openldap: fix CVE-2015-3276

the patch comes from:
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
https://bugzilla.redhat.com/attachment.cgi?id=1055640

The nss_parse_ciphers function in libraries/libldap/tls_m.c in
OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
cipher strings, which might cause a weaker than intended cipher to
be used and allow remote attackers to have unspecified impact via
unknown vectors.

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

2 files changed, 60 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
new file mode 100644
index 0000000000..de9ca528a2
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libraries/libldap/tls_m.c |   27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ 			 */
+ 			if (mask || strength || protocol) {
+ 				for (i=0; i<ciphernum; i++) {
+-					if (((ciphers_def[i].attr & mask) ||
+-						 (ciphers_def[i].strength & strength) ||
+-						 (ciphers_def[i].version & protocol)) &&
+-						(cipher_list[i] != -1)) {
+-						/* Enable the NULL ciphers only if explicity
+-						 * requested */
+-						if (ciphers_def[i].attr & SSL_eNULL) {
+-							if (mask & SSL_eNULL)
+-								cipher_list[i] = action;
+-						} else
++					/* if more than one mask is provided
++					 * then AND logic applies (to match openssl)
++					 */
++					if ( cipher_list[i] == -1) )
++						continue;
++					if ( mask && ! (ciphers_def[i].attr & mask) )
++						continue;
++					if ( strength && ! (ciphers_def[i].strength & strength) )
++						continue;
++					if ( protocol && ! (ciphers_def[i].version & protocol) )
++						continue;
++					/* Enable the NULL ciphers only if explicity requested */
++					if (ciphers_def[i].attr & SSL_eNULL) {
++						if (mask & SSL_eNULL)
+ 							cipher_list[i] = action;
+-					}
++					} else
++						cipher_list[i] = action;
+ 				}
+ 			} else {
+ 				for (i=0; i<ciphernum; i++) {
+-- 
+1.7.9.5
+
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
index 48e9066f9f..41f753e987 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.44.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/${BP}.tgz \
     file://initscript \
     file://slapd.service \
     file://thread_stub.patch \
+    file://openldap-CVE-2015-3276.patch \
 "
 
 SRC_URI[md5sum] = "693ac26de86231f8dcae2b4e9d768e51"