Debian Bug report logs - #488710
slapd: CVE-2008-2952 remote denial of service
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: slapd
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
The following email came over the public security list:
Hi,
Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER decoding of OpenLDAP and crash the server:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
cu
Ludwig
An upstream patch seems to be here:
http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
Please make sure that you upload your package with high urgency or
contact us on the public email list[0] for a possible DTSA coordination.
Cheers
Steffen
[0]: secure-testing-team@lists.alioth.debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #10 received at 488710@bugs.debian.org:
severity 488710 important
forwarded 488710 http://www.openldap.org/its/index.cgi?findid=5580
thanks
On Mon, Jun 30, 2008 at 09:26:27PM +0200, Steffen Joeris wrote:
> Package: slapd
> Severity: grave
> Tags: security, patch
> Justification: user security hole
Unless something's changed, this justification (and bug description) is
inconsistent with the guidelines for security bug severities...
> The following email came over the public security list:
> Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER decoding of OpenLDAP and crash the server:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
> An upstream patch seems to be here:
> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
According to the bug state, this bug fix is still being tested upstream, so
it would be premature to upload this patch yet.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slangasek@ubuntu.com             vorlon@debian.org
Severity set to `important' from `grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Mon, 30 Jun 2008 20:51:18 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #19 received at 488710@bugs.debian.org:
--On Monday, June 30, 2008 1:34 PM -0700 Steve Langasek <vorlon@debian.org>
wrote:
>> An upstream patch seems to be here:
>> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
>
> According to the bug state, this bug fix is still being tested upstream,
> so it would be premature to upload this patch yet.
You may wish to read the commit message. ;)
1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
CVS Tags: HEAD
Changed since 1.120: +6 -8 lines
Diffs to 1.120 (colored diff)
ITS#5580 fix length decoding, verified with PROTOS
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #24 received at 488710@bugs.debian.org:
On Mon, Jun 30, 2008 at 01:58:32PM -0700, Quanah Gibson-Mount wrote:
> --On Monday, June 30, 2008 1:34 PM -0700 Steve Langasek <vorlon@debian.org>
> wrote:
> >> An upstream patch seems to be here:
> >> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
> > According to the bug state, this bug fix is still being tested upstream,
> > so it would be premature to upload this patch yet.
> You may wish to read the commit message. ;)
> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
> CVS Tags: HEAD
> Changed since 1.120: +6 -8 lines
> Diffs to 1.120 (colored diff)
> ITS#5580 fix length decoding, verified with PROTOS
Well, that can only prove that it's no longer vulnerable, right, not that it
still works after the fact? ;)
I'm still inclined to wait until I see upstream bless this patch before
pushing out a fix to unstable.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slangasek@ubuntu.com             vorlon@debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #29 received at 488710@bugs.debian.org:
--On Monday, June 30, 2008 3:09 PM -0700 Steve Langasek <vorlon@debian.org>
wrote:
>> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
>> CVS Tags: HEAD
>> Changed since 1.120: +6 -8 lines
>> Diffs to 1.120 (colored diff)
>
>> ITS#5580 fix length decoding, verified with PROTOS
>
> Well, that can only prove that it's no longer vulnerable, right, not that
> it still works after the fact? ;)
>
> I'm still inclined to wait until I see upstream bless this patch before
> pushing out a fix to unstable.
Ok, I'll reword this slightly.
We at upstream believe the issue to be fixed and the ITS closed. :)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #34 received at 488710@bugs.debian.org:
--On Tuesday, July 01, 2008 9:13 AM -0700 Quanah Gibson-Mount
<quanah@zimbra.com> wrote:
> --On Monday, June 30, 2008 3:09 PM -0700 Steve Langasek
> <vorlon@debian.org> wrote:
>
>>> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
>>> CVS Tags: HEAD
>>> Changed since 1.120: +6 -8 lines
>>> Diffs to 1.120 (colored diff)
>>
>>> ITS#5580 fix length decoding, verified with PROTOS
>>
>> Well, that can only prove that it's no longer vulnerable, right, not that
>> it still works after the fact? ;)
>>
>> I'm still inclined to wait until I see upstream bless this patch before
>> pushing out a fix to unstable.
>
> Ok, I'll reword this slightly.
>
> We at upstream believe the issue to be fixed and the ITS closed. :)
(Closed from further work unless shown otherwise). :P It will be
incorporated into 2.4.11 (and I'm going to drop it into the 2.3 sources as
well, although it is unlikely there'll be another 2.3 release).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #39 received at 488710@bugs.debian.org:
Hi,
CVE-2008-2952 was assigned to this issue:
======================================================
Name: CVE-2008-2952
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952
Reference: CONFIRM:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions
allows remote attackers to cause a denial of service (program
termination) via crafted ASN.1 BER datagrams, which triggers an
assertion error.
Please reference this id if you fix the bug in the next upload.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `slapd: CVE-2008-2952 remote denial of service' from `slapd: remote DoS'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 01 Jul 2008 21:36:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #46 received at 488710@bugs.debian.org:
--On Tuesday, July 01, 2008 11:34 PM +0200 Nico Golde <nion@debian.org>
wrote:
> Hi,
> CVE-2008-2952 was assigned to this issue:
> ======================================================
> Name: CVE-2008-2952
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952
> Reference: CONFIRM:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
>
> liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions
> allows remote attackers to cause a denial of service (program
> termination) via crafted ASN.1 BER datagrams, which triggers an
> assertion error.
All versions of OpenLDAP since 2001, really.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#488710; Package slapd.
Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #51 received at 488710@bugs.debian.org:
--On Tuesday, July 01, 2008 9:14 AM -0700 Quanah Gibson-Mount
<quanah@zimbra.com> wrote:
>> Ok, I'll reword this slightly.
>>
>> We at upstream believe the issue to be fixed and the ITS closed. :)
>
> (Closed from further work unless shown otherwise). :P It will be
> incorporated into 2.4.11 (and I'm going to drop it into the 2.3 sources
> as well, although it is unlikely there'll be another 2.3 release).
Of course, as fate would have it, all I have to do is ask Howard a
question, get an answer, send an email, and then the world reverses. :P
So now there's a new different commit for this problem in upstream.
Update of /repo/OpenLDAP/pkg/ldap/libraries/liblber
Modified Files:
io.c 1.121 -> 1.122
Log Message:
ITS#5580: Revert prev commit, failed on byte-at-a-time input. Different
approach used here.
CVS Web URLs:
http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/
http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
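The CVE text earlier in this log describes an assertion in BER length decoding reachable from untrusted input, and the revert note in the message above shows that a fix must also hold up when input arrives one byte at a time. What follows is an added illustration, not OpenLDAP's liblber code and not the ITS#5580 patch: an incremental BER tag/length header decoder that reports malformed length octets as an error instead of asserting, and returns the same result however the input is split. The 4-octet length limit and the 16 MiB PDU cap are assumed local policy values, not anything from the bug report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not OpenLDAP's liblber code: an incremental BER tag/length
 * header decoder that fails closed on bad length octets rather than asserting. */
enum ber_status { BER_NEED_MORE = 0, BER_DONE = 1, BER_ERROR = -1 };
#define BER_MAX_LEN_OCTETS 4      /* assumed policy: reject lengths wider than 32 bits */
#define BER_MAX_PDU (16u << 20)   /* assumed policy: 16 MiB cap on one PDU's content */
struct ber_hdr {
    uint8_t  tag, have_tag, have_len0; /* parse progress */
    uint8_t  len_octets;               /* long-form length octets still to read */
    uint64_t length;                   /* decoded content length */
};
static void ber_hdr_init(struct ber_hdr *h) { memset(h, 0, sizeof *h); }
/* Feed exactly one octet; the caller may split the input however it likes. */
static enum ber_status ber_hdr_feed(struct ber_hdr *h, uint8_t b)
{
    if (!h->have_tag) {
        if ((b & 0x1f) == 0x1f) return BER_ERROR;  /* high-tag-number form: unsupported here */
        h->tag = b; h->have_tag = 1;
        return BER_NEED_MORE;
    }
    if (!h->have_len0) {
        h->have_len0 = 1;
        if (b < 0x80) { h->length = b; return BER_DONE; }  /* short form: header complete */
        if (b == 0x80) return BER_ERROR;                   /* indefinite length: reject */
        h->len_octets = b & 0x7f;                          /* 0xff (127 octets) is caught below */
        return h->len_octets > BER_MAX_LEN_OCTETS ? BER_ERROR : BER_NEED_MORE;
    }
    if (h->len_octets == 0) return BER_ERROR;              /* fed past a completed header */
    h->length = (h->length << 8) | b;
    if (--h->len_octets) return BER_NEED_MORE;
    return h->length > BER_MAX_PDU ? BER_ERROR : BER_DONE;
}
/* Decode a header from a buffer one octet at a time. Returns the content
 * length, -1 for a malformed header, or -2 if more input is needed. */
static int64_t ber_length_of(const uint8_t *buf, size_t n)
{
    struct ber_hdr h;
    enum ber_status st = BER_NEED_MORE;
    ber_hdr_init(&h);
    for (size_t i = 0; i < n && st == BER_NEED_MORE; i++)
        st = ber_hdr_feed(&h, buf[i]);
    if (st == BER_DONE) return (int64_t)h.length;
    return st == BER_ERROR ? -1 : -2;
}
int main(void)
{
    /* Constructed inputs: a 256-byte SEQUENCE header, the same header cut short,
     * and a length field claiming nine octets, which the decoder refuses. */
    const uint8_t ok[] = { 0x30, 0x82, 0x01, 0x00 }, part[] = { 0x30, 0x82, 0x01 };
    const uint8_t bad[] = { 0x30, 0x89, 0x00 };
    printf("%lld %lld %lld\n", (long long)ber_length_of(ok, sizeof ok),
           (long long)ber_length_of(part, sizeof part), (long long)ber_length_of(bad, sizeof bad));
    return 0;
}
```

The decoder never trusts the length until every octet has been read, so a partial header is reported as "need more" rather than being acted on or asserted upon.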
Bug marked as found in version 2.3.30-5. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 11 Jul 2008 08:39:12 GMT)
Tags added: pending. Request was from vorlon@alioth.debian.org to control@bugs.debian.org. (Fri, 11 Jul 2008 08:42:09 GMT)
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer.
Message #60 received at 488710-close@bugs.debian.org:
Source: openldap
Source-Version: 2.4.10-3
We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:
ldap-utils_2.4.10-3_amd64.deb
to pool/main/o/openldap/ldap-utils_2.4.10-3_amd64.deb
libldap-2.4-2-dbg_2.4.10-3_amd64.deb
to pool/main/o/openldap/libldap-2.4-2-dbg_2.4.10-3_amd64.deb
libldap-2.4-2_2.4.10-3_amd64.deb
to pool/main/o/openldap/libldap-2.4-2_2.4.10-3_amd64.deb
libldap2-dev_2.4.10-3_amd64.deb
to pool/main/o/openldap/libldap2-dev_2.4.10-3_amd64.deb
openldap_2.4.10-3.diff.gz
to pool/main/o/openldap/openldap_2.4.10-3.diff.gz
openldap_2.4.10-3.dsc
to pool/main/o/openldap/openldap_2.4.10-3.dsc
slapd-dbg_2.4.10-3_amd64.deb
to pool/main/o/openldap/slapd-dbg_2.4.10-3_amd64.deb
slapd_2.4.10-3_amd64.deb
to pool/main/o/openldap/slapd_2.4.10-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 488710@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated openldap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 28 Jul 2008 15:26:06 -0700
Source: openldap
Binary: slapd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.10-3
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description:
ldap-utils - OpenLDAP utilities
libldap-2.4-2 - OpenLDAP libraries
libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
libldap2-dev - OpenLDAP development libraries
slapd - OpenLDAP server (slapd)
slapd-dbg - Debugging information for the OpenLDAP server (slapd)
Closes: 473796 485263 488710 490754 492748
Changes:
openldap (2.4.10-3) unstable; urgency=low
.
[ Steve Langasek ]
* New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
vulnerability in the BER decoder. Addresses CVE-2008-2952,
closes: #488710.
* debian/slapd.scripts-common, debian/slapd.postinst: drop
update_path_argsfile_pidfile function, not needed for updates from etch
or newer.
* Drop the code to check for and upgrade ldbm databases. The etch
release of slapd had already dropped support for them and direct
upgrades from sarge are not supported.
.
[ Russ Allbery ]
* Apply upstream patch to convert GnuTLS cipher strength from bytes to
bits, as expected by OpenLDAP. (Closes: #473796)
* Add Build-Depends on time, used by the test suite and only a shell
built-in with bash. Thanks, Daniel Schepler. (Closes: #490754)
* Refresh all patches, convert all patches to -p1, and remove extraneous
Index: lines. (Closes: #485263)
* Unless DFSG_NONFREE is set, also check whether the upstream schemas
with RFC comments are included.
* Update standards version to 3.8.0.
- Include debian/README.source pointing to the quilt README.source.
- Wrap Uploaders for readability.
* Wrap slapd's Depends for readability.
.
[ Updated debconf translations ]
* Swedish, thanks to Martin Ågren <martin.agren@gmail.com>.
Closes: #492748.
Checksums-Sha1:
Checksums-Sha256:
Files:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 May 2009 07:26:37 GMT)
Last modified: Wed Jun 19 16:55:43 2019