Comment 18 for bug 1103353

Oleg Strikov (strikov-deactivatedaccount) wrote :

I plan to change the status of this bug for 12.04 (precise) and 14.04 (trusty) to Won't Fix.
In this comment I want to explain why I came to this decision.

This bug had CVE-2013-4449 linked to it. I don't think that this CVE is relevant because the patch proposed in this bug doesn't resolve the issue mentioned in the description of this CVE. I proved that by using the following repro script:
http://pastebin.ubuntu.com/10764620/
This script is derived from the repro case provided in the Debian bug for CVE-2013-4449:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729367#22
[!] Please note that this CVE can be reliably reproduced only on a multicore machine (e.g. you can't use an m1.small cloud instance). Some form of race condition takes place, and your chances are much higher on a multicore machine.

When CVE-2013-4449 is resolved, this script should print 'Finished' at the end of execution.
When the CVE is still present, it prints 'No server found on localhost:389 <attempt>'.
'No server found' means that slapd crashed and can't be accessed via the network, and '<attempt>' is the number of the iteration at which slapd crashed (it usually takes from 3 to 15 iterations because some form of race condition needs to take place).
WITH and WITHOUT the proposed patch I get the 'No server found' message on 12.04 (precise) and 14.04 (trusty).
This means that the patch doesn't fix CVE-2013-4449.

The patch doesn't fix CVE-2013-4449, but it can still fix the issue mentioned in the bug description (an incorrect cipher suite string leads to a crash). That's true, but I don't think that we want to update 12.04 (precise) and 14.04 (trusty). ANY update may lead to unpredictable regressions (see https://wiki.ubuntu.com/StableReleaseUpdates), and the profit of patching should exceed the amount of potential issues it may create. OpenLDAP is an important infrastructural component and we need to have a very good reason to update it. I don't see such a reason. A client may crash itself by passing an incorrect cipher suite to the API. While that's sad, it doesn't crash slapd itself and doesn't create any inconvenience for other users. This looks like a good fix for a development release but not for a stable release.

Please let me know if you have any objections or additional information about this bug.
We're open to discussion and can re-open this bug if needed.
Thanks to Jouko Orava and others for opening this bug and taking part in the discussion.