openldap: CVE-2015-1546: crash in valueReturnFilter cleanup

Related Vulnerabilities: CVE-2015-1546   CVE-2015-1545  

Debian Bug report logs - #776991
openldap: CVE-2015-1546: crash in valueReturnFilter cleanup


Reported by: Ryan Tandy <ryan@nardis.ca>

Date: Tue, 3 Feb 2015 20:42:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version openldap/2.4.40-3

Fixed in version openldap/2.4.40-4

Done: Ryan Tandy <ryan@nardis.ca>

Bug is archived. No further changes may be made.

Forwarded to http://www.openldap.org/its/?findid=8046



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#776991; Package slapd. (Tue, 03 Feb 2015 20:42:05 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 03 Feb 2015 20:42:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: submit@bugs.debian.org
Subject: slapd: crash in valueReturnFilter cleanup
Date: Tue, 3 Feb 2015 12:38:39 -0800
Package: slapd
Version: 2.4.40-3
Severity: important
Tags: upstream
Control: forwarded -1 http://www.openldap.org/its/?findid=8046

Bill MacAllister discovered that certain queries cause slapd to crash 
while freeing operation controls. Details to follow.

This is a 2.4.40 regression. Earlier releases are not affected.



Set Bug forwarded-to-address to 'http://www.openldap.org/its/?findid=8046'. Request was from Ryan Tandy <ryan@nardis.ca> to submit@bugs.debian.org. (Tue, 03 Feb 2015 20:42:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#776991; Package slapd. (Tue, 03 Feb 2015 21:39:04 GMT)


Acknowledgement sent to Luca BRUNO <lucab@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 03 Feb 2015 21:39:04 GMT)


Message #12 received at 776991@bugs.debian.org:

From: Luca BRUNO <lucab@debian.org>
To: 776991@bugs.debian.org
Cc: Ryan Tandy <ryan@nardis.ca>
Subject: Re: slapd: crash in valueReturnFilter cleanup
Date: Tue, 3 Feb 2015 22:37:24 +0100
On Tue, 3 Feb 2015 12:38:39 -0800 Ryan Tandy <ryan@nardis.ca> wrote:

> Bill MacAllister discovered that certain queries cause slapd to crash 
> while freeing operation controls. Details to follow.

I have some problems understanding this comment from the upstream bug
report:

> The system exhibiting this problem was running a beta release of
> 2.4.40.  When I installed from a build of the current stable the
> problem disappeared.  Apologies for the bother, I didn't realize
> the system had not been updated.
> 
> I think that documenting the query would be useful anyway, but I
> want to hold off on that because I know the problem exists in the
> build that is in debian backports.  I would like to give Ryan a
> chance to fix it before I publish it.  I was able to reproduce the
> problem with ldapsearch and it is a trivial and very effective
> denial of service attack.

Is it something that we introduced with our patching? Where did he get
a beta release of 2.4.40? Does "a build of current stable" mean
2.4.31-1+nmu2 from wheezy or some upstream version he built? In the
last paragraph, is he implying that he is unable to reproduce the bug
with vanilla openldap?

Cheers, Luca

-- 
  .''`.  |               ~<[ Luca BRUNO ~ (kaeso) ]>~
 : :'  : | Email: lucab (AT) debian.org ~ Debian Developer
 `. `'`  | GPG Key ID: 0x3BFB9FB3       ~ Free Software supporter
   `-    | HAM-radio callsign: IZ1WGT   ~ Networking sorcerer



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#776991; Package slapd. (Tue, 03 Feb 2015 21:54:05 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 03 Feb 2015 21:54:05 GMT)


Message #17 received at 776991@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: Luca BRUNO <lucab@debian.org>
Cc: 776991@bugs.debian.org
Subject: Re: slapd: crash in valueReturnFilter cleanup
Date: Tue, 3 Feb 2015 13:50:38 -0800
Hi,

On Tue, Feb 03, 2015 at 10:37:24PM +0100, Luca BRUNO wrote:
>Is it something that we introduced with our patching?

No. I have reproduced it in upstream git master and 2.4 branches, as 
well as in 2.4.40-3 in sid.

>Where did he get a beta release of 2.4.40?

I believe he means a git snapshot from between 2.4.39 and 2.4.40.

>Does "a build of current stable" mean 2.4.31-1+nmu2 from wheezy or some 
>upstream version he built?

I believe that refers to the final 2.4.40 tarball.

>In the last paragraph, is he implying that he is unable to reproduce 
>the bug with vanilla openldap?

I think so, but I'm hoping to receive some clarification once upstream 
responds to the bug. Like I wrote above, I reproduced it with our 
2.4.40-3 as well as with unmodified upstream git sources, while Bill 
wrote that in some cases it didn't reproduce. As it's a memory-related 
bug, it's possible it's not 100% reproducible, or that the allocator 
plays a role (note tcmalloc in his backtrace, while I use glibc's).

Before I filed this, Bill wrote to me privately about his ITS, and I 
have provided a minimal test case and git bisection result to upstream, 
also privately.

We will most likely want to fix this for jessie, and probably #776988 as 
well, since both result in remotely-triggered DoS.

hope that helps,
Ryan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#776991; Package slapd. (Wed, 04 Feb 2015 04:39:04 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Wed, 04 Feb 2015 04:39:04 GMT)


Message #22 received at 776991@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 776991@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#776991: slapd: crash in valueReturnFilter cleanup
Date: Tue, 3 Feb 2015 20:34:14 -0800
Control: tags -1 + fixed-upstream

This is fixed upstream in git master now.

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a

Test case: ldapsearch -E 'mv=(cn={*)(sn=*)'



Added tag(s) fixed-upstream. Request was from Ryan Tandy <ryan@nardis.ca> to 776991-submit@bugs.debian.org. (Wed, 04 Feb 2015 04:39:04 GMT)


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Feb 2015 06:03:07 GMT)


Changed Bug title to 'openldap: CVE-2015-1546: crash in valueReturnFilter cleanup' from 'slapd: crash in valueReturnFilter cleanup'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 Feb 2015 13:09:09 GMT)


Added tag(s) pending. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Mon, 09 Feb 2015 02:30:05 GMT)


Reply sent to Ryan Tandy <ryan@nardis.ca>:
You have taken responsibility. (Mon, 09 Feb 2015 21:24:10 GMT)


Notification sent to Ryan Tandy <ryan@nardis.ca>:
Bug acknowledged by developer. (Mon, 09 Feb 2015 21:24:10 GMT)


Message #35 received at 776991-close@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 776991-close@bugs.debian.org
Subject: Bug#776991: fixed in openldap 2.4.40-4
Date: Mon, 09 Feb 2015 21:22:23 +0000
Source: openldap
Source-Version: 2.4.40-4

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776991@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <ryan@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 08 Feb 2015 20:19:11 +0000
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.40-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Ryan Tandy <ryan@nardis.ca>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 776988 776991
Changes:
 openldap (2.4.40-4) unstable; urgency=medium
 .
   * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
     patch to fix a crash when a search includes the Deref control with an
     empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
   * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
     patch to fix a double free triggered by certain search queries using the
     Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991)
Checksums-Sha1:
 6916d2f8bc6887a28fecad20ab7b6c453fb26b17 2756 openldap_2.4.40-4.dsc
 da5218904f2f5e221143e42b69938c039e0d1515 177329 openldap_2.4.40-4.diff.gz
 1b43f58f2890204b23434a7ea19770ab329bf16a 1419858 slapd_2.4.40-4_amd64.deb
 d7bfa33906f1fea02e78f75e18be59603497f638 82750 slapd-smbk5pwd_2.4.40-4_amd64.deb
 c9a0f3cf0f1ff13423d87d70fa0970f9fd855cfa 187856 ldap-utils_2.4.40-4_amd64.deb
 f0636e63420ad391a0185ae1b4a53eeb45b9544a 217322 libldap-2.4-2_2.4.40-4_amd64.deb
 21915916c3c65add67ec5fdf7de7b80f290fbdda 441688 libldap-2.4-2-dbg_2.4.40-4_amd64.deb
 fad1b3b56d1671ed7c11fdc1bcf7169d53e694b2 323568 libldap2-dev_2.4.40-4_amd64.deb
 19c4d3274b94cc8387650c306ab6b9ee916c2233 4902624 slapd-dbg_2.4.40-4_amd64.deb
Checksums-Sha256:
 5dcc3b9b7703e341c8878e6dc407ac3956aa314edc8404af8efd1738236e00a5 2756 openldap_2.4.40-4.dsc
 3be4cc54cfdcdb8d17fd535bd4a374744bc84c9b4ae843521511683cc7439302 177329 openldap_2.4.40-4.diff.gz
 b66b4e92f6cdf4759330234ddb81ad67413f4b8875644682a052afc2e9415abe 1419858 slapd_2.4.40-4_amd64.deb
 389e1e6c655aba6707e37a437489784aba753240fcc8120a17c1c59a56f3dfda 82750 slapd-smbk5pwd_2.4.40-4_amd64.deb
 d3031cfb280c988f9fa75cf0bcfe66f9f7690617bf61a0f6f42238342e8a3c23 187856 ldap-utils_2.4.40-4_amd64.deb
 30cb149047edec729662178925fbf06a6eab6d534527c5ae8de4c5e6950bd304 217322 libldap-2.4-2_2.4.40-4_amd64.deb
 7713b0bfabf7c38b807055cbb1835d6c3705c9ff79be0970f0cfdf2f87b1da43 441688 libldap-2.4-2-dbg_2.4.40-4_amd64.deb
 9e26e2d23ed7794ae9d6d56dbbf35f1a8e276612f3338b312950027a7bf92198 323568 libldap2-dev_2.4.40-4_amd64.deb
 3945b83f2116d9738983adf052282ef12f2d82b42e20c66a70ec76968db09b32 4902624 slapd-dbg_2.4.40-4_amd64.deb
Files:
 e82089d8b0454af877cd977019c4e198 2756 net optional openldap_2.4.40-4.dsc
 ee2a355182429e1e1a44ed5023066bc2 177329 net optional openldap_2.4.40-4.diff.gz
 21a3dbd738dc25f79406b82f3c918d29 1419858 net optional slapd_2.4.40-4_amd64.deb
 598e3eed03cd2e3551e86c1037a28c43 82750 net extra slapd-smbk5pwd_2.4.40-4_amd64.deb
 8b1a4599560f5a70f6a5a62dd499d68b 187856 net optional ldap-utils_2.4.40-4_amd64.deb
 cf939f6113367fdae5ab9efa025e7434 217322 libs standard libldap-2.4-2_2.4.40-4_amd64.deb
 2b5c75b5bdfc14e94366315ac8b12701 441688 debug extra libldap-2.4-2-dbg_2.4.40-4_amd64.deb
 2f20eb1930bb2698e1c2106ed06f742d 323568 libdevel extra libldap2-dev_2.4.40-4_amd64.deb
 90bb744295d0b68568f3ad0ef2a565db 4902624 debug extra slapd-dbg_2.4.40-4_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#776991; Package slapd. (Thu, 26 Feb 2015 01:39:04 GMT)


Acknowledgement sent to Geoff Crompton <geoffc@trinity.unimelb.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 26 Feb 2015 01:39:04 GMT)


Message #40 received at 776991@bugs.debian.org:

From: Geoff Crompton <geoffc@trinity.unimelb.edu.au>
To: 776991@bugs.debian.org
Subject: is wheezy backports vulnerable?
Date: Thu, 26 Feb 2015 12:29:28 +1100
Given the fix for this went into -4, it seems likely 
2.4.31+really2.4.40-3~bpo70+1 (the wheezy backport) is vulnerable.

Could someone confirm that?

-- 
Geoff Crompton, System Administrator
T: +61 (0)3 9348 7138
Trinity College | University of Melbourne | Royal Parade, Parkville | 
Victoria 3052, Australia
www.trinity.unimelb.edu.au



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#776991; Package slapd. (Thu, 26 Feb 2015 02:03:05 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 26 Feb 2015 02:03:05 GMT)


Message #45 received at 776991@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: Geoff Crompton <geoffc@trinity.unimelb.edu.au>, 776991@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#776991: is wheezy backports vulnerable?
Date: Wed, 25 Feb 2015 18:01:04 -0800
On Thu, Feb 26, 2015 at 12:29:28PM +1100, Geoff Crompton wrote:
>Given the fix for this went into -4, it seems likely 
>2.4.31+really2.4.40-3~bpo70+1 (the wheezy backport) is vulnerable.
>
>Could someone confirm that?

It is, yes.

An updated backport has been uploaded, we're waiting for ftpmaster to 
let it into the repository now.

https://ftp-master.debian.org/backports-new.html
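The backport question in the two messages above turns on how Debian version strings sort: the wheezy backport is numbered 2.4.31+really2.4.40-3~bpo70+1, so a plain version comparison ranks it below 2.4.40 even though it ships the affected 2.4.40 code, and a backport of the fixed upload (something like 2.4.40-4~bpo70+1) sorts below 2.4.40-4 even though it contains the fix. What follows is an added example, not code from the bug report, the openldap package or dpkg: a Python port of the dpkg version comparison algorithm (Debian Policy 5.6.12) and an affected-version check that resolves the "+really" convention and uses "4~" as the lower bound so that backports of 2.4.40-4 count as fixed. The version 2.4.40-4~bpo70+1 used below is constructed for the demo; the thread names no version for the updated backport. The check only decides between 2.4.40 uploads with and without the 2.4.40-4 fix, per the report's "2.4.40 regression" statement; later upstream releases are outside its scope.

```python
"""Classify Debian openldap versions against the fix for #776991 (added example)."""

from typing import Tuple

AFFECTED_UPSTREAM = "2.4.40"   # the thread calls the bug "a 2.4.40 regression"
FIXED_REVISION = "4~"          # 2.4.40-4 closed the bug; "4~" also admits 4~bpoNN rebuilds


def _order(ch: str) -> int:
    """Sort weight of one character in a non-digit run (mirrors dpkg's order())."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1          # tilde sorts before everything, even the end of the string
    return ord(ch) + 256   # other punctuation sorts after all letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does; returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # A non-digit run is compared character by character with _order() ...
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # ... then a digit run is compared numerically, leading zeros dropped.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                  # native package: no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Full Debian comparison: epoch, then upstream, then revision. Returns -1/0/1."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    rc = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return -1 if rc < 0 else (1 if rc > 0 else 0)


def effective_upstream(upstream: str) -> str:
    """Resolve the '+really' convention: 'A+reallyB' ships upstream B under a
    version number that sorts like A (as the wheezy backport in this thread does)."""
    if "+really" in upstream:
        return upstream.rsplit("+really", 1)[1]
    return upstream


def is_affected(version: str) -> bool:
    """True when the package ships 2.4.40 code without the 2.4.40-4 fix."""
    _, upstream, revision = parse_version(version)
    if _verrevcmp(effective_upstream(upstream), AFFECTED_UPSTREAM) != 0:
        return False   # earlier releases are not affected; other releases are out of scope
    return _verrevcmp(revision, FIXED_REVISION) < 0


if __name__ == "__main__":
    for v in ("2.4.40-3", "2.4.40-4", "2.4.31+really2.4.40-3~bpo70+1",
              "2.4.40-4~bpo70+1",    # constructed: not a version named in the report
              "2.4.31-1+nmu2"):
        print(f"{v:35} affected={is_affected(v)}")
```

The point of the "+really" handling is visible in the demo: compare_versions ranks the backport below 2.4.40-3, so a check written as "is the version between 2.4.40-3 and 2.4.40-4" would have reported the vulnerable backport as safe, which is exactly the doubt Geoff raised.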

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Apr 2015 07:29:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:08:44 2019; Machine Name: buxtehude
