diff --git a/ITS-9531-back-mdb-fix-delete-of-context-entry.patch b/ITS-9531-back-mdb-fix-delete-of-context-entry.patch new file mode 100644 index 0000000000000000000000000000000000000000..22be10abb9d0a95851697a2549c6f27170ca7552 --- /dev/null +++ b/ITS-9531-back-mdb-fix-delete-of-context-entry.patch @@ -0,0 +1,117 @@ +From 0c90b8c0011fdb80fc2f8a2d7192f8b40217c7e3 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Mon, 26 Apr 2021 18:27:40 +0100 +Subject: [PATCH] ITS#9531 back-mdb: fix delete of context entry + Conflict:NA +Reference:https://git.openldap.org/openldap/openldap/commit/0c90b8c0011fdb80fc2f8a2d7192f8b40217c7e3 + We already checked if attempting to delete the suffix, but +didn't skip the parent check as we should have. +--- + servers/slapd/back-mdb/delete.c | 83 +++++++++++++++++---------------- + 1 file changed, 42 insertions(+), 41 deletions(-) + 
diff --git a/servers/slapd/back-mdb/delete.c b/servers/slapd/back-mdb/delete.c +index 7dab5ee8f1..12ec56d904 100644 +--- a/servers/slapd/back-mdb/delete.c ++++ b/servers/slapd/back-mdb/delete.c +@@ -71,57 +71,58 @@ mdb_delete( Operation *op, SlapReply *rs ) + slap_get_csn( op, &csn, 1 ); + } + +- if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) ) { +- dnParent( &op->o_req_ndn, &pdn ); +- } +- + rs->sr_err = mdb_cursor_open( txn, mdb->mi_dn2id, &mc ); + if ( rs->sr_err ) { + rs->sr_err = LDAP_OTHER; + rs->sr_text = "internal error"; + goto return_results; + } +- /* get parent */ +- rs->sr_err = mdb_dn2entry( op, txn, mc, &pdn, &p, NULL, 1 ); +- switch( rs->sr_err ) { +- case 0: +- case MDB_NOTFOUND: +- break; +- case LDAP_BUSY: +- rs->sr_text = "ldap server busy"; +- goto return_results; +- default: +- rs->sr_err = LDAP_OTHER; +- rs->sr_text = "internal error"; +- goto return_results; +- } +- if ( rs->sr_err == MDB_NOTFOUND ) { +- Debug( LDAP_DEBUG_ARGS, +- "<=- " LDAP_XSTRING(mdb_delete) ": no such object %s\n", +- op->o_req_dn.bv_val, 0, 0); + +- if ( p && !BER_BVISEMPTY( &p->e_name )) { +- rs->sr_matched = ch_strdup( p->e_name.bv_val ); +- if ( is_entry_referral( p )) { +- BerVarray ref = get_entry_referrals( op, p ); +- rs->sr_ref = referral_rewrite( ref, &p->e_name, +- &op->o_req_dn, LDAP_SCOPE_DEFAULT ); +- ber_bvarray_free( ref ); ++ if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) ) { ++ dnParent( &op->o_req_ndn, &pdn ); ++ ++ /* get parent */ ++ rs->sr_err = mdb_dn2entry( op, txn, mc, &pdn, &p, NULL, 1 ); ++ switch( rs->sr_err ) { ++ case 0: ++ case MDB_NOTFOUND: ++ break; ++ case LDAP_BUSY: ++ rs->sr_text = "ldap server busy"; ++ goto return_results; ++ default: ++ rs->sr_err = LDAP_OTHER; ++ rs->sr_text = "internal error"; ++ goto return_results; ++ } ++ if ( rs->sr_err == MDB_NOTFOUND ) { ++ Debug( LDAP_DEBUG_ARGS, ++ "<=- " LDAP_XSTRING(mdb_delete) ": no such object %s\n", ++ op->o_req_dn.bv_val, 0, 0); ++ ++ if ( p && !BER_BVISEMPTY( &p->e_name )) { ++ 
rs->sr_matched = ch_strdup( p->e_name.bv_val ); ++ if ( is_entry_referral( p )) { ++ BerVarray ref = get_entry_referrals( op, p ); ++ rs->sr_ref = referral_rewrite( ref, &p->e_name, ++ &op->o_req_dn, LDAP_SCOPE_DEFAULT ); ++ ber_bvarray_free( ref ); ++ } else { ++ rs->sr_ref = NULL; ++ } + } else { +- rs->sr_ref = NULL; ++ rs->sr_ref = referral_rewrite( default_referral, NULL, ++ &op->o_req_dn, LDAP_SCOPE_DEFAULT ); ++ } ++ if ( p ) { ++ mdb_entry_return( op, p ); ++ p = NULL; + } +- } else { +- rs->sr_ref = referral_rewrite( default_referral, NULL, +- &op->o_req_dn, LDAP_SCOPE_DEFAULT ); +- } +- if ( p ) { +- mdb_entry_return( op, p ); +- p = NULL; +- } + +- rs->sr_err = LDAP_REFERRAL; +- rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; +- goto return_results; ++ rs->sr_err = LDAP_REFERRAL; ++ rs->sr_flags = REP_MATCHED_MUSTBEFREED | REP_REF_MUSTBEFREED; ++ goto return_results; ++ } + } + + /* get entry */ +-- +GitLab diff --git a/add-test-log.patch b/add-test-log.patch new file mode 100644 index 0000000000000000000000000000000000000000..b80c083bf07805e6801be1f0a5823ca4a2c2bfa3 --- /dev/null +++ b/add-test-log.patch 
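Review bot: The reason the parent lookup now sits inside the `!be_issuffix()` test is not recorded in the code, so a later cleanup could hoist it back out and reintroduce the bug; a one-line comment on the new `if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) ) {` would guard against that, e.g. `/* the suffix has no parent: skip the lookup so pdn and p stay unset (ITS#9531) */`. On the suffix path `pdn` is now never assigned and `p` keeps whatever value it was declared with; both declarations and the later parent checks that presumably key off them are outside this hunk, so it is worth confirming they are zero-initialised at declaration rather than relying on the assignment that used to precede this block. The referral branch can still set `rs->sr_err = LDAP_REFERRAL` while leaving `rs->sr_ref == NULL` (matched ancestor found but not a referral, or no `default_referral`); that is carried over unchanged from the removed lines and I assume the result layer handles it, but a short comment saying so would stop it reading as an inconsistency. mdb_delete begins and ends outside this hunk.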
@@ -0,0 +1,39 @@ +diff -urNp a/openldap-2.4.50/tests/scripts/test018-syncreplication-persist b/openldap-2.4.50/tests/scripts/test018-syncreplication-persist +--- a/tests/scripts/test018-syncreplication-persist 2020-04-28 22:05:54.000000000 +0800 ++++ b/tests/scripts/test018-syncreplication-persist 2021-06-28 21:09:51.690952258 +0800 +@@ -146,7 +146,7 @@ echo "Filtering consumer results..." + $LDIFFILTER < $SLAVEOUT > $SLAVEFLT + + echo "Comparing retrieved entries from provider and consumer..." +-$CMP $MASTERFLT $SLAVEFLT > $CMPOUT ++$CMP $MASTERFLT $SLAVEFLT + + if test $? != 0 ; then + echo "test failed - provider and consumer databases differ" +@@ -355,7 +355,7 @@ echo "Filtering consumer results..." + $LDIFFILTER < $SLAVEOUT > $SLAVEFLT + + echo "Comparing retrieved entries from provider and consumer..." +-$CMP $MASTERFLT $SLAVEFLT > $CMPOUT ++$CMP $MASTERFLT $SLAVEFLT + + if test $? != 0 ; then + echo "test failed - provider and consumer databases differ" +@@ -452,7 +452,7 @@ echo "Filtering consumer results..." + $LDIFFILTER < $SLAVEOUT > $SLAVEFLT + + echo "Comparing retrieved entries from provider and consumer..." +-$CMP $MASTERFLT $SLAVEFLT > $CMPOUT ++$CMP $MASTERFLT $SLAVEFLT + + if test $? != 0 ; then + echo "test failed - provider and consumer databases differ" +@@ -531,7 +531,7 @@ echo "Filtering consumer results..." + $LDIFFILTER < $SLAVEOUT > $SLAVEFLT + + echo "Comparing retrieved entries from provider and consumer..." +-$CMP $MASTERFLT $SLAVEFLT > $CMPOUT ++$CMP $MASTERFLT $SLAVEFLT + + if test $? != 0 ; then + echo "test failed - provider and consumer databases differ" diff --git a/openldap.spec b/openldap.spec index 6fd22c8a9e7bab29b5981b52296aec2a6e296ccf..e4890b8790a59ffdccb21d10f78e1cbf59457c7b 100644 --- a/openldap.spec +++ b/openldap.spec @@ -2,7 +2,7 @@ Name: openldap Version: 2.4.50 -Release: 7 +Release: 8 Summary: LDAP support libraries License: OpenLDAP URL: https://www.openldap.org/ 
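Review bot: Dropping `> $CMPOUT` at all four comparison sites means `$CMPOUT` is no longer written, so anything later in test018 that reads it (for instance a `cat $CMPOUT` on failure, not visible here) would now see a missing or stale file; if the goal is only to get the differences into the test log, keep the file and print it as well: `$CMP $MASTERFLT $SLAVEFLT > $CMPOUT; RC=$?` followed by `cat $CMPOUT` and `if test $RC != 0 ; then`, since a `| tee $CMPOUT` pipeline would replace `$?` with tee's status. The `diff -urNp` header names `a/openldap-2.4.50/tests/scripts/...` while the `---`/`+++` lines name `a/tests/scripts/...`; GNU patch takes its paths from the latter so `-p1` applies, but the stale header is worth correcting for consistency. This also makes a vendored upstream test script diverge from upstream, which every future rebase will have to carry.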
@@ -62,6 +62,8 @@ Patch41: backport-Fix-test-suite.patch Patch42: backport-ITS-9010-regenerate-configure.patch Patch43: backport-ITS-9010-More-BDB-HDB-cleanup.patch Patch44: CVE-2021-27212.patch +Patch45: ITS-9531-back-mdb-fix-delete-of-context-entry.patch +Patch46: add-test-log.patch BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel @@ -172,6 +174,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch42 -p1 %patch43 -p1 %patch44 -p1 +%patch45 -p1 +%patch46 -p1 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd @@ -451,6 +455,12 @@ popd %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd %changelog +* Mon Jun 28 2021 anonymous_z - 2.4.50-8 +- Type:bugfix +- ID:NA +- SUG:restart +- DESC:fix shutdown leak and context entry delete failed. + * Sat Feb 27 2021 orange-snn - 2.4.50-7 - fix CVE-2021-27212
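Review bot: The changelog entry `DESC:fix shutdown leak and context entry delete failed.` claims a shutdown-leak fix, but the only patches this release adds are `ITS-9531-back-mdb-fix-delete-of-context-entry.patch` (the delete fix) and `add-test-log.patch` (test018 logging only), so either a patch is missing from the Patch list or the description should be reduced to what actually ships, e.g. `- DESC:backport ITS#9531 fix for deleting the context entry; log test018 comparison output`. `- ID:NA` could carry the upstream reference `ITS#9531` so the backport can be identified and dropped on the next rebase. Patch45 and Patch46 are added to both the Patch list and the %prep `%patch` sequence, which is consistent.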