Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 197446 (CVE-2007-5707) - net-nds/openldap < 2.3.39-r1 app-emulation/emul-linux-x86-baselibs <20071128 Denial of Service Vulnerabilities (CVE-2007-{5707,5708})
Summary: net-nds/openldap < 2.3.39-r1 app-emulation/emul-linux-x86-baselibs <20071128 ...
Status: RESOLVED FIXED
Alias: CVE-2007-5707
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27424/
Whiteboard: B3 [glsa]
Keywords:
: 195180 (view as bug list)
Depends on:
Blocks: 196865
  Show dependency tree
 
Reported: 2007-10-29 19:20 UTC by Tobias Heinlein (RETIRED)
Modified: 2008-03-19 22:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-29 19:20:10 UTC
Some vulnerabilities have been reported in OpenLDAP, which can be
exploited by malicious users to cause a DoS (Denial of Service).

1) A vulnerability is caused due to the "add_filter_attrs()" function
in servers/slapd/overlay/pcache.c not correctly NULL terminating
"new_attrs", which can be exploited to crash slapd due to an out of
bounds memory access.

Successful exploitation may require that slapd runs as proxy-caching
server.

2) An error within the normalisation of "objectClasses" can be
exploited to crash a vulnerable server by sending a malformed
"objectClasses" attribute.

The vulnerabilities are reported in versions prior to 2.3.39.

Note: Several other bugs, which may have a security impact, were also
reported.

SOLUTION:
Update to version 2.3.39.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-29 19:24:07 UTC
2.3.39 has been added to the tree a few hours ago. Is this version ready to be stabilised? ldap team, please advise.
Comment 2 Markus Ullmann (RETIRED) gentoo-dev 2007-10-29 19:47:47 UTC
do it :)

arches please use the testkit with overlays useflag set (and without if you feel like spending more time)
Comment 3 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2007-10-29 19:48:05 UTC
well given that it's only just been added and we haven't filed a stabilization bug i'd guess it's NOT ready to be stabilized. In light of the advisory though we can probably speed it up. Having read all the advisories though, it doesn't seem to be a major issue, in fact contrary to what I saw some classify the bug as, it does require special compile configuration and authorized access to add things to the DIT. In other words the impact is lessened considerably if you are running a normal recommended setup where you don't allow anonymous people to make modifications to your LDAP backend. I'll see if I can get hold of robbat / jokey and find out there thoughts, we'll look to stabilize it soon though.
Comment 4 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2007-10-29 19:48:38 UTC
markus your overlay use flag still breaks all the syncrepl stuff. I'd like to fix it before we push it out. I'll catch you on irc.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-29 21:50:28 UTC
ok, ping security back when it's ready.
Comment 6 Markus Ullmann (RETIRED) gentoo-dev 2007-10-30 11:04:59 UTC
*** Bug 195180 has been marked as a duplicate of this bug. ***
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 19:32:10 UTC
After ~arch for a week, how is it doing?
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2007-11-08 06:24:37 UTC
Enabled the syncprov overlay now by default so that it works sanely with new-style config system with 2.3.39-r1
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 00:06:50 UTC
Is this ready for stabling now?
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 02:02:31 UTC
Jokey, I remember you OK'ed the stabling in a recent chat, but I lost the logs. Can you confirm that again, please?
Comment 11 Markus Ullmann (RETIRED) gentoo-dev 2007-11-26 19:51:18 UTC
Yup, just go ahead for now, the bdb issue will be dealt with at a different version
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 20:14:24 UTC
Arches, please test and mark stable net-nds/openldap-2.3.39-r1.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 13 Mike Doty (RETIRED) gentoo-dev 2007-11-26 21:16:37 UTC
*sigh* you'll need a emul-linux-x86-baselibs bump too...
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 21:31:38 UTC
(In reply to comment #13)
> *sigh* you'll need a emul-linux-x86-baselibs bump too...

copy that sigh.
Comment 15 Brent Baude (RETIRED) gentoo-dev 2007-11-26 23:14:29 UTC
ppc stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2007-11-27 01:28:18 UTC
ppc64 stable
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-27 03:18:44 UTC
Stable for HPPA.
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-27 08:59:42 UTC
x86 stable
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2007-11-27 14:47:07 UTC
alpha/ia64/sparc stable
Comment 20 Mike Doty (RETIRED) gentoo-dev 2007-11-28 06:01:36 UTC
(In reply to comment #14)
> (In reply to comment #13)
> > *sigh* you'll need a emul-linux-x86-baselibs bump too...
> 
> copy that sigh.
> 

app-emulation/emul-linux-x86-baselibs-20071128 going in the tree in an hour contains the fix.
Comment 21 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-28 23:22:26 UTC
amd64 done...
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2007-11-28 23:58:44 UTC
vote is open.

Vulnerability (1) does not affect the default configuration and vulnerability (2) only allows *authenticated* users to crash the server.

I still tend to vote YES here.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-06 18:15:45 UTC
I vote YES.
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-01-06 23:03:48 UTC
full YES then and filed.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-19 22:07:43 UTC
GLSA 200803-28