slapd: CVE-2008-2952 remote denial of service

Debian Bug report logs - #488710
slapd: CVE-2008-2952 remote denial of service

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: slapd: remote DoS

Date: Mon, 30 Jun 2008 21:26:27 +0200

Package: slapd
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following email came over the public security list:

Hi,

Remote unauthenticated attackers can trigger an assertion in the ASN.1
BER
decoding of openlap and crash the server:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

cu
Ludwig

An upstream patch seems to be here:
http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0

Please make sure that you upload your package with high urgency or
contact us on the public email list[0] for a possible DTSA coordination.

Cheers
Steffen

[0]: secure-testing-team@lists.alioth.debian.org

Message #10 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 488710@bugs.debian.org

Subject: Re: Bug#488710: slapd: remote DoS

Date: Mon, 30 Jun 2008 13:34:50 -0700

severity 488710 important
forwarded 488710 http://www.openldap.org/its/index.cgi?findid=5580
thanks

On Mon, Jun 30, 2008 at 09:26:27PM +0200, Steffen Joeris wrote:
> Package: slapd
> Severity: grave
> Tags: security, patch
> Justification: user security hole

Unless something's changed, this justification (and bug description) is
inconsistent with the guidelines for security bug severities...

> The following email came over the public security list:

> Remote unauthenticated attackers can trigger an assertion in the ASN.1
> BER
> decoding of openlap and crash the server:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

> An upstream patch seems to be here:
> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0

According to the bug state, this bug fix is still being tested upstream, so
it would be premature to upload this patch yet.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Message #19 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: 488710@bugs.debian.org

Cc: Steve Langasek <vorlon@debian.org>, Steffen Joeris <steffen.joeris@skolelinux.de>

Subject: Re: [Pkg-openldap-devel] Bug#488710: slapd: remote DoS

Date: Mon, 30 Jun 2008 13:58:32 -0700

--On Monday, June 30, 2008 1:34 PM -0700 Steve Langasek <vorlon@debian.org> 
wrote:

>> An upstream patch seems to be here:
>> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=
>> 1.120&r2=1.121&hideattic=1&sortbydate=0
>
> According to the bug state, this bug fix is still being tested upstream,
> so it would be premature to upload this patch yet.

You may wish to read the commit message. ;)

1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
CVS Tags: HEAD
Changed since 1.120: +6 -8 lines
Diffs to 1.120 (colored diff)

ITS#5580 fix length decoding, verified with PROTOS


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #24 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: Quanah Gibson-Mount <quanah@zimbra.com>, 488710@bugs.debian.org

Cc: Steffen Joeris <steffen.joeris@skolelinux.de>

Subject: Re: [Pkg-openldap-devel] Bug#488710: Bug#488710: slapd: remote DoS

Date: Mon, 30 Jun 2008 15:09:57 -0700

On Mon, Jun 30, 2008 at 01:58:32PM -0700, Quanah Gibson-Mount wrote:
> --On Monday, June 30, 2008 1:34 PM -0700 Steve Langasek <vorlon@debian.org> 
> wrote:

> >> An upstream patch seems to be here:
> >> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=
> >> 1.120&r2=1.121&hideattic=1&sortbydate=0

> > According to the bug state, this bug fix is still being tested upstream,
> > so it would be premature to upload this patch yet.

> You may wish to read the commit message. ;)

> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
> CVS Tags: HEAD
> Changed since 1.120: +6 -8 lines
> Diffs to 1.120 (colored diff)

> ITS#5580 fix length decoding, verified with PROTOS

Well, that can only prove that it's no longer vulnerable, right, not that it
still works after the fact? ;)

I'm still inclined to wait until I see upstream bless this patch before
pushing out a fix to unstable.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Message #29 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: Steve Langasek <vorlon@debian.org>, 488710@bugs.debian.org

Cc: Steffen Joeris <steffen.joeris@skolelinux.de>

Subject: Re: [Pkg-openldap-devel] Bug#488710: Bug#488710: slapd: remote DoS

Date: Tue, 01 Jul 2008 09:13:22 -0700

--On Monday, June 30, 2008 3:09 PM -0700 Steve Langasek <vorlon@debian.org> 
wrote:

>> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
>> CVS Tags: HEAD
>> Changed since 1.120: +6 -8 lines
>> Diffs to 1.120 (colored diff)
>
>> ITS#5580 fix length decoding, verified with PROTOS
>
> Well, that can only prove that it's no longer vulnerable, right, not that
> it still works after the fact? ;)
>
> I'm still inclined to wait until I see upstream bless this patch before
> pushing out a fix to unstable.

Ok, I'll reword this slightly.

We at upstream believe the issue to be fixed and the ITS closed. :)

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #34 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: Steve Langasek <vorlon@debian.org>, 488710@bugs.debian.org

Cc: Steffen Joeris <steffen.joeris@skolelinux.de>

Subject: Re: [Pkg-openldap-devel] Bug#488710: Bug#488710: slapd: remote DoS

Date: Tue, 01 Jul 2008 09:14:35 -0700

--On Tuesday, July 01, 2008 9:13 AM -0700 Quanah Gibson-Mount 
<quanah@zimbra.com> wrote:

> --On Monday, June 30, 2008 3:09 PM -0700 Steve Langasek
> <vorlon@debian.org> wrote:
>
>>> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
>>> CVS Tags: HEAD
>>> Changed since 1.120: +6 -8 lines
>>> Diffs to 1.120 (colored diff)
>>
>>> ITS#5580 fix length decoding, verified with PROTOS
>>
>> Well, that can only prove that it's no longer vulnerable, right, not that
>> it still works after the fact? ;)
>>
>> I'm still inclined to wait until I see upstream bless this patch before
>> pushing out a fix to unstable.
>
> Ok, I'll reword this slightly.
>
> We at upstream believe the issue to be fixed and the ITS closed. :)

(Closed from further work unless shown otherwise). :P  It will be 
incorporated into 2.4.11 (and I'm going to drop it into the 2.3 sources as 
well, although it is unlikely there'll be another 2.3 release).

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #39 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 488710@bugs.debian.org

Subject: CVE id assigned

Date: Tue, 1 Jul 2008 23:34:25 +0200

[Message part 1 (text/plain, inline)]

Hi,
CVE-2008-2952 was assigned to this issue:
======================================================
Name: CVE-2008-2952
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952
Reference: CONFIRM:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions
allows remote attackers to cause a denial of service (program
termination) via crafted ASN.1 BER datagrams, which triggers an
assertion error.


Please reference this id if you fix the bug in the next upload.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #46 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: Nico Golde <nion@debian.org>, 488710@bugs.debian.org

Subject: Re: [Pkg-openldap-devel] Bug#488710: CVE id assigned

Date: Tue, 01 Jul 2008 14:46:09 -0700

--On Tuesday, July 01, 2008 11:34 PM +0200 Nico Golde <nion@debian.org> 
wrote:

> Hi,
> CVE-2008-2952 was assigned to this issue:
> ======================================================
> Name: CVE-2008-2952
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952
> Reference:
> CONFIRM:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;sel
> ectid=5580
>
> liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions
> allows remote attackers to cause a denial of service (program
> termination) via crafted ASN.1 BER datagrams, which triggers an
> assertion error.

All versions of OpenLDAP since 2001, really.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #51 received at 488710@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: Quanah Gibson-Mount <quanah@zimbra.com>, Steve Langasek <vorlon@debian.org>, 488710@bugs.debian.org

Cc: Steffen Joeris <steffen.joeris@skolelinux.de>

Subject: Re: [Pkg-openldap-devel] Bug#488710: Bug#488710: Bug#488710: slapd: remote DoS

Date: Tue, 01 Jul 2008 16:51:24 -0700

--On Tuesday, July 01, 2008 9:14 AM -0700 Quanah Gibson-Mount 
<quanah@zimbra.com> wrote:


>> Ok, I'll reword this slightly.
>>
>> We at upstream believe the issue to be fixed and the ITS closed. :)
>
> (Closed from further work unless shown otherwise). :P  It will be
> incorporated into 2.4.11 (and I'm going to drop it into the 2.3 sources
> as  well, although it is unlikely there'll be another 2.3 release).

Of course, as fate would have it, all I have to do is ask Howard a 
question, get an answer, send an email, and then the world reverses. :P

So now there's a new different commit for this problem in upstream.

Update of /repo/OpenLDAP/pkg/ldap/libraries/liblber

Modified Files:
	io.c  1.121 -> 1.122

Log Message:
ITS#5580: Revert prev commit, failed on byte-at-a-time input. Different
approach used here.


CVS Web URLs:
 http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/
   http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #60 received at 488710-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: 488710-close@bugs.debian.org

Subject: Bug#488710: fixed in openldap 2.4.10-3

Date: Mon, 28 Jul 2008 23:32:04 +0000

Source: openldap
Source-Version: 2.4.10-3

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.10-3_amd64.deb
  to pool/main/o/openldap/ldap-utils_2.4.10-3_amd64.deb
libldap-2.4-2-dbg_2.4.10-3_amd64.deb
  to pool/main/o/openldap/libldap-2.4-2-dbg_2.4.10-3_amd64.deb
libldap-2.4-2_2.4.10-3_amd64.deb
  to pool/main/o/openldap/libldap-2.4-2_2.4.10-3_amd64.deb
libldap2-dev_2.4.10-3_amd64.deb
  to pool/main/o/openldap/libldap2-dev_2.4.10-3_amd64.deb
openldap_2.4.10-3.diff.gz
  to pool/main/o/openldap/openldap_2.4.10-3.diff.gz
openldap_2.4.10-3.dsc
  to pool/main/o/openldap/openldap_2.4.10-3.dsc
slapd-dbg_2.4.10-3_amd64.deb
  to pool/main/o/openldap/slapd-dbg_2.4.10-3_amd64.deb
slapd_2.4.10-3_amd64.deb
  to pool/main/o/openldap/slapd_2.4.10-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 488710@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 28 Jul 2008 15:26:06 -0700
Source: openldap
Binary: slapd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.10-3
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
Closes: 473796 485263 488710 490754 492748
Changes: 
 openldap (2.4.10-3) unstable; urgency=low
 .
   [ Steve Langasek ]
   * New patch, CVE-2008-2952_BER-decoding-assertion, to fix a remote DoS
     vulnerability in the BER decoder.  Addresses CVE-2008-2952,
     closes: #488710.
   * debian/slapd.scripts-common, debian/slapd.postinst: drop
     update_path_argsfile_pidfile function, not needed for updates from etch
     or newer.
   * Drop the code to check for and upgrade ldbm databases.  The etch
     release of slapd had already dropped support for them and direct
     upgrades from sarge are not supported.
 .
   [ Russ Allbery ]
   * Apply upstream patch to convert GnuTLS cipher strength from bytes to
     bits, as expected by OpenLDAP.  (Closes: #473796)
   * Add Build-Depends on time, used by the test suite and only a shell
     built-in with bash.  Thanks, Daniel Schepler.  (Closes: #490754)
   * Refresh all patches, convert all patches to -p1, and remove extraneous
     Index: lines.  (Closes: #485263)
   * Unless DFSG_NONFREE is set, also check whether the upstream schemas
     with RFC comments are included.
   * Update standards version to 3.8.0.
     - Include debian/README.source pointing to the quilt README.source.
     - Wrap Uploaders for readability.
   * Wrap slapd's Depends for readability.
 .
   [ Updated debconf translations ]
   * Swedish, thanks to Martin Ågren <martin.agren@gmail.com>.
     Closes: #492748.
Checksums-Sha1: 
 bbb194d86f21dc1624678bf762878f195a7f4e6b 1794 openldap_2.4.10-3.dsc
 71309c8797b2f38e0fd4f48df8d5e6c65d08bc8d 146965 openldap_2.4.10-3.diff.gz
 c1888e4a0a5c52d9eecc6bb11a8d50e8a89d3ee0 1497908 slapd_2.4.10-3_amd64.deb
 4f9c437c4e0d0a486234e87e91ca96ca20d65d64 267102 ldap-utils_2.4.10-3_amd64.deb
 442f6c942dd7721b3e4665a4b4cfdae1940d1e26 204256 libldap-2.4-2_2.4.10-3_amd64.deb
 829131b127bb37c7cfd6139c67dbe39393165beb 298480 libldap-2.4-2-dbg_2.4.10-3_amd64.deb
 5ecdc457d3faf55162963f2964af541e8973ff66 876134 libldap2-dev_2.4.10-3_amd64.deb
 f36d856f9082e1a65ff08300a409bf21755aad9b 3662856 slapd-dbg_2.4.10-3_amd64.deb
Checksums-Sha256: 
 5b44e5c6fef13dfb6cb4695007480e676680ef91b4ca4661b4d1bed47f19e117 1794 openldap_2.4.10-3.dsc
 36c7f13eaa6e030184e1af01c5a7aa6b866e6889a8f30d67dfedcdb494794670 146965 openldap_2.4.10-3.diff.gz
 54580b4e37090e02fbd77e2c81c5937c1ed109110a5510b147b335f18ce6e9bc 1497908 slapd_2.4.10-3_amd64.deb
 9dc1d2d4e8a442d2d623393c5c30ccf139c91c10053781b51e8fa97b800a09b8 267102 ldap-utils_2.4.10-3_amd64.deb
 d96c2a9b96f6dbdd61dee778a548a2f6d9b712453a8e93086efca35d3852c631 204256 libldap-2.4-2_2.4.10-3_amd64.deb
 c36ab54817eb27c1f01c4345d8e5ecf7450765eb01a157fc2ba7489084cab732 298480 libldap-2.4-2-dbg_2.4.10-3_amd64.deb
 4e1aecb2f02e460c8a5865f26e2e5d3b002f143ed471d95476111affa8edaa09 876134 libldap2-dev_2.4.10-3_amd64.deb
 6aca38b72911d23d132bfa43ce139748308a2936a1efcbb397860a36e6dea15f 3662856 slapd-dbg_2.4.10-3_amd64.deb
Files: 
 df9433c9a05befee59192f8990bffd24 1794 net optional openldap_2.4.10-3.dsc
 dd3fe79784639de231459e886101d190 146965 net optional openldap_2.4.10-3.diff.gz
 2f3af73520602ce2b067f5901e867bae 1497908 net optional slapd_2.4.10-3_amd64.deb
 37a9b8c6017840c0304e3dad11ffc4b7 267102 net optional ldap-utils_2.4.10-3_amd64.deb
 1e04eda09b5319cf1cb1550221dc3b15 204256 libs optional libldap-2.4-2_2.4.10-3_amd64.deb
 54a1c255f08c18155eced6889bd33696 298480 libdevel extra libldap-2.4-2-dbg_2.4.10-3_amd64.deb
 173f04f85b3259a85d2cbd209f7114ec 876134 libdevel extra libldap2-dev_2.4.10-3_amd64.deb
 b3ad8347968466412452eac76b583cf7 3662856 net extra slapd-dbg_2.4.10-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIjlFdKN6ufymYLloRAuFmAJ9DAmqBZsn2yBwrSDo/ntAKGWvxnACfe09P
t9RUDlVvvUUqWI5tz/BcI8A=
=e/ro
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.