From d3e7116a2475cf18aa14764dfee1a755445c70f6 Mon Sep 17 00:00:00 2001 From: eaglegai Date: Mon, 1 Aug 2022 08:10:18 +0000 Subject: [PATCH] fix CVE-2022-32746 --- backport-001-CVE-2022-32746.patch | 104 ++++++++++++ backport-002-CVE-2022-32746.patch | 28 +++ backport-003-CVE-2022-32746.patch | 112 ++++++++++++ backport-004-CVE-2022-32746.patch | 121 +++++++++++++ backport-005-CVE-2022-32746.patch | 274 ++++++++++++++++++++++++++++++ libldb.spec | 13 +- 6 files changed, 651 insertions(+), 1 deletion(-) create mode 100644 backport-001-CVE-2022-32746.patch create mode 100644 backport-002-CVE-2022-32746.patch create mode 100644 backport-003-CVE-2022-32746.patch create mode 100644 backport-004-CVE-2022-32746.patch create mode 100644 backport-005-CVE-2022-32746.patch diff --git a/backport-001-CVE-2022-32746.patch b/backport-001-CVE-2022-32746.patch new file mode 100644 index 0000000..66484ad --- /dev/null +++ b/backport-001-CVE-2022-32746.patch @@ -0,0 +1,104 @@ +From 0a3aa5f908e351201dc9c4d4807b09ed9eedff77 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Mon, 21 Feb 2022 16:27:37 +1300 +Subject: [PATCH] CVE-2022-32746 ldb: Make use of functions for appending to an + ldb_message + +This aims to minimise usage of the error-prone pattern of searching for +a just-added message element in order to make modifications to it (and +potentially finding the wrong element). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + ldb_map/ldb_map.c | 5 +- + ldb_map/ldb_map_inbound.c | 9 +- + modules/rdn_name.c | 22 +--- + 3 files changed, 28 insertions(+), 8 deletions(-) + +diff --git a/ldb_map/ldb_map.c b/ldb_map/ldb_map.c +index b453dff80d25..c7b0c2286311 100644 +--- a/ldb_map/ldb_map.c ++++ b/ldb_map/ldb_map.c +@@ -946,10 +946,7 @@ struct ldb_request *map_build_fixup_req(struct map_context *ac, + if ( ! dn || ! ldb_dn_validate(msg->dn)) { + goto failed; + } +- if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) { +- goto failed; +- } +- if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) { ++ if (ldb_msg_append_string(msg, IS_MAPPED, dn, LDB_FLAG_MOD_REPLACE) != 0) { + goto failed; + } + +diff --git a/ldb_map/ldb_map_inbound.c b/ldb_map/ldb_map_inbound.c +index 324295737da1..50b9427c26c5 100644 +--- a/ldb_map/ldb_map_inbound.c ++++ b/ldb_map/ldb_map_inbound.c +@@ -569,12 +569,9 @@ static int map_modify_do_local(struct map_context *ac) + /* No local record present, add it instead */ + /* Add local 'IS_MAPPED' */ + /* TODO: use GUIDs here instead */ +- if (ldb_msg_add_empty(ac->local_msg, IS_MAPPED, +- LDB_FLAG_MOD_ADD, NULL) != 0) { +- return LDB_ERR_OPERATIONS_ERROR; +- } +- ret = ldb_msg_add_linearized_dn(ac->local_msg, IS_MAPPED, +- ac->remote_req->op.mod.message->dn); ++ ret = ldb_msg_append_linearized_dn(ac->local_msg, IS_MAPPED, ++ ac->remote_req->op.mod.message->dn, ++ LDB_FLAG_MOD_ADD); + if (ret != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } +diff --git a/modules/rdn_name.c b/modules/rdn_name.c +index 25cffe07591a..3cb62bf567bd 100644 +--- a/modules/rdn_name.c ++++ b/modules/rdn_name.c +@@ -308,16 +308,10 @@ static int rdn_rename_callback(struct ldb_request *req, struct ldb_reply *ares) + } + rdn_val = ldb_val_dup(msg, rdn_val_p); + +- if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) { ++ if (ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { + goto error; + } +- if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) { +- goto error; +- } +- if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) { +- goto error; +- } +- if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) { ++ if (ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { + goto error; + } + +@@ -466,11 +460,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) + if (ret != 0) { + return ldb_module_oom(module); + } +- ret = ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_ADD, NULL); +- if (ret != 0) { +- return ldb_module_oom(module); +- } +- ret = ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL); ++ ret = ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_ADD); + if (ret != 0) { + return ldb_module_oom(module); + } +@@ -479,11 +469,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) + if (ret != 0) { + return ldb_module_oom(module); + } +- ret = ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_ADD, NULL); +- if (ret != 0) { +- return ldb_module_oom(module); +- } +- ret = ldb_msg_add_value(msg, "name", &rdn_val, NULL); ++ ret = ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_ADD); + if (ret != 0) { + return ldb_module_oom(module); + } diff --git a/backport-002-CVE-2022-32746.patch b/backport-002-CVE-2022-32746.patch new file mode 100644 index 0000000..5fc201a --- /dev/null +++ b/backport-002-CVE-2022-32746.patch @@ -0,0 +1,28 @@ +From 41b1fe6d4ae1f547b2f1a0ef8d1aee284b4ef93b Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 16 Feb 2022 12:43:52 +1300 +Subject: [PATCH] CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for + flags equality check + +Now unrelated flags will no longer affect the result. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + lib/ldb/modules/rdn_name.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/rdn_name.c b/modules/rdn_name.c +index e69ad9315aec..25cffe07591a 100644 +--- a/modules/rdn_name.c ++++ b/modules/rdn_name.c +@@ -545,7 +545,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) + if (e != NULL) { + ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead", + ldb_dn_get_linearized(req->op.mod.message->dn)); +- if (e->flags == LDB_FLAG_MOD_REPLACE) { ++ if (LDB_FLAG_MOD_TYPE(e->flags) == LDB_FLAG_MOD_REPLACE) { + return LDB_ERR_CONSTRAINT_VIOLATION; + } else { + return LDB_ERR_UNWILLING_TO_PERFORM; diff --git a/backport-003-CVE-2022-32746.patch b/backport-003-CVE-2022-32746.patch new file mode 100644 index 0000000..dd77047 --- /dev/null +++ b/backport-003-CVE-2022-32746.patch @@ -0,0 +1,112 @@ +From 7efe8182c165fbf17d2f88c173527a7a554e214b Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Mon, 21 Feb 2022 16:10:32 +1300 +Subject: [PATCH] CVE-2022-32746 ldb: Add flag to mark message element values + as shared + +When making a shallow copy of an ldb message, mark the message elements +of the copy as sharing their values with the message elements in the +original message. + +This flag value will be heeded in the next commit. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + common/ldb_msg.c | 43 +++++++++++++++++++++++++++++++----- + include/ldb_module.h | 6 +++++ + 2 files changed, 43 insertions(+), 6 deletions(-) + +diff --git a/common/ldb_msg.c b/common/ldb_msg.c +index 57dfc5a04c2b..2a9ce384bb98 100644 +--- a/common/ldb_msg.c ++++ b/common/ldb_msg.c +@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg) + ldb_msg_element_compare_name); + } + +-/* +- shallow copy a message - copying only the elements array so that the caller +- can safely add new elements without changing the message +-*/ +-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, ++static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx, + const struct ldb_message *msg) + { + struct ldb_message *msg2; +@@ -863,6 +859,35 @@ struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, + return NULL; + } + ++/* ++ shallow copy a message - copying only the elements array so that the caller ++ can safely add new elements without changing the message ++*/ ++struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, ++ const struct ldb_message *msg) ++{ ++ struct ldb_message *msg2; ++ unsigned int i; ++ ++ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); ++ if (msg2 == NULL) { ++ return NULL; ++ } ++ ++ for (i = 0; i < msg2->num_elements; ++i) { ++ /* ++ * Mark this message's elements as sharing their values with the ++ * original message, so that we don't inadvertently modify or ++ * free them. We don't mark the original message element as ++ * shared, so the original message element should not be ++ * modified or freed while the shallow copy lives. ++ */ ++ struct ldb_message_element *el = &msg2->elements[i]; ++ el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES; ++ } ++ ++ return msg2; ++} + + /* + copy a message, allocating new memory for all parts +@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, + struct ldb_message *msg2; + unsigned int i, j; + +- msg2 = ldb_msg_copy_shallow(mem_ctx, msg); ++ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); + if (msg2 == NULL) return NULL; + + if (msg2->dn != NULL) { +@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, + goto failed; + } + } ++ ++ /* ++ * Since we copied this element's values, we can mark them as ++ * not shared. ++ */ ++ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; + } + + return msg2; +diff --git a/include/ldb_module.h b/include/ldb_module.h +index 8c1e5ee7936c..4c7c85a17f00 100644 +--- a/include/ldb_module.h ++++ b/include/ldb_module.h +@@ -96,6 +96,12 @@ struct ldb_module; + */ + #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100 + ++/* ++ * indicates that this element's values are shared with another element (for ++ * example, in a shallow copy of an ldb_message) and should not be freed ++ */ ++#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200 ++ + /* an extended match rule that always fails to match */ + #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1" + diff --git a/backport-004-CVE-2022-32746.patch b/backport-004-CVE-2022-32746.patch new file mode 100644 index 0000000..b588ff8 --- /dev/null +++ b/backport-004-CVE-2022-32746.patch @@ -0,0 +1,121 @@ +From a2bb5beee82fd9c4c29decc07024057febeaf1b5 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 16 Feb 2022 12:35:13 +1300 +Subject: [PATCH] CVE-2022-32746 ldb: Ensure shallow copy modifications do not + affect original message + +Using the newly added ldb flag, we can now detect when a message has +been shallow-copied so that its elements share their values with the +original message elements. Then when adding values to the copied +message, we now make a copy of the shared values array first. + +This should prevent a use-after-free that occurred in LDB modules when +new values were added to a shallow copy of a message by calling +talloc_realloc() on the original values array, invalidating the 'values' +pointer in the original message element. The original values pointer can +later be used in the database audit logging module which logs database +requests, and potentially cause a crash. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + common/ldb_msg.c | 52 ++++++++++++++++++++++++++++++++------ + include/ldb.h | 6 +++++ + 2 files changed, 56 insertions(+), 22 deletions(-) + +diff --git a/common/ldb_msg.c b/common/ldb_msg.c +index 2a9ce384bb98..44d3b29e9a72 100644 +--- a/common/ldb_msg.c ++++ b/common/ldb_msg.c +@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg, + return LDB_SUCCESS; + } + ++/* ++ * add a value to a message element ++ */ ++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, ++ struct ldb_message_element *el, ++ const struct ldb_val *val) ++{ ++ struct ldb_val *vals; ++ ++ if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) { ++ /* ++ * Another message is using this message element's values array, ++ * so we don't want to make any modifications to the original ++ * message, or potentially invalidate its own values by calling ++ * talloc_realloc(). Make a copy instead. ++ */ ++ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; ++ ++ vals = talloc_array(mem_ctx, struct ldb_val, ++ el->num_values + 1); ++ if (vals == NULL) { ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ ++ if (el->values != NULL) { ++ memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val)); ++ } ++ } else { ++ vals = talloc_realloc(mem_ctx, el->values, struct ldb_val, ++ el->num_values + 1); ++ if (vals == NULL) { ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ } ++ el->values = vals; ++ el->values[el->num_values] = *val; ++ el->num_values++; ++ ++ return LDB_SUCCESS; ++} ++ + /* + add a value to a message + */ +@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg, + struct ldb_message_element **return_el) + { + struct ldb_message_element *el; +- struct ldb_val *vals; + int ret; + + el = ldb_msg_find_element(msg, attr_name); +@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg, + } + } + +- vals = talloc_realloc(msg->elements, el->values, struct ldb_val, +- el->num_values+1); +- if (!vals) { +- return LDB_ERR_OPERATIONS_ERROR; ++ ret = ldb_msg_element_add_value(msg->elements, el, val); ++ if (ret != LDB_SUCCESS) { ++ return ret; + } +- el->values = vals; +- el->values[el->num_values] = *val; +- el->num_values++; + + if (return_el) { + *return_el = el; +diff --git a/include/ldb.h b/include/ldb.h +index bc44157eaf47..129beefeaf56 100644 +--- a/include/ldb.h ++++ b/include/ldb.h +@@ -1981,6 +1981,12 @@ int ldb_msg_add_empty(struct ldb_message *msg, + int flags, + struct ldb_message_element **return_el); + ++/** ++ add a value to a message element ++*/ ++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, ++ struct ldb_message_element *el, ++ const struct ldb_val *val); + /** + add a element to a ldb_message + */ diff --git a/backport-005-CVE-2022-32746.patch b/backport-005-CVE-2022-32746.patch new file mode 100644 index 0000000..f68e164 --- /dev/null +++ b/backport-005-CVE-2022-32746.patch @@ -0,0 +1,274 @@ +From df487eb2d713e817660dd3b56bb26ba715fadfea Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 16 Feb 2022 16:30:03 +1300 +Subject: [PATCH] CVE-2022-32746 ldb: Add functions for appending to an + ldb_message + +Currently, there are many places where we use ldb_msg_add_empty() to add +an empty element to a message, and then call ldb_msg_add_value() or +similar to add values to that element. However, this performs an +unnecessary search of the message's elements to locate the new element. +Moreover, if an element with the same attribute name already exists +earlier in the message, the values will be added to that element, +instead of to the intended newly added element. + +A similar pattern exists where we add values to a message, and then call +ldb_msg_find_element() to locate that message element and sets its flags +to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary +search, and may locate the wrong message element for setting the flags. + +To avoid these problems, add functions for appending a value to a +message, so that a particular value can be added to the end of a message +in a single operation. + +For ADD requests, it is important that no two message elements share the +same attribute name, otherwise things will break. (Normally, +ldb_msg_normalize() is called before processing the request to help +ensure this.) Thus, we must be careful not to append an attribute to an +ADD message, unless we are sure (e.g. through ldb_msg_find_element()) +that an existing element for that attribute is not present. + +These functions will be used in the next commit. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + common/ldb_msg.c | 165 ++++++++++++++++++++++++++++++++++++++- + include/ldb.h | 24 ++++++ + 2 files changed, 185 insertions(+), 4 deletions(-) + +diff --git a/common/ldb_msg.c b/common/ldb_msg.c +index 44d3b29e9a7..9cd7998e21c 100644 +--- a/common/ldb_msg.c ++++ b/common/ldb_msg.c +@@ -509,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, + + + /* +- add a string element to a message ++ add a string element to a message, specifying flags + */ +-int ldb_msg_add_string(struct ldb_message *msg, +- const char *attr_name, const char *str) ++int ldb_msg_add_string_flags(struct ldb_message *msg, ++ const char *attr_name, const char *str, ++ int flags) + { + struct ldb_val val; ++ int ret; ++ struct ldb_message_element *el = NULL; + + val.data = discard_const_p(uint8_t, str); + val.length = strlen(str); +@@ -524,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg, + return LDB_SUCCESS; + } + +- return ldb_msg_add_value(msg, attr_name, &val, NULL); ++ ret = ldb_msg_add_value(msg, attr_name, &val, &el); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ ++ if (flags != 0) { ++ el->flags = flags; ++ } ++ ++ return LDB_SUCCESS; ++} ++ ++/* ++ add a string element to a message ++*/ ++int ldb_msg_add_string(struct ldb_message *msg, ++ const char *attr_name, const char *str) ++{ ++ return ldb_msg_add_string_flags(msg, attr_name, str, 0); + } + + /* +@@ -586,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg, + return ldb_msg_add_steal_value(msg, attr_name, &val); + } + ++static int ldb_msg_append_value_impl(struct ldb_message *msg, ++ const char *attr_name, ++ const struct ldb_val *val, ++ int flags, ++ struct ldb_message_element **return_el) ++{ ++ struct ldb_message_element *el = NULL; ++ int ret; ++ ++ ret = ldb_msg_add_empty(msg, attr_name, flags, &el); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ ++ ret = ldb_msg_element_add_value(msg->elements, el, val); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ ++ if (return_el != NULL) { ++ *return_el = el; ++ } ++ ++ return LDB_SUCCESS; ++} ++ ++/* ++ append a value to a message ++*/ ++int ldb_msg_append_value(struct ldb_message *msg, ++ const char *attr_name, ++ const struct ldb_val *val, ++ int flags) ++{ ++ return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL); ++} ++ ++/* ++ append a value to a message, stealing it into the 'right' place ++*/ ++int ldb_msg_append_steal_value(struct ldb_message *msg, ++ const char *attr_name, ++ struct ldb_val *val, ++ int flags) ++{ ++ int ret; ++ struct ldb_message_element *el = NULL; ++ ++ ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el); ++ if (ret == LDB_SUCCESS) { ++ talloc_steal(el->values, val->data); ++ } ++ return ret; ++} ++ ++/* ++ append a string element to a message, stealing it into the 'right' place ++*/ ++int ldb_msg_append_steal_string(struct ldb_message *msg, ++ const char *attr_name, char *str, ++ int flags) ++{ ++ struct ldb_val val; ++ ++ val.data = (uint8_t *)str; ++ val.length = strlen(str); ++ ++ if (val.length == 0) { ++ /* allow empty strings as non-existent attributes */ ++ return LDB_SUCCESS; ++ } ++ ++ return ldb_msg_append_steal_value(msg, attr_name, &val, flags); ++} ++ ++/* ++ append a string element to a message ++*/ ++int ldb_msg_append_string(struct ldb_message *msg, ++ const char *attr_name, const char *str, int flags) ++{ ++ struct ldb_val val; ++ ++ val.data = discard_const_p(uint8_t, str); ++ val.length = strlen(str); ++ ++ if (val.length == 0) { ++ /* allow empty strings as non-existent attributes */ ++ return LDB_SUCCESS; ++ } ++ ++ return ldb_msg_append_value(msg, attr_name, &val, flags); ++} ++ ++/* ++ append a DN element to a message ++ WARNING: this uses the linearized string from the dn, and does not ++ copy the string. ++*/ ++int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, ++ struct ldb_dn *dn, int flags) ++{ ++ char *str = ldb_dn_alloc_linearized(msg, dn); ++ ++ if (str == NULL) { ++ /* we don't want to have unknown DNs added */ ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ ++ return ldb_msg_append_steal_string(msg, attr_name, str, flags); ++} ++ ++/* ++ append a printf formatted element to a message ++*/ ++int ldb_msg_append_fmt(struct ldb_message *msg, int flags, ++ const char *attr_name, const char *fmt, ...) ++{ ++ struct ldb_val val; ++ va_list ap; ++ char *str = NULL; ++ ++ va_start(ap, fmt); ++ str = talloc_vasprintf(msg, fmt, ap); ++ va_end(ap); ++ ++ if (str == NULL) { ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ ++ val.data = (uint8_t *)str; ++ val.length = strlen(str); ++ ++ return ldb_msg_append_steal_value(msg, attr_name, &val, flags); ++} ++ + /* + compare two ldb_message_element structures + assumes case sensitive comparison +diff --git a/include/ldb.h b/include/ldb.h +index 129beefeaf5..63d8aedd672 100644 +--- a/include/ldb.h ++++ b/include/ldb.h +@@ -2002,12 +2002,36 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, + struct ldb_val *val); + int ldb_msg_add_steal_string(struct ldb_message *msg, + const char *attr_name, char *str); ++int ldb_msg_add_string_flags(struct ldb_message *msg, ++ const char *attr_name, const char *str, ++ int flags); + int ldb_msg_add_string(struct ldb_message *msg, + const char *attr_name, const char *str); + int ldb_msg_add_linearized_dn(struct ldb_message *msg, const char *attr_name, + struct ldb_dn *dn); + int ldb_msg_add_fmt(struct ldb_message *msg, + const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4); ++/** ++ append a element to a ldb_message ++*/ ++int ldb_msg_append_value(struct ldb_message *msg, ++ const char *attr_name, ++ const struct ldb_val *val, ++ int flags); ++int ldb_msg_append_steal_value(struct ldb_message *msg, ++ const char *attr_name, ++ struct ldb_val *val, ++ int flags); ++int ldb_msg_append_steal_string(struct ldb_message *msg, ++ const char *attr_name, char *str, ++ int flags); ++int ldb_msg_append_string(struct ldb_message *msg, ++ const char *attr_name, const char *str, ++ int flags); ++int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, ++ struct ldb_dn *dn, int flags); ++int ldb_msg_append_fmt(struct ldb_message *msg, int flags, ++ const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(4,5); + + /** + compare two message elements - return 0 on match diff --git a/libldb.spec b/libldb.spec index b28b9a6..9942862 100644 --- a/libldb.spec +++ b/libldb.spec @@ -6,7 +6,7 @@ Name: libldb Version: 2.4.1 -Release: 1 +Release: 2 Summary: A schema-less, ldap like, API and database Requires: libtalloc%{?_isa} >= %{talloc_version} Requires: libtdb%{?_isa} >= %{tdb_version} @@ -17,6 +17,11 @@ Source0: http://samba.org/ftp/ldb/ldb-%{version}.tar.gz Source1: http://samba.org/ftp/ldb/ldb-%{version}.tar.asc Patch0: backport-Skip-ldb_lmdb_free_list_test-on-ppc64el-ppc64-and-sp.patch +Patch1: backport-001-CVE-2022-32746.patch +Patch2: backport-002-CVE-2022-32746.patch +Patch3: backport-003-CVE-2022-32746.patch +Patch4: backport-004-CVE-2022-32746.patch +Patch5: backport-005-CVE-2022-32746.patch BuildRequires: gcc libtalloc-devel >= %{talloc_version} libtdb-devel >= %{tdb_version} BuildRequires: libtevent-devel >= %{tevent_version} lmdb-devel >= 0.9.16 popt-devel @@ -170,6 +175,12 @@ echo "%{_libdir}/ldb" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{_mandir}/man1/ldbsearch.1.* %changelog +* Mon Aug 01 2022 gaihuiying - 2.4.1-2 +- Type:CVE +- ID:CVE-2022-32746 +- SUG:NA +- DESC:fix CVE-2022-32746 + * Wed Dec 15 2021 yanglu - 2.4.1-1 - Type:update - ID:NA -- Gitee