Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi,

We would like to fix two recently-discovered upstream bugs in openldap that allow an unauthenticated remote user to crash the LDAP server.

#776988, CVE-2015-1545: If the deref overlay is enabled (by default, it is not), the query "ldapsearch -E deref=member:" crashes slapd via a NULL pointer dereference.

#776991, CVE-2015-1546: The query "ldapsearch -E 'mv=(cn={*)(sn=*)'" crashes slapd via a double free (regression in 2.4.40).

The deref overlay is not widely used, but #776991 affects all slapd users.

May we upload with these changes?

thanks for considering,
Ryan

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -u openldap-2.4.40/debian/changelog openldap-2.4.40/debian/changelog --- openldap-2.4.40/debian/changelog +++ openldap-2.4.40/debian/changelog @@ -1,3 +1,14 @@ +openldap (2.4.40-4) unstable; urgency=medium + + * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream + patch to fix a crash when a search includes the Deref control with an + empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988) + * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream + patch to fix a double free triggered by certain search queries using the + Matched Values control. (ITS#8046) (CVE-2015-1546, Closes: #776991) + + -- Ryan Tandy <r...@nardis.ca> Sun, 08 Feb 2015 20:19:11 +0000 + openldap (2.4.40-3) unstable; urgency=medium * Remove trailing spaces from slapd.templates. diff -u openldap-2.4.40/debian/patches/series openldap-2.4.40/debian/patches/series --- openldap-2.4.40/debian/patches/series +++ openldap-2.4.40/debian/patches/series 
@@ -23,0 +24,2 @@ +ITS8027-deref-reject-empty-attr-list.patch +ITS8046-fix-vrFilter_free-crash.patch only in patch2: unchanged: --- openldap-2.4.40.orig/debian/patches/ITS8027-deref-reject-empty-attr-list.patch +++ openldap-2.4.40/debian/patches/ITS8027-deref-reject-empty-attr-list.patch @@ -0,0 +1,20 @@ +commit c32e74763f77675b9e144126e375977ed6dc562c +Author: Howard Chu <h...@openldap.org> +Date: Mon Jan 19 22:25:53 2015 +0000 + + ITS#8027 require non-empty AttributeList + +diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c +index 9420e3e..05aa890 100644 +--- a/servers/slapd/overlays/deref.c ++++ b/servers/slapd/overlays/deref.c +@@ -183,7 +183,8 @@ deref_parseCtrl ( + ber_len_t cnt = sizeof(struct berval); + ber_len_t off = 0; + +- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR ) ++ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR ++ || !cnt ) + { + rs->sr_text = "Dereference control: derefSpec decoding error"; + rs->sr_err = LDAP_PROTOCOL_ERROR; only in patch2: unchanged: --- openldap-2.4.40.orig/debian/patches/ITS8046-fix-vrFilter_free-crash.patch +++ openldap-2.4.40/debian/patches/ITS8046-fix-vrFilter_free-crash.patch 
@@ -0,0 +1,28 @@ +commit 2f1a2dd329b91afe561cd06b872d09630d4edb6a +Author: Howard Chu <h...@openldap.org> +Date: Wed Feb 4 02:03:55 2015 +0000 + + ITS#8046 fix vrFilter_free + +diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c +index b859f73..22c81c8 100644 +--- a/servers/slapd/filter.c ++++ b/servers/slapd/filter.c +@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber, + void + vrFilter_free( Operation *op, ValuesReturnFilter *vrf ) + { +- ValuesReturnFilter *p, *next; ++ ValuesReturnFilter *next; + +- if ( vrf == NULL ) { +- return; +- } +- +- for ( p = vrf; p != NULL; p = next ) { +- next = p->vrf_next; ++ for ( ; vrf != NULL; vrf = next ) { ++ next = vrf->vrf_next; + + switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) { + case LDAP_FILTER_PRESENT:
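
Review bot: urgency=medium on the new 2.4.40-4 entry in debian/changelog looks low for an upload whose two items both carry CVE ids and, per the request text, let an unauthenticated remote user crash slapd. If the intent is for the fix to reach testing quickly, consider urgency=high, or say in the request why medium is enough.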
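
Review bot: the added `|| !cnt` test in the deref_parseCtrl hunk (servers/slapd/overlays/deref.c, inside ITS8027-deref-reject-empty-attr-list.patch) reuses the "Dereference control: derefSpec decoding error" text, so an empty attribute list cannot be told apart from a malformed encoding in the result returned to the client or in the logs. A separate branch with its own sr_text would make the rejection easier to diagnose. A one-line comment would also help here: cnt is initialised to sizeof(struct berval) just above, so the zero test is only meaningful if ber_scanf rewrites it to the number of decoded attributes, and the hunk does not say so.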
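
Review bot: the commit message in ITS8046-fix-vrFilter_free-crash.patch ("fix vrFilter_free") does not say what was wrong, and the vrFilter_free hunk in servers/slapd/filter.c only makes it clear on a close read: the removed loop advanced p, while the unchanged `switch ( vrf->vrf_choice & SLAPD_FILTER_MASK )` line examined vrf, so each pass looked at the head node instead of the current one. A sentence to that effect in the patch header would help whoever next touches this function. Since the declaration of p is removed and the hunk stops at the switch, also confirm that nothing further down the loop body still refers to p.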