Bug#776991: [Pkg-openldap-devel] Bug#776991: slapd: crash in valueReturnFilter cleanup

2015-02-03 Thread Ryan Tandy

Control: tags -1 + fixed-upstream

This is fixed upstream in git master now.

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a

Test case: ldapsearch -E 'mv=(cn={*)(sn=*)'


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#776991: slapd: crash in valueReturnFilter cleanup

2015-02-03 Thread Ryan Tandy

Package: slapd
Version: 2.4.40-3
Severity: important
Tags: upstream
Control: forwarded -1 http://www.openldap.org/its/?findid=8046

Bill MacAllister discovered that certain queries cause slapd to crash 
while freeing operation controls. Details to follow.


This is a 2.4.40 regression. Earlier releases are not affected.





Bug#776991: slapd: crash in valueReturnFilter cleanup

2015-02-03 Thread Luca BRUNO
On Tue, 3 Feb 2015 12:38:39 -0800 Ryan Tandy r...@nardis.ca wrote:

> Bill MacAllister discovered that certain queries cause slapd to crash
> while freeing operation controls. Details to follow.

I've some problems in understanding this comment from upstream bug
report:

> The system exhibiting this problem was running a beta release of
> 2.4.40.  When I installed from a build of the current stable the
> problem disappeared.  Apologies for the bother, I didn't realize
> the system had not been updated.
>
> I think that documenting the query would be useful anyway, but I
> want to hold off on that because I know the problem exists in the
> build that is in debian backports.  I would like to give Ryan a
> chance to fix it before I publish it.  I was able to reproduce the
> problem with ldapsearch and it is a trivial and very effective
> denial of service attack.

Is it something that we introduced with our patching? Where did he get
a beta release of 2.4.40? Does a build of current stable mean
2.4.31-1+nmu2 from wheezy or some upstream version he built? In the
last paragraph, is he implying that he is unable to reproduce the bug
with vanilla openldap?

Cheers, Luca

-- 
  .''`.  |   ~[ Luca BRUNO ~ (kaeso) ]~
 : :'  : | Email: lucab (AT) debian.org ~ Debian Developer
 `. `'`  | GPG Key ID: 0x3BFB9FB3   ~ Free Software supporter
   `-| HAM-radio callsign: IZ1WGT   ~ Networking sorcerer





Bug#776991: slapd: crash in valueReturnFilter cleanup

2015-02-03 Thread Ryan Tandy

Hi,

On Tue, Feb 03, 2015 at 10:37:24PM +0100, Luca BRUNO wrote:

> Is it something that we introduced with our patching?

No. I have reproduced it in upstream git master and 2.4 branches, as
well as in 2.4.40-3 in sid.

> Where did he get a beta release of 2.4.40?

I believe he means a git snapshot from between 2.4.39 and 2.4.40.

> Does a build of current stable mean 2.4.31-1+nmu2 from wheezy or some
> upstream version he built?

I believe that refers to the final 2.4.40 tarball.

> In the last paragraph, is he implying that he is unable to reproduce
> the bug with vanilla openldap?


I think so, but I'm hoping to receive some clarification once upstream 
responds to the bug. Like I wrote above, I reproduced it with our 
2.4.40-3 as well as with unmodified upstream git sources, while Bill 
wrote that in some cases it didn't reproduce. As it's a memory-related 
bug, it's possible it's not 100% reproducible, or that the allocator 
plays a role (note tcmalloc in his backtrace, while I use glibc's).


Before I filed this, Bill wrote to me privately about his ITS, and I 
have provided a minimal test case and git bisection result to upstream, 
also privately.


We will most likely want to fix this for jessie, and probably #776988 as 
well, since both result in remotely-triggered DoS.


hope that helps,
Ryan

