Hi,

On Tue, Feb 03, 2015 at 10:37:24PM +0100, Luca BRUNO wrote:
> Is it something that we introduced with our patching?

No. I have reproduced it in upstream git master and 2.4 branches, as well as in 2.4.40-3 in sid.

> Where did he get a beta release of 2.4.40?

I believe he means a git snapshot from between 2.4.39 and 2.4.40.

> Does "a build of current stable" mean 2.4.31-1+nmu2 from wheezy or some upstream version he built?

I believe that refers to the final 2.4.40 tarball.

> In the last paragraph, is he implying that he is unable to reproduce the bug with vanilla openldap?

I think so, but I'm hoping to receive some clarification once upstream responds to the bug. Like I wrote above, I reproduced it with our 2.4.40-3 as well as with unmodified upstream git sources, while Bill wrote that in some cases it didn't reproduce. As it's a memory-related bug, it's possible it's not 100% reproducible, or that the allocator plays a role (note tcmalloc in his backtrace, while I use glibc's).

Before I filed this, Bill wrote to me privately about his ITS, and I have provided a minimal test case and git bisection result to upstream, also privately.

We will most likely want to fix this for jessie, and probably #776988 as well, since both result in remotely-triggered DoS.

hope that helps,
Ryan

