diff options
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch')
-rw-r--r-- | meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch new file mode 100644 index 000000000..de9ca528a --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch @@ -0,0 +1,59 @@ +openldap CVE-2015-3276 + +the patch comes from: +https://bugzilla.redhat.com/show_bug.cgi?id=1238322 +https://bugzilla.redhat.com/attachment.cgi?id=1055640 + +The nss_parse_ciphers function in libraries/libldap/tls_m.c in +OpenLDAP does not properly parse OpenSSL-style multi-keyword mode +cipher strings, which might cause a weaker than intended cipher to +be used and allow remote attackers to have unspecified impact via +unknown vectors. + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + libraries/libldap/tls_m.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 9b101f9..e6f3051 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + */ + if (mask || strength || protocol) { + for (i=0; i<ciphernum; i++) { +- if (((ciphers_def[i].attr & mask) || +- (ciphers_def[i].strength & strength) || +- (ciphers_def[i].version & protocol)) && +- (cipher_list[i] != -1)) { +- /* Enable the NULL ciphers only if explicity +- * requested */ +- if (ciphers_def[i].attr & SSL_eNULL) { +- if (mask & SSL_eNULL) +- cipher_list[i] = action; +- } else ++ /* if more than one mask is provided ++ * then AND logic applies (to match openssl) ++ */ ++ if ( cipher_list[i] == -1) ) ++ continue; ++ if ( mask && ! (ciphers_def[i].attr & mask) ) ++ continue; ++ if ( strength && ! (ciphers_def[i].strength & strength) ) ++ continue; ++ if ( protocol && ! (ciphers_def[i].version & protocol) ) ++ continue; ++ /* Enable the NULL ciphers only if explicity requested */ ++ if (ciphers_def[i].attr & SSL_eNULL) { ++ if (mask & SSL_eNULL) + cipher_list[i] = action; +- } ++ } else ++ cipher_list[i] = action; + } + } else { + for (i=0; i<ciphernum; i++) { +-- +1.7.9.5 + |