[Pkg-openldap-devel] [openldap] 01/01: Import ITS#8240/CVE-2015-6908 patch
Ryan Tandy
rtandy-guest at moszumanska.debian.org
Sat Sep 12 19:09:14 UTC 2015
This is an automated email from the git hooks/post-receive script.
rtandy-guest pushed a commit to branch squeeze
in repository openldap.
commit ef8c1db446a981b7f38a88c921cdf7d38bf0400b
Author: Ryan Tandy <ryan at nardis.ca>
Date: Fri Sep 11 08:29:44 2015 -0700
Import ITS#8240/CVE-2015-6908 patch
---
debian/changelog | 8 +++++++
.../patches/ITS8240-remove-obsolete-assert.patch | 25 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 34 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2c30cc4..a303190 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openldap (2.4.23-7.3+deb6u2) squeeze-lts; urgency=high
+
+ * Import upstream patch to remove an unnecessary assert(0) that could be
+ triggered remotely by an unauthenticated user by sending a malformed BER
+ element. (ITS#8240) (CVE-2015-6908) (Closes: #798622)
+
+ -- Ryan Tandy <ryan at nardis.ca> Fri, 11 Sep 2015 08:28:34 -0700
+
openldap (2.4.23-7.3+deb6u1) squeeze-lts; urgency=high
* debian/slapd.init.ldif: Disallow modifying one's own entry by default,
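Review bot: Since the fix lands in libraries/liblber/io.c (a shared library, per the patch in this commit) rather than in slapd itself, the changelog entry could say that running slapd instances and other processes linked against liblber must be restarted to pick up the fix; otherwise the wording and the high urgency match a remotely triggerable abort by an unauthenticated client.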
diff --git a/debian/patches/ITS8240-remove-obsolete-assert.patch b/debian/patches/ITS8240-remove-obsolete-assert.patch
new file mode 100644
index 0000000..97bf6d7
--- /dev/null
+++ b/debian/patches/ITS8240-remove-obsolete-assert.patch
@@ -0,0 +1,25 @@
+From 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc at openldap.org>
+Date: Thu, 10 Sep 2015 00:37:32 +0100
+Subject: [PATCH] ITS#8240 remove obsolete assert
+
+---
+ libraries/liblber/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
+index 85c3e23..c05dcf8 100644
+--- a/libraries/liblber/io.c
++++ b/libraries/liblber/io.c
+@@ -679,7 +679,7 @@ done:
+ return (ber->ber_tag);
+ }
+
+- assert( 0 ); /* ber structure is messed up ?*/
++ /* invalid input */
+ return LBER_DEFAULT;
+ }
+
+--
+2.1.4
+
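Review bot: The patch carries only git format-patch headers (From/Date/Subject) and no DEP-3 metadata; consider adding `Origin: upstream` and `Bug-Debian: https://bugs.debian.org/798622` (the bug number is in the changelog hunk) above the body so the provenance and bug link are machine-readable. The change itself is a one-line substitution in io.c that replaces the `assert( 0 )` with a comment and falls through to `return LBER_DEFAULT;`, so a malformed BER element now yields the library's error value instead of aborting the process; the hunk context is only a few lines, so please verify that it applied cleanly at line 679 of the 2.4.23 io.c rather than with fuzz.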
diff --git a/debian/patches/series b/debian/patches/series
index f26c7d9..abfd2df 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@ CVE-2011-1081
ITS7723-fix-reference-counting.patch
ITS8027-deref-reject-empty-attr-list.patch
ITS7143-fix-attr_dup2-when-attrsOnly.patch
+ITS8240-remove-obsolete-assert.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openldap/openldap.git