[Pkg-openldap-devel] [openldap] 01/03: cherry-pick fix for CVE-2013-4449 (#729367)

Tue Apr 8 17:16:21 UTC 2014

This is an automated email from the git hooks/post-receive script.

rtandy-guest pushed a commit to branch master
in repository openldap.

commit f4d1aa9a02c2332deba5056209a076cdce4d2572
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Mon Apr 7 19:39:56 2014 -0700

    cherry-pick fix for CVE-2013-4449 (#729367)
---
 debian/changelog                                   |  7 ++++
 .../0001-ITS-7723-fix-reference-counting.patch     | 46 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 54 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index f8334f5..7b2ab3c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openldap (2.4.39-2) UNRELEASED; urgency=low
+
+  * 0001-ITS-7723-fix-reference-counting.patch: import upstream fix for 
+    CVE-2013-4449. Thanks to Hideki Yamane for the patch. (Closes: #729367)
+
+ -- Ryan Tandy <ryan at nardis.ca>  Mon, 07 Apr 2014 19:36:18 -0700
+
 openldap (2.4.39-1) unstable; urgency=low
 
   [ Peter Marschall ]
diff --git a/debian/patches/0001-ITS-7723-fix-reference-counting.patch b/debian/patches/0001-ITS-7723-fix-reference-counting.patch
new file mode 100644
index 0000000..644bfa5
--- /dev/null
+++ b/debian/patches/0001-ITS-7723-fix-reference-counting.patch
@@ -0,0 +1,46 @@
+Description: fix remote DoS (CVE-2013-4449)
+ taken from RHEL (and Fedora)
+ for detail, see https://bugzilla.redhat.com/show_bug.cgi?id=1019490#c0
+
+ and upstrea: http://www.openldap.org/its/index.cgi/Incoming?id=7723
+
+Author: Jan Synacek <jsynacek at redhat.com>
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/729367
+Forwarded: not-need
+Last-Update: 2013-11-13
+
+
+
+From 742d3e4a6a1f62c3c3ae1e9341f3615b4705a701 Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek at redhat.com>
+Date: Wed, 13 Nov 2013 09:06:54 +0100
+Subject: [PATCH] ITS#7723 fix reference counting
+
+---
+ libraries/librewrite/session.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libraries/librewrite/session.c b/libraries/librewrite/session.c
+index 28f2551..7c59d14 100644
+--- a/libraries/librewrite/session.c
++++ b/libraries/librewrite/session.c
+@@ -161,6 +161,7 @@ rewrite_session_find(
+ #ifdef USE_REWRITE_LDAP_PVT_THREADS
+ 	if ( session ) {
+ 		ldap_pvt_thread_mutex_lock( &session->ls_mutex );
++		session->ls_count++;
+ 	}
+ 	ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
+ #endif /* USE_REWRITE_LDAP_PVT_THREADS */
+@@ -178,6 +179,7 @@ rewrite_session_return(
+ )
+ {
+ 	assert( session != NULL );
++	session->ls_count--;
+ 	ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
+ }
+ 
+-- 
+1.8.3.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 2f47de3..aa9f65a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ no-AM_INIT_AUTOMAKE
 switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
 no-bdb-ABI-second-guessing
 heimdal-fix
+0001-ITS-7723-fix-reference-counting.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openldap/openldap.git

