Bug 620204 (CVE-2017-9287) - <net-nds/openldap-2.4.45: Double free vulnerability in servers/slapd/back-mdb/search.c
Summary: <net-nds/openldap-2.4.45: Double free vulnerability in servers/slapd/back-mdb...
Status: RESOLVED FIXED
Alias: CVE-2017-9287
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-30 14:37 UTC by Agostino Sarubbo
Modified: 2018-11-30 20:19 UTC

See Also:
Package list:
=net-nds/openldap-2.4.45
Runtime testing required: Yes
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-05-30 14:37:56 UTC
From ${URL} :

servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.

Upstream patch:

https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
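
For triage on servers still running OpenLDAP through 2.4.44, the sketch below decodes the Paged Results control value (RFC 2696: SEQUENCE { size INTEGER, cookie OCTET STRING }) and labels requests whose page size is 0. It is an added example, not part of this bug report or of OpenLDAP; the function names are hypothetical, and it assumes the control OID and raw control value have already been extracted from a decoded search request.

```python
# Added example: names below are hypothetical, not OpenLDAP code.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # pagedResultsControl (RFC 2696)

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_paged_results(value):
    """Return (size, cookie) from SEQUENCE { size INTEGER, cookie OCTET STRING }."""
    tag, seq, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("controlValue is not exactly one SEQUENCE")
    tag, raw_size, pos = read_tlv(seq, 0)
    if tag != 0x02 or not raw_size:
        raise ValueError("size is not an INTEGER")
    tag, cookie, pos = read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("cookie is not a trailing OCTET STRING")
    return int.from_bytes(raw_size, "big", signed=True), bytes(cookie)

def classify_control(oid, value):
    """Label one request control: not-paged, malformed, zero-size or ok."""
    if oid != PAGED_RESULTS_OID:
        return "not-paged"
    try:
        size, _cookie = parse_paged_results(value)
    except ValueError:
        return "malformed"
    return "zero-size" if size == 0 else "ok"

# Constructed sample control values (not captured traffic).
SAMPLES = {
    "page of 100": bytes.fromhex("30050201640400"),
    "page of 0": bytes.fromhex("30050201000400"),
    "truncated": bytes.fromhex("300502010004"),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_control(PAGED_RESULTS_OID, value))
```

RFC 2696 also has clients send size 0 together with the last cookie to abandon a paged search, so a zero-size hit is a reason to check the server's patch level rather than proof of abuse.
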
Comment 1 D'juan McDonald (domhnall) 2018-05-28 17:15:27 UTC
Reference: http://www.openldap.org/software/release/changes.html

OpenLDAP 2.4.45 Release (2017/06/01)
	Fixed slapd-mdb double free with size zero paged result (ITS#8655)
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 00:14:50 UTC
@maintainers, please call for stable when ready.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2018-11-27 05:06:38 UTC
arches, please stabilize.

target keywords: alpha,amd64,arm,arm64,ia64,ppc,ppc64,x86,hppa,s390,sparc.

"USE='-minimal berkdb' FEATURES=test ebuild openldap-2.4.45.ebuild test"
should PASS. Expected runtime around 30 minutes.
Comment 4 Mart Raudsepp gentoo-dev 2018-11-27 09:43:28 UTC
Arch teams likely not proceeding until package list is filled as appropriate.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-11-27 15:11:36 UTC
amd64 stable
Comment 6 Larry the Git Cow gentoo-dev 2018-11-27 16:01:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6c39556943d00d8462d523def8038deb75a6c0a

commit f6c39556943d00d8462d523def8038deb75a6c0a
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-27 16:00:55 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-27 16:00:55 +0000

    net-nds/openldap-2.4.45-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/620204
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-nds/openldap/openldap-2.4.45.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Tobias Klausmann gentoo-dev 2018-11-27 16:06:08 UTC
Stable on alpha.
Comment 8 Paul B. Henson 2018-11-27 19:42:33 UTC
I've mentioned this a few times before; openldap operating as a server is only supported by upstream if it is using the lmdb version that it comes with. This ebuild has a dependency on >=dev-db/lmdb-0.9.18, whereas openldap 2.4.45 is bundled with lmdb-0.9.21. Running with an older version is not just unsupported, it's a really bad idea for a production system.

Please ensure the openldap version bump process includes bumping the related lmdb version and updating the dependency.

Thanks...
Comment 9 Thomas Deutschmann gentoo-dev Security 2018-11-27 21:57:28 UTC
x86 stable
Comment 10 Mart Raudsepp gentoo-dev 2018-11-28 12:35:22 UTC
arm64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-28 22:41:24 UTC
ia64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-28 22:42:33 UTC
ppc stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-28 22:43:46 UTC
ppc64 stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-29 21:19:42 UTC
hppa stable
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-11-30 20:18:48 UTC
done and cleaned