diffstat of debian/ for ldb_1.1.4-1 ldb_1.1.4-1ubuntu0.1 changelog | 13 +++ control | 3 patches/CVE-2015-3223.patch | 74 +++++++++++++++++++++ patches/CVE-2015-5330.patch | 151 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 5 files changed, 242 insertions(+), 1 deletion(-) diff -Nru ldb-1.1.4/debian/changelog ldb-1.1.4/debian/changelog --- ldb-1.1.4/debian/changelog 2011-12-02 23:42:05.000000000 +0000 +++ ldb-1.1.4/debian/changelog 2016-01-04 15:16:11.000000000 +0000 @@ -1,3 +1,16 @@ +ldb (1:1.1.4-1ubuntu0.1) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service in ldb_wildcard_compare function + - debian/patches/CVE-2015-3223.patch: handle empty strings and + embedded zeros in lib/ldb/common/ldb_match.c. + - CVE-2015-3223 + * SECURITY UPDATE: information leak via incorrect string length handling + - debian/patches/CVE-2015-5330.patch: fix string length handling in + lib/ldb/common/ldb_dn.c. + - CVE-2015-5330 + + -- Marc Deslauriers Mon, 04 Jan 2016 10:16:11 -0500 + ldb (1:1.1.4-1) unstable; urgency=low * New upstream release. diff -Nru ldb-1.1.4/debian/control ldb-1.1.4/debian/control --- ldb-1.1.4/debian/control 2011-12-02 23:42:05.000000000 +0000 +++ ldb-1.1.4/debian/control 2016-01-04 15:16:18.000000000 +0000 @@ -1,7 +1,8 @@ Source: ldb Section: devel Priority: optional -Maintainer: Jelmer Vernooij +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Jelmer Vernooij Build-Depends: debhelper (>> 8.1.3), docbook-xml, docbook-xsl, diff -Nru ldb-1.1.4/debian/patches/CVE-2015-3223.patch ldb-1.1.4/debian/patches/CVE-2015-3223.patch --- ldb-1.1.4/debian/patches/CVE-2015-3223.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.4/debian/patches/CVE-2015-3223.patch 2016-01-04 15:16:04.000000000 +0000 
@@ -0,0 +1,74 @@ +Description: fix denial of service in ldb_wildcard_compare function +Origin: upstream, https://git.samba.org/?p=samba.git;a=commit;h=fb456954f332c07a645226d59b3b00ec252f8b26 +Origin: upstream, https://git.samba.org/?p=samba.git;a=commit;h=bb1b783ee9d7259cfc6a1fe882f22189747f8684 +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11325 +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11636 + +Index: ldb-1.1.4/common/ldb_match.c +=================================================================== +--- ldb-1.1.4.orig/common/ldb_match.c 2016-01-04 10:16:02.655817271 -0500 ++++ ldb-1.1.4/common/ldb_match.c 2016-01-04 10:16:02.655817271 -0500 +@@ -240,7 +240,6 @@ + struct ldb_val val; + struct ldb_val cnk; + struct ldb_val *chunk; +- char *p, *g; + uint8_t *save_p = NULL; + unsigned int c = 0; + +@@ -265,6 +264,14 @@ + if (cnk.length > val.length) { + goto mismatch; + } ++ /* ++ * Empty strings are returned as length 0. Ensure ++ * we can cope with this. ++ */ ++ if (cnk.length == 0) { ++ goto mismatch; ++ } ++ + if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch; + val.length -= cnk.length; + val.data += cnk.length; +@@ -274,20 +281,36 @@ + } + + while (tree->u.substring.chunks[c]) { ++ uint8_t *p; + + chunk = tree->u.substring.chunks[c]; + if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch; + +- /* FIXME: case of embedded nulls */ +- p = strstr((char *)val.data, (char *)cnk.data); ++ /* ++ * Empty strings are returned as length 0. Ensure ++ * we can cope with this. ++ */ ++ if (cnk.length == 0) { ++ goto mismatch; ++ } ++ /* ++ * Values might be binary blobs. Don't use string ++ * search, but memory search instead. ++ */ ++ p = memmem((const void *)val.data,val.length, ++ (const void *)cnk.data, cnk.length); + if (p == NULL) goto mismatch; + if ( (! tree->u.substring.chunks[c + 1]) && (! 
tree->u.substring.end_with_wildcard) ) { ++ uint8_t *g; + do { /* greedy */ +- g = strstr((char *)p + cnk.length, (char *)cnk.data); ++ g = memmem(p + cnk.length, ++ val.length - (p - val.data), ++ (const uint8_t *)cnk.data, ++ cnk.length); + if (g) p = g; + } while(g); + } +- val.length = val.length - (p - (char *)(val.data)) - cnk.length; ++ val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length; + val.data = (uint8_t *)(p + cnk.length); + c++; + talloc_free(cnk.data); diff -Nru ldb-1.1.4/debian/patches/CVE-2015-5330.patch ldb-1.1.4/debian/patches/CVE-2015-5330.patch --- ldb-1.1.4/debian/patches/CVE-2015-5330.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldb-1.1.4/debian/patches/CVE-2015-5330.patch 2016-01-04 15:16:07.000000000 +0000 
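Review bot: The haystack length in the greedy loop is cnk.length too large: the search starts at `p + cnk.length` but the length passed is `val.length - (p - val.data)`, which still counts the bytes of the match just skipped, so memmem() can read up to cnk.length bytes past the end of val.data on the final pass (and a spurious hit there would push val.length negative at the `val.length = ...` update). The length should be `val.length - ((p + cnk.length) - val.data)`, which is the same over-read class this backport is meant to close for binary, non-terminated values. Separately, memmem() is a GNU extension rather than C11, so make sure this file picks up replace.h or `_GNU_SOURCE` — I cannot see the includes from here. The enclosing ldb_wildcard_compare starts and ends outside the hunk.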
@@ -0,0 +1,151 @@ +Description: fix information leak via incorrect string length handling +Origin: upstream, https://git.samba.org/?p=samba.git;a=commit;h=1aef718f3cc175d90d40202a333042a38ba382b1 +Origin: upstream, https://git.samba.org/?p=samba.git;a=commit;h=7bcac237656083e67bbac9b50be9b319bb2d7eb8 +Origin: upstream, https://git.samba.org/?p=samba.git;a=commit;h=83f1d39cd9ab9b8b548602f9ee806a994fca9d0c +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599 +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11636 + +Index: ldb-1.1.20/common/ldb_dn.c +=================================================================== +--- ldb-1.1.20.orig/common/ldb_dn.c 2015-04-25 10:12:45.000000000 -0400 ++++ ldb-1.1.20/common/ldb_dn.c 2016-01-04 10:01:34.938065920 -0500 +@@ -189,33 +189,23 @@ + /* see RFC2253 section 2.4 */ + static int ldb_dn_escape_internal(char *dst, const char *src, int len) + { +- const char *p, *s; ++ char c; + char *d; +- size_t l; +- +- p = s = src; ++ int i; + d = dst; + +- while (p - src < len) { +- p += strcspn(p, ",=\n\r+<>#;\\\" "); +- +- if (p - src == len) /* found no escapable chars */ +- break; +- +- /* copy the part of the string before the stop */ +- memcpy(d, s, p - s); +- d += (p - s); /* move to current position */ +- +- switch (*p) { ++ for (i = 0; i < len; i++){ ++ c = src[i]; ++ switch (c) { + case ' ': +- if (p == src || (p-src)==(len-1)) { ++ if (i == 0 || i == len - 1) { + /* if at the beginning or end + * of the string then escape */ + *d++ = '\\'; +- *d++ = *p++; ++ *d++ = c; + } else { + /* otherwise don't escape */ +- *d++ = *p++; ++ *d++ = c; + } + break; + +@@ -231,36 +221,36 @@ + case '?': + /* these must be escaped using \c form */ + *d++ = '\\'; +- *d++ = *p++; ++ *d++ = c; + break; + +- default: { ++ case ';': ++ case '\r': ++ case '\n': ++ case '=': ++ case '\0': { + /* any others get \XX form */ + unsigned char v; + const char *hexbytes = "0123456789ABCDEF"; +- v = *(const unsigned char *)p; ++ v = (const unsigned char)c; + 
*d++ = '\\'; + *d++ = hexbytes[v>>4]; + *d++ = hexbytes[v&0xF]; +- p++; + break; + } ++ default: ++ *d++ = c; + } +- s = p; /* move forward */ + } + +- /* copy the last part (with zero) and return */ +- l = len - (s - src); +- memcpy(d, s, l + 1); +- + /* return the length of the resulting string */ +- return (l + (d - dst)); ++ return (d - dst); + } + + char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value) + { + char *dst; +- ++ size_t len; + if (!value.length) + return NULL; + +@@ -271,10 +261,14 @@ + return NULL; + } + +- ldb_dn_escape_internal(dst, (const char *)value.data, value.length); +- +- dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1); ++ len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length); + ++ dst = talloc_realloc(mem_ctx, dst, char, len + 1); ++ if ( ! dst) { ++ talloc_free(dst); ++ return NULL; ++ } ++ dst[len] = '\0'; + return dst; + } + +@@ -592,12 +586,15 @@ + + p++; + *d++ = '\0'; +- dn->components[dn->comp_num].value.data = (uint8_t *)talloc_strdup(dn->components, dt); ++ dn->components[dn->comp_num].value.data = \ ++ (uint8_t *)talloc_memdup(dn->components, dt, l + 1); + dn->components[dn->comp_num].value.length = l; + if ( ! dn->components[dn->comp_num].value.data) { + /* ouch ! */ + goto failed; + } ++ talloc_set_name_const(dn->components[dn->comp_num].value.data, ++ (const char *)dn->components[dn->comp_num].value.data); + + dt = d; + +@@ -713,11 +710,13 @@ + *d++ = '\0'; + dn->components[dn->comp_num].value.length = l; + dn->components[dn->comp_num].value.data = +- (uint8_t *)talloc_strdup(dn->components, dt); ++ (uint8_t *)talloc_memdup(dn->components, dt, l + 1); + if ( ! 
dn->components[dn->comp_num].value.data) { + /* ouch */ + goto failed; + } ++ talloc_set_name_const(dn->components[dn->comp_num].value.data, ++ (const char *)dn->components[dn->comp_num].value.data); + + dn->comp_num++; + diff -Nru ldb-1.1.4/debian/patches/series ldb-1.1.4/debian/patches/series --- ldb-1.1.4/debian/patches/series 2011-12-02 23:42:05.000000000 +0000 +++ ldb-1.1.4/debian/patches/series 2016-01-04 15:16:07.000000000 +0000 @@ -0,0 +1,2 @@ +CVE-2015-3223.patch +CVE-2015-5330.patch
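Review bot: In ldb_dn_escape_value the realloc failure path frees the wrong pointer: `dst = talloc_realloc(mem_ctx, dst, char, len + 1); if (!dst) { talloc_free(dst); return NULL; }` has already overwritten dst with NULL, so the talloc_free() is a no-op and the original escape buffer presumably stays attached to mem_ctx until that context goes away. Keep the old pointer until the realloc succeeds: `char *tmp = talloc_realloc(mem_ctx, dst, char, len + 1); if (!tmp) { talloc_free(dst); return NULL; } dst = tmp;`. Also, ldb_dn_escape_internal still takes and returns `int` while value.length and the new `len` are size_t, so a value longer than INT_MAX makes the loop bound negative and silently yields an empty string; since the function is static, changing both to `size_t` removes the narrowing without affecting callers. The explode hunks further down are cut out of functions whose start and end lie outside the view.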