[Pkg-openldap-devel] Bug#820244: libldap: use-after-free in GnuTLS-related code (patch available)

Maciej Puzio mkp37215 at gmail.com
Wed Apr 6 21:58:22 UTC 2016


Package: openldap
Version: 2.4.42+dfsg-2

Code located in file libraries/libldap/tls_g.c, containing an
interface to GnuTLS, suffers from a bug causing the configuration
variable tls_reqcert to be read from previously freed memory, thus
assuming random values or causing a segfault. This has been observed
in slapd during syncrepl connection retries, but may possibly happen
in other circumstances. Depending on the configuration, this can lead
to TLS handshake failures, a silent omission of certificate
verification (a security issue) or slapd unexpectedly crashing. This
bug cannot be worked around by configuration changes. In order to
avoid it, it is necessary to recompile the openldap package either with a
patch or with OpenSSL support (in which case the problematic code path
is avoided).

Known affected versions are 2.4.41 to 2.4.44, but it is likely that
earlier versions also contain this bug. The bug has been reported to
the OpenLDAP project and fixed in their git master:
OpenLDAP commit: 283f3ae1713df449cc170965b311b19157f7b7ea
Link: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=283f3ae1713df449cc170965b311b19157f7b7ea
More details are available on the OpenLDAP bug tracker at:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8385

Related Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1557248

Thank you
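
A triage check for the two exposure conditions the report gives (libldap linked against GnuTLS, upstream version 2.4.41 to 2.4.44). This is an added example, not part of the original report and not OpenLDAP or Debian tooling; the function names, verdict strings and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added triage example; not part of the original report.
# Heuristic only: a distribution package with the fix backported keeps the
# same upstream version, so a hit means "check the changelog", not "vulnerable".
# On a real host, pass the installed package version and the `ldd` output of
# the libldap shared object (both are inputs here, nothing is probed).

# "1:2.4.42+dfsg-2" -> "2.4.42" (drop epoch, Debian revision, +dfsg suffix)
upstream_version() {
    v=${1#*:}; v=${v%%-*}; v=${v%%+*}
    printf '%s\n' "$v"
}

# Exit 0 if the upstream version lies in the range the report lists as known
# affected (2.4.41 to 2.4.44), 1 if outside it, 2 if it cannot be parsed.
in_known_range() {
    up=$(upstream_version "$1")
    old_ifs=$IFS; IFS=.; set -- $up; IFS=$old_ifs
    for part in "$1" "$2" "$3"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$1" -eq 2 ] && [ "$2" -eq 4 ] && [ "$3" -ge 41 ] && [ "$3" -le 44 ]
}

# Exit 0 if `ldd` output on stdin shows a GnuTLS dependency
# (matches both libgnutls.so.N and Debian's libgnutls-deb0.so.N naming).
links_gnutls() { grep -q 'libgnutls[^ ]*\.so'; }

# triage VERSION LDD_OUTPUT -> prints exactly one verdict word
triage() {
    if ! printf '%s\n' "$2" | links_gnutls; then
        echo gnutls-path-not-used      # e.g. a build with OpenSSL support
        return 0
    fi
    in_known_range "$1" && rc=0 || rc=$?
    case $rc in
        0) echo known-affected-range ;;
        1) echo outside-known-range ;;  # report suspects earlier versions too
        *) echo version-unparsable ;;
    esac
}

# Constructed sample input (not captured from a real host).
SAMPLE_LDD_GNUTLS='    libgnutls-deb0.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

triage "2.4.42+dfsg-2" "$SAMPLE_LDD_GNUTLS"
```

An `outside-known-range` verdict on a GnuTLS build is not a clean bill of health, since the report states that earlier versions likely contain the bug as well.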


