Version in base suite: 2.4.47+dfsg-3+deb10u1 Base version: openldap_2.4.47+dfsg-3+deb10u1 Target version: openldap_2.4.47+dfsg-3+deb10u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openldap/openldap_2.4.47+dfsg-3+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openldap/openldap_2.4.47+dfsg-3+deb10u2.dsc changelog | 7 + patches/ITS-9202-limit-depth-of-nested-filters.patch | 125 +++++++++++++++++++ patches/series | 1 3 files changed, 133 insertions(+)
diff -Nru openldap-2.4.47+dfsg/debian/changelog openldap-2.4.47+dfsg/debian/changelog
--- openldap-2.4.47+dfsg/debian/changelog 2019-08-10 18:58:18.000000000 +0000
+++ openldap-2.4.47+dfsg/debian/changelog 2020-04-20 18:19:54.000000000 +0000
@@ -1,3 +1,10 @@
+openldap (2.4.47+dfsg-3+deb10u2) buster-security; urgency=high
+
+ * Fix slapd to limit depth of nested expressions in search filters
+ (ITS#9202)
+
+ -- Ryan Tandy Mon, 20 Apr 2020 11:19:54 -0700
+
 openldap (2.4.47+dfsg-3+deb10u1) buster; urgency=medium
 
 * Fix slapd to restrict rootDN proxyauthz to its own databases
diff -Nru openldap-2.4.47+dfsg/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch openldap-2.4.47+dfsg/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch
--- openldap-2.4.47+dfsg/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch 1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.4.47+dfsg/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch 2020-04-20 18:19:54.000000000 +0000
@@ -0,0 +1,125 @@
+From 45c18dbd0b2e91841e642ffbe835c46f189f19ee Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index cf5ae3daef..e397bebe87 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH 5000
++#endif
++
+ static int get_filter_list(
+ Operation *op,
+ BerElement *ber,
+ Filter **f,
+- const char **text );
++ const char **text,
++ int depth );
+
+ static int get_ssa(
+ Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+ return;
+ }
+
+-int
+-get_filter(
++static int
++get_filter0(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ ber_tag_t tag;
+ ber_len_t len;
+@@ -126,6 +132,11 @@ get_filter(
+ *
+ */
+
++ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++ *text = "filter nested too deeply";
++ return SLAPD_DISCONNECT;
++ }
++
+ tag = ber_peek_tag( ber, &len );
+
+ if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+
+ case LDAP_FILTER_AND:
+ Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_and, text );
++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -234,7 +245,7 @@ get_filter(
+
+ case LDAP_FILTER_OR:
+ Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_or, text );
++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -248,7 +259,7 @@ get_filter(
+ case LDAP_FILTER_NOT:
+ Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+ (void) ber_skip_tag( ber, &len );
+- err = get_filter( op, ber, &f.f_not, text );
++ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -311,10 +322,22 @@ get_filter(
+ return( err );
+ }
+
++int
++get_filter(
++ Operation *op,
++ BerElement *ber,
++ Filter **filt,
++ const char **text )
++{
++ return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+ Filter **f,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ Filter **new;
+ int err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+ tag != LBER_DEFAULT;
+ tag = ber_next_element( ber, &len, last ) )
+ {
+- err = get_filter( op, ber, new, text );
++ err = get_filter0( op, ber, new, text, depth );
+ if ( err != LDAP_SUCCESS )
+ return( err );
+ new = &(*new)->f_next;
+--
+2.20.1
+
diff -Nru openldap-2.4.47+dfsg/debian/patches/series openldap-2.4.47+dfsg/debian/patches/series
--- openldap-2.4.47+dfsg/debian/patches/series 2019-08-10 18:58:18.000000000 +0000
+++ openldap-2.4.47+dfsg/debian/patches/series 2020-04-20 18:19:54.000000000 +0000
@@ -26,3 +26,4 @@
 ITS-9038-Another-test028-typo.patch
 ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
 ITS-8964-Do-not-free-original-filter.patch
+ITS-9202-limit-depth-of-nested-filters.patch
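Review bot: `SLAPD_MAX_FILTER_DEPTH` in the `@@ -37,11 +37,16 @@` hunk of servers/slapd/filter.c is introduced without a comment, and the value 5000 is not tied to anything visible in the patch. Each AND/OR level costs a get_filter0 frame plus a get_filter_list frame, so whether 5000 levels fit presumably depends on the thread stack size slapd is built and run with; the commit message itself calls the value provisional. I would add a comment such as `/* Max nesting of AND/OR/NOT in a search filter; bounds recursion in get_filter0(). Override with -DSLAPD_MAX_FILTER_DEPTH=n. */`. The bound also has to be safe for any code that later walks the parsed filter recursively, which this patch does not show.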
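Review bot: The depth check added in the `@@ -126,6 +132,11 @@` hunk of servers/slapd/filter.c returns `SLAPD_DISCONNECT` without logging anything, so unless the caller logs `*text` (not visible here) an operator cannot tell from slapd's output that a client hit the nesting limit. The AND/OR/NOT branches already call `Debug( LDAP_DEBUG_FILTER, ... )`; a line such as `Debug( LDAP_DEBUG_ANY, "get_filter: filter nested too deeply\n", 0, 0, 0 );` before the return would make these rejections visible for detection and alerting. The comparison is `depth > SLAPD_MAX_FILTER_DEPTH`, so a filter nested exactly to the limit is still accepted, which is worth stating in a comment next to the check. get_filter0's body starts and ends outside this hunk.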