[Pkg-openldap-devel] Bug#777513: unblock: openldap/2.4.40-4 (pre-approval)
Ryan Tandy
ryan at nardis.ca
Mon Feb 9 01:59:00 UTC 2015
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
Hi,
We would like to fix two recently-discovered upstream bugs in openldap
that allow an unauthenticated remote user to crash the LDAP server.
#776988, CVE-2015-1545: If the deref overlay is enabled (by default, it
is not), the query "ldapsearch -E deref=member:" crashes slapd via a
NULL pointer dereference.
#776991, CVE-2015-1546: The query "ldapsearch -E 'mv=(cn={*)(sn=*)'"
crashes slapd via a double free (regression in 2.4.40).
The deref overlay is not widely used, but #776991 affects all slapd
users.
May we upload with these changes?
thanks for considering,
Ryan
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -u openldap-2.4.40/debian/changelog openldap-2.4.40/debian/changelog
--- openldap-2.4.40/debian/changelog
+++ openldap-2.4.40/debian/changelog
@@ -1,3 +1,14 @@
+openldap (2.4.40-4) unstable; urgency=medium
+
+ * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
+ patch to fix a crash when a search includes the Deref control with an
+ empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
+ * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
+ patch to fix a double free triggered by certain search queries using the
+ Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)
+
+ -- Ryan Tandy <ryan at nardis.ca> Sun, 08 Feb 2015 20:19:11 +0000
+
openldap (2.4.40-3) unstable; urgency=medium
* Remove trailing spaces from slapd.templates.
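Review bot: The 2.4.40-4 entry is uploaded with urgency=medium even though both items close CVE-tracked crashes; if the intent is for the fix to migrate quickly, consider urgency=high. The ITS#8046 item could also say that the double free is a regression in 2.4.40, as the cover mail does, so the changelog alone tells readers which versions are affected.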
diff -u openldap-2.4.40/debian/patches/series openldap-2.4.40/debian/patches/series
--- openldap-2.4.40/debian/patches/series
+++ openldap-2.4.40/debian/patches/series
@@ -23,0 +24,2 @@
+ITS8027-deref-reject-empty-attr-list.patch
+ITS8046-fix-vrFilter_free-crash.patch
only in patch2:
unchanged:
--- openldap-2.4.40.orig/debian/patches/ITS8027-deref-reject-empty-attr-list.patch
+++ openldap-2.4.40/debian/patches/ITS8027-deref-reject-empty-attr-list.patch
@@ -0,0 +1,20 @@
+commit c32e74763f77675b9e144126e375977ed6dc562c
+Author: Howard Chu <hyc at openldap.org>
+Date: Mon Jan 19 22:25:53 2015 +0000
+
+ ITS#8027 require non-empty AttributeList
+
+diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
+index 9420e3e..05aa890 100644
+--- a/servers/slapd/overlays/deref.c
++++ b/servers/slapd/overlays/deref.c
+@@ -183,7 +183,8 @@ deref_parseCtrl (
+ ber_len_t cnt = sizeof(struct berval);
+ ber_len_t off = 0;
+
+- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
++ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
++ || !cnt )
+ {
+ rs->sr_text = "Dereference control: derefSpec decoding error";
+ rs->sr_err = LDAP_PROTOCOL_ERROR;
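Review bot: The added `|| !cnt` test in deref_parseCtrl only works because ber_scanf overwrites cnt, which is initialised to sizeof(struct berval) just above, and nothing in the hunk says so; a short comment on that line would keep a later cleanup from dropping the check. An empty attribute list now returns the same "Dereference control: derefSpec decoding error" text as a genuine decoding failure, so the two cases cannot be told apart in client output or logs. Since this file is new under debian/patches, a DEP-3 header (Origin, Bug, Bug-Debian) ahead of the commit text would record where it came from.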
only in patch2:
unchanged:
--- openldap-2.4.40.orig/debian/patches/ITS8046-fix-vrFilter_free-crash.patch
+++ openldap-2.4.40/debian/patches/ITS8046-fix-vrFilter_free-crash.patch
@@ -0,0 +1,28 @@
+commit 2f1a2dd329b91afe561cd06b872d09630d4edb6a
+Author: Howard Chu <hyc at openldap.org>
+Date: Wed Feb 4 02:03:55 2015 +0000
+
+ ITS#8046 fix vrFilter_free
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index b859f73..22c81c8 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,
+ void
+ vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
+ {
+- ValuesReturnFilter *p, *next;
++ ValuesReturnFilter *next;
+
+- if ( vrf == NULL ) {
+- return;
+- }
+-
+- for ( p = vrf; p != NULL; p = next ) {
+- next = p->vrf_next;
++ for ( ; vrf != NULL; vrf = next ) {
++ next = vrf->vrf_next;
+
+ switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
+ case LDAP_FILTER_PRESENT:
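Review bot: The patch header "ITS#8046 fix vrFilter_free" does not record the actual defect, which is visible in the context line `switch ( vrf->vrf_choice & SLAPD_FILTER_MASK )`: the old loop advanced p but the switch kept reading vrf, the head of the list. A one-line Description in the Debian patch header stating this would help anyone auditing the fix later. The hunk stops at the first case label, so the rest of the loop body is not shown here; because the declaration of p is removed, any leftover use of p further down would fail to compile, which is worth confirming with a build before upload.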