From c339e955cf2f1431ef68ecb4c8fd2a847567a291 Mon Sep 17 00:00:00 2001 From: Alessio Sergi Date: Sat, 3 Jun 2017 19:20:48 +0200 Subject: [PATCH] openldap: update to 2.4.45 Fix CVE-2017-9287.
---
srcpkgs/openldap/patches/libressl.patch | 105 +++++++++++++++++++++++- srcpkgs/openldap/template | 6 +- 2 files changed, 105 insertions(+), 6 deletions(-)
diff --git a/srcpkgs/openldap/patches/libressl.patch b/srcpkgs/openldap/patches/libressl.patch
index 04ee8b60e1..aedba30201 100644
--- a/srcpkgs/openldap/patches/libressl.patch
+++ b/srcpkgs/openldap/patches/libressl.patch
@@ -1,6 +1,105 @@ ---- libraries/libldap/tls_o.c.orig 2014-07-15 18:08:35.841431410 +0200 -+++ libraries/libldap/tls_o.c 2014-07-15 18:09:10.681720371 +0200 -@@ -1128,10 +1128,11 @@ tlso_seed_PRNG( const char *randfile ) +--- libraries/libldap/tls_o.c.orig ++++ libraries/libldap/tls_o.c +@@ -47,7 +47,7 @@ + #include + #endif + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000 ++#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 + #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x) + #endif + +@@ -62,7 +62,7 @@ static void tlso_info_cb( const SSL *ssl, int where, i + static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); + static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); + static int tlso_seed_PRNG( const char *randfile ); +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + /* + * OpenSSL 1.1 API and later has new locking code + */ +@@ -157,7 +157,7 @@ tlso_init( void ) + (void) tlso_seed_PRNG( lo->ldo_tls_randfile ); + #endif + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + SSL_load_error_strings(); + SSL_library_init(); + OpenSSL_add_all_digests(); +@@ -179,7 +179,7 @@ tlso_destroy( void ) + { + struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT(); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + EVP_cleanup(); + #if OPENSSL_VERSION_NUMBER < 0x10000000 + ERR_remove_state(0); +@@ -205,7 +205,7 @@ static void + tlso_ctx_ref( tls_ctx *ctx ) + { + tlso_ctx *c = (tlso_ctx *)ctx; +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX ) + #endif + SSL_CTX_up_ref( c ); +@@ -367,7 +367,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls + SSL_CTX_set_verify( ctx, i, + 
lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? + tlso_verify_ok : tlso_verify_cb ); +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); + #endif + #ifdef HAVE_OPENSSL_CRL +@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval * + if (!x) return LDAP_INVALID_CREDENTIALS; + + xn = X509_get_subject_name(x); +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + der_dn->bv_len = i2d_X509_NAME( xn, NULL ); + der_dn->bv_val = xn->bytes->data; + #else +@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval + return LDAP_INVALID_CREDENTIALS; + + xn = X509_get_subject_name(x); +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + der_dn->bv_len = i2d_X509_NAME( xn, NULL ); + der_dn->bv_val = xn->bytes->data; + #else +@@ -721,7 +721,7 @@ struct tls_data { + Sockbuf_IO_Desc *sbiod; + }; + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + #define BIO_set_init(b, x) b->init = x + #define BIO_set_data(b, x) b->ptr = x + #define BIO_clear_flags(b, x) b->flags &= ~(x) +@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str ) + return tlso_bio_write( b, str, strlen( str ) ); + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000 ++#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 + struct bio_method_st { + int type; + const char *name; +@@ -1138,7 +1138,7 @@ tlso_report_error( void ) + } + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000 + static RSA * + tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ) + { +@@ -1186,10 +1186,11 @@ * The fact is that when $HOME is NULL, .rnd is used. 
*/ randfile = RAND_file_name( buffer, sizeof( buffer ) ); diff --git a/srcpkgs/openldap/template b/srcpkgs/openldap/template index 344141150d..ec6b7af14e 100644 --- a/srcpkgs/openldap/template +++ b/srcpkgs/openldap/template @@ -1,7 +1,7 @@ # Template file for 'libldap' pkgname=openldap -version=2.4.44 -revision=5 +version=2.4.45 +revision=1 build_style=gnu-configure configure_args="--prefix=/usr --libexecdir=/usr/libexec @@ -21,7 +21,7 @@ license="OpenLDAP License v2.8 - BSD alike" maintainer="Juan RP " homepage="http://www.openldap.org" distfiles="ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-$version.tgz" -checksum=d7de6bf3c67009c95525dde3a0212cc110d0a70b92af2af8e3ee800e81b88400 +checksum=cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824 system_accounts="ldap" ldap_homedir="/var/lib/openldap"
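Review bot: In the libressl.patch hunk, every rewritten guard (`#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000`, and its `!defined(...) &&` counterpart) sends all LibreSSL releases down the pre-1.1 path with no upper bound on the LibreSSL version. This covers tlso_init, tlso_destroy, tlso_ctx_ref, tlso_ctx_init, tlso_session_my_dn, tlso_session_peer_dn, the BIO macros and tlso_tmp_rsa_cb. Those branches reach into library structs (`ctx->references`, `xn->bytes->data`, `b->init`, `b->ptr`) and define `SSL_CTX_up_ref` as a macro, so they will presumably fail to build, or shadow the real function, once a LibreSSL release makes those structs opaque or ships the 1.1 accessors. I would bound the LibreSSL side, e.g. `#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < FIRST_LIBRESSL_WITH_1_1_API /* placeholder, confirm per call site */) || OPENSSL_VERSION_NUMBER < 0x10100000`. I would also add a header comment to the patch: `/* LibreSSL sets OPENSSL_VERSION_NUMBER to 0x20000000L, so the version test alone selects the OpenSSL 1.1 API */`. The guarded function bodies start and end outside these hunks, so any other version checks in tls_o.c cannot be reviewed from here.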