Hi,
I have just prepared a Jessie security update for 389-ds-base, addressing
CVE-2018-14624. I will go through the test procedure myself; however, I am
not a 389-ds user, so it might be good if someone more experienced with
this LDAP server could double check the update before upload.
Test packages are available on my Debian webpage[0]. You can find a debdiff
in the attachment.
Thanks!
Regards,
Hugo
[0] https://people.debian.org/~hle/lts/389-ds-base/
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru 389-ds-base-1.3.3.5/debian/changelog 389-ds-base-1.3.3.5/debian/changelog
--- 389-ds-base-1.3.3.5/debian/changelog 2018-08-30 10:40:44.000000000 -0400
+++ 389-ds-base-1.3.3.5/debian/changelog 2018-09-15 10:11:57.000000000 -0400
@@ -1,3 +1,14 @@
+389-ds-base (1.3.3.5-4+deb8u3) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-14624: The emergency logging system is affected by a race
+ condition caused by the invalidation of the concurrently used log
+ file FD without proper locking. This issue might be triggered by
+ remote attackers to cause DoS (crash) and cause any other undefined
+ behavior.
+
+ -- Hugo Lefeuvre <hle@debian.org> Sat, 15 Sep 2018 10:11:57 -0400
+
389-ds-base (1.3.3.5-4+deb8u2) jessie-security; urgency=medium
* Non-maintainer upload by the LTS Team.
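Review bot: the distribution on the first line of the new entry is still UNRELEASED, while the previous upload (1.3.3.5-4+deb8u2) targeted jessie-security; it needs to be changed to jessie-security before the final build and upload. The entry also only restates the CVE text: it would help to say that the fix is shipped as debian/patches/CVE-2018-14624.patch and that the patch also changes the emergency log line format (a trailing "\n" is added), so the behaviour change is visible from the changelog alone.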
diff -Nru 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch
--- 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch 1969-12-31 19:00:00.000000000 -0500
+++ 389-ds-base-1.3.3.5/debian/patches/CVE-2018-14624.patch 2018-09-15 10:11:57.000000000 -0400
@@ -0,0 +1,48 @@
+Description: CVE-2018-14624: fix race condition in emergency logging system
+ The emergency logging function log__error_emergency() is affected by a race
+ condition caused by the invalidation of the concurrently used log file FD
+ without proper locking. This issue might be triggered by remote attackers to
+ cause DoS (crash) and cause any other undefined behavior.
+ .
+ This patch modifies log__error_emergency() to acquire the lock before
+ invalidating the log file FD.
+Author: Mark Reynolds <mreynolds@redhat.com>
+Origin: https://pagure.io/389-ds-base/c/8ff8cb850
+Bug: https://pagure.io/389-ds-base/issue/49937
+--- a/ldap/servers/slapd/log.c 2018-09-15 09:57:27.568790949 -0400
++++ b/ldap/servers/slapd/log.c 2018-09-15 09:56:38.924764163 -0400
+@@ -1854,7 +1854,7 @@
+ tz = -tz;
+ }
+ (void)strftime( tbuf, (size_t)TBUFSIZE, "%d/%b/%Y:%H:%M:%S", tmsp);
+- sprintf( buffer, "[%s %c%02d%02d] - %s", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg);
++ sprintf( buffer, "[%s %c%02d%02d] - %s\n", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg);
+ size = strlen(buffer);
+
+ if(!locked)
+@@ -3731,6 +3731,13 @@
+ if (!reopen) {
+ return;
+ }
++ if (!locked) {
++ /*
++ * Take the lock because we are closing and reopening the error log (fd),
++ * and we don't want any other threads trying to use this fd
++ */
++ LOG_ERROR_LOCK_WRITE();
++ }
+ if (NULL != loginfo.log_error_fdes) {
+ LOG_CLOSE(loginfo.log_error_fdes);
+ }
+@@ -3739,7 +3746,10 @@
+ PRErrorCode prerr = PR_GetError();
+ syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr));
+ } else {
+- vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);
++ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, 1 /* locked */);
++ }
++ if (!locked) {
++ LOG_ERROR_UNLOCK_WRITE();
+ }
+ return;
+ }
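Review bot: the embedded log.c hunk at @@ -1854 appends "\n" to the sprintf format string, which is a separate behaviour change that the Description header does not mention (it only documents taking the lock); please add a line to the header saying whether this comes from the same upstream commit 8ff8cb850 or is a backport adjustment. In the hunks at @@ -3731 and @@ -3739, LOG_ERROR_LOCK_WRITE() and LOG_ERROR_UNLOCK_WRITE() are both guarded by the same "if (!locked)" test and the inner call now passes a hard-coded 1, which is consistent with the "if(!locked)" check visible in vslapd_log_emergency_error. However, the two original lines between those hunks are not shown in the patch, so it is worth confirming against the 1.3.3.5 source that no return path sits between the lock and the unlock, since that would leave the error log write lock held.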
diff -Nru 389-ds-base-1.3.3.5/debian/patches/series 389-ds-base-1.3.3.5/debian/patches/series
--- 389-ds-base-1.3.3.5/debian/patches/series 2018-08-30 10:30:39.000000000 -0400
+++ 389-ds-base-1.3.3.5/debian/patches/series 2018-09-15 10:11:53.000000000 -0400
@@ -18,3 +18,5 @@
cve-2018-10935.patch
cve-2018-10871.patch
+
+CVE-2018-14624.patch
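Review bot: the hunk adds an empty line before the new series entry, and the new file name is upper-case (CVE-2018-14624.patch) while the existing entries use lower-case (cve-2018-10935.patch, cve-2018-10871.patch). quilt ignores the blank line, so this is cosmetic, but dropping the blank "+" line and renaming the patch to cve-2018-14624.patch would keep the series file consistent with the earlier LTS uploads.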