Your message dated Tue, 10 Feb 2015 23:03:28 +0100 with message-id <20150210220328.GM1940@betterave.cristau.org> and subject line Re: Bug#777513: unblock: openldap/2.4.40-4 (pre-approval) has caused the Debian Bug report #777513, regarding unblock: openldap/2.4.40-4 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
777513: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777513
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: openldap/2.4.40-4 (pre-approval)
- From: Ryan Tandy <ryan@nardis.ca>
- Date: Sun, 08 Feb 2015 17:59:00 -0800
- Message-id: <1423447140.182723.14711.nullmailer@kiwi>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

We would like to fix two recently-discovered upstream bugs in openldap that allow an unauthenticated remote user to crash the LDAP server.

#776988, CVE-2015-1545: If the deref overlay is enabled (by default, it is not), the query "ldapsearch -E deref=member:" crashes slapd via a NULL pointer dereference.

#776991, CVE-2015-1546: The query "ldapsearch -E 'mv=(cn={*)(sn=*)'" crashes slapd via a double free (regression in 2.4.40).

The deref overlay is not widely used, but #776991 affects all slapd users.

May we upload with these changes?

thanks for considering,
Ryan

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -u openldap-2.4.40/debian/changelog openldap-2.4.40/debian/changelog --- openldap-2.4.40/debian/changelog +++ openldap-2.4.40/debian/changelog @@ -1,3 +1,14 @@ +openldap (2.4.40-4) unstable; urgency=medium + + * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream + patch to fix a crash when a search includes the Deref control with an + empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988) + * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream + patch to fix a double free triggered by certain search queries using the + Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991) + + -- Ryan Tandy <ryan@nardis.ca> Sun, 08 Feb 2015 20:19:11 +0000 + openldap (2.4.40-3) unstable; urgency=medium * Remove trailing spaces from slapd.templates. diff -u openldap-2.4.40/debian/patches/series openldap-2.4.40/debian/patches/series --- openldap-2.4.40/debian/patches/series +++ openldap-2.4.40/debian/patches/series
@@ -23,0 +24,2 @@ +ITS8027-deref-reject-empty-attr-list.patch +ITS8046-fix-vrFilter_free-crash.patch only in patch2: unchanged: --- openldap-2.4.40.orig/debian/patches/ITS8027-deref-reject-empty-attr-list.patch +++ openldap-2.4.40/debian/patches/ITS8027-deref-reject-empty-attr-list.patch @@ -0,0 +1,20 @@ +commit c32e74763f77675b9e144126e375977ed6dc562c +Author: Howard Chu <hyc@openldap.org> +Date: Mon Jan 19 22:25:53 2015 +0000 + + ITS#8027 require non-empty AttributeList + +diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c +index 9420e3e..05aa890 100644 +--- a/servers/slapd/overlays/deref.c ++++ b/servers/slapd/overlays/deref.c +@@ -183,7 +183,8 @@ deref_parseCtrl ( + ber_len_t cnt = sizeof(struct berval); + ber_len_t off = 0; + +- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR ) ++ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR ++ || !cnt ) + { + rs->sr_text = "Dereference control: derefSpec decoding error"; + rs->sr_err = LDAP_PROTOCOL_ERROR; only in patch2: unchanged: --- openldap-2.4.40.orig/debian/patches/ITS8046-fix-vrFilter_free-crash.patch +++ openldap-2.4.40/debian/patches/ITS8046-fix-vrFilter_free-crash.patch 
@@ -0,0 +1,28 @@ +commit 2f1a2dd329b91afe561cd06b872d09630d4edb6a +Author: Howard Chu <hyc@openldap.org> +Date: Wed Feb 4 02:03:55 2015 +0000 + + ITS#8046 fix vrFilter_free + +diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c +index b859f73..22c81c8 100644 +--- a/servers/slapd/filter.c ++++ b/servers/slapd/filter.c +@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber, + void + vrFilter_free( Operation *op, ValuesReturnFilter *vrf ) + { +- ValuesReturnFilter *p, *next; ++ ValuesReturnFilter *next; + +- if ( vrf == NULL ) { +- return; +- } +- +- for ( p = vrf; p != NULL; p = next ) { +- next = p->vrf_next; ++ for ( ; vrf != NULL; vrf = next ) { ++ next = vrf->vrf_next; + + switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) { + case LDAP_FILTER_PRESENT:
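Review bot: In the deref.c hunk (deref_parseCtrl), the added `|| !cnt` test is only understandable once the reader knows that the `M` conversion in ber_scanf writes the number of decoded attributes back into `cnt`, which the context line above initialises to `sizeof(struct berval)`. A one-line comment at the condition saying that `cnt` now holds the attribute count would keep a later cleanup from treating the test as dead code. The empty list is rejected with the existing "derefSpec decoding error" text and LDAP_PROTOCOL_ERROR, which is consistent with the decode failure path, but nothing in the patch exercises a Deref control with an empty attribute list; a regression test for that request would be a useful companion to this change.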
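Review bot: In the filter.c hunk (vrFilter_free), the commit message "ITS#8046 fix vrFilter_free" does not record what the defect was, and it is only visible by reading the context line `switch ( vrf->vrf_choice & SLAPD_FILTER_MASK )`: the old loop advanced `p` while the switch kept reading `vrf`, the list head, on every pass. Stating that in the patch description would help anyone backporting or auditing the CVE-2015-1546 fix. Dropping the explicit `vrf == NULL` return is fine because the new `for` condition covers it. The hunk ends at `case LDAP_FILTER_PRESENT:`, so the rest of the loop body is not shown here; since the declaration of `p` is removed, any remaining use of `p` further down would fail to compile, which is a helpful safeguard, but it is worth confirming against the full function that the per-node free at the end of the loop operates on `vrf`.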
--- End Message ---
--- Begin Message ---
- To: 777513-done@bugs.debian.org, pkg-openldap-devel@lists.alioth.debian.org
- Subject: Re: Bug#777513: unblock: openldap/2.4.40-4 (pre-approval)
- From: Julien Cristau <jcristau@debian.org>
- Date: Tue, 10 Feb 2015 23:03:28 +0100
- Message-id: <20150210220328.GM1940@betterave.cristau.org>
- In-reply-to: <20150210010933.GC3318@kiwi>
- References: <1423447140.182723.14711.nullmailer@kiwi> <20150209135237.GH1940@betterave.cristau.org> <20150210010933.GC3318@kiwi>
On Mon, Feb 9, 2015 at 17:09:33 -0800, Ryan Tandy wrote:

> On Mon, Feb 09, 2015 at 02:52:37PM +0100, Julien Cristau wrote:
> >>May we upload with these changes?
> >>
> >Please do.
>
> Uploaded, accepted, and built (almost) everywhere.
>
Unblocked.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature
--- End Message ---