
Bug#777513: marked as done (unblock: openldap/2.4.40-4)



Your message dated Tue, 10 Feb 2015 23:03:28 +0100
with message-id <20150210220328.GM1940@betterave.cristau.org>
and subject line Re: Bug#777513: unblock: openldap/2.4.40-4 (pre-approval)
has caused the Debian Bug report #777513,
regarding unblock: openldap/2.4.40-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
777513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777513
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

We would like to fix two recently-discovered upstream bugs in openldap 
that allow an unauthenticated remote user to crash the LDAP server.

#776988, CVE-2015-1545: If the deref overlay is enabled (by default, it 
is not), the query "ldapsearch -E deref=member:" crashes slapd via a 
NULL pointer dereference.

#776991, CVE-2015-1546: The query "ldapsearch -E 'mv=(cn={*)(sn=*)'" 
crashes slapd via a double free (regression in 2.4.40).

The deref overlay is not widely used, but #776991 affects all slapd 
users.

May we upload with these changes?

thanks for considering,
Ryan

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -u openldap-2.4.40/debian/changelog openldap-2.4.40/debian/changelog
--- openldap-2.4.40/debian/changelog
+++ openldap-2.4.40/debian/changelog
@@ -1,3 +1,14 @@
+openldap (2.4.40-4) unstable; urgency=medium
+
+  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream 
+    patch to fix a crash when a search includes the Deref control with an 
+    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
+  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream 
+    patch to fix a double free triggered by certain search queries using the 
+    Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)
+
+ -- Ryan Tandy <ryan@nardis.ca>  Sun, 08 Feb 2015 20:19:11 +0000
+
 openldap (2.4.40-3) unstable; urgency=medium
 
   * Remove trailing spaces from slapd.templates.
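Review bot: urgency=medium on the new 2.4.40-4 entry looks low for an upload whose only changes are two CVE fixes for crashes reachable through search controls; consider urgency=high so the fix is not held back by the normal migration delay. The second bullet could also record that the double free is a regression in 2.4.40, as the request text states, so changelog readers can tell that earlier versions are not affected by CVE-2015-1546.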
diff -u openldap-2.4.40/debian/patches/series openldap-2.4.40/debian/patches/series
--- openldap-2.4.40/debian/patches/series
+++ openldap-2.4.40/debian/patches/series
@@ -23,0 +24,2 @@
+ITS8027-deref-reject-empty-attr-list.patch
+ITS8046-fix-vrFilter_free-crash.patch
only in patch2:
unchanged:
--- openldap-2.4.40.orig/debian/patches/ITS8027-deref-reject-empty-attr-list.patch
+++ openldap-2.4.40/debian/patches/ITS8027-deref-reject-empty-attr-list.patch
@@ -0,0 +1,20 @@
+commit c32e74763f77675b9e144126e375977ed6dc562c
+Author: Howard Chu <hyc@openldap.org>
+Date:   Mon Jan 19 22:25:53 2015 +0000
+
+    ITS#8027 require non-empty AttributeList
+
+diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
+index 9420e3e..05aa890 100644
+--- a/servers/slapd/overlays/deref.c
++++ b/servers/slapd/overlays/deref.c
+@@ -183,7 +183,8 @@ deref_parseCtrl (
+ 		ber_len_t cnt = sizeof(struct berval);
+ 		ber_len_t off = 0;
+ 
+-		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
++		if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
++			|| !cnt )
+ 		{
+ 			rs->sr_text = "Dereference control: derefSpec decoding error";
+ 			rs->sr_err = LDAP_PROTOCOL_ERROR;
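Review bot: the added `|| !cnt` test in deref_parseCtrl is hard to read without a comment, because cnt is initialised to sizeof(struct berval) a few lines above and the check only makes sense if ber_scanf overwrites it with the number of decoded attributes on success. A one-line comment saying that cnt is an in/out argument (element size in, element count out) would make the intent clear, and the `||` ordering should be kept so that cnt is only examined after a successful decode. The empty-list case now shares the "derefSpec decoding error" text with real BER decoding failures; a distinct message such as "empty AttributeList" would help an administrator tell a malformed control from a well-formed but rejected one in the logs. The cleanup that follows this error branch is not visible in the hunk, so it is worth confirming that it behaves correctly when the decode succeeded but returned zero attributes.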
only in patch2:
unchanged:
--- openldap-2.4.40.orig/debian/patches/ITS8046-fix-vrFilter_free-crash.patch
+++ openldap-2.4.40/debian/patches/ITS8046-fix-vrFilter_free-crash.patch
@@ -0,0 +1,28 @@
+commit 2f1a2dd329b91afe561cd06b872d09630d4edb6a
+Author: Howard Chu <hyc@openldap.org>
+Date:   Wed Feb 4 02:03:55 2015 +0000
+
+    ITS#8046 fix vrFilter_free
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index b859f73..22c81c8 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,
+ void
+ vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
+ {
+-	ValuesReturnFilter	*p, *next;
++	ValuesReturnFilter	*next;
+ 
+-	if ( vrf == NULL ) {
+-		return;
+-	}
+-
+-	for ( p = vrf; p != NULL; p = next ) {
+-		next = p->vrf_next;
++	for ( ; vrf != NULL; vrf = next ) {
++		next = vrf->vrf_next;
+ 
+ 		switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
+ 		case LDAP_FILTER_PRESENT:
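Review bot: the commit message "fix vrFilter_free" does not say what was wrong, and the hunk only shows it indirectly: the removed loop advanced p while the unchanged context line `switch ( vrf->vrf_choice & SLAPD_FILTER_MASK )` kept reading vrf, so every iteration operated on the head node instead of the current one. Please state that in the patch description, and check the rest of the loop body below the visible context for any remaining use of the list head where the current node is meant (the removal of the p declaration means the compiler will catch leftover references to p, but not a wrong use of vrf). Dropping the explicit `vrf == NULL` early return is fine, since the loop condition `vrf != NULL` covers it. A regression test that sends a Matched Values control with more than one filter item would exercise the multi-node path this change fixes.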

--- End Message ---
--- Begin Message ---
On Mon, Feb  9, 2015 at 17:09:33 -0800, Ryan Tandy wrote:

> On Mon, Feb 09, 2015 at 02:52:37PM +0100, Julien Cristau wrote:
> >>May we upload with these changes?
> >>
> >Please do.
> 
> Uploaded, accepted, and built (almost) everywhere.
> 
Unblocked.

Cheers,
Julien



--- End Message ---
