Bug 843161 (CVE-2022-29155)

Summary: <net-nds/openldap-2.6.2: sql injection in back-sql slapd backend
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: trivial
CC: ldap-bugs, zlogene
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.openldap.org/show_bug.cgi?id=9815
Whiteboard: B4 [cleanup]
Package list:
Runtime testing required: ---

Description: John Helmert III, 2022-05-07 15:16:06 UTC
CVE-2022-29155:

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

Not sure if this affects our stable versions, but the fix is in 2.5.12 and 2.6.2.
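The CVE text above locates the bug in the translation of an LDAP search filter into SQL: the assertion value is decoded from the filter and pasted into the statement without SQL-level escaping. The following Python program is an added illustration of that bug class, not OpenLDAP's back-sql code; the entry_attr table, the sample rows, the filter grammar (single equality filters only) and the function names are assumptions made for the demo. It places a translator that interpolates the decoded value beside one that binds it as a parameter, and shows that the LDAP-level escaping of RFC 4515 (`\29` for `)`) is undone before the SQL layer and so gives no protection there.

```python
"""Toy LDAP-filter-to-SQL translator showing the injection class from
CVE-2022-29155.  Added illustration only: this is not OpenLDAP back-sql code,
and the schema, sample rows and function names are assumptions for the demo."""
import re
import sqlite3

# Assumed schema: one row per (entry, attribute, value).
SCHEMA = """
CREATE TABLE entry_attr (
    entry_id INTEGER NOT NULL,
    attr     TEXT    NOT NULL,
    value    TEXT    NOT NULL
);
"""

# Constructed sample directory content.
SAMPLE_ROWS = [
    (1, "cn", "alice"),
    (1, "userPassword", "{SSHA}alice-hash"),
    (2, "cn", "bob"),
    (2, "userPassword", "{SSHA}bob-hash"),
    (3, "cn", "carol"),
    (4, "cn", "dave (ops)"),   # ')' must be sent as \29 in a filter (RFC 4515)
    (5, "cn", "o'brien"),      # a quote is legal and unescaped in LDAP filters
]

# Only single equality filters "(attr=value)" are modelled.
_EQ_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9;-]*)=(?P<value>[^)]*)\)$")


def setup_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO entry_attr VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def parse_equality_filter(filter_str):
    """Split "(attr=value)" and decode RFC 4515 \\XX escapes in the value.

    Only ASCII escapes are handled here; real implementations decode into
    UTF-8 bytes.  This is the LDAP-level escaping layer: after it runs the
    value is raw text again, including any ')' or quote it carried.
    """
    m = _EQ_FILTER.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    value = re.sub(r"\\([0-9A-Fa-f]{2})",
                   lambda esc: chr(int(esc.group(1), 16)), m.group("value"))
    return m.group("attr"), value


def search_vulnerable(conn, filter_str):
    """Translate the filter by pasting the decoded value into the SQL text.

    This is the pattern the CVE text describes: the assertion value reaches
    the SQL parser without SQL-level escaping, so a single quote in it ends
    the string literal and the remainder executes as SQL.
    """
    attr, value = parse_equality_filter(filter_str)
    sql = ("SELECT DISTINCT entry_id FROM entry_attr "
           f"WHERE (attr = '{attr}' AND value = '{value}')")
    return sorted(row[0] for row in conn.execute(sql))


def search_hardened(conn, filter_str):
    """Translate the filter with bound parameters for attribute and value.

    The parameter API hands the value to the engine out of band, so it can
    never be read as SQL syntax; no quote escaping is needed or wanted.
    """
    attr, value = parse_equality_filter(filter_str)
    sql = ("SELECT DISTINCT entry_id FROM entry_attr "
           "WHERE (attr = ? AND value = ?)")
    return sorted(row[0] for row in conn.execute(sql, (attr, value)))


def quote_breaks_vulnerable(conn):
    """True if a legitimate value containing a quote makes the vulnerable
    translator emit SQL that does not even parse (a tell-tale in slapd logs)."""
    try:
        search_vulnerable(conn, "(cn=o'brien)")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    # Payload x') OR 1=1 --  with its ')' LDAP-escaped as \29 so the filter parses.
    attack = r"(cn=x'\29 OR 1=1 --)"
    print("benign, vulnerable   :", search_vulnerable(db, "(cn=alice)"))
    print("attack, vulnerable   :", search_vulnerable(db, attack))
    print("attack, hardened     :", search_hardened(db, attack))
    print("escaped ')', hardened:", search_hardened(db, r"(cn=dave \28ops\29)"))
    print("quote breaks vulnerable translator:", quote_breaks_vulnerable(db))
```

The attack filter is well formed at the LDAP layer because its `)` is hex-escaped; once decoded, the vulnerable translator produces `WHERE (attr = 'cn' AND value = 'x') OR 1=1 --')` and returns every entry, while the parameterised translator returns nothing. The quote test is worth keeping in mind when hunting for this class in a real backend: a legitimate value such as `o'brien` makes the unescaped translator emit unparseable SQL, so database syntax errors in the backend log are an early sign that filter values reach the SQL text verbatim.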
Comment 1: Sam James, 2022-06-02 23:20:22 UTC
Yeah, we are "OpenLDAP 2.x before 2.5.x", I think is how to read it.