openldap-bugs

openldap-bugs@openldap.org

1 participants
20967 discussions

Re: (ITS#8574) bconfig support for DNs that need escaping
by okuznik＠symas.com 22 Feb '17

22 Feb '17

On Wed, Feb 22, 2017 at 06:34:18PM +0000, Ond=C5=99ej Kuzn=C3=ADk wrote: > On Wed, Feb 22, 2017 at 05:42:39PM +0000, Howard Chu wrote: >> okuznik(a)symas.com wrote: >>> When an rdn under cn=3Dconfig needs escaping, incorrect value gets pa= ssed to the >>> attribute and, if the attribute is single-value, the entry is rejecte= d by >>> entry_naming_check(). >>>=20 >>> Patch against master is attached. >>=20 >> Why are you running the normalizer in a for-loop: >>=20 >> + for ( cnt =3D 0; rDN[cnt]; cnt++ ) { >>=20 >> but always setting value #0? >>=20 >> + free( a->a_vals[0].bv_val ); >> + ber_dupbv( &a->a_vals[0], &ava->la_value ); >>=20 >> If the RDN is actually a compound with multiple AVAs you need to conca= tenate >> them into a single value. Otherwise, if you don't intend to support co= mpound >> RDNs, there's no point in using a for-loop. Just return an error if th= ere's >> more than one AVA. >=20 > While X-ORDERED 'SIBLINGS' are required to the single-valued in the > draft and back-config doesn't actually use multi-valued rDNs, it might > break if the latter ever changes. An updated fix is here: >=20 > ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170222-Deal-with-rDN-co= rrectly.patch >=20 > This will still pick the value if the rDN is multi-valued, this time > regardless of the attribute's position in the rDN. As pointed out by Howard, the patch was not against master (although my git doesn't complain anyway). The following patch is and also tests that the attribute we were asked to update is actually present in the rDN provided: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170222b-Deal-with-rDN-cor= rectly.patch

1 0

Re: (ITS#8574) bconfig support for DNs that need escaping
by okuznik＠symas.com 22 Feb '17

22 Feb '17

On Wed, Feb 22, 2017 at 05:42:39PM +0000, Howard Chu wrote: > okuznik(a)symas.com wrote: >> When an rdn under cn=config needs escaping, incorrect value gets passed to the >> attribute and, if the attribute is single-value, the entry is rejected by >> entry_naming_check(). >> >> Patch against master is attached. > > Why are you running the normalizer in a for-loop: > > + for ( cnt = 0; rDN[cnt]; cnt++ ) { > > but always setting value #0? > > + free( a->a_vals[0].bv_val ); > + ber_dupbv( &a->a_vals[0], &ava->la_value ); > > If the RDN is actually a compound with multiple AVAs you need to concatenate > them into a single value. Otherwise, if you don't intend to support compound > RDNs, there's no point in using a for-loop. Just return an error if there's > more than one AVA. While X-ORDERED 'SIBLINGS' are required to the single-valued in the draft and back-config doesn't actually use multi-valued rDNs, it might break if the latter ever changes. An updated fix is here: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170222-Deal-with-rDN-correc… This will still pick the value if the rDN is multi-valued, this time regardless of the attribute's position in the rDN. Ondrej

1 0

Re: (ITS#8485) [PATCH] Adding support for encrypted server private keys
by hyc＠symas.com 22 Feb '17

22 Feb '17

ahnolds(a)gmail.com wrote: > Full_Name: Alec Cooper > Version: HEAD of master branch > OS: Ubuntu Linux 16.04 > URL: ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch > Submission from: (NULL) (73.134.243.211) > > > Adding support for encrypted server private keys. Thank you for your submission. I must compliment you on providing such a comprehensive and well-written contribution. Unfortunately the feature itself is clearly not useful. Perhaps you should have raised this topic on the openldap-devel list for discussion before spending your time writing it. All your feature does is embed the encryption key in the filesystem, so an encrypted private key is still no more secure than an unencrypted one. It still just depends on setting proper file access permissions, and the current documentation already makes that point. Indeed, all it does is give the false illusion of enhancing security, and followups like balmerpeak92(a)gmail.com's shows that people will easily fall for such illusions. I regret having to reject such a well written contribution, but we cannot in good conscience accept a security feature that doesn't actually improve security. > > The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and tls_o.c to > send a password to the underlying TLS library. > > Changes to ldap.h, init.c and ldap-int.h expose the new > LDAP_OPT_X_TLS_KEYPASSWORD in the main API. > > Changes in the contrib/ldapc++ directory expose the corresponding > TlsOptions::KEYPASSWORD option in the C++ API. > > Changes in the servers directory expose equivalent options for servers as > configuration file entries or environment variables. > > Changes in the doc directory add documentation about the new options and remove > statements that indicated that encrypted keyfiles are not supported. > > New files in the test directory are for testing TLS connections, both in general > and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM > formatted certs and keys, and for MozNSS using cert/key databases. The new unit > test (test065-tls) has been written to detect when using NSS, and use the > cert/key databases in this case. I have been unable to get a working version of > libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles - > testing for this case would be welcome! > > Notice of origin: The attached patch file is derived from OpenLDAP Software. All > of the modifications to OpenLDAP Software represented in the following patch > were developed by Alec Cooper ahnolds(a)gmail.com. I have not assigned rights > and/or interest in this work to any party. > Rights statement: I, Alec Cooper, hereby place the following modifications to > OpenLDAP Software (and only these modifications) into the public domain. Hence, > these modifications may be freely used and/or redistributed for any purpose with > or without attribution and/or other notice. > > The patch has been uploaded to the OpenLDAP FTP server and can be found at > ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8574) bconfig support for DNs that need escaping
by hyc＠symas.com 22 Feb '17

22 Feb '17

okuznik(a)symas.com wrote: > Full_Name: Ondrej Kuznik > Version: master > OS: > URL: ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170125-Deal-with-rDN-correc… > Submission from: (NULL) (151.228.185.198) > > > When an rdn under cn=config needs escaping, incorrect value gets passed to the > attribute and, if the attribute is single-value, the entry is rejected by > entry_naming_check(). > > Patch against master is attached. Why are you running the normalizer in a for-loop: + for ( cnt = 0; rDN[cnt]; cnt++ ) { but always setting value #0? + free( a->a_vals[0].bv_val ); + ber_dupbv( &a->a_vals[0], &ava->la_value ); If the RDN is actually a compound with multiple AVAs you need to concatenate them into a single value. Otherwise, if you don't intend to support compound RDNs, there's no point in using a for-loop. Just return an error if there's more than one AVA. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8592) Double free in sssvlv.c
by kevinanties＠gmail.com 21 Feb '17

21 Feb '17

--f403045e36642e33f305491978d4 Content-Type: text/plain; charset=UTF-8 Sorry for that. ftp://ftp.openldap.org/incoming/kevin-170221-sssvlv.patch The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by YW. YW has not assigned rights and/or interest in this work to any party. I, Kevin, am authorized by YW, my employer, to release this work under the following terms. YW hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. On Wed, Feb 22, 2017 at 12:09 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Tuesday, February 21, 2017 4:20 AM +0000 kevinanties(a)gmail.com wrote: > > --f403045e3462d25e8f054902b3a3 >> Content-Type: text/plain; charset=UTF-8 >> >> I have submitted to ftp/incoming. The filename is >> kevin-170221-sssvlv.patch. >> > > Please carefully read the contribution web page. Your submission is > clearly missing the IPR notice: > > <http://www.openldap.org/devel/contributing.html#notice> > > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > --f403045e36642e33f305491978d4 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Sorry for that.<br><br><pre><a rel=3D"nofollow" href=3D"ft= p://ftp.openldap.org/incoming/kevin-170221-sssvlv.patch">ftp://ftp.openldap= .org/incoming/kevin-170221-sssvlv.patch</a></pre><br><font face=3D"Arial,Ve= rdana,Helvetica">The attached file is derived from OpenLDAP Software. All o= f the modifications to OpenLDAP Software represented in the following patch= (es) were developed by YW. YW has not assigned rights and/or interest in th= is work to any party. I, Kevin, am authorized by YW, my employer, to releas= e this work under the following terms. <br></font><font face=3D"Arial,Verda= na,Helvetica"><br>YW hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice. </font><br><br><br></div><div class=3D"gmail_extra"><br><div class=3D"gmail= _quote">On Wed, Feb 22, 2017 at 12:09 AM, Quanah Gibson-Mount <span dir=3D"= ltr"><<a href=3D"mailto:quanah@symas.com" target=3D"_blank">quanah@symas= .com</a>></span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"ma= rgin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">--On Tuesday, = February 21, 2017 4:20 AM +0000 <a href=3D"mailto:kevinanties@gmail.com" ta= rget=3D"_blank">kevinanties(a)gmail.com</a> wrote:<br> <br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> --f403045e3462d25e8f054902b3a3<br> Content-Type: text/plain; charset=3DUTF-8<span class=3D""><br> <br> I have submitted to ftp/incoming. The filename is<br> kevin-170221-sssvlv.patch.<br> </span></blockquote> <br> Please carefully read the contribution web page.=C2=A0 Your submission is c= learly missing the IPR notice:<br> <br> <<a href=3D"http://www.openldap.org/devel/contributing.html#notice" rel= =3D"noreferrer" target=3D"_blank">http://www.openldap.org/devel<wbr>/contri= buting.html#notice</a>><div class=3D"HOEnZb"><div class=3D"h5"><br> <br> Regards,<br> Quanah<br> <br> --<br> <br> Quanah Gibson-Mount<br> Product Architect<br> Symas Corporation<br> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br> <<a href=3D"http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">h= ttp://www.symas.com</a>><br> <br> </div></div></blockquote></div><br></div> --f403045e36642e33f305491978d4--

1 0

Re: (ITS#8592) Double free in sssvlv.c
by quanah＠symas.com 21 Feb '17

21 Feb '17

--On Tuesday, February 21, 2017 4:20 AM +0000 kevinanties(a)gmail.com wrote: > --f403045e3462d25e8f054902b3a3 > Content-Type: text/plain; charset=UTF-8 > > I have submitted to ftp/incoming. The filename is > kevin-170221-sssvlv.patch. Please carefully read the contribution web page. Your submission is clearly missing the IPR notice: <http://www.openldap.org/devel/contributing.html#notice> Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8592) Double free in sssvlv.c
by kevinanties＠gmail.com 20 Feb '17

20 Feb '17

--f403045e3462d25e8f054902b3a3 Content-Type: text/plain; charset=UTF-8 I have submitted to ftp/incoming. The filename is kevin-170221-sssvlv.patch. On Tue, Feb 21, 2017 at 12:25 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Monday, February 20, 2017 7:45 AM +0000 kevinanties(a)gmail.com wrote: > > > I have fixed this problem by adding one boolean flag to sort_op struct to >> indicate whether this is occupied or not . >> >> What is the best way to submit my patch? >> > > Hi Kevin, > > Submission requiresments are documented at <http://www.openldap.org/devel > /contributing.html> > > Regards, > > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > --f403045e3462d25e8f054902b3a3 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">I have submitted to ftp/incoming. The filename is kevin-17= 0221-sssvlv.patch.=C2=A0 <br></div><div class=3D"gmail_extra"><br><div clas= s=3D"gmail_quote">On Tue, Feb 21, 2017 at 12:25 AM, Quanah Gibson-Mount <sp= an dir=3D"ltr"><<a href=3D"mailto:quanah@symas.com" target=3D"_blank">qu= anah(a)symas.com</a>></span> wrote:<br><blockquote class=3D"gmail_quote" s= tyle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><spa= n class=3D"">--On Monday, February 20, 2017 7:45 AM +0000 <a href=3D"mailto= :kevinanties@gmail.com" target=3D"_blank">kevinanties(a)gmail.com</a> wrote:<= br> <br> <br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> I have fixed this problem by adding one boolean flag to sort_op struct to<b= r> indicate whether this is occupied or not .<br> <br> What is the best way to submit my patch?<br> </blockquote> <br></span> Hi Kevin,<br> <br> Submission requiresments are documented at <<a href=3D"http://www.openld= ap.org/devel/contributing.html" rel=3D"noreferrer" target=3D"_blank">http:/= /www.openldap.org/devel<wbr>/contributing.html</a>><br> <br> Regards,<div class=3D"HOEnZb"><div class=3D"h5"><br> Quanah<br> <br> --<br> <br> Quanah Gibson-Mount<br> Product Architect<br> Symas Corporation<br> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br> <<a href=3D"http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">h= ttp://www.symas.com</a>><br> <br> </div></div></blockquote></div><br></div> --f403045e3462d25e8f054902b3a3--

1 0

Re: (ITS#8592) Double free in sssvlv.c
by quanah＠symas.com 20 Feb '17

20 Feb '17

--On Monday, February 20, 2017 7:45 AM +0000 kevinanties(a)gmail.com wrote: > I have fixed this problem by adding one boolean flag to sort_op struct to > indicate whether this is occupied or not . > > What is the best way to submit my patch? Hi Kevin, Submission requiresments are documented at <http://www.openldap.org/devel/contributing.html> Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

(ITS#8603) [PATCH] adds ldif_open_mem()
by brett＠gladserv.com 20 Feb '17

20 Feb '17

Full_Name: Brett Sheffield Version: master OS: Gentoo GNU/Linux URL: http://www.brettsheffield.com/patches/openldap/brett-sheffield-170220-ldif_… Submission from: (NULL) (2001:470:6e0d:0:96de:80ff:fe2d:3aa9) Patch[0] to add ldif_open_mem() function to ldif API. ldif_open_mem() is the fmemopen(3) equivalent of ldif_open() which opens an ldif steam from memory, rather than from a file. I originally added a similar function to my project libgladdb in 2014[1], but it really belongs in openldap itself as it is generally useful. The attached modifications to OpenLDAP Software are subject to the following notice: Copyright 2014, 2017 Brett Sheffield Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License. [0] http://www.brettsheffield.com/patches/openldap/brett-sheffield-170220-ldif_… [1] https://github.com/brettsheffield/gladdb/blob/master/src/ldif.c

1 0

Re: (ITS#8592) Double free in sssvlv.c
by kevinanties＠gmail.com 19 Feb '17

19 Feb '17

--f403045d9e2209c2250548f17338 Content-Type: text/plain; charset=UTF-8 I have found the cause of the problem. This bug is hard to reproduce unless we make some change to the source codes. (e.g put sleep(1) to send_result function of sssvlv.c) illustrate steps: 1. A client sends two requests with "server side sort" control flag to search some entries. 2. The server dispatches two threads (A and B) to handle. 3. Thread A allocate the "so" struct and puts the "so" pointer to the static array, sort_conns. 4. Thread A can not find any entry. free_sort_op is going to call at the end of send_result function. 5. At the same time, before free_sort_op is called, Thread B acquires the "so" pointer in sssvlv_op_search. It is because the ps_cookie is always zero for new initialized "so" . 6. free_sort_op is called at Thread A. 7. For thread B, due to op->o_conn->c_pagedresults_state.ps_cookie != ps->ps_cookie, ok become 0. 8. free_sort_op is called at Thread B. Double free error occurs. Server dead. This bug will cause all slpad server to dead if the sssvlv overlay is enabled. I have fixed this problem by adding one boolean flag to sort_op struct to indicate whether this is occupied or not . What is the best way to submit my patch? On Sat, Feb 18, 2017 at 2:02 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Thursday, February 16, 2017 5:06 AM +0000 kevinanties(a)gmail.com > wrote: > > Full_Name: Kevin >> Version: 2.40 >> OS: Debian 7 >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (218.188.214.98) >> > > Please do not file new ITSes for existing issue. Please follow up to the > original ITS with your additional information. > > Thanks. > > --Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > --f403045d9e2209c2250548f17338 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div><br></div><div>I have found the cause of the problem.= This bug is hard to reproduce unless we make some change to the source cod= es. (e.g=C2=A0 put sleep(1) to send_result function of sssvlv.c)<br><br>ill= ustrate steps:<br></div><div><br></div><div>1. A client sends two requests = with "server side sort" control flag to search some entries. <br>= <br></div><div>2. The server dispatches two threads (A and B) to handle.<br= ><br></div><div>3. Thread A allocate the "so" struct and puts the= "so" pointer to the static array, sort_conns.<br></div><div><br>= </div><div>4. Thread A can not find any entry.=C2=A0 <span class=3D"gmail-p= l-en">free_sort_op is going to call at the end of send_result function.<br>= <br></span></div><div><span class=3D"gmail-pl-en">5. At the same time, befo= re </span><span class=3D"gmail-pl-en">free_sort_op is called, Thread B acqu= ires the "so" pointer in sssvlv_op_search. It is because the ps_c= ookie is always zero for new initialized "so" .<br></span></div><= div><br></div><div>6. <span class=3D"gmail-pl-en">free_sort_op is called a= t </span>Thread A.<br><br></div><div>7. For thread B, due to op->o_conn-= >c_pagedresults_state.<span class=3D"gmail-pl-smi">ps_cookie !=3D ps-&gt= ;ps_cookie, ok become 0.<br><br>8. </span><span class=3D"gmail-pl-en">free_= sort_op is called at </span>Thread B. Double free error occurs. Server dead= .<br><br></div><div>This bug will cause all slpad server to dead if the sss= vlv overlay is enabled.<br><br></div><div>I have fixed this problem by addi= ng one boolean flag to sort_op struct to indicate whether this is occupied = or not . <br><br>What is the best way to submit my patch?<br></div><div><br= ></div><div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Sa= t, Feb 18, 2017 at 2:02 AM, Quanah Gibson-Mount <span dir=3D"ltr"><<a hr= ef=3D"mailto:quanah@symas.com" target=3D"_blank">quanah(a)symas.com</a>></= span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0= px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">--On Thur= sday, February 16, 2017 5:06 AM +0000 <a href=3D"mailto:kevinanties@gmail.c= om" target=3D"_blank">kevinanties(a)gmail.com</a> wrote:<br> <br> <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= left:1px solid rgb(204,204,204);padding-left:1ex"> Full_Name: Kevin<br> Version: 2.40<br> OS: Debian 7<br> URL: <a href=3D"ftp://ftp.openldap.org/incoming/" rel=3D"noreferrer" target= =3D"_blank">ftp://ftp.openldap.org/incomin<wbr>g/</a><br> Submission from: (NULL) (218.188.214.98)<br> </blockquote> <br> Please do not file new ITSes for existing issue.=C2=A0 Please follow up to = the original ITS with your additional information.<br> <br> Thanks.<br> <br> --Quanah<br> <br> <br> --<br> <br> Quanah Gibson-Mount<br> Product Architect<br> Symas Corporation<br> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br> <<a href=3D"http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">h= ttp://www.symas.com</a>><br> <br> </blockquote></div><br></div></div></div> --f403045d9e2209c2250548f17338--

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs