Invalid GnuTLS cipher suite strings cause libldap to crash
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Debian) | Fix Released | Unknown | |
openldap (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Won't Fix | Undecided | Unassigned |
Trusty | Won't Fix | Undecided | Unassigned |
Bug Description
If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string "SECURE256" or "NORMAL". If that stops the crash, then you have encountered this bug.
Typically, the crash report begins with something like
*** glibc detected *** APPLICATION: double free or corruption (!prev)
/lib/x86_
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
The actual double free happens in openldap/
The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_
A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of "NORMAL" as openldap/
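Added example, not code from this bug report, OpenLDAP or GnuTLS: a self-contained C model of the defect class the description outlines, an initialiser whose return value is ignored so that a failed re-initialisation leaves a stale pointer that teardown releases a second time. `prio_init()` stands in for gnutls_priority_init() and keeps its real contract (0 on success, negative on failure, output pointer untouched on failure) but accepts only a constructed keyword set; the "start from the NORMAL default, then re-initialise from the configured string" sequence and the instrumented free counter are assumptions made for the illustration, not a reproduction of the OpenLDAP code at the truncated paths. `run_cycle()` returns 1 for a clean teardown and 2 when the unchecked path frees the default cache twice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free bookkeeping: a double free shows up as a counter instead of the glibc
 * "double free or corruption" abort quoted in the report. Blocks are really
 * released only in reset_tracking(). Constructed for this example. */
#define MAX_BLOCKS 16
static void *blocks[MAX_BLOCKS];
static int block_frees[MAX_BLOCKS];
static int nblocks;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p && nblocks < MAX_BLOCKS) blocks[nblocks++] = p;
    return p;
}
/* Record a free; returns how many times this block has now been "freed". */
static int tracked_free(void *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i] == p) return ++block_frees[i];
    return 0; /* pointer not owned by the tracker */
}
static int max_frees(void) {
    int m = 0;
    for (int i = 0; i < nblocks; i++)
        if (block_frees[i] > m) m = block_frees[i];
    return m;
}
static void reset_tracking(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i]);
    nblocks = 0;
    memset(block_frees, 0, sizeof block_frees);
}

/* Stand-in for gnutls_priority_t / gnutls_priority_init(): 0 on success,
 * negative on error, *out untouched on error (the GnuTLS contract). The
 * accepted keywords are a constructed subset, not the GnuTLS grammar. */
typedef struct { char spec[32]; } prio_t;

static int prio_init(prio_t **out, const char *spec) {
    static const char *accepted[] = { "NORMAL", "SECURE128", "SECURE256" };
    for (size_t i = 0; i < sizeof accepted / sizeof accepted[0]; i++) {
        if (strcmp(spec, accepted[i]) != 0) continue;
        prio_t *p = tracked_alloc(sizeof *p);
        if (!p) return -2;                 /* allocation failure */
        snprintf(p->spec, sizeof p->spec, "%s", spec);
        *out = p;
        return 0;
    }
    return -1;                             /* unacceptable priority string */
}
static void prio_deinit(prio_t *p) { tracked_free(p); }

/* Library-side TLS context: built with the "NORMAL" default, then re-pointed
 * at the configured cipher-suite string (assumed sequence for this model). */
typedef struct { prio_t *prio; } tls_ctx;

static int ctx_new_default(tls_ctx *ctx) {
    ctx->prio = NULL;
    return prio_init(&ctx->prio, "NORMAL");
}
static void ctx_destroy(tls_ctx *ctx) {
    if (ctx->prio) prio_deinit(ctx->prio);
    ctx->prio = NULL;
}

/* Vulnerable shape: prio_init()'s result is ignored, so on failure ctx->prio
 * still holds the pointer just released and ctx_destroy() frees it again. */
static int ctx_set_ciphersuite_unchecked(tls_ctx *ctx, const char *spec) {
    prio_deinit(ctx->prio);
    prio_init(&ctx->prio, spec);
    return 0;
}

/* Hardened shape: build the new cache first, check the result, and only then
 * release the old one; on failure the error propagates and ctx stays valid. */
static int ctx_set_ciphersuite_checked(tls_ctx *ctx, const char *spec) {
    prio_t *fresh = NULL;
    int rc = prio_init(&fresh, spec);
    if (rc < 0) return rc;
    prio_deinit(ctx->prio);
    ctx->prio = fresh;
    return 0;
}

/* One configure-then-teardown cycle. Returns the highest free count seen for
 * any block: 1 = clean, 2 = double free; -1 if building the default failed. */
static int run_cycle(const char *spec, int checked) {
    tls_ctx ctx;
    reset_tracking();
    if (ctx_new_default(&ctx) < 0) return -1;
    int rc = checked ? ctx_set_ciphersuite_checked(&ctx, spec)
                     : ctx_set_ciphersuite_unchecked(&ctx, spec);
    if (rc < 0) printf("%s: rejected (rc=%d), default cache kept\n", spec, rc);
    ctx_destroy(&ctx);
    return max_frees();
}

int main(void) {
    const char *specs[] = { "SECURE256", "NOT-A-REAL-PRIORITY" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        int unchecked = run_cycle(specs[i], 0);
        int checked = run_cycle(specs[i], 1);
        printf("%-20s unchecked frees=%d checked frees=%d\n", specs[i], unchecked, checked);
    }
    return 0;
}
```

Against real GnuTLS the same check reads `rc = gnutls_priority_init(&prio, spec, &err_pos); if (rc < 0) { ... }`, with gnutls_strerror(rc) giving the reason and err_pos pointing into spec at the token GnuTLS rejected; that is the diagnostic to surface when a configured cipher suite string is refused, rather than carrying on with a context that was never built.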
CVE References
Changed in openldap (Debian): status: Unknown → Confirmed
Changed in openldap (Debian): status: Confirmed → Fix Released
Changed in openldap (Ubuntu Precise): status: New → In Progress
Changed in openldap (Ubuntu Trusty): status: New → In Progress
Changed in openldap (Ubuntu Precise): assignee: nobody → Oleg Strikov (strikov)
Changed in openldap (Ubuntu Trusty): assignee: nobody → Oleg Strikov (strikov)
Changed in openldap (Ubuntu): status: Triaged → Fix Released
The attachment "Suggested patch to fix libldap crash with invalid GnuTLS cipher suite strings" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.
[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]