[jira] [Created] (DIRAPI-403) OutOfMemory error in Asn1Decoder for LDAP messages

2024-05-31 Thread Andrey Slepykh (Jira)
Andrey Slepykh created DIRAPI-403:
-

 Summary: OutOfMemory error in Asn1Decoder for LDAP messages
 Key: DIRAPI-403
 URL: https://issues.apache.org/jira/browse/DIRAPI-403
 Project: Directory Client API
  Issue Type: Bug
Affects Versions: 2.1.6
Reporter: Andrey Slepykh
 Attachments: OutOfMemoryReproducer.java

Hi, we have found an Out Of Memory error while fuzzing Asn1Decoder for LDAP 
messages.

Steps to reproduce:
1. Download Apache Directory LDAP API v2.1.6:
{code:bash}
wget https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz
tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz{code}
2. Compile the project (we used jdk-11 and mvn-3.9.6):
{code:bash}
cd directory-ldap-api-2.1.6
mvn clean package{code}
3. Get the reproducer:
{code:bash}
mkdir fuzz && cd fuzz
mv /OutOfMemoryReproducer.java .{code}
4. Compile the reproducer
{code:bash}
javac -cp ../asn1/ber/target/classes/:../asn1/api/target/classes/:../ldap/codec/core/target/classes/:../ldap/model/target/classes/ \
  ./OutOfMemoryReproducer.java{code}
5. Reproduce the error:
{code:bash}
java -Xmx2000m -cp .:../asn1/ber/target/classes/:../asn1/api/target/classes/:../ldap/codec/core/target/classes/:../ldap/model/target/classes/:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.36.jar:../i18n/target/classes/:../integ-osgi/target/dependency/mina-core-2.2.3.jar \
  OutOfMemoryReproducer{code}
We think that 2000 MB is a reasonable limit and the program should not take 
more.

Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.
Author L.Reviakin (l.revia...@fobos-nt.ru)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org



Re: [PR] Bump com.nimbusds:nimbus-jose-jwt from 9.39.1 to 9.39.2 [directory-kerby]

2024-05-31 Thread via GitHub


dependabot[bot] closed pull request #386: Bump com.nimbusds:nimbus-jose-jwt 
from 9.39.1 to 9.39.2
URL: https://github.com/apache/directory-kerby/pull/386


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org





Re: [PR] Bump com.nimbusds:nimbus-jose-jwt from 9.39.1 to 9.39.2 [directory-kerby]

2024-05-31 Thread via GitHub


dependabot[bot] commented on PR #386:
URL: https://github.com/apache/directory-kerby/pull/386#issuecomment-2141838479

   Superseded by #387.





[PR] Bump com.nimbusds:nimbus-jose-jwt from 9.39.1 to 9.39.3 [directory-kerby]

2024-05-31 Thread via GitHub


dependabot[bot] opened a new pull request, #387:
URL: https://github.com/apache/directory-kerby/pull/387

   Bumps 
[com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt)
 from 9.39.1 to 9.39.3.
   
   Changelog
   Sourced from [com.nimbusds:nimbus-jose-jwt's changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt).
   
   version 1.0 (2012-03-01)
   
   First version based on the OpenInfoCard JWT, JWS and JWE code base.
   
   version 1.1 (2012-03-06)
   
   Introduces type-safe enumeration of the JSON Web Algorithms (JWA).
   Refactors the JWT class.
   
   version 1.2 (2012-03-08)
   
   Moves JWS and JWE code into separate classes.
   
   version 1.3 (2012-03-09)
   
   Switches to Apache Commons Codec for Base64URL encoding and decoding
   Consolidates the crypto utilities within the package.
   Introduces a JWT content serialiser class.
   
   version 1.4 (2012-03-09)
   
   Refactoring of JWT class and JUnit tests.
   
   version 1.5 (2012-03-18)
   
   Switches to JSON Smart for JSON serialisation and parsing.
   Introduces claims set class with JSON objects, string, Base64URL and
   byte array views.
   
   version 1.6 (2012-03-20)
   
   Creates class for representing, serialising and parsing JSON Web Keys
   (JWK).
   Introduces separate class for representing JWT headers.
   
   version 1.7 (2012-04-01)
   
   Introduces separate classes for plain, JWS and JWE headers.
   Introduces separate classes for plain, signed and encrypted JWTs.
   Removes the JWTContent class.
   Removes password-based (PE820) encryption support.
   
   version 1.8 (2012-04-03)
   
   Adds support for the ZIP JWE header parameter.
   Removes unsupported algorithms from the JWA enumeration.
   
   version 1.9 (2012-04-03)
   
   Renames JWEHeader.{get|set}EncryptionAlgorithm() to
   JWEHeader.{get|set}EncryptionMethod().
   
   version 1.9.1 (2012-04-03)
   
   Upgrades JSON Smart JAR to 1.1.1.
   
   version 1.10 (2012-04-14)
   
   Introduces serialize() method to base abstract JWT class.
   
   version 1.11 (2012-05-13)
   
   JWT.serialize() throws checked JWTException instead of
   
   
   
   ... (truncated)
   
   
   Commits
   
   - [16d52cd](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/16d52cd6ce38d46d8e0a3aef01b04f8008a2e260) [maven-release-plugin] prepare for next development iteration
   - [b530053](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/b530053d09c79e1016faaa5f46776b8c1429bca6) Fixes NPE in DefaultJWTClaimsVerifier.verify when checking an exact match cla...
   - [63be304](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/63be304cb84e16118b3651288bd7e321fd9a64b4) Fixes version 9.39.2 date
   - [97183e0](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/97183e0d584c4c44f2bb350d2daaf204f11e6c28) [maven-release-plugin] prepare release 9.39.2
   - [2e444ed](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/2e444edc3ea8fa1b70577be5433af24de1591ea6) [maven-release-plugin] prepare for next development iteration
   - [2652777](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/26527774ef13ac4246505c0c05b167f4568dfbdd) Bumps GSon to 2.11.0, addressing Number parsing performance issue ([#546](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/546))
   - [7dde635](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/7dde63560c2d9efd0f9424d2b5ab8cea77ad8a68) Fixes JSONObjectUtilsTest.testParseFromStringEntity test, ParseException mess...
   - [6d001d4](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6d001d46a3a3095342fa1fc3398c79d5d387b513) [maven-release-plugin] prepare release 9.39.3
   - See full diff in [compare view](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/9.39.3..9.39.1)
   
   
   
   
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop