Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 794505 (CVE-2021-3514) - <net-nds/389-ds-base-1.4.4.16: unauthenticated DoS with malicious query (CVE-2021-3514)
Summary: <net-nds/389-ds-base-1.4.4.16: unauthenticated DoS with malicious query (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2021-3514
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/389ds/389-ds-base/...
Whiteboard: ~3 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-06-06 03:16 UTC by John Helmert III
Modified: 2021-08-12 22:59 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-06-06 03:16:16 UTC
CVE-2021-3514:

When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash.


1.4.4 branch patch: https://github.com/389ds/389-ds-base/commit/58dbf084a63e6dbbd999bf6a70475fad8255f26a

Patch is in 1.4.4.16, please bump.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:54 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:30:04 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:38:02 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:46:09 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:02:06 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:10:25 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III gentoo-dev Security 2021-08-08 01:51:59 UTC
Ping
Comment 8 Larry the Git Cow gentoo-dev 2021-08-12 07:50:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d313250b77028f193e7590666973e8ba2a38270

commit 1d313250b77028f193e7590666973e8ba2a38270
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2021-07-28 13:09:56 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-08-12 07:49:50 +0000

    net-nds/389-ds-base: remove vulnerable
    
    Bug: https://bugs.gentoo.org/794505
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Closes: https://github.com/gentoo/gentoo/pull/21815
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.4.4.13.ebuild    | 304 ---------------------
 net-nds/389-ds-base/Manifest                       |  34 ---
 .../files/389-ds-base-1.4.4.13-libxcrypt.patch     |  66 -----
 3 files changed, 404 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c99b894acb927383fe0b2e47e02b93d0fdc352c

commit 2c99b894acb927383fe0b2e47e02b93d0fdc352c
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2021-07-28 13:09:01 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-08-12 07:49:25 +0000

    net-nds/389-ds-base: bump to 1.4.4.16 with security fixes
    
    for CVE-2021-3514 and CVE-2021-3652
    
    Bug: https://bugs.gentoo.org/794505
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.4.4.16.ebuild    | 299 +++++++++++++++++++++
 net-nds/389-ds-base/Manifest                       |  26 ++
 .../files/389-ds-base-1.4.4.16-crypt-import.patch  | 118 ++++++++
 3 files changed, 443 insertions(+)
Comment 9 John Helmert III gentoo-dev Security 2021-08-12 22:59:31 UTC
Thanks!