Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 230269 (CVE-2008-2952)

Summary: net-nds/openldap < 2.3.43 ASN.1 BER Decoding Remote DoS Vulnerability (CVE-2008-2952)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: ldap-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-30 21:26:15 UTC
Ludwig Nussel writes:
Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER
decoding of openlap and crash the server:;selectid=5580

Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-02 19:10:53 UTC
The patch seems to be broken, see (1.121 -> 1.122)
Comment 2 Markus Ullmann (RETIRED) gentoo-dev 2008-07-07 21:25:30 UTC
looks like upstream is working on this: (email)

Please test RE23, thanks!

Only minor fixes plus the security fix.

Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-20 16:11:56 UTC
any news here? according to $URL, 2.3.43 should be ok
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-07-20 18:50:15 UTC
security: .43 in the tree now, passed the testsuite.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-20 18:53:38 UTC
(In reply to comment #4)
> security: .43 in the tree now, passed the testsuite.

Arches, please test and mark stable net-nds/openldap-2.3.43. Target Keywords: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-21 01:57:47 UTC
Stable for HPPA.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-07-21 16:07:41 UTC
ppc64 stable
Comment 8 Friedrich Oslage (RETIRED) gentoo-dev 2008-07-21 19:46:00 UTC
sparc stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-07-21 20:57:19 UTC
alpha/ia64/x86 stable
Comment 10 Chad A. Simmons 2008-07-22 15:11:50 UTC
AMD64 AT Test Report

Compiles/Installs: OK
Tests: OK
Functionality: OK

chadgentoo at # emerge --info
Portage (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25-gentoo-r6 x86_64)
System uname: 2.6.25-gentoo-r6 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4400+
Timestamp of tree: Tue, 22 Jul 2008 07:04:01 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.4.4-r13, 2.5.2-r5
dev-python/pycrypto: 2.0.1-r6
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-march=k8 -msse3 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=k8 -O2 -pipe"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans user-sandbox userfetch userpriv"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="X acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gnome gnutls gpm gstreamer gtk hal iconv isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap multilib ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl startup-notification svg tcpd tiff truetype unicode vorbis xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev mouse keyboard joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="nvidia"

chadgentoo at #                                 
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-22 20:15:10 UTC
ppc stable
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-08-03 20:28:35 UTC
amd64 stable
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-08-03 20:29:20 UTC
Ready for vote, I vote YES.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 14:53:02 UTC
Remote unauthenticated DoS -> obviously Yes.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 20:53:18 UTC
glsa drafted
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-08 17:30:15 UTC
GLSA 200808-09