summaryrefslogtreecommitdiffstats
path: root/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch')
-rw-r--r--meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch59
1 files changed, 59 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
new file mode 100644
index 000000000..de9ca528a
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libraries/libldap/tls_m.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ */
+ if (mask || strength || protocol) {
+ for (i=0; i<ciphernum; i++) {
+- if (((ciphers_def[i].attr & mask) ||
+- (ciphers_def[i].strength & strength) ||
+- (ciphers_def[i].version & protocol)) &&
+- (cipher_list[i] != -1)) {
+- /* Enable the NULL ciphers only if explicity
+- * requested */
+- if (ciphers_def[i].attr & SSL_eNULL) {
+- if (mask & SSL_eNULL)
+- cipher_list[i] = action;
+- } else
++ /* if more than one mask is provided
++ * then AND logic applies (to match openssl)
++ */
++ if ( cipher_list[i] == -1) )
++ continue;
++ if ( mask && ! (ciphers_def[i].attr & mask) )
++ continue;
++ if ( strength && ! (ciphers_def[i].strength & strength) )
++ continue;
++ if ( protocol && ! (ciphers_def[i].version & protocol) )
++ continue;
++ /* Enable the NULL ciphers only if explicity requested */
++ if (ciphers_def[i].attr & SSL_eNULL) {
++ if (mask & SSL_eNULL)
+ cipher_list[i] = action;
+- }
++ } else
++ cipher_list[i] = action;
+ }
+ } else {
+ for (i=0; i<ciphernum; i++) {
+--
+1.7.9.5
+
OpenPOWER on IntegriCloud