From: Leo Famulari <leo@famulari.name>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 0/1] Update OpenLDAP, fixing CVE-2015-6908
Date: Sat, 23 Apr 2016 20:58:49 -0400
Message-ID: <20160424005849.GA1786@jasmine>
In-Reply-To: <87y485f1gr.fsf@netris.org>
On Fri, Apr 22, 2016 at 11:28:20PM -0400, Mark H Weaver wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > There is a remote denial of service bug in OpenLDAP in version 2.4.42
> > and earlier [0].
>
> I think we'll need to graft this. Would you like to try grafting it on
> your own system, see if anything obvious breaks, and then report back?
I've attached a patch that does seem to work, but as discussed on IRC,
it's ugly. Specifically, I've hand-coded the version into the URI string
rather than setting the "version" field.
Again, your advice requested...
[-- Attachment #2: 0001-gnu-openldap-Update-to-2.4.44-fixes-CVE-2015-6908.patch --]
From a096a89674fc52b6554840cacc8d5998b8e22e7c Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 21 Apr 2016 12:49:48 -0400
Subject: [PATCH] gnu: openldap: Update to 2.4.44 [fixes CVE-2015-6908].
* gnu/packages/openldap.scm (openldap)[replacement]: New field.
(openldap-fixed): New variable.
---
gnu/packages/openldap.scm | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index d416a43..d34458b 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -35,6 +36,7 @@
(package
(name "openldap")
(version "2.4.42")
+ (replacement openldap-fixed)
(source (origin
(method url-fetch)
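Review bot: The forward reference to `openldap-fixed` (defined later in the file) is fine here, since the `replacement` field of the package record is thunked and only resolved when the graft is applied, not when `openldap` is defined. Worth a one-line comment above `(replacement openldap-fixed)` saying that the replacement is a graft and must keep the same name and output layout, so the next person editing this package knows why the version below stays at "2.4.42".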
@@ -76,3 +78,22 @@
"OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.")
(license openldap2.8)
(home-page "http://www.openldap.org/")))
+
+(define openldap-fixed
+ (package
+ (inherit openldap)
+ (source (origin
+ (method url-fetch)
+ ;; We are using version 2.4.44, but the output path will
+ ;; include the version string "2.4.42".
+ (uri (list (string-append
+ "ftp://mirror.switch.ch/mirror/OpenLDAP/"
+ "openldap-release/openldap-" "2.4.44" ".tgz")
+ (string-append
+ "ftp://ftp.OpenLDAP.org/pub/OpenLDAP/"
+ "openldap-release/openldap-" "2.4.44" ".tgz")
+ (string-append
+ "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/")))
+ (sha256
+ (base32
+ "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp"))))))
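Review bot: The third mirror entry is a bare directory, `"ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"`, with no tarball name appended, so a download falling through to that mirror would fail; it should be built the same way as the other two, with `"openldap-release/openldap-" "2.4.44" ".tgz"` appended. On the hand-coded version string: since "2.4.42" and "2.4.44" are the same length, the store path length the graft relies on is unchanged, so the cleaner form is to set `(version "2.4.44")` in `openldap-fixed` and write the URIs with `version` instead of the literal; that also makes `guix package --show` and lint report the version that is actually built, and the "output path will include 2.4.42" comment becomes unnecessary.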
--
2.7.4