Hi,

I have just prepared a Jessie security update for 389-ds-base, addressing CVE-2018-14624.

I will go through the test procedure myself, however I am not a 389-ds user, so it might be good if someone more experienced with this LDAP server could double check the update before upload.

Test packages are available on my Debian webpage[0]. You can find a debdiff in attachment.

Thanks!

Regards,
Hugo

[0] https://people.debian.org/~hle/lts/389-ds-base/

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

diff -Nru 389-ds-base-1.3.3.5/debian/changelog 389-ds-base-1.3.3.5/debian/changelog --- 389-ds-base-1.3.3.5/debian/changelog 2018-08-30 10:40:44.000000000 -0400 +++ 389-ds-base-1.3.3.5/debian/changelog 2018-09-15 10:11:57.000000000 -0400 @@ -1,3 +1,14 @@ +389-ds-base (1.3.3.5-4+deb8u3) UNRELEASED; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2018-14624: The emergency logging system is affected by a race + condition caused by the invalidation of the concurrently used log + file FD without proper locking. This issue might be triggered by + remote attackers to cause DoS (crash) and cause any other undefined + behavior. + + -- Hugo Lefeuvre <hle@debian.org> Sat, 15 Sep 2018 10:11:57 -0400 + 389-ds-base (1.3.3.5-4+deb8u2) jessie-security; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch --- 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch 1969-12-31 19:00:00.000000000 -0500 +++ 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch 2018-09-15 10:11:57.000000000 -0400 
@@ -0,0 +1,48 @@ +Description: CVE-2018-14624: fix race condition in emergency logging system + The emergency logging function log__error_emergency() is affected by a race + condition caused by the invalidation of the concurrently used log file FD + without proper locking. This issue might be triggered by remote attackers to + cause DoS (crash) and cause any other undefined behavior. + . + This patch modifies log__error_emergency() to acquire the lock before + invalidating the log file FD. +Author: Mark Reynolds <mreynolds@redhat.com> +Origin: https://pagure.io/389-ds-base/c/8ff8cb850 +Bug: https://pagure.io/389-ds-base/issue/49937 +--- a/ldap/servers/slapd/log.c 2018-09-15 09:57:27.568790949 -0400 ++++ b/ldap/servers/slapd/log.c 2018-09-15 09:56:38.924764163 -0400 +@@ -1854,7 +1854,7 @@ + tz = -tz; + } + (void)strftime( tbuf, (size_t)TBUFSIZE, "%d/%b/%Y:%H:%M:%S", tmsp); +- sprintf( buffer, "[%s %c%02d%02d] - %s", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg); ++ sprintf( buffer, "[%s %c%02d%02d] - %s\n", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg); + size = strlen(buffer); + + if(!locked) +@@ -3731,6 +3731,13 @@ + if (!reopen) { + return; + } ++ if (!locked) { ++ /* ++ * Take the lock because we are closing and reopening the error log (fd), ++ * and we don't want any other threads trying to use this fd ++ */ ++ LOG_ERROR_LOCK_WRITE(); ++ } + if (NULL != loginfo.log_error_fdes) { + LOG_CLOSE(loginfo.log_error_fdes); + } +@@ -3739,7 +3746,10 @@ + PRErrorCode prerr = PR_GetError(); + syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr)); + } else { +- vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked); ++ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, 1 /* locked */); ++ } ++ if (!locked) { ++ LOG_ERROR_UNLOCK_WRITE(); + } + return; + } diff -Nru 389-ds-base-1.3.3.5/debian/patches/series 389-ds-base-1.3.3.5/debian/patches/series --- 
389-ds-base-1.3.3.5/debian/patches/series 2018-08-30 10:30:39.000000000 -0400 +++ 389-ds-base-1.3.3.5/debian/patches/series 2018-09-15 10:11:53.000000000 -0400 @@ -18,3 +18,5 @@ cve-2018-10935.patch cve-2018-10871.patch + +CVE-2018-14624.patch
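
Review bot: In the debian/changelog hunk the new 1.3.3.5-4+deb8u3 entry still targets UNRELEASED, while the previous entry used jessie-security, so the distribution has to be set to jessie-security before upload. The entry also leaves out the second change the patch carries, the trailing "\n" appended to the emergency log format string; a short bullet for it would keep the changelog in step with the patch.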
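
Review bot: In the log.c hunk at -1854 the added "\n" is not covered by the patch Description, which only mentions taking the lock before invalidating the FD; add a sentence to the DEP-3 header saying why the newline is part of this fix. The line also keeps an unbounded sprintf() of msg into buffer and now writes one more byte. The size of buffer is not visible in this hunk, so confirm in the 1.3.3.5 source that it has room for the extra character, or bound the write.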
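
Review bot: In the log.c hunks at -3731 and -3739 the write lock is taken before LOG_CLOSE() and released only after the if/else, and the reopen call sits in the lines between the two hunks that the diff does not show; check in the 1.3.3.5 source that nothing in that gap returns early, because such a path would leave LOG_ERROR_LOCK_WRITE() held. The change is also only correct if every caller that passes a non-zero locked really holds the error-log write lock at that point, since the call to vslapd_log_emergency_error() now always passes 1 and skips its own locking. A quick audit of the callers in the Jessie version would confirm that.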
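
Review bot: In the debian/patches/series hunk the new entry is preceded by an added blank line and is named CVE-2018-14624.patch, while the existing entries are lowercase (cve-2018-10935.patch, cve-2018-10871.patch). Drop the blank line and rename the patch file to cve-2018-14624.patch, with the series entry updated to match, so the series stays consistent.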