[Pkg-freeipa-devel] Bug#1135820: trixie-pu: package 389-ds-base/3.1.2+dfsg1-1.1
Adrian Bunk
bunk at debian.org
Wed May 6 09:12:42 BST 2026
Package: release.debian.org
Severity: normal
Tags: trixie moreinfo
X-Debbugs-Cc: 389-ds-base at packages.debian.org, security at debian.org
Control: affects -1 + src:389-ds-base
User: release.debian.org at packages.debian.org
Usertags: pu
* Fix CVE-2025-14905. (Closes: #1130910)
Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
-------------- next part --------------
diffstat for 389-ds-base-3.1.2+dfsg1 389-ds-base-3.1.2+dfsg1
changelog | 9 ++
patches/0001-Security-fix-for-CVE-2025-14905.patch | 93 +++++++++++++++++++++
patches/series | 1
3 files changed, 103 insertions(+)
diff -Nru 389-ds-base-3.1.2+dfsg1/debian/changelog 389-ds-base-3.1.2+dfsg1/debian/changelog
--- 389-ds-base-3.1.2+dfsg1/debian/changelog 2025-04-10 14:06:13.000000000 +0300
+++ 389-ds-base-3.1.2+dfsg1/debian/changelog 2026-05-05 10:09:43.000000000 +0300
@@ -1,3 +1,12 @@
+389-ds-base (3.1.2+dfsg1-1.1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ Timo Aaltonen ]
+ * patches: Fix CVE-2025-14905. (Closes: #1130910)
+
+ -- Adrian Bunk <bunk at debian.org> Tue, 05 May 2026 10:09:43 +0300
+
389-ds-base (3.1.2+dfsg1-1) unstable; urgency=medium
* New upstream release.
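Review bot: The version on the first added line, 3.1.2+dfsg1-1.1, uses the NMU suffix although the target distribution is trixie; stable updates conventionally take a +deb13u1 style suffix (3.1.2+dfsg1-1+deb13u1), which also sorts below any later -1.1 upload of the same upstream version. If the security team takes this as a DSA rather than a point-release update, the distribution field would need to be trixie-security. The entry could also say what the patch fixes (the heap buffer overflow addressed in ldap/servers/slapd/schema.c) rather than only the CVE number.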
diff -Nru 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch
--- 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch 1970-01-01 02:00:00.000000000 +0200
+++ 389-ds-base-3.1.2+dfsg1/debian/patches/0001-Security-fix-for-CVE-2025-14905.patch 2026-05-05 10:08:45.000000000 +0300
@@ -0,0 +1,93 @@
+From e2562f5894dd05a3b062e7820f471f2f8e12b85d Mon Sep 17 00:00:00 2001
+From: tbordaz <tbordaz at redhat.com>
+Date: Wed, 25 Feb 2026 14:06:42 +0100
+Subject: [PATCH] Security fix for CVE-2025-14905
+
+Description:
+ A vulnerability was found in the 389 Directory Server.
+ The 389 Directory Server present a risk of heap buffer overflow that
+ can be exploited to excute a Denial of Service and potential Remote
+ Code Execution
+
+References:
+ - https://access.redhat.com/security/cve/CVE-2025-14905
+ - https://bugzilla.redhat.com/show_bug.cgi?id=2423624
+---
+ ldap/servers/slapd/schema.c | 47 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 9 deletions(-)
+
+diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
+index 9ef4ee4bf..7712a720d 100644
+--- a/ldap/servers/slapd/schema.c
++++ b/ldap/servers/slapd/schema.c
+@@ -1410,6 +1410,7 @@ schema_attr_enum_callback(struct asyntaxinfo *asip, void *arg)
+ const char *attr_desc, *syntaxoid;
+ char *outp, syntaxlengthbuf[128];
+ int i;
++ int nb_aliases = 0;
+
+ vals[0] = &val;
+
+@@ -1435,6 +1436,7 @@ schema_attr_enum_callback(struct asyntaxinfo *asip, void *arg)
+ if (asip->asi_aliases != NULL) {
+ for (i = 0; asip->asi_aliases[i] != NULL; ++i) {
+ aliaslen += strlen(asip->asi_aliases[i]);
++ nb_aliases++;
+ }
+ }
+
+@@ -1452,15 +1454,42 @@ schema_attr_enum_callback(struct asyntaxinfo *asip, void *arg)
+ * XXX: 256 is a magic number... it must be big enough to account for
+ * all of the fixed sized items we output.
+ */
+- sizedbuffer_allocate(aew->psbAttrTypes, 256 + strlen(asip->asi_oid) +
+- strlen(asip->asi_name) +
+- aliaslen + strlen_null_ok(attr_desc) +
+- strlen(syntaxoid) +
+- strlen_null_ok(asip->asi_superior) +
+- strlen_null_ok(asip->asi_mr_equality) +
+- strlen_null_ok(asip->asi_mr_ordering) +
+- strlen_null_ok(asip->asi_mr_substring) +
+- strcat_extensions(NULL, asip->asi_extensions));
++ {
++ int asi_oid_strlen = strlen(asip->asi_oid) + 8; /* "( %s NAME " */
++ int asi_name_strlen = strlen(asip->asi_name) + 6; /* "( '%s' ...)" */
++ int asi_aliases_strlen = aliaslen + nb_aliases * 3; /* "'%s' " */
++ int asi_desc_strlen = strlen_null_ok(attr_desc) + 7; /* "DESC '%s'" */
++ int asi_syntaxoid_strlen = strlen("SYNTAX ") + strlen(syntaxoid) + strlen(syntaxlengthbuf);
++ int asi_superior_strlen = strlen("SUP ") + strlen_null_ok(asip->asi_superior);
++ int asi_mr_equality_strlen = strlen("EQUALITY ") + strlen_null_ok(asip->asi_mr_equality);
++ int asi_mr_ordering_strlen = strlen("ORDERING ") + strlen_null_ok(asip->asi_mr_ordering);
++ int asi_mr_substring_strlen = strlen("SUBSTR ") + strlen_null_ok(asip->asi_mr_substring);
++ int asi_flags_strlen = strlen("SINGLE-VALUE ") +
++ strlen(schema_obsolete_with_spaces) +
++ strlen(schema_collective_with_spaces) +
++ strlen(schema_nousermod_with_spaces) +
++ strlen("USAGE distributedOperation ") +
++ strlen("USAGE dSAOperation ") +
++ strlen("USAGE directoryOperation ");
++ int asi_extension_strlen = strcat_extensions(NULL, asip->asi_extensions);
++
++ if (aew->enquote_sup_oc) {
++ /* it enquote the syntax oid */
++ asi_syntaxoid_strlen += 2;
++ }
++
++ sizedbuffer_allocate(aew->psbAttrTypes, 256 + asi_oid_strlen +
++ asi_name_strlen +
++ asi_aliases_strlen +
++ asi_desc_strlen +
++ asi_syntaxoid_strlen +
++ asi_superior_strlen +
++ asi_mr_equality_strlen +
++ asi_mr_ordering_strlen +
++ asi_mr_substring_strlen +
++ asi_extension_strlen +
++ asi_flags_strlen);
++ }
+
+ /*
+ * Overall strategy is to maintain a pointer to the next location in
+--
+2.53.0
+
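Review bot: In the new sizing block of schema_attr_enum_callback, the `if (aew->enquote_sup_oc)` branch adds 2 only to asi_syntaxoid_strlen; if the SUP value is quoted under the same flag, as its name suggests, asi_superior_strlen needs the same `+= 2`, otherwise the estimate falls back on the 256-byte slack that the XXX comment already calls a magic number. The per-field lengths and nb_aliases are declared int while strlen() returns size_t; using size_t would avoid narrowing in the sum passed to sizedbuffer_allocate. asi_syntaxoid_strlen takes strlen(syntaxlengthbuf), and the visible context does not show that 128-byte buffer being initialised before this point, so that should be confirmed against the full function. The bare constants (+ 8, + 6, + 7, * 3) mirror the output format by hand while the other fields use strlen("..."); deriving all of them from the literal strings would keep the estimate in step with the code that writes the buffer.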
diff -Nru 389-ds-base-3.1.2+dfsg1/debian/patches/series 389-ds-base-3.1.2+dfsg1/debian/patches/series
--- 389-ds-base-3.1.2+dfsg1/debian/patches/series 2025-04-10 13:56:01.000000000 +0300
+++ 389-ds-base-3.1.2+dfsg1/debian/patches/series 2026-05-05 10:08:58.000000000 +0300
@@ -3,3 +3,4 @@
allow-newer-crates.diff
base64.diff
0001-Security-fix-for-CVE-2025-2487.patch
+0001-Security-fix-for-CVE-2025-14905.patch