openldap: CVE-2022-29155 OpenLDAP SQL injection

Source: https://git.openldap.org/openldap/openldap MR: 117821 Type: Security Fix Disposition: Backport from https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134 ChangeID: d534808c796600ca5994bcda28938d45405bc7b4 Description: CVE-2022-29155 openldap: OpenLDAP SQL injection Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2022-06-21 09:55:29 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-07-16 12:56:17 -0700
commit: a24773d39edf4d156ecda08bc4317b2b37cc6231 (patch)
tree: 7f99069c5cea84617478f929a14f3404f5bcc483
parent: 1d0b2d78c262eeefe4dcfdfbabac496329efd060 (diff)
download: meta-openembedded-a24773d39edf4d156ecda08bc4317b2b37cc6231.tar.gz
2 files changed, 278 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch
new file mode 100644
index 0000000000..2860b95220
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch
@@ -0,0 +1,277 @@
+From 11e136f15085a4bda5701e910988966bed699977 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 18 May 2022 13:57:59 +0530
+Subject: [PATCH] CVE-2022-29155
+Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134]
+CVE: CVE-2022-29155
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
+ 1 file changed, 105 insertions(+), 18 deletions(-)
+diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
+index bb0f1e2..1770bde 100644
+--- a/servers/slapd/back-sql/search.c
+++ b/servers/slapd/back-sql/search.c
+@@ -63,6 +63,38 @@ static void send_paged_response(
+        ID  *lastid );
+ #endif /* ! BACKSQL_ARBITRARY_KEY */
+ 
+/* Look for chars that need to be escaped, return count of them.
+ * If out is non-NULL, copy escape'd val to it.
+ */
+static int
+backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
+{
+       char *ptr, *end;
+       int q = 0;
+
+       ptr = in->bv_val;
+       end = ptr + in->bv_len;
+       while (ptr < end) {
+               if ( *ptr == '\'' )
+                       q++;
+               ptr++;
+       }
+       if ( q && out ) {
+               char *dst;
+               out->bv_len = in->bv_len + q;
+               out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
+               ptr = in->bv_val;
+               dst = out->bv_val;
+               while (ptr < end ) {
+                       if ( *ptr == '\'' )
+                               *dst++ = '\'';
+                       *dst++ = *ptr++;
+               }
+               *dst = '\0';
+       }
+       return q;
+}
+
+ static int
+ backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
+ {
+@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+        backsql_info            *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
+        int                     i;
+        int                     casefold = 0;
+       int                     escaped = 0;
+       struct berval   escval, *fvalue;
+ 
+        if ( !f ) {
+                return 0;
+@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+ 
+                BER_BVZERO( &bv );
+                if ( f->f_sub_initial.bv_val ) {
+-                       bv.bv_len += f->f_sub_initial.bv_len;
+                       bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
+                }
+                if ( f->f_sub_any != NULL ) {
+                        for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
+-                               bv.bv_len += f->f_sub_any[ a ].bv_len;
+                               bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
+                        }
+                }
+                if ( f->f_sub_final.bv_val ) {
+-                       bv.bv_len += f->f_sub_final.bv_len;
+                       bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
+                }
+                bv.bv_len = 2 * bv.bv_len - 1;
+                bv.bv_val = ch_malloc( bv.bv_len + 1 );
+ 
+                s = 0;
+                if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
+-                       bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
+-                       for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
+                       fvalue = &f->f_sub_initial;
+                       escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+                       if ( escaped )
+                               fvalue = &escval;
+                       bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+                       for ( i = 1; i < fvalue->bv_len; i++ ) {
+                                bv.bv_val[ s + 2 * i - 1 ] = '%';
+-                               bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
+                               bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+                        }
+                        bv.bv_val[ s + 2 * i - 1 ] = '%';
+                        s += 2 * i;
+                       if ( escaped )
+                               bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+                }
+ 
+                if ( f->f_sub_any != NULL ) {
+                        for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
+-                               bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
+-                               for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
+                               fvalue = &f->f_sub_any[ a ];
+                               escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+                               if ( escaped )
+                                       fvalue = &escval;
+                               bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+                               for ( i = 1; i < fvalue->bv_len; i++ ) {
+                                        bv.bv_val[ s + 2 * i - 1 ] = '%';
+-                                       bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
+                                       bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+                                }
+                                bv.bv_val[ s + 2 * i - 1 ] = '%';
+                                s += 2 * i;
+                               if ( escaped )
+                                       bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+                        }
+                }
+ 
+                if ( !BER_BVISNULL( &f->f_sub_final ) ) {
+-                       bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
+-                       for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
+                       fvalue = &f->f_sub_final;
+                       escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+                       if ( escaped )
+                               fvalue = &escval;
+                       bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
+                       for ( i = 1; i < fvalue->bv_len; i++ ) {
+                                bv.bv_val[ s + 2 * i - 1 ] = '%';
+-                               bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
+                               bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+                        }
+-                               bv.bv_val[ s + 2 * i - 1 ] = '%';
+                       bv.bv_val[ s + 2 * i - 1 ] = '%';
+                        s += 2 * i;
+                       if ( escaped )
+                               bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+                }
+ 
+                bv.bv_val[ s - 1 ] = '\0';
+@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+                        f->f_sub_initial.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+ 
+               fvalue = &f->f_sub_initial;
+               escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+               if ( escaped )
+                       fvalue = &escval;
+                start = bsi->bsi_flt_where.bb_val.bv_len;
+                backsql_strfcat_x( &bsi->bsi_flt_where,
+                                bsi->bsi_op->o_tmpmemctx,
+                                "b",
+-                               &f->f_sub_initial );
+                               fvalue );
+               if ( escaped )
+                       bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+                if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+                        ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+                }
+@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+                                i, f->f_sub_any[ i ].bv_val );
+ #endif /* BACKSQL_TRACE */
+ 
+                       fvalue = &f->f_sub_any[ i ];
+                       escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+                       if ( escaped )
+                               fvalue = &escval;
+                        start = bsi->bsi_flt_where.bb_val.bv_len;
+                        backsql_strfcat_x( &bsi->bsi_flt_where,
+                                        bsi->bsi_op->o_tmpmemctx,
+                                        "bc",
+-                                       &f->f_sub_any[ i ],
+                                       fvalue,
+                                        '%' );
+                       if ( escaped )
+                               bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+                        if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+                                /*
+                                 * Note: toupper('%') = '%'
+@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
+                        f->f_sub_final.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+ 
+               fvalue = &f->f_sub_final;
+               escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
+               if ( escaped )
+                       fvalue = &escval;
+                start = bsi->bsi_flt_where.bb_val.bv_len;
+                backsql_strfcat_x( &bsi->bsi_flt_where,
+                                bsi->bsi_op->o_tmpmemctx,
+                                "b",
+-                               &f->f_sub_final );
+                               fvalue );
+               if ( escaped )
+                       bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+                if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+                        ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+                }
+@@ -1183,6 +1253,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r
+        struct berval           *filter_value = NULL;
+        MatchingRule            *matching_rule = NULL;
+        struct berval           ordering = BER_BVC("<=");
+       struct berval           escval;
+       int                                     escaped = 0;
+ 
+        Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
+                at->bam_ad->ad_cname.bv_val, 0, 0 );
+@@ -1237,6 +1309,10 @@ equality_match:;
+                        casefold = 1;
+                }
+ 
+               escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+               if ( escaped )
+                       filter_value = &escval;
+
+                /* FIXME: directoryString filtering should use a similar
+                 * approach to deal with non-prettified values like
+                 * " A  non    prettified   value  ", by using a LIKE
+@@ -1317,6 +1393,10 @@ equality_match:;
+                        casefold = 1;
+                }
+ 
+               escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+               if ( escaped )
+                       filter_value = &escval;
+
+                /*
+                 * FIXME: should we uppercase the operands?
+                 */
+@@ -1350,7 +1430,7 @@ equality_match:;
+                                        &at->bam_sel_expr,
+                                        &ordering,
+                                        '\'',
+-                                       &f->f_av_value,
+                                       filter_value,
+                                        (ber_len_t)STRLENOF( /* (' */ "')" ),
+                                                /* ( */ "')" );
+                }
+@@ -1374,13 +1454,17 @@ equality_match:;
+        case LDAP_FILTER_APPROX:
+                /* we do our best */
+ 
+               filter_value = &f->f_av_value;
+               escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
+               if ( escaped )
+                       filter_value = &escval;
+                /*
+                 * maybe we should check type of at->sel_expr here somehow,
+                 * to know whether upper_func is applicable, but for now
+                 * upper_func stuff is made for Oracle, where UPPER is
+                 * safely applicable to NUMBER etc.
+                 */
+-               (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
+               (void)backsql_process_filter_like( bsi, at, 1, filter_value );
+                break;
+ 
+        default:
+@@ -1394,6 +1478,9 @@ equality_match:;
+ 
+        }
+ 
+       if ( escaped )
+               bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+
+        Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
+                at->bam_ad->ad_cname.bv_val, 0, 0 );
+ 
+-- 
+2.25.1
diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
index a282523a3c..e3e9caa1b1 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
@@ -23,8 +23,8 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$
    file://thread_stub.patch \
    file://openldap-CVE-2015-3276.patch \
    file://remove-user-host-pwd-from-version.patch \
+    file://CVE-2022-29155.patch \
 "
 SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c"
 SRC_URI[sha256sum] = "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a"
author	Hitendra Prajapati <hprajapati@mvista.com>	2022-06-21 09:55:29 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-07-16 12:56:17 -0700
commit	a24773d39edf4d156ecda08bc4317b2b37cc6231 (patch)
tree	7f99069c5cea84617478f929a14f3404f5bcc483
parent	1d0b2d78c262eeefe4dcfdfbabac496329efd060 (diff)
download	meta-openembedded-a24773d39edf4d156ecda08bc4317b2b37cc6231.tar.gz

diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch new file mode 100644 index 0000000000..2860b95220 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch
@@ -0,0 +1,277 @@
		1	From 11e136f15085a4bda5701e910988966bed699977 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Wed, 18 May 2022 13:57:59 +0530
		4	Subject: [PATCH] CVE-2022-29155
		5
		6	Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134]
		7	CVE: CVE-2022-29155
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9
		10	---
		11	servers/slapd/back-sql/search.c \| 123 +++++++++++++++++++++++++++-----
		12	1 file changed, 105 insertions(+), 18 deletions(-)
		13
		14	diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
		15	index bb0f1e2..1770bde 100644
		16	--- a/servers/slapd/back-sql/search.c
		17	+++ b/servers/slapd/back-sql/search.c
		18	@@ -63,6 +63,38 @@ static void send_paged_response(
		19	ID *lastid );
		20	#endif /* ! BACKSQL_ARBITRARY_KEY */
		21
		22	+/* Look for chars that need to be escaped, return count of them.
		23	+ * If out is non-NULL, copy escape'd val to it.
		24	+ */
		25	+static int
		26	+backsql_val_escape( Operation op, struct berval in, struct berval *out )
		27	+{
		28	+ char ptr, end;
		29	+ int q = 0;
		30	+
		31	+ ptr = in->bv_val;
		32	+ end = ptr + in->bv_len;
		33	+ while (ptr < end) {
		34	+ if ( *ptr == '\'' )
		35	+ q++;
		36	+ ptr++;
		37	+ }
		38	+ if ( q && out ) {
		39	+ char *dst;
		40	+ out->bv_len = in->bv_len + q;
		41	+ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
		42	+ ptr = in->bv_val;
		43	+ dst = out->bv_val;
		44	+ while (ptr < end ) {
		45	+ if ( *ptr == '\'' )
		46	+ *dst++ = '\'';
		47	+ dst++ = ptr++;
		48	+ }
		49	+ *dst = '\0';
		50	+ }
		51	+ return q;
		52	+}
		53	+
		54	static int
		55	backsql_attrlist_add( backsql_srch_info bsi, AttributeDescription ad )
		56	{
		57	@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info bsi, Filter f,
		58	backsql_info bi = (backsql_info )bsi->bsi_op->o_bd->be_private;
		59	int i;
		60	int casefold = 0;
		61	+ int escaped = 0;
		62	+ struct berval escval, *fvalue;
		63
		64	if ( !f ) {
		65	return 0;
		66	@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info bsi, Filter f,
		67
		68	BER_BVZERO( &bv );
		69	if ( f->f_sub_initial.bv_val ) {
		70	- bv.bv_len += f->f_sub_initial.bv_len;
		71	+ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
		72	}
		73	if ( f->f_sub_any != NULL ) {
		74	for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
		75	- bv.bv_len += f->f_sub_any[ a ].bv_len;
		76	+ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
		77	}
		78	}
		79	if ( f->f_sub_final.bv_val ) {
		80	- bv.bv_len += f->f_sub_final.bv_len;
		81	+ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
		82	}
		83	bv.bv_len = 2 * bv.bv_len - 1;
		84	bv.bv_val = ch_malloc( bv.bv_len + 1 );
		85
		86	s = 0;
		87	if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
		88	- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
		89	- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
		90	+ fvalue = &f->f_sub_initial;
		91	+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
		92	+ if ( escaped )
		93	+ fvalue = &escval;
		94	+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
		95	+ for ( i = 1; i < fvalue->bv_len; i++ ) {
		96	bv.bv_val[ s + 2 * i - 1 ] = '%';
		97	- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
		98	+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
		99	}
		100	bv.bv_val[ s + 2 * i - 1 ] = '%';
		101	s += 2 * i;
		102	+ if ( escaped )
		103	+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
		104	}
		105
		106	if ( f->f_sub_any != NULL ) {
		107	for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
		108	- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
		109	- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
		110	+ fvalue = &f->f_sub_any[ a ];
		111	+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
		112	+ if ( escaped )
		113	+ fvalue = &escval;
		114	+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
		115	+ for ( i = 1; i < fvalue->bv_len; i++ ) {
		116	bv.bv_val[ s + 2 * i - 1 ] = '%';
		117	- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
		118	+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
		119	}
		120	bv.bv_val[ s + 2 * i - 1 ] = '%';
		121	s += 2 * i;
		122	+ if ( escaped )
		123	+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
		124	}
		125	}
		126
		127	if ( !BER_BVISNULL( &f->f_sub_final ) ) {
		128	- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
		129	- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
		130	+ fvalue = &f->f_sub_final;
		131	+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
		132	+ if ( escaped )
		133	+ fvalue = &escval;
		134	+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
		135	+ for ( i = 1; i < fvalue->bv_len; i++ ) {
		136	bv.bv_val[ s + 2 * i - 1 ] = '%';
		137	- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
		138	+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
		139	}
		140	- bv.bv_val[ s + 2 * i - 1 ] = '%';
		141	+ bv.bv_val[ s + 2 * i - 1 ] = '%';
		142	s += 2 * i;
		143	+ if ( escaped )
		144	+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
		145	}
		146
		147	bv.bv_val[ s - 1 ] = '\0';
		148	@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info bsi, Filter f,
		149	f->f_sub_initial.bv_val, 0 );
		150	#endif /* BACKSQL_TRACE */
		151
		152	+ fvalue = &f->f_sub_initial;
		153	+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
		154	+ if ( escaped )
		155	+ fvalue = &escval;
		156	start = bsi->bsi_flt_where.bb_val.bv_len;
		157	backsql_strfcat_x( &bsi->bsi_flt_where,
		158	bsi->bsi_op->o_tmpmemctx,
		159	"b",
		160	- &f->f_sub_initial );
		161	+ fvalue );
		162	+ if ( escaped )
		163	+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
		164	if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
		165	ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
		166	}
		167	@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info bsi, Filter f,
		168	i, f->f_sub_any[ i ].bv_val );
		169	#endif /* BACKSQL_TRACE */
		170
		171	+ fvalue = &f->f_sub_any[ i ];
		172	+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
		173	+ if ( escaped )
		174	+ fvalue = &escval;
		175	start = bsi->bsi_flt_where.bb_val.bv_len;
		176	backsql_strfcat_x( &bsi->bsi_flt_where,
		177	bsi->bsi_op->o_tmpmemctx,
		178	"bc",
		179	- &f->f_sub_any[ i ],
		180	+ fvalue,
		181	'%' );
		182	+ if ( escaped )
		183	+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
		184	if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
		185	/*
		186	* Note: toupper('%') = '%'
		187	@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info bsi, Filter f,
		188	f->f_sub_final.bv_val, 0 );
		189	#endif /* BACKSQL_TRACE */
		190
		191	+ fvalue = &f->f_sub_final;
		192	+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
		193	+ if ( escaped )
		194	+ fvalue = &escval;
		195	start = bsi->bsi_flt_where.bb_val.bv_len;
		196	backsql_strfcat_x( &bsi->bsi_flt_where,
		197	bsi->bsi_op->o_tmpmemctx,
		198	"b",
		199	- &f->f_sub_final );
		200	+ fvalue );
		201	+ if ( escaped )
		202	+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
		203	if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
		204	ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
		205	}
		206	@@ -1183,6 +1253,8 @@ backsql_process_filter_attr( backsql_srch_info bsi, Filter f, backsql_at_map_r
		207	struct berval *filter_value = NULL;
		208	MatchingRule *matching_rule = NULL;
		209	struct berval ordering = BER_BVC("<=");
		210	+ struct berval escval;
		211	+ int escaped = 0;
		212
		213	Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
		214	at->bam_ad->ad_cname.bv_val, 0, 0 );
		215	@@ -1237,6 +1309,10 @@ equality_match:;
		216	casefold = 1;
		217	}
		218
		219	+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
		220	+ if ( escaped )
		221	+ filter_value = &escval;
		222	+
		223	/* FIXME: directoryString filtering should use a similar
		224	* approach to deal with non-prettified values like
		225	* " A non prettified value ", by using a LIKE
		226	@@ -1317,6 +1393,10 @@ equality_match:;
		227	casefold = 1;
		228	}
		229
		230	+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
		231	+ if ( escaped )
		232	+ filter_value = &escval;
		233	+
		234	/*
		235	* FIXME: should we uppercase the operands?
		236	*/
		237	@@ -1350,7 +1430,7 @@ equality_match:;
		238	&at->bam_sel_expr,
		239	&ordering,
		240	'\'',
		241	- &f->f_av_value,
		242	+ filter_value,
		243	(ber_len_t)STRLENOF( /* (' */ "')" ),
		244	/* ( */ "')" );
		245	}
		246	@@ -1374,13 +1454,17 @@ equality_match:;
		247	case LDAP_FILTER_APPROX:
		248	/* we do our best */
		249
		250	+ filter_value = &f->f_av_value;
		251	+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
		252	+ if ( escaped )
		253	+ filter_value = &escval;
		254	/*
		255	* maybe we should check type of at->sel_expr here somehow,
		256	* to know whether upper_func is applicable, but for now
		257	* upper_func stuff is made for Oracle, where UPPER is
		258	* safely applicable to NUMBER etc.
		259	*/
		260	- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
		261	+ (void)backsql_process_filter_like( bsi, at, 1, filter_value );
		262	break;
		263
		264	default:
		265	@@ -1394,6 +1478,9 @@ equality_match:;
		266
		267	}
		268
		269	+ if ( escaped )
		270	+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
		271	+
		272	Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
		273	at->bam_ad->ad_cname.bv_val, 0, 0 );
		274
		275	--
		276	2.25.1
		277


diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb index a282523a3c..e3e9caa1b1 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb
@@ -23,8 +23,8 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$
23	file://thread_stub.patch \	23	file://thread_stub.patch \
24	file://openldap-CVE-2015-3276.patch \	24	file://openldap-CVE-2015-3276.patch \
25	file://remove-user-host-pwd-from-version.patch \	25	file://remove-user-host-pwd-from-version.patch \
		26	file://CVE-2022-29155.patch \
26	"	27	"
27
28	SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c"	28	SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c"
29	SRC_URI[sha256sum] = "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a"	29	SRC_URI[sha256sum] = "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a"
30		30