openldap: fix CVE-2015-3276

the patch comes from: https://bugzilla.redhat.com/show_bug.cgi?id=1238322 https://bugzilla.redhat.com/attachment.cgi?id=1055640 The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Li Wang <li.wang@windriver.com> 2016-09-14 02:25:32 -0400
committer: Martin Jansa <Martin.Jansa@gmail.com> 2016-09-19 16:24:10 +0200
commit: 24e387aaf78bc0f68a46abb1fab3a76364804bd1 (patch)
tree: 73a6690c21239d402ba05063be88ad1bdccdeb44
parent: 14a532d78309768756403efb3491f514af7dcdf7 (diff)
download: meta-openembedded-24e387aaf78bc0f68a46abb1fab3a76364804bd1.tar.gz
2 files changed, 60 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
new file mode 100644
index 0000000000..de9ca528a2
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libraries/libldap/tls_m.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+                         */
+                        if (mask || strength || protocol) {
+                                for (i=0; i<ciphernum; i++) {
+-                                       if (((ciphers_def[i].attr & mask) ||
+-                                                (ciphers_def[i].strength & strength) ||
+-                                                (ciphers_def[i].version & protocol)) &&
+-                                               (cipher_list[i] != -1)) {
+-                                               /* Enable the NULL ciphers only if explicity
+-                                                * requested */
+-                                               if (ciphers_def[i].attr & SSL_eNULL) {
+-                                                       if (mask & SSL_eNULL)
+-                                                               cipher_list[i] = action;
+-                                               } else
+                                       /* if more than one mask is provided
+                                        * then AND logic applies (to match openssl)
+                                        */
+                                       if ( cipher_list[i] == -1) )
+                                               continue;
+                                       if ( mask && ! (ciphers_def[i].attr & mask) )
+                                               continue;
+                                       if ( strength && ! (ciphers_def[i].strength & strength) )
+                                               continue;
+                                       if ( protocol && ! (ciphers_def[i].version & protocol) )
+                                               continue;
+                                       /* Enable the NULL ciphers only if explicity requested */
+                                       if (ciphers_def[i].attr & SSL_eNULL) {
+                                               if (mask & SSL_eNULL)
+                                                        cipher_list[i] = action;
+-                                       }
+                                       } else
+                                               cipher_list[i] = action;
+                                }
+                        } else {
+                                for (i=0; i<ciphernum; i++) {
+-- 
+1.7.9.5
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
index 48e9066f9f..41f753e987 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
    file://initscript \
    file://slapd.service \
    file://thread_stub.patch \
+    file://openldap-CVE-2015-3276.patch \
 "
 SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51"
author	Li Wang <li.wang@windriver.com>	2016-09-14 02:25:32 -0400
committer	Martin Jansa <Martin.Jansa@gmail.com>	2016-09-19 16:24:10 +0200
commit	24e387aaf78bc0f68a46abb1fab3a76364804bd1 (patch)
tree	73a6690c21239d402ba05063be88ad1bdccdeb44
parent	14a532d78309768756403efb3491f514af7dcdf7 (diff)
download	meta-openembedded-24e387aaf78bc0f68a46abb1fab3a76364804bd1.tar.gz

diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch new file mode 100644 index 0000000000..de9ca528a2 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
		1	openldap CVE-2015-3276
		2
		3	the patch comes from:
		4	https://bugzilla.redhat.com/show_bug.cgi?id=1238322
		5	https://bugzilla.redhat.com/attachment.cgi?id=1055640
		6
		7	The nss_parse_ciphers function in libraries/libldap/tls_m.c in
		8	OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
		9	cipher strings, which might cause a weaker than intended cipher to
		10	be used and allow remote attackers to have unspecified impact via
		11	unknown vectors.
		12
		13	Signed-off-by: Li Wang <li.wang@windriver.com>
		14	---
		15	libraries/libldap/tls_m.c \| 27 ++++++++++++++++-----------
		16	1 file changed, 16 insertions(+), 11 deletions(-)
		17
		18	diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
		19	index 9b101f9..e6f3051 100644
		20	--- a/libraries/libldap/tls_m.c
		21	+++ b/libraries/libldap/tls_m.c
		22	@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
		23	*/
		24	if (mask \|\| strength \|\| protocol) {
		25	for (i=0; i<ciphernum; i++) {
		26	- if (((ciphers_def[i].attr & mask) \|\|
		27	- (ciphers_def[i].strength & strength) \|\|
		28	- (ciphers_def[i].version & protocol)) &&
		29	- (cipher_list[i] != -1)) {
		30	- /* Enable the NULL ciphers only if explicity
		31	- * requested */
		32	- if (ciphers_def[i].attr & SSL_eNULL) {
		33	- if (mask & SSL_eNULL)
		34	- cipher_list[i] = action;
		35	- } else
		36	+ /* if more than one mask is provided
		37	+ * then AND logic applies (to match openssl)
		38	+ */
		39	+ if ( cipher_list[i] == -1) )
		40	+ continue;
		41	+ if ( mask && ! (ciphers_def[i].attr & mask) )
		42	+ continue;
		43	+ if ( strength && ! (ciphers_def[i].strength & strength) )
		44	+ continue;
		45	+ if ( protocol && ! (ciphers_def[i].version & protocol) )
		46	+ continue;
		47	+ /* Enable the NULL ciphers only if explicity requested */
		48	+ if (ciphers_def[i].attr & SSL_eNULL) {
		49	+ if (mask & SSL_eNULL)
		50	cipher_list[i] = action;
		51	- }
		52	+ } else
		53	+ cipher_list[i] = action;
		54	}
		55	} else {
		56	for (i=0; i<ciphernum; i++) {
		57	--
		58	1.7.9.5
		59


diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb index 48e9066f9f..41f753e987 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
24	file://initscript \	24	file://initscript \
25	file://slapd.service \	25	file://slapd.service \
26	file://thread_stub.patch \	26	file://thread_stub.patch \
		27	file://openldap-CVE-2015-3276.patch \
27	"	28	"
28		29
29	SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51"	30	SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51"