[Pkg-openldap-devel] Bug#934277: slapd segfault on rwm filter parse error
Ryan Tandy
ryan at nardis.ca
Fri Aug 9 03:19:04 BST 2019
Package: slapd
Version: 2.4.21-1
Severity: important
Tags: security
Control: fixed -1 2.4.48+dfsg-1
Control: forwarded -1 https://openldap.org/its/?findid=8964

This is already fixed in unstable, but filing this for tracking anyway
as I think it warrants fixing in stable as well.

If rwm modifies the search filter and the resulting filter is invalid,
slapd crashes while cleaning up the operation. I believe it ends up
freeing the same pointer twice (where the happy path frees two different
ones).

Depending on the rwm configuration, users (possibly even
anonymous/unprivileged ones) with access to search the directory in a
way that causes the search filter to be rewritten can crash slapd
remotely.

Fixed in master by d40b357, in RE24 by 0f7ec3a.

Also reported in Ubuntu: https://bugs.launchpad.net/bugs/1838370
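
The cleanup pattern described in the report, as an added illustration that is not part of the original message and is not OpenLDAP code: a cleanup routine that is correct when an operation owns two distinct buffers frees one buffer twice when an error path leaves both fields pointing at the same buffer. All names (`struct op`, `rewrite`, `cleanup_unsafe`, `cleanup_safe`) are hypothetical, and the way the alias arises here is an assumption made for the example; frees are recorded rather than performed so the duplicate can be counted safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an operation; not an OpenLDAP structure. */
struct op { char *filter; char *filterstr; };

static char buf_a[16], buf_b[16];   /* stand-ins for two heap allocations */
static void *freed[8];
static int nfreed;

/* Records the pointer instead of releasing it, so a repeated free is
 * counted rather than corrupting the heap. */
static void tracked_free(void *p) { if (p) freed[nfreed++] = p; }

static int double_frees(void) {
    int dups = 0;
    for (int i = 0; i < nfreed; i++)
        for (int j = i + 1; j < nfreed; j++)
            if (freed[i] == freed[j]) dups++;
    return dups;
}

/* Assumed mechanism: success gives two distinct buffers; a parse error on
 * the rewritten filter leaves both fields on the same buffer. */
static void rewrite(struct op *o, int parse_ok) {
    o->filterstr = buf_a;
    o->filter = parse_ok ? buf_b : buf_a;
}

/* Correct only on the happy path: frees both fields unconditionally. */
static void cleanup_unsafe(struct op *o) {
    tracked_free(o->filter);
    tracked_free(o->filterstr);
}

/* Hardened: release an aliased buffer once, then clear both fields so a
 * later cleanup pass has nothing left to free. */
static void cleanup_safe(struct op *o) {
    if (o->filter != o->filterstr) tracked_free(o->filter);
    tracked_free(o->filterstr);
    o->filter = o->filterstr = NULL;
}

/* Returns how many pointers were freed more than once. */
int run(int parse_ok, int safe) {
    struct op o;
    nfreed = 0;
    rewrite(&o, parse_ok);
    (safe ? cleanup_safe : cleanup_unsafe)(&o);
    return double_frees();
}

int main(void) {
    printf("unsafe, parse error: %d double free(s)\n", run(0, 0));
    printf("safe, parse error:   %d double free(s)\n", run(0, 1));
    return 0;
}
```
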