[Pkg-openldap-devel] r1172 - in openldap/trunk/debian: . patches

vorlon at alioth.debian.org
Fri Jul 11 08:41:09 UTC 2008


tags 488710 pending
thanks

Author: vorlon
Date: 2008-07-11 08:41:08 +0000 (Fri, 11 Jul 2008)
New Revision: 1172

Added:
   openldap/trunk/debian/patches/CVE-2008-2952_BER-decoding-assertion
Modified:
   openldap/trunk/debian/changelog
   openldap/trunk/debian/patches/series
Log:
New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
vulnerability in the BER decoder.  Addresses CVE-2008-2952,
closes: #488710.

Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog	2008-07-07 07:10:15 UTC (rev 1171)
+++ openldap/trunk/debian/changelog	2008-07-11 08:41:08 UTC (rev 1172)
@@ -1,3 +1,11 @@
+openldap (2.4.10-3) UNRELEASED; urgency=low
+
+  * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
+    vulnerability in the BER decoder.  Addresses CVE-2008-2952,
+    closes: #488710.
+
+ -- Steve Langasek <vorlon at debian.org>  Mon, 07 Jul 2008 00:10:16 -0700
+
 openldap (2.4.10-2) unstable; urgency=low
 
   * Support DEB_BUILD_OPTIONS=nocheck to disable running the test suite at
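Review bot: the new 2.4.10-3 entry keeps urgency=low although the only change it records is a remote denial-of-service fix (CVE-2008-2952); Debian practice for security fixes is urgency=high so the upload migrates quickly, so consider `openldap (2.4.10-3) UNRELEASED; urgency=high`. The entry is otherwise consistent: the CVE id, the patch name and the `closes: #488710` reference all match the commit log.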

Added: openldap/trunk/debian/patches/CVE-2008-2952_BER-decoding-assertion
===================================================================
--- openldap/trunk/debian/patches/CVE-2008-2952_BER-decoding-assertion	                        (rev 0)
+++ openldap/trunk/debian/patches/CVE-2008-2952_BER-decoding-assertion	2008-07-11 08:41:08 UTC (rev 1172)
@@ -0,0 +1,42 @@
+Patch from upstream CVS
+
+Remote, unauthenticated attackers can cause a denial of service by
+triggering an assertion in the ASN.1 BER decoder.  Fix this.
+
+Addresses ITS#5580 / CVE-2008-2952 / Debian bug #488710.
+
+Index: libraries/liblber/io.c
+===================================================================
+--- libraries/liblber/io.c.orig
++++ libraries/liblber/io.c
+@@ -522,14 +522,18 @@
+ 	}
+ 
+ 	while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
+-		(char *)&ber->ber_len + LENSIZE*2 -1) {
++		(char *)&ber->ber_len + LENSIZE*2) {
+ 		ber_slen_t sblen;
+ 		char buf[sizeof(ber->ber_len)-1];
+ 		ber_len_t tlen = 0;
+ 
++		/* The tag & len can be at most 9 bytes; we try to read up to 8 here */
+ 		sock_errset(0);
+-		sblen=ber_int_sb_read( sb, ber->ber_rwptr,
+-			((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
++		sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr;
++		/* Trying to read the last len byte of a 9 byte tag+len */
++		if (sblen<1)
++			sblen = 1;
++		sblen=ber_int_sb_read( sb, ber->ber_rwptr, sblen );
+ 		if (sblen<=0) return LBER_DEFAULT;
+ 		ber->ber_rwptr += sblen;
+ 
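Review bot: the `if (sblen<1) sblen = 1;` clamp is what makes the relaxed loop bound safe, and it deserves a comment saying so. With the condition changed from `LENSIZE*2 -1` to `LENSIZE*2`, the loop now also runs when `ber_rwptr` sits exactly at the old limit, and `sblen=((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr;` then evaluates to 0; the old bound excluded that iteration entirely, which is why the last byte of a 9-byte tag+len was never read here, and relaxing the bound without the clamp would request a zero-byte read that cannot make progress and would take the `if (sblen<=0) return LBER_DEFAULT;` exit. Since the loop condition already bounds `ber_rwptr` below `(char *)&ber->ber_len + LENSIZE*2`, the pre-clamp `sblen` can be 0 but never negative, so `sblen<1` is really `sblen == 0`; writing it that way, and phrasing the new comment ("we try to read up to 8 here") in terms of LENSIZE rather than a literal 8, keeps the comment from going stale if LENSIZE changes.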
+@@ -579,7 +583,7 @@
+ 			int i;
+ 			unsigned char *p = (unsigned char *)ber->ber_ptr;
+ 			int llen = *p++ & 0x7f;
+-			if (llen > (int)sizeof(ber_len_t)) {
++			if (llen > LENSIZE) {
+ 				sock_errset(ERANGE);
+ 				return LBER_DEFAULT;
+ 			}
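Review bot: `if (llen > LENSIZE)` replaces `sizeof(ber_len_t)` with LENSIZE as the bound on the length-of-length octet (`*p++ & 0x7f`), which is the same constant the read loop in the first hunk uses to size the tag+len window, so the two now agree on how many length bytes can ever have been buffered; a one-line comment here stating that this bound must match the loop above (and the "at most 9 bytes" figure in its comment) would make the coupling explicit. The change also drops the `(int)` cast that the `sizeof` comparison needed, so LENSIZE should be an int-valued constant to keep the comparison against `int llen` free of signed/unsigned conversion.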

Modified: openldap/trunk/debian/patches/series
===================================================================
--- openldap/trunk/debian/patches/series	2008-07-07 07:10:15 UTC (rev 1171)
+++ openldap/trunk/debian/patches/series	2008-07-11 08:41:08 UTC (rev 1172)
@@ -10,3 +10,4 @@
 gnutls-ciphers
 getaddrinfo-is-threadsafe
 no_backend_inter-linking -p0
+CVE-2008-2952_BER-decoding-assertion -p0