
Bug 488322 (CVE-2013-4449)

Summary: <=net-nds/openldap-2.4.36 : segfault on certain queries with rwm overlay (CVE-2013-4449)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ldap-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1019490
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-10-17 07:37:14 UTC
From ${URL}:

It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and immediately unbind from the server.  This seems to be due to the rwm overlay not doing reference counting properly, so rwm_conn_destroy frees the session context while rwm_op_search is using it.  This condition also seems to require multiple cores/CPUs to trigger.

This was also reported upstream [1] and is currently unfixed.

[1] http://www.openldap.org/its/index.cgi/Incoming?id=7723
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-06-30 19:20:15 UTC
Redhat issue states it was fixed and pushed in openldap-2.4.39-2

Available upstream
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:06:36 UTC
CVE-2013-4449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4449):
  The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly
  count references, which allows remote attackers to cause a denial of service
  (slapd crash) by unbinding immediately after a search request, which
  triggers rwm_conn_destroy to free the session context while it is being used
  by rwm_op_search.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 03:48:15 UTC
Maintainers, this security issue has been around since Feb 2014. Can we please bump to a non-vulnerable version?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 19:35:26 UTC
Ping for update, do we have an ebuild with non-vulnerable version?
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-10-11 21:19:19 UTC
The CVE states the vulnerable version is <=2.4.36.

2.4.38 was added 2013/12/13, and 2.4.38-r2 is already stable on everything except s390 and sh.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 02:54:10 UTC
Thank you for the update. So the only thing left is the cleanup of 2.4.35*.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-28 19:09:18 UTC
GLSA vote: no, too.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 08:18:40 UTC
Maintainer(s): Ping on cleanup!
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2015-05-16 06:36:53 UTC
In CVS.