Package: slapd
Version: 2.4.21-1
Severity: important
Tags: security
Control: fixed -1 2.4.48+dfsg-1
Control: forwarded -1 https://openldap.org/its/?findid=8964

This is already fixed in unstable, but filing this for tracking anyway as I think it warrants fixing in stable as well.

If rwm modifies the search filter and the resulting filter is invalid, slapd crashes while cleaning up the operation. I believe it ends up freeing the same pointer twice (where the happy path frees two different ones).

Depending on the rwm configuration, users (possibly even anonymous/unprivileged ones) with access to search the directory in a way that causes the search filter to be rewritten can crash slapd remotely.

Fixed in master by d40b357, in RE24 by 0f7ec3a.

Also reported in Ubuntu: https://bugs.launchpad.net/bugs/1838370