Bug 641576 (CVE-2017-17740) - <net-nds/openldap-2.4.49-r2: denial of service (slapd crash) via a member MODDN operation (CVE-2017-17740)
Summary: <net-nds/openldap-2.4.49-r2: denial of service (slapd crash) via a member MOD...
Status: RESOLVED FIXED
Alias: CVE-2017-17740
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openldap.org/its/index.cgi...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2020-12243
Blocks:
Reported: 2017-12-18 14:44 UTC by D'juan McDonald (domhnall)
Modified: 2020-05-08 10:23 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description D'juan McDonald (domhnall) 2017-12-18 14:44:44 UTC
CVE-2017-17740 (https://nvd.nist.gov/vuln/detail/CVE-2017-17740):

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.


@maintainer(s): In case of bump, please call for stabilization when ready, thank you.


Gentoo Security Padawan
(Jmbailey/mbailey_j)
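
The description above ties the crash to a configuration that enables both the nops module and the memberof overlay. The following added example (not part of the bug report or of OpenLDAP) audits slapd configuration text for that combination, in either slapd.conf or cn=config LDIF form. Assumptions: nops counts as enabled if it is loaded as a module or configured as an overlay, the sample configurations are constructed, and LDIF line folding and base64 values are not handled.

```python
import re

# Constructed sample configurations (not taken from the bug report).
SLAPD_CONF_BOTH = """\
moduleload  memberof.la
moduleload  /usr/lib64/openldap/openldap/nops.so
database    mdb
overlay     memberof
overlay     nops
"""
CN_CONFIG_BOTH = """\
dn: cn=module{0},cn=config
olcModuleLoad: {0}memberof.la
olcModuleLoad: {1}nops.la

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
olcOverlay: {0}memberof
"""
MEMBEROF_ONLY = """\
moduleload memberof.la
database mdb
# overlay nops
overlay memberof
"""

# Matches slapd.conf directives and their cn=config (LDIF) attribute forms.
_DIRECTIVE = re.compile(
    r"^\s*(olcModuleLoad|moduleload|olcOverlay|overlay)\s*:?\s+(\S+)", re.I)

def _name(value):
    """Reduce '{1}nops.la' or '/path/nops.so' to the bare name 'nops'."""
    value = re.sub(r"^\{\d+\}", "", value.strip('"'))
    base = value.rsplit("/", 1)[-1]
    return re.sub(r"\.(la|so)(\.\d+)*$", "", base).lower()

def audit(text):
    """Report whether nops and the memberof overlay are both configured."""
    modules, overlays = set(), set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        m = _DIRECTIVE.match(line)
        if m:
            target = modules if "moduleload" in m.group(1).lower() else overlays
            target.add(_name(m.group(2)))
    nops = "nops" in modules or "nops" in overlays
    memberof = "memberof" in overlays
    return {"nops": nops, "memberof": memberof, "exposed": nops and memberof}
```

Feed `audit()` the contents of slapd.conf or an LDIF export of cn=config; an `exposed` result of `True` means the configuration matches the condition named in the CVE description.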
Comment 1 Pacho Ramos gentoo-dev 2019-11-10 16:08:46 UTC
We have newer versions in stable already.
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-16 22:48:29 UTC
The vulnerability is still present.

@maintainer(s): Please rev bump and don't build contrib module "nops" from "nops-overlay".
Comment 3 Larry the Git Cow gentoo-dev 2020-03-18 01:34:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=276da7075cf8a92fa965fda056817d68eeac7b40

commit 276da7075cf8a92fa965fda056817d68eeac7b40
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2020-03-18 01:25:56 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-03-18 01:33:48 +0000

    net-nds/openldap-2.4.49-r2: revbump, fix pkg_postinst, sec bug #641576
    
    pkg_postinst currently die()-s if /var/run/openldap doesn't exist, this
    breaks many cases (chroot build, first install etc).
    
    Also disable build of nops module for security bug #641576
    
    Bug: https://bugs.gentoo.org/641576
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-nds/openldap/openldap-2.4.49-r2.ebuild | 903 +++++++++++++++++++++++++++++
 1 file changed, 903 insertions(+)
Comment 4 Sam James archtester gentoo-dev Security 2020-03-18 21:34:21 UTC
Thanks for that.

@maintainer(s), please advise if you are ready for stabilisation or call for stabilisation yourself.
Comment 5 Sam James archtester gentoo-dev Security 2020-04-18 09:12:41 UTC
@maintainer(s): ping.
Comment 6 Larry the Git Cow gentoo-dev 2020-05-02 23:14:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4bf2f1709bbb8b087c56a2e01ce735d0dac58c2b

commit 4bf2f1709bbb8b087c56a2e01ce735d0dac58c2b
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2020-05-02 23:12:26 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-05-02 23:12:26 +0000

    net-nds/openldap: bump for security CVE-2020-12243
    
    Also update mirrors to use HTTPS/HTTPS, because upstream's official
    download URL is a FTP site which seems to be broken.
    
    Bug: https://bugs.gentoo.org/641576
    Bug: https://bugs.gentoo.org/719960
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-nds/openldap/Manifest               |   1 +
 net-nds/openldap/openldap-2.4.50.ebuild | 907 ++++++++++++++++++++++++++++++++
 2 files changed, 908 insertions(+)
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-05-08 10:23:36 UTC
GLSA vote: no.