Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
TITLE: OpenLDAP BIND Denial of Service Vulnerability SECUNIA ADVISORY ID: SA22750 VERIFY ADVISORY: http://secunia.com/advisories/22750/ CRITICAL: Moderately critical IMPACT: DoS WHERE: From remote SOFTWARE: OpenLDAP 2.2.x http://secunia.com/product/5319/ OpenLDAP 2.1.x http://secunia.com/product/1831/ DESCRIPTION: Evgeny Legerov has reported a vulnerability in OpenLDAP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing certain BIND requests. This can be exploited to cause a crash by sending specially crafted BIND requests to an OpenLDAP server. The vulnerability is reported in OpenLDAP version 2.2.29. Other versions may also be affected. SOLUTION: Restrict access to trusted people only. PROVIDED AND/OR DISCOVERED BY: Evgeny Legerov
*** Bug 154350 has been marked as a duplicate of this bug. ***
corresponding exploit: http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050563.html
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=4740 fix available in upstream cvs
ldap-bugs please advise.
[07:17] <robbat2> it's more that the patch that upstream put in for the 2.3 series totally doesn't apply to the old versions (of 2.3) Mandriva has released patches for 2.2 in corporate and 2.3 in 2006. Padawans could you locate them, robbat2 is very short on time and so am I?
Created an attachment (id=102447) [details] openldap-2.3.27-CVE-2006-5779.patch CVE-2006-5779 fix
Thx Eduardo.
Arches, please stabilize the following: required: openldap-2.3.27-r3 - target: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86 AT LEAST ONE of: openldap-2.2.28-r5 openldap-2.2.28-r6* - target: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 AT LEAST ONE of: openldap-2.1.30-r8 openldap-2.1.30-r9* - target: alpha amd64 hppa ppc ppc64 sparc x86 The *d versions contain features that had not seen stable in that major version previously, but do exist in newer major versions as stable, and have been in the tree for much longer than 30 days.
Thx Robbat.
Marked openldap-2.3.27-r3, openldap-2.2.28-r5, & openldap-2.1.30-r8 ppc64 stable. On the 2.2 and 2.1 series, the tests failed citing broken shared libraries on slapd. I checked and previous versions exhibited this behavior as well. When emerging without the tests, compilation seemed fine. Also, slapd started without error. Any ideas on the tests and do other archs see similar behavior?
net-nds/openldap-2.1.30-r8 USE="berkdb crypt gdbm ipv6 perl readline samba ssl tcpd -debug -odbc -sasl (-selinux) -slp" 1. emerges on x86, please note: /usr/portage/net-nds/openldap/openldap-2.1.30-r8.ebuild: line 103: cd: /var/tmp/portage/openldap-2.1.30-r8/work//var/tmp/portage/openldap-2.1.30-r8/work/openldap-2.1.30: No such file or directory and QA Notice: pre-stripped files found: /var/tmp/portage/openldap-2.1.30-r8/image/usr/lib/openldap/slapd /var/tmp/portage/openldap-2.1.30-r8/image/usr/lib/openldap/slurpd /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldapsearch /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldapmodify /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldapdelete /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldapmodrdn /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldappasswd /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldapwhoami /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldapcompare /var/tmp/portage/openldap-2.1.30-r8/image/usr/bin/ldapadd /var/tmp/portage/openldap-2.1.30-r8/image/usr/sbin/slapadd /var/tmp/portage/openldap-2.1.30-r8/image/usr/sbin/slapcat /var/tmp/portage/openldap-2.1.30-r8/image/usr/sbin/slapindex /var/tmp/portage/openldap-2.1.30-r8/image/usr/sbin/slappasswd 2. passes collision test 3. fails test suite: Waiting 5 seconds for slapd to start... ./scripts/test000-rootdse: line 57: kill: (15449) - No such process /var/tmp/portage/openldap-2.1.30-r8/work/openldap-2.1.30/clients/tools/.libs/lt-ldapsearch: error while loading shared libraries: libldap.so.2: cannot open shared object file: No such file or directory >>>>> Test failed 4. but seems to work, downgraded to this version and revdep-rebuild rebuilt the broken packages successfully Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.2 i686) ================================================================= System uname: 2.6.18.2 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.6 Last Sync: Tue, 21 Nov 2006 19:00:01 +0000 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
The older releases had some weird behavior with shared libraries that we couldn't fix (it took a lot of reworking for upstream to fix 2.3). If you want the tests to pass on 2.1/2.2, you can use this workaround: 1. emerge --unmerge openldap 2. FEATURES=-test emerge =openldap-2.1* 3. FEATURES=test emerge =openldap-2.1* All three stages are absolutely required if you want the tests to work. I fixed the ${WORKDIR}/${S} typo as well now, but it was merely cosmetic.
thanks for the tip to test the older versions, will do this next time. net-nds/openldap-2.3.27-r3 USE="berkdb crypt gdbm ipv6 perl readline samba ssl tcpd -debug -kerberos -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd" 1. emerges on x86, please note: QA Notice: pre-stripped files found: /var/tmp/portage/openldap-2.3.27-r3/image/usr/lib/liblber.so.2.0.130 /var/tmp/portage/openldap-2.3.27-r3/image/usr/lib/libldap.so.2.0.130 /var/tmp/portage/openldap-2.3.27-r3/image/usr/lib/libldap_r.so.2.0.130 2. passes collision test 3. passes test suite 4. revdep-rebuild again fixed my broken packages without problems. (I suppose this wouldn't be necessary when updating from a 2.3* version) emerge --info @ comment 11
(In reply to comment #8) > openldap-2.1.30-r8 Done on x86. Am now testing 2.2* which will take some time (because of revdep-rebuild), so if anyone of x86 projects wants to do 2.3*, feel free. Thanks Markus.
(In reply to comment #14) > (In reply to comment #8) > > openldap-2.1.30-r8 > > Done on x86. Am now testing 2.2* which will take some time (because of > revdep-rebuild), so if anyone of x86 projects wants to do 2.3*, feel free. > Thanks Markus. Ok, that was fast. openldap-2.2.28-r5 done on x86, testing 2.3 now. I leave for some hours and will do the last step later.
I tested openldap-2.3.27-r3, 2.2.28-r5 and 2.1.30-r8 on amd64, they're all emerging fine and passing their test suites (thanks for the tip in comment 12 for 2.2 and 2.1), so they're ready for prime time :) Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.6 Last Sync: Wed, 22 Nov 2006 05:00:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -msse3 -Os -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-march=k8 -msse3 -Os -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage_overlay" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
And x86 is gone
ppc stable
sparc stable.
Stable on Alpha + ia64.
ranger marked stable (comment #10). I have seen this failure in make tests, too. I don't think this will get resolved in those older branches. removing us from CC.
amd64 is fine
This one is ready for GLSA decision. I tend to vote YES.
YES.
Reverting to full YES. Let's have a GLSA.
HPPA done.
Finally on -announce GLSA 200611-25
epsilon ~ # glsa-check -f 200611-25 fixing 200611-25 >>> merging net-nds/openldap-2.3.27-r3 Calculating dependencies... done! >>> Emerging (1 of 1) net-nds/openldap-2.3.27-r3 to / * openldap-2.3.27.tgz MD5 ;-) ... [ ok ] * openldap-2.3.27.tgz RMD160 ;-) ... [ ok ] * openldap-2.3.27.tgz SHA1 ;-) ... [ ok ] * openldap-2.3.27.tgz SHA256 ;-) ... [ ok ] * openldap-2.3.27.tgz size ;-) ... [ ok ] * checking ebuild checksums ;-) ... [ ok ] * checking auxfile checksums ;-) ... [ ok ] * checking miscfile checksums ;-) ... [ ok ] * checking openldap-2.3.27.tgz ;-) ... [ ok ] * * Scanning datadir(s) from slapd.conf and * the default installdir for Versiontags * (/var/lib/openldap-data may appear twice) * * - Checking /var/lib/openldap-data... * Found Versiontag in /var/lib/openldap-data * Versiontag is fine here :) * * - Checking /var/lib/openldap-data... * Found Versiontag in /var/lib/openldap-data * Versiontag is fine here :) * * * All datadirs are fine, proceeding with merge now... * >>> Unpacking source... >>> Unpacking openldap-2.3.27.tgz to /var/tmp/portage/openldap-2.3.27-r3/work * Applying openldap-2.2.14-perlthreadsfix.patch ... [ ok ] * Applying openldap-2.2.6-ntlm.patch ... [ ok ] * Cannot find $EPATCH_SOURCE! Value for $EPATCH_SOURCE is: * * /usr/portage/net-nds/openldap/files/openldap-2.3.27-CVE-2006-5779.patch * ( openldap-2.3.27-CVE-2006-5779.patch ) !!! ERROR: net-nds/openldap-2.3.27-r3 failed. Call stack: ebuild.sh, line 1546: Called dyn_unpack ebuild.sh, line 708: Called src_unpack openldap-2.3.27-r3.ebuild, line 205: Called epatch '/usr/portage/net-nds/openldap/files/openldap-2.3.27-CVE-2006-5779.patch' eutils.eclass, line 198: Called die !!! Cannot find $EPATCH_SOURCE! !!! If you need support, post the topmost build error, and the call stack if relevant.
please rsync again and file a new bug if the problem is still here.
