Bug#: 134010
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Dax <gentoomail@gmail.com>

Attachments:
openldap-2.3.24.ebuild.patch (patch, 5.21 KB): openldap-2.3.24.ebuild.patch with new stuff removed. Created by Tuan Van (RETIRED), 2006-06-02 11:25 0000.

Description:   Opened: 2006-05-22 02:16 0000
Hi All,

Date:           19 May 2006
SecWatch ID:            1014107
Vendor URL:             http://www.openldap.org/
Original Advisory:
http://www.openldap.org/software/release/changes.html
http://www.openldap...tic=1sortbydate=0f=h

Description:
A weakness with unknown impact has been reported in OpenLDAP.

The weakness is caused by a boundary error in slurpd within the handling of
the status file. This can be exploited to cause a stack-based buffer overflow
via an overly long hostname read from the status file.


Affected:
OpenLDAP version 2.3.21. Prior versions may also be affected.


Solution:
The vulnerability has been fixed in version 2.3.22 or later, available:
http://www.openldap.org/software/download/


Credits:
Reported by vendor.

rgds
Daxomatic
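
The bug class the advisory describes, a fixed-size stack buffer filled from a status-file hostname with no length check, is easier to see in code. The following is an added illustration, not OpenLDAP's slurpd source and not the upstream fix: the "host port seq time" line format, the HOST_MAX buffer size and the sample lines are all assumptions made for this example.

```c
/* Added example: the bug class described in the advisory (fixed-size stack
 * buffer filled from a status-file hostname without a length check) next to
 * a bounded parser. This is NOT OpenLDAP's slurpd code. The line format
 * "host port seq time" and HOST_MAX are assumptions made for the illustration. */
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* assumed fixed buffer size; the real one is not on the page */

struct replica_status {
    char host[HOST_MAX];
    int  port;
    long seq;
    long when;
};

/* Vulnerable pattern: "%s" has no width limit, so a hostname longer than
 * HOST_MAX-1 bytes runs past st->host. When st lives on the caller's stack,
 * that is a stack-based overflow of the kind the advisory describes. Do not
 * call this with untrusted input; it is here only to show the defect. */
int status_parse_unsafe(const char *line, struct replica_status *st)
{
    int n = sscanf(line, "%s %d %ld %ld", st->host, &st->port, &st->seq, &st->when);
    return n == 4 ? 0 : -1;
}

/* Hardened version: measure the hostname field first and refuse the line
 * outright if it cannot fit. Refusing (rather than silently truncating with
 * "%63s") is the safer choice: a truncated hostname would make the daemon
 * contact a different host than the one recorded. */
int status_parse_safe(const char *line, struct replica_status *st)
{
    size_t hostlen = strcspn(line, " \t");          /* length of the first field */
    if (hostlen == 0 || hostlen >= HOST_MAX)
        return -1;                                  /* empty or too long: reject */
    memcpy(st->host, line, hostlen);
    st->host[hostlen] = '\0';

    if (sscanf(line + hostlen, " %d %ld %ld", &st->port, &st->seq, &st->when) != 3)
        return -1;                                  /* malformed remainder */
    if (st->port < 1 || st->port > 65535)
        return -1;                                  /* out-of-range port */
    return 0;
}

/* Constructed sample line (not taken from any real status file). */
static const char SAMPLE_GOOD[] = "ldap-replica.example.net 389 1234 1148000000";

/* Returns 1 if the well-formed line parses and every field is recovered. */
int demo_good_line(void)
{
    struct replica_status st;
    if (status_parse_safe(SAMPLE_GOOD, &st) != 0)
        return 0;
    return strcmp(st.host, "ldap-replica.example.net") == 0
        && st.port == 389 && st.seq == 1234 && st.when == 1148000000L;
}

/* Returns 1 if a 300-byte hostname is rejected instead of overflowing. */
int demo_long_host_rejected(void)
{
    char line[512];
    struct replica_status st;
    memset(line, 'A', 300);                         /* hostname far longer than HOST_MAX */
    line[300] = '\0';
    strcat(line, " 389 1 2");
    return status_parse_safe(line, &st) == -1;
}

/* Returns 1 if a line with a missing field is rejected. */
int demo_truncated_line_rejected(void)
{
    struct replica_status st;
    return status_parse_safe("ldap-replica.example.net 389", &st) == -1;
}

int main(void)
{
    printf("good line: %s\n", demo_good_line() ? "parsed" : "rejected");
    printf("300-byte hostname: %s\n", demo_long_host_rejected() ? "rejected" : "accepted");
    printf("missing fields: %s\n", demo_truncated_line_rejected() ? "rejected" : "accepted");
    return 0;
}
```

The point of the bounded parser is that the length check happens before any byte is copied into the stack buffer, and that an overlong record is treated as corruption and refused rather than quietly shortened.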

------- Comment #1 From Andrea Barisani (RETIRED) 2006-05-23 02:04:38 0000 -------
Seems very obscure to me and I don't think (not fully checked though) you can
inject arbitrary hostnames in the slurpd status file, so it's dependent on DNS and
your configuration.

So it looks far from being critical to me.

------- Comment #2 From Dax 2006-05-23 04:41:07 0000 -------
Hi Lcars
Is the new version ready to be unmasked? If so, could you unmask it for stable?

rgds
Daxomatic

------- Comment #3 From Markus Ullmann 2006-05-23 15:30:15 0000 -------
The new version has an issue with new-style config directory, mentioned in bug
#133898 which upstream already knows about

So really non-easy decision here...

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-05-23 15:50:08 0000 -------
http://tinyurl.com/s34lu

This seems to be the patch - could somebody do a revbump of the old-config
style version with this?

------- Comment #5 From Thierry Carrez (RETIRED) 2006-05-30 11:26:38 0000 -------
ldap team, please bump with provided patch or comment

------- Comment #6 From Markus Ullmann 2006-05-30 14:06:13 0000 -------
As .24 was released some hours ago, I bumped right now

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-06-01 09:39:51 0000 -------
Arches please test and mark stable and sorry for the delay.

------- Comment #8 From Thomas Cort (RETIRED) 2006-06-01 11:32:50 0000 -------
(In reply to comment #7)
> Arches please test and mark stable and sorry for the delay.

What version are we supposed to stable? Seems like the unaffected versions are
still masked.

# Markus Ullmann <jokey@gentoo.org (21 May 2006)
# OpenLDAP serious config problem, see bug #133898
>=net-nds/openldap-2.3.23

------- Comment #9 From Markus Ullmann 2006-06-01 12:21:07 0000 -------
Readjusted the package mask so that all versions below 2.3.24 are masked.
2.3.24 is the candidate for stable

------- Comment #10 From Thomas Cort (RETIRED) 2006-06-01 13:50:13 0000 -------
alpha done.

------- Comment #11 From Markus Ullmann 2006-06-01 14:06:20 0000 -------
*** Bug 130975 has been marked as a duplicate of this bug. ***

------- Comment #12 From Jason Wever (RETIRED) 2006-06-01 16:30:16 0000 -------
If mit-krb5 is used to satisfy the virtual/kerberos use flag dependency for
kerberos, openldap will fail to build as mit-krb5 does not provide both
kadm5/admin.h or hdb.h headers.

------- Comment #13 From Jakub Moc (RETIRED) 2006-06-01 17:42:20 0000 -------
(In reply to comment #9)
> Readjusted the package mask so that all versions below 2.3.24 are masked.
> 2.3.24 is the candidate for stable

# masking older versions due to security bug #134010 and bug #133898
<net-nds/openldap-2.3.24

Well uh... you've killed all stable openldap, not exactly a good thing,
considering that noone besides alpha keyworded the fixed version.

------- Comment #14 From Jakub Moc (RETIRED) 2006-06-01 17:43:09 0000 -------
*** Bug 135216 has been marked as a duplicate of this bug. ***

------- Comment #15 From solar 2006-06-01 17:55:44 0000 -------
(In reply to comment #9)
> Readjusted the package mask so that all versions below 2.3.24 are masked.
> 2.3.24 is the candidate for stable

Jokey,
Please never ever do that again. You started to cause a world of pain for a lot
of people. We first have the arches test and decide if it can be marked stable.
Then p.masking if needed.

Carlo,
Thanks for reverting that but please next time find the bug which caused 
the breakage and comment on it.

------- Comment #16 From Tobias Scherbaum 2006-06-01 21:59:00 0000 -------
ppc stable

------- Comment #17 From Markus Rothe 2006-06-02 05:55:47 0000 -------
stable on ppc64

------- Comment #18 From Wes 2006-06-02 09:58:57 0000 -------
(In reply to comment #12)
> If mit-krb5 is used to satisfy the virtual/kerberos use flag dependency for
> kerberos, openldap will fail to build as mit-krb5 does not provide both
> kadm5/admin.h or hdb.h headers.
> 

Will/Can it be made to work with mit-krb5 or do I have to switch to heimdal?

------- Comment #19 From Tuan Van (RETIRED) 2006-06-02 10:38:19 0000 -------
A diff between the last ebuild with the most arch keywords (openldap-2.2.28-r3)
and this one shows that there are a lot more modules in contrib/ coming
with openldap-2.3.24.ebuild. IMHO, it's a bad practice to introduce new
"features" in an ebuild that requires a security stable keyword, which causes problems
as seen with the smbk5pwd module.

------- Comment #20 From Tuan Van (RETIRED) 2006-06-02 11:25:38 0000 -------
Created an attachment (id=88202) [details]
openldap-2.3.24.ebuild.patch with new stuff removed.

dsaschema, smbk5pwd, addrdnvalues are new stuff added in 2.3.24. I propose we
remove them for now.

~/cvs/gentoo-x86/net-nds/openldap $ grep -l dsaschema *.ebuild
openldap-2.3.24.ebuild
~/cvs/gentoo-x86/net-nds/openldap $ grep -l smbk5pwd *.ebuild
openldap-2.3.24.ebuild
~/cvs/gentoo-x86/net-nds/openldap $ grep -l addrdnvalues *.ebuild
openldap-2.3.24.ebuild

------- Comment #21 From Markus Ullmann 2006-06-02 11:48:31 0000 -------
Okay, a short "what went wrong here" story to clarify things a bit.

First let me say sorry for the wrong package mask. I just had 2.3 branch in
mind when setting that mask.

Then in 2.3.21-r1 I started testing the contrib overlays as described in bug
#116045 but I decided to let it not hit the tree as I didn't have enough time
to test.
After 2.3.23 was out I prepared things to go live as in the meantime I was fine
with it. Then the slurpd bug came in and I just thought "okay, not that many
changes (some overlays), so let it go."

Afterwards at least I do know better now.

Right now I'm preparing a 2.3.24-r1 ebuild without all the extra overlays that can
go stable then (already talked to arches who stabled already to make sure they
help here), and the new overlays (with what I learned from now) will go into an
-r3 then which should be at best ~ keyworded or just stay hardmasked for
further development.

All in all not the best one would expect, I admit that, but now I'll try to make the best
out of it and get this crap sorted.

------- Comment #22 From Markus Ullmann 2006-06-02 17:32:12 0000 -------
Okay, candidate for stable is now 2.3.24-r1

------- Comment #23 From Pieter Van den Abeele 2006-06-02 23:48:38 0000 -------
-r1 works fine here on ppc with mit-krb5, but r2 still fails. 

------- Comment #24 From René Nussbaumer 2006-06-04 04:12:08 0000 -------
Stable on hppa

------- Comment #25 From Thomas Cort (RETIRED) 2006-06-04 18:07:01 0000 -------
amd64 stable.

------- Comment #26 From Jason Wever (RETIRED) 2006-06-05 16:36:13 0000 -------
SPARC stable

------- Comment #27 From Joshua Jackson 2006-06-11 13:17:40 0000 -------
x86 done, sorry about the delay.

------- Comment #28 From Markus Rothe 2006-06-11 23:32:16 0000 -------
stable on ppc64

we are not CC'd...

------- Comment #29 From Sune Kloppenborg Jeppesen 2006-06-15 09:01:47 0000 -------
GLSA 200606-17

arm, ia64, mips and s390 don't forget to mark stable to benefit from the GLSA.

------- Comment #30 From Markus Ullmann 2006-06-15 17:33:26 0000 -------
Arm done

------- Comment #31 From Joshua Kinard 2006-09-04 22:12:18 0000 -------
2.3.24 stable on mips.
