Summary: | <net-nds/openldap-2.4.23: null pointer dereference and one free based on uninitialized pointer (CVE-2010-{0211,0212}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthias Geerdsen (RETIRED) <vorlon> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | ldap-bugs |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570 | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Matthias Geerdsen (RETIRED)
2010-06-13 14:36:14 UTC
The patches seem to be marked with the ITS# in CVS if someone wants to look at those. I got to crash 2.4.19-r1 with both issues. This is public as per $URL.

CVE-2010-0211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0211): The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not check the return value of a call to the smr_normalize function, which allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a modrdn call with an RDN string containing invalid UTF-8 sequences, which triggers a free of an invalid, uninitialized pointer in the slap_mods_free function, as demonstrated using the Codenomicon LDAPv3 test suite.

CVE-2010-0212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0212): OpenLDAP 2.4.22 allows remote attackers to cause a denial of service (crash) via a modrdn call with a zero-length RDN destination string, which is not properly handled by the smr_normalize function and triggers a NULL pointer dereference in the IA5StringNormalize function in schema_init.c, as demonstrated using the Codenomicon LDAPv3 test suite.

ldap-bugs: ping

2.4.23 in tree.

Arches, please test and mark stable: =net-nds/openldap-2.4.23
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

x86 stable

amd64 done

alpha/arm/ia64/s390/sh/sparc stable

Stable for HPPA.

ppc64 done

Marked ppc stable.

GLSA with 290345.

This issue was resolved and addressed in GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml by GLSA coordinator Yury German (BlueKnight).
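The bug class named in the two CVE entries above (a normalizer whose result goes unchecked before a free of a never-initialised pointer, and a zero-length input reaching the normalizer), shown in hardened form. This is an added example and not OpenLDAP's code: `toy_mod`, `toy_normalize`, `toy_mod_free` and `toy_build_mod` are hypothetical names, and the UTF-8 check is deliberately partial.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; not OpenLDAP's types or functions. */
struct toy_mod { char *nvalue; };

/* Simplified normalizer: returns 0 and sets *out on success, -1 on failure.
 * On failure *out is left untouched, so the caller must check the result. */
static int toy_normalize(const char *in, size_t len, char **out)
{
    if (in == NULL || len == 0)          /* zero-length input: reject early */
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == 0xC0 || c == 0xC1 || c >= 0xF5)  /* never valid in UTF-8 */
            return -1;
    }
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, in, len);
    copy[len] = '\0';
    *out = copy;
    return 0;
}

static void toy_mod_free(struct toy_mod *m)
{
    if (m != NULL)
        free(m->nvalue);   /* only safe if nvalue is NULL or heap-owned */
    free(m);
}

/* Hardened caller: initialise the pointer, check the return value, and clean
 * up on the error path. With nvalue left uninitialised and the result
 * ignored, toy_mod_free() would free an indeterminate pointer. */
int toy_build_mod(const char *rdn, size_t len, struct toy_mod **out)
{
    struct toy_mod *m = malloc(sizeof(*m));
    *out = NULL;
    if (m == NULL)
        return -1;
    m->nvalue = NULL;
    if (toy_normalize(rdn, len, &m->nvalue) != 0) {
        toy_mod_free(m);                 /* free(NULL) is a no-op */
        return -1;
    }
    *out = m;
    return 0;
}
```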