[oe] [meta-oe][PATCH] openldap: fix CVE-2015-3276

wenzong.fan at windriver.com
Wed Sep 14 06:25:32 UTC 2016


From: Li Wang <li.wang at windriver.com>

The patch comes from:
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
https://bugzilla.redhat.com/attachment.cgi?id=1055640

The nss_parse_ciphers function in libraries/libldap/tls_m.c in
OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
cipher strings, which might cause a weaker than intended cipher to
be used and allow remote attackers to have unspecified impact via
unknown vectors.

Signed-off-by: Li Wang <li.wang at windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
 .../openldap/openldap/openldap-CVE-2015-3276.patch | 59 ++++++++++++++++++++++
 .../recipes-support/openldap/openldap_2.4.44.bb    |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch

diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
new file mode 100644
index 0000000..de9ca52
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+
+Signed-off-by: Li Wang <li.wang at windriver.com>
+---
+ libraries/libldap/tls_m.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 			 */
+ 			if (mask || strength || protocol) {
+ 				for (i=0; i<ciphernum; i++) {
+-					if (((ciphers_def[i].attr & mask) ||
+-						 (ciphers_def[i].strength & strength) ||
+-						 (ciphers_def[i].version & protocol)) &&
+-						(cipher_list[i] != -1)) {
+-						/* Enable the NULL ciphers only if explicity
+-						 * requested */
+-						if (ciphers_def[i].attr & SSL_eNULL) {
+-							if (mask & SSL_eNULL)
+-								cipher_list[i] = action;
+-						} else
++					/* if more than one mask is provided
++					 * then AND logic applies (to match openssl)
++					 */
++					if ( cipher_list[i] == -1) )
++						continue;
++					if ( mask && ! (ciphers_def[i].attr & mask) )
++						continue;
++					if ( strength && ! (ciphers_def[i].strength & strength) )
++						continue;
++					if ( protocol && ! (ciphers_def[i].version & protocol) )
++						continue;
++					/* Enable the NULL ciphers only if explicity requested */
++					if (ciphers_def[i].attr & SSL_eNULL) {
++						if (mask & SSL_eNULL)
+ 							cipher_list[i] = action;
+-					}
++					} else
++						cipher_list[i] = action;
+ 				}
+ 			} else {
+ 				for (i=0; i<ciphernum; i++) {
+-- 
+1.7.9.5
+
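Review bot: the new guard `+					if ( cipher_list[i] == -1) )` carries an unbalanced closing parenthesis, so tls_m.c will not compile once this patch is applied; it needs to be `if ( cipher_list[i] == -1 )`. The patch header also has no Upstream-Status: or CVE: tag, which meta-oe expects on backported fixes (Upstream-Status: Backport with the two bugzilla URLs already listed, plus `CVE: CVE-2015-3276` so cve-check can account for the fix). Since nss_parse_ciphers() in tls_m.c belongs to the Mozilla NSS TLS backend, the corrected AND matching only takes effect when openldap is configured with that backend, so it is worth confirming which TLS backend the recipe selects. The comment typo "explicity" is carried over from the original code and is harmless.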
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
index 48e9066..41f753e 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
     file://initscript \
     file://slapd.service \
     file://thread_stub.patch \
+    file://openldap-CVE-2015-3276.patch \
 "
 
 SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51"
-- 
2.8.1
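The description above says multi-keyword (`+`-joined) cipher strings were matched with OR instead of AND, so a group like "kRSA+HIGH" could enable ciphers weaker than intended. As an added example, not code from the patch, OpenLDAP or the Red Hat bug, the following C model of the nss_parse_ciphers() selection loop shows the effect of the pre-patch and patched logic on a constructed cipher table; the flag bits, cipher names and table are assumptions for illustration.

```c
/* Added model (not OpenLDAP code) of the cipher-selection loop in
 * nss_parse_ciphers(): or_logic == 1 reproduces the pre-patch OR matching
 * behind CVE-2015-3276, or_logic == 0 the patched AND matching. */
enum { ATTR_kRSA = 0x01, ATTR_AES = 0x02, ATTR_eNULL = 0x04,   /* constructed bits */
       STR_HIGH = 0x10, STR_LOW = 0x20, VER_TLS1 = 0x40, VER_SSL3 = 0x80 };

struct cipher_def { const char *name; int attr; int strength; int version; };

static const struct cipher_def ciphers_def[] = {   /* constructed table */
    { "AES128-SHA",   ATTR_kRSA | ATTR_AES,   STR_HIGH, VER_TLS1 },
    { "DES-CBC-SHA",  ATTR_kRSA,              STR_LOW,  VER_SSL3 },
    { "NULL-SHA",     ATTR_kRSA | ATTR_eNULL, STR_LOW,  VER_SSL3 },
    { "ECDHE-AES128", ATTR_AES,               STR_HIGH, VER_TLS1 },
};
#define ciphernum ((int)(sizeof ciphers_def / sizeof ciphers_def[0]))

/* Applies one '+'-joined keyword group (mask/strength/protocol, 0 = keyword
 * not given) and returns a bitmask of the cipher indexes that get enabled. */
unsigned select_ciphers(int mask, int strength, int protocol, int or_logic)
{
    unsigned enabled = 0;
    int i, match;

    for (i = 0; i < ciphernum; i++) {
        if (or_logic)   /* pre-patch: any one keyword matching is enough */
            match = (ciphers_def[i].attr & mask) ||
                    (ciphers_def[i].strength & strength) ||
                    (ciphers_def[i].version & protocol);
        else            /* patched: every keyword that was given must hold */
            match = (!mask || (ciphers_def[i].attr & mask)) &&
                    (!strength || (ciphers_def[i].strength & strength)) &&
                    (!protocol || (ciphers_def[i].version & protocol));
        /* NULL ciphers are enabled only when eNULL is named explicitly */
        if ((ciphers_def[i].attr & ATTR_eNULL) && !(mask & ATTR_eNULL))
            match = 0;
        if (match)
            enabled |= 1u << i;
    }
    return enabled;
}

/* Returns 1 if the selection contains a LOW-strength cipher: the "weaker
 * than intended cipher" outcome described in the CVE text. */
int enables_low_cipher(unsigned enabled)
{
    int i, low = 0;
    for (i = 0; i < ciphernum; i++)
        low |= ((enabled >> i) & 1) && (ciphers_def[i].strength & STR_LOW);
    return low;
}
```

For the group "kRSA+HIGH" the pre-patch OR logic also enables the LOW-strength DES-CBC-SHA entry and the non-kRSA ECDHE entry, while the patched AND logic keeps only AES128-SHA; single-keyword groups select the same set under both.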

More information about the Openembedded-devel mailing list