pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/databases Add patch to fix a libBER Denial of Service ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/6bad09350eca
branches:  trunk
changeset: 544032:6bad09350eca
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Thu Jul 03 22:14:50 2008 +0000

description:
Add patch to fix a libBER Denial of Service in OpenLDAP. (CVE-2008-2952)

diffstat:

 databases/openldap-client/Makefile  |   3 ++-
 databases/openldap/distinfo         |   3 ++-
 databases/openldap/patches/patch-aa |  23 +++++++++++++++++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)

diffs (54 lines):

diff -r 684f22c87cd6 -r 6bad09350eca databases/openldap-client/Makefile
--- a/databases/openldap-client/Makefile        Thu Jul 03 22:01:48 2008 +0000
+++ b/databases/openldap-client/Makefile        Thu Jul 03 22:14:50 2008 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.8 2008/02/24 20:15:05 ghen Exp $
+# $NetBSD: Makefile,v 1.9 2008/07/03 22:14:50 tonnerre Exp $
 
 PKGNAME=               ${DISTNAME:S/-/-client-/}
 COMMENT=               Lightweight Directory Access Protocol libraries and client programs
+PKGREVISION=           1
 
 CONFLICTS+=            openldap<2.3.23nb1
 
diff -r 684f22c87cd6 -r 6bad09350eca databases/openldap/distinfo
--- a/databases/openldap/distinfo       Thu Jul 03 22:01:48 2008 +0000
+++ b/databases/openldap/distinfo       Thu Jul 03 22:14:50 2008 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.63 2008/06/09 09:07:38 ghen Exp $
+$NetBSD: distinfo,v 1.64 2008/07/03 22:14:50 tonnerre Exp $
 
 SHA1 (openldap-2.4.9.tgz) = 7c63d8552fd97e2e2e20310ef8c75e0202a624ee
 RMD160 (openldap-2.4.9.tgz) = bd6f9a4cf0d36c7def4ee002f2a2b445a8a1e711
 Size (openldap-2.4.9.tgz) = 4440456 bytes
+SHA1 (patch-aa) = 8c5c68ef53decb013114d606698cbd8a1c1b4e49
 SHA1 (patch-ac) = 905b08c4dea8c61e044ccf66d6af22cc685a3ccc
 SHA1 (patch-ad) = 24e7ec27d592dd76bdec1e4805801c5304951daf
 SHA1 (patch-af) = 1ae9137e76e885e03d0f44727197a444893ec7c5
diff -r 684f22c87cd6 -r 6bad09350eca databases/openldap/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/databases/openldap/patches/patch-aa       Thu Jul 03 22:14:50 2008 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-aa,v 1.10 2008/07/03 22:14:50 tonnerre Exp $
+
+--- libraries/liblber/io.c.orig        2008-02-12 00:26:41.000000000 +0100
++++ libraries/liblber/io.c
+@@ -584,13 +584,11 @@ ber_get_next(
+                               return LBER_DEFAULT;
+                       }
+                       /* Not enough bytes? */
+-                      if (ber->ber_rwptr - (char *)p < llen) {
+-#if defined( EWOULDBLOCK )
+-                              sock_errset(EWOULDBLOCK);
+-#elif defined( EAGAIN )
+-                              sock_errset(EAGAIN);
+-#endif                        
+-                              return LBER_DEFAULT;
++                      i = ber->ber_rwptr - (char *)p;
++                      if (i < llen) {
++                              sblen=ber_int_sb_read( sb, ber->ber_rwptr, i );
++                              if (sblen<i) return LBER_DEFAULT;
++                              ber->ber_rwptr += sblen;
+                       }
+                       for (i=0; i<llen; i++) {
+                               tlen <<=8;
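Review bot: In the new `if (i < llen)` branch the call `ber_int_sb_read( sb, ber->ber_rwptr, i )` asks for `i` bytes, but `i` was just set to the number of bytes already buffered past `p`, so the shortfall `llen - i` is never requested. With `i == 0` nothing is read at all, and the `for (i=0; i<llen; i++)` loop that follows still consumes `llen` length octets from the buffer. Going by the visible lines, the read and its check should use the missing count: `sblen = ber_int_sb_read( sb, ber->ber_rwptr, llen - i );` followed by `if (sblen < llen - i) return LBER_DEFAULT;`. The declarations of `i`, `llen` and `sblen`, and the size of the buffer behind `ber_rwptr`, are outside the hunk, so the signedness of that comparison and the room for the extra bytes need confirming against the full `ber_get_next`. It is also worth confirming that the early `return LBER_DEFAULT` still leaves a would-block indication for the caller, since the removed lines set `EWOULDBLOCK`/`EAGAIN` explicitly and the new path relies on whatever `ber_int_sb_read` does.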


