5/slapo-lastmod.5
-...@man man/man5/slapo-pcache.5
-...@man man/man5/slapo-ppolicy.5
-...@man man/man5/slapo-refint.5
-...@man man/man5/slapo-retcode.5
-...@man man/man5/slapo-rwm.5
-...@man man/man5/slapo-syncprov.5
-...@man man/man5/slapo-translucent.5
-...@man man/man5/slapo-unique.5
-...@man man/man5/slapo-valsort.5
+...@man man/man5/slapo-pbind.5
 share/examples/openldap/
 @sample ${SYSCONFDIR}/openldap/
 share/examples/openldap/ldap.conf
Index: pkg/PLIST-server
===================================================================
RCS file: /cvs/ports/databases/openldap/pkg/PLIST-server,v
retrieving revision 1.18
diff -u -p -r1.18 PLIST-server
--- pkg/PLIST-server 21 Aug 2009 13:21:19 -0000 1.18
+++ pkg/PLIST-server 10 Nov 2010 14:01:44 -0000
@@ -1,10 +1,12 @@
 @comment $OpenBSD: PLIST-server,v 1.18 2009/08/21 13:21:19 ajacoutot Exp $
 @conflict openldap-client->=2.3.11,<=2.3.11p3
+...@pkgpath databases/openldap,-server,bdb
+...@ask-update openldap-server-<2.4 Make sure your existing database is backed up
 @newgroup _openldap:544
 @newuser _openldap:544:_openldap:daemon:OpenLDAP Account:/nonexistent:/sbin/nologin
 @bin libexec/slapd
-...@bin libexec/slurpd
 @man man/man5/slapd-bdb.5
+...@man man/man5/slapd-config.5
 @man man/man5/slapd-dnssrv.5
 @man man/man5/slapd-hdb.5
 @man man/man5/slapd-ldap.5
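Review bot: `@man man/man5/slapo-pbind.5` is added to PLIST-main in the same hunk that removes every other `slapo-*.5` overlay page from the client package (they reappear in PLIST-server further down), so the -client package ends up shipping exactly one server overlay man page; unless that is deliberate, move it into the `slapo-*` run of PLIST-server alongside the others. The client package contains no slapd, so the page is of no use there and the inconsistency will confuse the next update-plist run.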
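Review bot: The `@ask-update openldap-server-<2.4 Make sure your existing database is backed up` prompt is the last moment an admin can abort, yet it does not say why: per the cover mail the ldbm backend is gone in 2.4, so an ldbm database cannot be opened by the new slapd and has to be exported with slapcat beforehand and reloaded into bdb/hdb with slapadd afterwards. Make the prompt say that, e.g. `@ask-update openldap-server-<2.4 ldbm backend removed in 2.4: slapcat your database before updating, it must be reloaded into bdb/hdb afterwards`. `@pkgpath databases/openldap,-server,bdb` correctly maps the old bdb flavor onto this package; the old unflavored (ldbm) package is the one that actually loses its backend, so check that the prompt fires on that update path as well.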
@@ -12,17 +14,38 @@
 @man man/man5/slapd-ldif.5
 @man man/man5/slapd-meta.5
 @man man/man5/slapd-monitor.5
+...@man man/man5/slapd-ndb.5
 @man man/man5/slapd-null.5
 @man man/man5/slapd-passwd.5
 @man man/man5/slapd-perl.5
 @man man/man5/slapd-relay.5
 @man man/man5/slapd-shell.5
+...@man man/man5/slapd-sock.5
 @man man/man5/slapd-sql.5
-...@man man/man5/slapd-tcl.5
 @man man/man5/slapd.access.5
+...@man man/man5/slapd.backends.5
 @man man/man5/slapd.conf.5
+...@man man/man5/slapd.overlays.5
 @man man/man5/slapd.plugin.5
-...@man man/man5/slapd.replog.5
+...@man man/man5/slapo-accesslog.5
+...@man man/man5/slapo-auditlog.5
+...@man man/man5/slapo-chain.5
+...@man man/man5/slapo-collect.5
+...@man man/man5/slapo-constraint.5
+...@man man/man5/slapo-dds.5
+...@man man/man5/slapo-dyngroup.5
+...@man man/man5/slapo-dynlist.5
+...@man man/man5/slapo-memberof.5
+...@man man/man5/slapo-pcache.5
+...@man man/man5/slapo-ppolicy.5
+...@man man/man5/slapo-refint.5
+...@man man/man5/slapo-retcode.5
+...@man man/man5/slapo-rwm.5
+...@man man/man5/slapo-sssvlv.5
+...@man man/man5/slapo-syncprov.5
+...@man man/man5/slapo-translucent.5
+...@man man/man5/slapo-unique.5
+...@man man/man5/slapo-valsort.5
 @man man/man8/slapacl.8
 @man man/man8/slapadd.8
 @man man/man8/slapauth.8
@@ -31,8 +54,8 @@
 @man man/man8/slapdn.8
 @man man/man8/slapindex.8
 @man man/man8/slappasswd.8
+...@man man/man8/slapschema.8
 @man man/man8/slaptest.8
-...@man man/man8/slurpd.8
 sbin/slapacl
 sbin/slapadd
 sbin/slapauth
@@ -40,15 +63,27 @@ sbin/slapcat
 sbin/slapdn
 sbin/slapindex
 sbin/slappasswd
+sbin/slapschema
 sbin/slaptest
+...@mode 700
+...@owner _openldap
+...@sample /var/openldap-data/
+...@group _openldap
+share/examples/openldap/DB_CONFIG
+...@sample /var/openldap-data/DB_CONFIG
+...@mode
+...@owner
+...@group
 share/examples/openldap/schema/
 @sample ${SYSCONFDIR}/openldap/schema/
+share/examples/openldap/schema/collective.schema
 share/examples/openldap/schema/corba.schema
 @sample ${SYSCONFDIR}/openldap/schema/corba.schema
 share/examples/openldap/schema/core.schema
 @sample ${SYSCONFDIR}/openldap/schema/core.schema
 share/examples/openldap/schema/cosine.schema
 @sample ${SYSCONFDIR}/openldap/schema/cosine.schema
+share/examples/openldap/schema/duaconf.schema
 share/examples/openldap/schema/dyngroup.schema
 @sample ${SYSCONFDIR}/openldap/schema/dyngroup.schema
 share/examples/openldap/schema/inetorgperson.schema
@@ -61,6 +96,7 @@ share/examples/openldap/schema/nis.schem
 @sample ${SYSCONFDIR}/openldap/schema/nis.schema
 share/examples/openldap/schema/openldap.schema
 @sample ${SYSCONFDIR}/openldap/schema/openldap.schema
+share/examples/openldap/schema/pmi.schema
 share/examples/openldap/schema/ppolicy.schema
 @sample ${SYSCONFDIR}/openldap/schema/ppolicy.schema
 @mode 0640
@@ -69,10 +105,4 @@ share/examples/openldap/slapd.conf
 @sample ${SYSCONFDIR}/openldap/slapd.conf
 @mode
 @group
-...@mode 700
-...@owner _openldap
-...@group _openldap
-...@sample /var/openldap-data/
-...@sample /var/openldap-slurp/
-share/examples/openldap/DB_CONFIG
-...@sample /var/openldap-data/DB_CONFIG
+...@rcscript ${RCDIR}/slapd
Index: pkg/slapd.rc
===================================================================
RCS file: pkg/slapd.rc
diff -N pkg/slapd.rc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pkg/slapd.rc 10 Nov 2010 14:01:44 -0000
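Review bot: `@group _openldap` now comes after `@sample /var/openldap-data/` instead of before it as in the block this diff removes at the end of the file, so the data directory is created with owner _openldap, mode 700 and the default group, and only DB_CONFIG gets group _openldap. Unless that is deliberate, move `@group _openldap` up next to `@owner _openldap` so directory and file carry the same ownership. `collective.schema`, `duaconf.schema` and `pmi.schema` are also listed without the `@sample ${SYSCONFDIR}/openldap/schema/...` line every other schema has; if they are meant to land in ${SYSCONFDIR} like the rest, add those lines, otherwise a `@comment` saying they ship as examples only would spare the next updater the question.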
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# $OpenBSD$
+
+. /etc/rc.d/rc.subr
+
+daemon="${TRUEPREFIX}/libexec/slapd"
+
+rc_reload() {
+ rc_err "$0: reload is not supported"
+}
+
+rc_cmd $1
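Review bot: The rc script never recreates `/var/run/openldap`, which the rc.local snippet deleted from MESSAGE-server in this same diff used to create with `install -d -o _openldap /var/run/openldap` before starting slapd; if the shipped slapd.conf still points its pidfile/argsfile there, slapd will fail to start after a reboot because /var/run is cleared. It also carries no default for `-u _openldap`, so anyone who enables the service without copying the line from MESSAGE-server runs slapd as root; if the rc.subr of the target release honours a script-level `daemon_flags` as the default when `slapd_flags` is unset in rc.conf.local, set it here. `daemon=` is assigned after `. /etc/rc.d/rc.subr` whereas the usual template sets it first; check that rc.subr does not evaluate `$daemon` while being sourced. If that rc.subr supports it, `rc_reload=NO` is the idiom for the unsupported-reload case rather than a function calling `rc_err`.
```shell
daemon="${TRUEPREFIX}/libexec/slapd"
daemon_flags="-u _openldap"

. /etc/rc.d/rc.subr

rc_pre() {
	install -d -o _openldap /var/run/openldap
}

# … unchanged: rc_reload, rc_cmd $1 …
```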