openldap: fix CVE-2015-3276

the patch comes from: https://bugzilla.redhat.com/show_bug.cgi?id=1238322 https://bugzilla.redhat.com/attachment.cgi?id=1055640 The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2026-06-04 14:39:54 +00:00 · 2016-09-14 02:25:32 -04:00
parent 14a532d783
commit 24e387aaf7
2 changed files with 60 additions and 0 deletions
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libraries/libldap/tls_m.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 			 */
+ 			if (mask || strength || protocol) {
+ 				for (i=0; i<ciphernum; i++) {
+-					if (((ciphers_def[i].attr & mask) ||
+-						 (ciphers_def[i].strength & strength) ||
+-						 (ciphers_def[i].version & protocol)) &&
+-						(cipher_list[i] != -1)) {
+-						/* Enable the NULL ciphers only if explicity
+-						 * requested */
+-						if (ciphers_def[i].attr & SSL_eNULL) {
+-							if (mask & SSL_eNULL)
+-								cipher_list[i] = action;
+-						} else
+					/* if more than one mask is provided
+					 * then AND logic applies (to match openssl)
+					 */
+					if ( cipher_list[i] == -1) )
+						continue;
+					if ( mask && ! (ciphers_def[i].attr & mask) )
+						continue;
+					if ( strength && ! (ciphers_def[i].strength & strength) )
+						continue;
+					if ( protocol && ! (ciphers_def[i].version & protocol) )
+						continue;
+					/* Enable the NULL ciphers only if explicity requested */
+					if (ciphers_def[i].attr & SSL_eNULL) {
+						if (mask & SSL_eNULL)
+ 							cipher_list[i] = action;
+-					}
+					} else
+						cipher_list[i] = action;
+ 				}
+ 			} else {
+ 				for (i=0; i<ciphernum; i++) {
+-- 
+1.7.9.5
+
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
    file://initscript \
    file://slapd.service \
    file://thread_stub.patch \
+    file://openldap-CVE-2015-3276.patch \
 "

 SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51"