diff --git a/0001-add-debug-info-to-print-var.patch b/0001-add-debug-info-to-print-var.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ba8e87047f1df863c4ce07830ee944233162252
--- /dev/null
+++ b/0001-add-debug-info-to-print-var.patch
@@ -0,0 +1,145 @@
+From a999dd0dc89e46ba8d013c9a6151e5bf2ecad1f9 Mon Sep 17 00:00:00 2001
+From: eaglegai
+Date: Thu, 3 Jun 2021 14:34:43 +0800
+Subject: [PATCH] add debug info to print var
+
+---
+ tests/scripts/test018-syncreplication-persist | 38 ++++++++++++++++++++-------
+ 1 file changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/tests/scripts/test018-syncreplication-persist b/tests/scripts/test018-syncreplication-persist
+index b18dbab..e8cb714 100755
+--- a/tests/scripts/test018-syncreplication-persist
++++ b/tests/scripts/test018-syncreplication-persist
+@@ -128,7 +128,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Using ldapsearch to read all the entries from the consumer..."
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT4 \
+ '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT 2>&1
+@@ -139,7 +139,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Filtering provider results..."
+ $LDIFFILTER < $MASTEROUT > $MASTERFLT
+ echo "Filtering consumer results..."
+@@ -150,6 +150,11 @@ $CMP $MASTERFLT $SLAVEFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "test failed - provider and consumer databases differ"
++ echo $?
++ echo "ghy 154"
++ cat $CMPOUT
++ cat $MASTERFLT
++ cat $SLAVEFLT
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+@@ -337,7 +342,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Using ldapsearch to read all the entries from the consumer..."
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT4 \
+ '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT 2>&1
+@@ -348,7 +353,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Filtering provider results..."
+ $LDIFFILTER < $MASTEROUT > $MASTERFLT
+ echo "Filtering consumer results..."
+@@ -359,6 +364,11 @@ $CMP $MASTERFLT $SLAVEFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "test failed - provider and consumer databases differ"
++ echo $?
++ echo "ghy 367"
++ echo $CMPOUT
++ echo $MASTERFLT
++ echo $SLAVEFLT
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+@@ -434,7 +444,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Using ldapsearch to read all the entries from the consumer..."
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT4 \
+ '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT 2>&1
+@@ -445,7 +455,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Filtering provider results..."
+ $LDIFFILTER < $MASTEROUT > $MASTERFLT
+ echo "Filtering consumer results..."
+@@ -456,6 +466,11 @@ $CMP $MASTERFLT $SLAVEFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "test failed - provider and consumer databases differ"
++ echo $?
++ echo "ghy 469"
++ echo $CMPOUT
++ echo $MASTERFLT
++ echo $SLAVEFLT
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+@@ -502,7 +517,7 @@ $LDAPSEARCH -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+ RC=$?
+ # cancelled operation returns -1, so no point of checking return code, either
+ # it's cancelled or we get stuck forever
+-
++sleep $SLEEP1
+ echo "Using ldapsearch to read all the entries from the provider..."
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+ '(objectclass=*)' '*' $OPATTRS > $MASTEROUT 2>&1
+@@ -513,7 +528,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Using ldapsearch to read all the entries from the consumer..."
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT4 \
+ '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT 2>&1
+@@ -524,7 +539,7 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-
++sleep $SLEEP1
+ echo "Filtering provider results..."
+ $LDIFFILTER < $MASTEROUT > $MASTERFLT
+ echo "Filtering consumer results..."
+@@ -535,6 +550,11 @@ $CMP $MASTERFLT $SLAVEFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "test failed - provider and consumer databases differ"
++ echo $?
++ echo "ghy 553"
++ echo $CMPOUT
++ echo $MASTERFLT
++ echo $SLAVEFLT
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+--
+1.8.3.1
+
diff --git a/0002-add-debug-info-to-print-var-2.patch b/0002-add-debug-info-to-print-var-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ec9ed53ceb193a2543f1221326dc2a3a96f7253d
--- /dev/null
+++ b/0002-add-debug-info-to-print-var-2.patch
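Review bot: In 0001-add-debug-info-to-print-var.patch every added `echo $?` runs after `echo "test failed - provider and consumer databases differ"`, so it prints the status of that echo (0) and never the `$CMP` result; save the status first, `RC=$?` directly after `$CMP $MASTERFLT $SLAVEFLT > $CMPOUT`, then use `if test $RC != 0` and `echo $RC`. The follow-up patch in this commit does that with `GHYR=$?` in only one of the four failure branches. The first branch (marker `ghy 154`) also uses `cat $CMPOUT`, `cat $MASTERFLT` and `cat $SLAVEFLT`, which writes the full filtered directory dump to the build log while the other three branches only echo the file names; those dumps come from a search for `'*' $OPATTRS`, so every attribute the test data carries is retained wherever the build log is kept.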
@@ -0,0 +1,233 @@
+From f4af0c3f2d5131453b53eee66c2d89d18ef0324f Mon Sep 17 00:00:00 2001
+From: eaglegai
+Date: Fri, 4 Jun 2021 11:42:48 +0800
+Subject: [PATCH] add debug info to print var 2
+
+---
+ tests/scripts/test018-syncreplication-persist | 120 +++++++++++++++++---------
+ 1 file changed, 78 insertions(+), 42 deletions(-)
+
+diff --git a/tests/scripts/test018-syncreplication-persist b/tests/scripts/test018-syncreplication-persist
+index e8cb714..c29e2fb 100755
+--- a/tests/scripts/test018-syncreplication-persist
++++ b/tests/scripts/test018-syncreplication-persist
+@@ -47,7 +47,7 @@ KILLPIDS="$PID"
+
+ sleep 1
+
+-echo "Using ldapsearch to check that provider slapd is running..."
++echo "Using ldapsearch to check that provider slapd is running...50"
+ for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+ 'objectclass=*' > /dev/null 2>&1
+@@ -85,18 +85,20 @@ if test $WAIT != 0 ; then
+ fi
+ KILLPIDS="$KILLPIDS $SLAVEPID"
+
+-sleep 1
++sleep 30
+
+-echo "Using ldapsearch to check that consumer slapd is running..."
++echo "Using ldapsearch to check that consumer slapd is running...90"
+ for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT4 \
+- 'objectclass=*' > /dev/null 2>&1
++ 'objectclass=*'
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+- echo "Waiting 5 seconds for slapd to start..."
+- sleep 5
++ echo "Waiting 20 seconds for slapd to start..."
++ systemctl status slapd
++ sleep 20
++ systemctl status slapd
+ done
+
+ if test $RC != 0 ; then
+@@ -107,7 +109,7 @@ fi
+
+ echo "Using ldapadd to populate the provider directory..."
+ $LDAPADD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD < \
+- $LDIFORDEREDNOCP > /dev/null 2>&1
++ $LDIFORDEREDNOCP
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapadd failed ($RC)!"
+@@ -116,11 +118,11 @@ if test $RC != 0 ; then
+ fi
+
+ echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
+-sleep $SLEEP1
++sleep 30
+
+ echo "Using ldapsearch to read all the entries from the provider..."
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+- '(objectclass=*)' '*' $OPATTRS > $MASTEROUT 2>&1
++ '(objectclass=*)' '*' $OPATTRS > $MASTEROUT
+ RC=$?
+
+ if test $RC != 0 ; then
+@@ -128,10 +130,15 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-sleep $SLEEP1
++sleep 30
++
++echo "-------- ghy cat masterout 135 --------"
++cat $MASTEROUT
++echo "--------------------------------------"
++
+ echo "Using ldapsearch to read all the entries from the consumer..."
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT4 \
+- '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT 2>&1
++ '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT
+ RC=$?
+
+ if test $RC != 0 ; then
+@@ -139,7 +146,12 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-sleep $SLEEP1
++sleep 30
++
++echo "-------- ghy cat slaveout 150 --------"
++cat $SLAVEOUT
++echo "-------------------------------------"
++
+ echo "Filtering provider results..."
+ $LDIFFILTER < $MASTEROUT > $MASTERFLT
+ echo "Filtering consumer results..."
+@@ -202,7 +214,7 @@ echo "Using ldapmodify to modify provider directory..."
+ #
+
+ $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+- $TESTOUT 2>&1 << EOMODS
++ $TESTOUT << EOMODS
+ dn: cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example,dc=com
+ changetype: modify
+ add: drink
+@@ -318,23 +330,33 @@ if test $RC != 0 ; then
+ exit $RC
+ fi
+
+-echo "Using ldappasswd to change some passwords..."
+-$LDAPPASSWD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+- 'cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' \
+- > $TESTOUT 2>&1
+-RC=$?
+-if test $RC != 0 ; then
+- echo "ldapmodify failed ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
+-fi
+-
+-echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
+-sleep $SLEEP1
+-
+-echo "Using ldapsearch to read all the entries from the provider..."
++sleep 30
++
++#echo "Using ldappasswd to change some passwords...323"
++#$LDAPPASSWD -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
++# 'cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com' \
++# > $TESTOUT
++#RC=$?
++#if test $RC != 0 ; then
++# echo "ldapmodify failed ($RC)!"
++# test $KILLSERVERS != no && kill -HUP $KILLPIDS
++# exit $RC
++#fi
++
++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes...334"
++sleep 30
++
++echo "ghy 337"
++echo "$LDAPSEARCH"
++echo "$BASEDN"
++echo $LOCALHOST
++echo $PORT1
++echo $OPATTRS
++echo $PORT4
++
++echo "Using ldapsearch to read all the entries from the provider...345"
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+- '(objectclass=*)' '*' $OPATTRS > $MASTEROUT 2>&1
++ '(objectclass=*)' '*' $OPATTRS > $MASTEROUT
+ RC=$?
+
+ if test $RC != 0 ; then
+@@ -342,10 +364,15 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-sleep $SLEEP1
+-echo "Using ldapsearch to read all the entries from the consumer..."
++sleep 30
++
++echo "------- ghy cat masterout 367 -------"
++cat $MASTEROUT
++echo "-------------------------------------"
++
++echo "Using ldapsearch to read all the entries from the consumer...356"
+ $LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT4 \
+- '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT 2>&1
++ '(objectclass=*)' '*' $OPATTRS > $SLAVEOUT
+ RC=$?
+
+ if test $RC != 0 ; then
+@@ -353,22 +380,29 @@ if test $RC != 0 ; then
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+-sleep $SLEEP1
+-echo "Filtering provider results..."
++sleep 30
++
++echo "-------- ghy cat slaveout 371 --------"
++cat $SLAVEOUT
++echo "-------------------------------------"
++
++diff -ruNa $MASTEROUT $SLAVEOUT
++echo "Filtering provider results...368"
+ $LDIFFILTER < $MASTEROUT > $MASTERFLT
+-echo "Filtering consumer results..."
++sleep $SLEEP1
++echo "Filtering consumer results...371"
+ $LDIFFILTER < $SLAVEOUT > $SLAVEFLT
+-
+-echo "Comparing retrieved entries from provider and consumer..."
++sleep $SLEEP1
++echo "Comparing retrieved entries from provider and consumer...374"
++diff -ruNa $MASTERFLT $SLAVEFLT
+ $CMP $MASTERFLT $SLAVEFLT > $CMPOUT
+
+-if test $? != 0 ; then
++GHYR=$?
++
++if test $GHYR != 0 ; then
+ echo "test failed - provider and consumer databases differ"
+- echo $?
++ echo $GHYR
+ echo "ghy 367"
+- echo $CMPOUT
+- echo $MASTERFLT
+- echo $SLAVEFLT
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+@@ -550,6 +584,8 @@ $CMP $MASTERFLT $SLAVEFLT > $CMPOUT
+
+ if test $? != 0 ; then
+ echo "test failed - provider and consumer databases differ"
++ echo "ghy slapd log 587"
++ tail -100 /var/log/ldap.log
+ echo $?
+ echo "ghy 553"
+ echo $CMPOUT
+--
+1.8.3.1
+
diff --git a/CVE-2020-25709.patch b/CVE-2020-25709.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6aa13ca5e0b8a14eaa493c6eb320764ba4e741b5
--- /dev/null
+++ b/CVE-2020-25709.patch
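Review bot: In 0002-add-debug-info-to-print-var-2.patch the added `tail -100 /var/log/ldap.log` and `systemctl status slapd` read state from the build host, not from the slapd instances this test starts on `$PORT1`/`$PORT4`, so the test stops being hermetic and copies whatever a system slapd logged on that machine into the build output. The same patch comments out the whole `$LDAPPASSWD` step, which silently removes the password-change case from test018, and drops `> /dev/null 2>&1` and `2>&1` so tool output and stderr now go to the console. If the extra output is still needed, put it behind an opt-in switch such as `test "${TEST018_DEBUG:-no}" != no && cat $SLAVEOUT` (variable name made up for this note), read the log the test's own slapd writes, and restore the ldappasswd block. The hard-coded `sleep 30` calls also replace `$SLEEP1` while the message still announces `$SLEEP1` seconds, and the `echo $?` after `tail` in the last hunk reports the status of `tail`.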
@@ -0,0 +1,25 @@ +From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Mon, 2 Nov 2020 13:12:10 +0000 +Subject: [PATCH] ITS#9383 remove assert in certificateListValidate + +--- + servers/slapd/schema_init.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index ea0d67aa62..28f9e71a16 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in ) + /* Optional version */ + if ( tag == LBER_INTEGER ) { + tag = ber_get_int( ber, &version ); +- assert( tag == LBER_INTEGER ); +- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; ++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; + } + tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; +-- +GitLab diff --git a/openldap.spec b/openldap.spec index 6fd22c8a9e7bab29b5981b52296aec2a6e296ccf..cb1037a48c347ec7a0dcc1e604397d6229a220b0 100644 --- a/openldap.spec +++ b/openldap.spec @@ -2,7 +2,7 @@ Name: openldap Version: 2.4.50 -Release: 7 +Release: 8 Summary: LDAP support libraries License: OpenLDAP URL: https://www.openldap.org/ @@ -62,7 +62,9 @@ Patch41: backport-Fix-test-suite.patch Patch42: backport-ITS-9010-regenerate-configure.patch Patch43: backport-ITS-9010-More-BDB-HDB-cleanup.patch Patch44: CVE-2021-27212.patch - +Patch45: CVE-2020-25709.patch +Patch46: 0001-add-debug-info-to-print-var.patch +Patch47: 0002-add-debug-info-to-print-var-2.patch BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed 
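Review bot: The new condition in certificateListValidate (CVE-2020-25709.patch) should carry a one-line comment saying why this is a runtime check and not an assertion, for example `/* decode failure on untrusted input: reject, never assert */`. The removed `assert( tag == LBER_INTEGER )` was the only handling of a failed `ber_get_int`, so a malformed version field would abort the process in a build with assertions enabled and, presumably, compare a `version` that was never written in a build without them. The operand order is load-bearing for that reason: `tag != LBER_INTEGER` has to stay first so `version` is not read after a failed decode. The function continues outside the hunk, so whether other `assert()` calls on decoded values remain is not visible here and is worth checking before the CVE is closed.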
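Review bot: `Patch46` and `Patch47` are applied unconditionally (`%patch46 -p1`, `%patch47 -p1` in the %prep hunk that follows), so the debug-only changes to test018 ship in the 2.4.50-8 build, while the changelog entry records only `- fix CVE-2020-25709`. Anyone auditing the security release by its changelog will not see that it also disables the ldappasswd step of a test and makes the test suite read the build host's `/var/log/ldap.log`. Either keep this release to `Patch45` alone, or list the extra patches in the changelog, e.g. `- add temporary debug output to test018-syncreplication-persist`. The hunk also removes the blank line that separated the Patch list from `BuildRequires:`, which looks unintended.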
@@ -172,6 +174,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch42 -p1 %patch43 -p1 %patch44 -p1 +%patch45 -p1 +%patch46 -p1 +%patch47 -p1 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd @@ -451,6 +456,9 @@ popd %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd %changelog +* Thu May 27 2021 gaihuiying - 2.4.50-8 +- fix CVE-2020-25709 + * Sat Feb 27 2021 orange-snn - 2.4.50-7 - fix CVE-2021-27212