Bug 323777 - <net-nds/openldap-2.4.23: null pointer dereference and one free based on uninitialized pointer (CVE-2010-{0211,0212})
Summary: <net-nds/openldap-2.4.23: null pointer dereference and one free based on unin...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.openldap.org/its/index.cgi...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-13 14:36 UTC by Matthias Geerdsen (RETIRED)
Modified: 2014-07-01 00:22 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 14:36:14 UTC
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

CC'ing robbat2 for ldap herd

Following information comes from CERT-FI:

This information is embargoed until OpenLDAP 2.4.23 is released. Please
check the availability of the release before publishing any of this
information. The release is currently in testing and should be out in a
couple of days. OpenLDAP tracks this issue as ITS#6570 and CERT-FI as
FICORA #383115. The issues are fixed in OpenLDAP CVS in 2.4 branch and
in HEAD.
[...]
= The Report

Two OpenLDAP preauth, out of box and stock config exploitable
vulnerabilities. One null pointer dereference and one free based on
uninitialized pointer, potentially leading to total compromise.

= Description of bug #1 (CVE-FIXME)
OpenLDAP crashes with segfault during the processing of a modrdn call
with maliciously formed destination rdn string. No authentication is
required to trigger this vulnerability.

= Description of bug #2 (CVE-FIXME)
OpenLDAP crashes at a null pointer dereference during the processing of
modrdn call with maliciously formed destination rdn string. No
authentication is required to trigger this vulnerability.


= Analysis #1
In the function modrdn.c:386:slap_modrdn2mods() a call is made to
448:*desc->ad_type->sat_equality->smr_normalize() without checking its
return value. In this case the call fails and leaves
mod_tmp->sml_nvalues uninitialized which leads to an invalid free()
later in modrdn.c:202:slap_mods_free(). The breakdown of smr_normalize()
is caused by invalid UTF-8 sequences, which are passed to the software
via hex-formatted strings. It could be possible to insert and execute
malicious code by careful manipulation of the program state prior to
triggering the vulnerability. At least with a vanilla compilation of
2.4.22 it proved possible to freely control the invalid pointer being
freed. For example, the following kind of log message is produced:
    *** glibc detected *** /usr/sbin/slapd: double free or corruption (out): 0x002ce400 ***

= Analysis #2
As with bug #1, the crash occurs during a call to smr_normalize, but in
this case the call points to IA5StringNormalize which crashes with a
null pointer dereference at schema_init.c:2696.

[...]
= Tested versions
OpenLDAP 2.4.22 (vanilla), 2.4.11-1+lenny1, 2.4.21-0ubuntu5

= Credits
The vulnerability was found by Ilkka Mattila and Tuomas Salomäki with
Codenomicon LDAPv3 test suite at the Codenomicon Crash Test Party.
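The hardened form of the pattern described in Analysis #1, as an added example that is not OpenLDAP's code: `normalize()` is a hypothetical, much simplified stand-in for smr_normalize() that fails on the two inputs the report names (a zero-length RDN and invalid UTF-8), and `build_mod()` initializes `sml_nvalues` and checks the return value so that `mods_free()` never frees an uninitialized pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Model of one modification entry: the raw value and its normalized form
 * (after OpenLDAP's sml_values / sml_nvalues fields). */
struct mod { char *sml_values; char *sml_nvalues; };

/* Hypothetical, much simplified stand-in for smr_normalize(): rejects a
 * zero-length RDN and malformed UTF-8 (the two inputs in the report).
 * Returns 0 with *out set to a heap copy of in, or -1 with *out == NULL. */
static int normalize(const char *in, char **out)
{
    size_t len = strlen(in), i, k, n = 0;
    *out = NULL;
    if (len == 0)
        return -1;
    for (i = 0; i < len; i += n) {
        unsigned char c = (unsigned char)in[i];
        n = c < 0x80 ? 1 : (c & 0xE0) == 0xC0 ? 2
          : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
        if (n == 0 || i + n > len)      /* bad lead byte or truncated sequence */
            return -1;
        for (k = 1; k < n; k++)         /* continuation bytes must be 10xxxxxx */
            if (((unsigned char)in[i + k] & 0xC0) != 0x80)
                return -1;
    }
    if ((*out = malloc(len + 1)) == NULL)
        return -1;
    memcpy(*out, in, len + 1);
    return 0;
}

/* Hardened pattern: both pointers are initialized before any call that can
 * fail, and the normalizer's return value is checked, so a failed
 * normalization never leaves sml_nvalues holding garbage for a later free(). */
int build_mod(const char *rdn_value, struct mod *m)
{
    size_t len = strlen(rdn_value);
    m->sml_values = m->sml_nvalues = NULL;
    if ((m->sml_values = malloc(len + 1)) == NULL)
        return -1;
    memcpy(m->sml_values, rdn_value, len + 1);
    return normalize(rdn_value, &m->sml_nvalues);
}

/* Safe after success or after a failed build_mod(): free(NULL) is a no-op. */
void mods_free(struct mod *m)
{
    free(m->sml_values);
    free(m->sml_nvalues);
    m->sml_values = m->sml_nvalues = NULL;
}
```

The second and third cases below are constructed inputs standing in for the malformed-UTF-8 and zero-length RDN strings from the report; in both, the failed build leaves `sml_nvalues` NULL and the cleanup runs without touching an invalid pointer.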
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 14:47:47 UTC
The patches seem to be marked with the ITS# in CVS if someone wants to look at those.
I got to crash 2.4.19-r1 with both issues.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 12:40:35 UTC
This is public as per $URL.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 12:53:51 UTC
CVE-2010-0211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0211):
  The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not
  check the return value of a call to the smr_normalize function, which
  allows remote attackers to cause a denial of service (segmentation
  fault) and possibly execute arbitrary code via a modrdn call with an
  RDN string containing invalid UTF-8 sequences, which triggers a free
  of an invalid, uninitialized pointer in the slap_mods_free function,
  as demonstrated using the Codenomicon LDAPv3 test suite.

CVE-2010-0212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0212):
  OpenLDAP 2.4.22 allows remote attackers to cause a denial of service
  (crash) via a modrdn call with a zero-length RDN destination string,
  which is not properly handled by the smr_normalize function and
  triggers a NULL pointer dereference in the IA5StringNormalize
  function in schema_init.c, as demonstrated using the Codenomicon
  LDAPv3 test suite.

Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-30 11:07:14 UTC
ldap-bugs: ping
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-08-31 06:52:10 UTC
2.4.23 in tree.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-31 10:13:21 UTC
Arches, please test and mark stable:
=net-nds/openldap-2.4.23
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-01 03:13:50 UTC
x86 stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-09-03 13:19:12 UTC
amd64 done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 16:55:24 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-06 10:09:00 UTC
Stable for HPPA.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:22:59 UTC
ppc64 done
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-09-12 04:34:32 UTC
Marked ppc stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 16:55:11 UTC
GLSA with 290345.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-07-01 00:22:02 UTC
This issue was resolved and addressed in
GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).