[SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openldap (Debian) | Fix Released | Unknown | | |
| openldap (Ubuntu) | | High | Felipe Reyes | |
| Precise | | High | Felipe Reyes | |
| Trusty | | Undecided | Felipe Reyes | |
| Utopic | | Undecided | Felipe Reyes | |
| Vivid | | Undecided | Felipe Reyes | |
Bug Description
[Impact]
* CVE-2012-1164:
- slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
- Trusty ships 2.4.31 which comes with a fix for this.
* CVE-2013-4449
- The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
- This bug affects all the series (precise, trusty, utopic, vivid and wily)
* CVE-2015-1545
- The deref_parseCtrl function in servers/
- This bug affects all the series (precise, trusty, utopic, vivid and wily)
[Regression Potential]
* This set of patches adds validations to avoid segfaults, so no regression is expected.
[Other Info]
* CVE-2012-1164:
- Upstream bug report http://
- http://
- Patches backported:
- http://
- http://
- http://
* CVE-2013-4449
- Upstream bug report http://
- Patches backported:
- http://
* CVE-2015-1545
- Upstream bug report http://
- Patches backported:
- http://
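The [Impact] section states which versions carry the fixes and which request shape (an attrsOnly search) triggered CVE-2012-1164. The script below is an added example, not part of this bug report or of the openldap package: it re-implements the Debian version ordering that `dpkg --compare-versions` applies, so a maintainer can check an installed slapd against the fixed version without dpkg present, and it runs a read-only `ldapsearch -A` (attrsOnly) against a local test server as the regression check after the update. Only the precise fixed version (2.4.28-1.1ubuntu4.5) appears in full on this page; the other series' versions are truncated here and must be supplied by the caller. The base DN and bind DN defaults are assumptions, since the ones in the test scenario in comment #11 are cut off on the page.

```python
"""Post-update verification for the slapd security fixes in this bug (added example)."""
import shutil
import subprocess

# Fixed version taken from the Launchpad Janitor comment for precise.
FIXED_VERSION_PRECISE = "2.4.28-1.1ubuntu4.5"


def _order(ch):
    """Sort weight of one character in a non-digit run, as dpkg defines it:
    '~' sorts before everything (even end of string); letters before symbols."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of an upstream-version or revision string: alternate
    non-digit runs (char by char) and digit runs (numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, matching dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_patched(installed, fixed=FIXED_VERSION_PRECISE):
    """True when the installed package is at or above the version carrying the fix."""
    return compare_versions(installed, fixed) >= 0


def installed_slapd_version():
    """Installed slapd version from dpkg-query, or None when unavailable."""
    if shutil.which("dpkg-query") is None:
        return None
    proc = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "slapd"],
                          capture_output=True, text=True)
    return proc.stdout.strip() or None


def attrs_only_search_ok(uri="ldap://localhost", base="dc=ldap,dc=example,dc=com",
                         binddn="cn=admin,dc=ldap,dc=example,dc=com", password="ubuntu"):
    """Read-only attrsOnly search (ldapsearch -A); True if the server answered.
    DN defaults are assumed values for the scenario in comment #11.
    Returns None when ldapsearch is not installed."""
    if shutil.which("ldapsearch") is None:
        return None
    proc = subprocess.run(["ldapsearch", "-x", "-H", uri, "-D", binddn, "-w", password,
                           "-b", base, "-A", "(objectClass=*)"],
                          capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    version = installed_slapd_version()
    print("installed slapd:", version)
    if version:
        print("at or above fixed precise version:", is_patched(version))
    print("attrsOnly search answered:", attrs_only_search_ok())
```

Run it on the updated host after installing the package; a server that answers the attrsOnly search and stays up is the expected result, and `is_patched` with the appropriate fixed version for the series tells you whether the installed build is the one from this SRU.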
| Changed in openldap (Ubuntu): | |
| assignee: | nobody → Felipe Reyes (freyes) |
| Changed in openldap (Debian): | |
| status: | Unknown → Fix Released |
| description: | updated |
| summary: | denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164) → [SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164) |
| description: | updated |
| tags: | removed: patch |
| Sebastien Bacher (seb128) wrote : | #3 |
Thanks, that seems fixed in the current series, so closing that part and accepting for precise. Since the issue has a CVE, replacing the sponsors by the security-team sponsors.
| Changed in openldap (Ubuntu): | |
| status: | New → Fix Released |
| importance: | Undecided → High |
| Changed in openldap (Ubuntu Precise): | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Felipe Reyes (freyes) wrote : | #4 |
Here I'm attaching a new version of the patch for precise that includes fixes for CVE-2012-1164, CVE-2013-4449 and CVE-2015-1545.
Pending to add patches to fix CVE-2013-4449 and CVE-2015-1545 in trusty, utopic, vivid and wily.
| description: | updated |
| Felipe Reyes (freyes) wrote : | #5 |
Patch for trusty to fix CVE-2013-4449 and CVE-2015-1545
| Felipe Reyes (freyes) wrote : | #6 |
Patch for utopic to fix CVE-2013-4449 and CVE-2015-1545
| Felipe Reyes (freyes) wrote : | #7 |
Patch for vivid to fix CVE-2013-4449 and CVE-2015-1545
| Ryan Tandy (rtandy) wrote : Re: [Bug 1446809] Re: [SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164) | #8 |
Hello,
On Tue, May 19, 2015 at 07:25:06PM -0000, Felipe Reyes wrote:
>Here I'm attaching a new version of the patch for precise that includes
>fixes for CVE-2012-1164, CVE-2013-4449 and CVE-2015-1545
The precise debdiff adds d/p/0001-
which is the same as CVE-2013-4449.patch but not used in d/p/series.
Thanks for working on these fixes.
| summary: | [SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164) → [SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545) |
| Felipe Reyes (freyes) wrote : | #9 |
On Tue, 19 May 2015 19:56:07 -0000
Ryan Tandy <email address hidden> wrote:
> The precise debdiff adds
> d/p/0001-
> CVE-2013-4449.patch but not used in d/p/series.
Right, my bad, a leftover of an import I dismissed. Do you want me to
reupload the patch?
Best,
--
Felipe Reyes
Software Sustaining Engineer @ Canonical
STS Engineering Team
# Email: <email address hidden> (GPG:0x9B1FFF39)
# Phone: +56 9 7640 7887
# Launchpad: ~freyes | IRC: freyes
| Marc Deslauriers (mdeslaur) wrote : | #10 |
ACK on the debdiffs, I've uploaded them for building. (I removed the extra patch, and changed the pocket to -security).
What testing did you perform on these?
| Felipe Reyes (freyes) wrote : | #11 |
Marc,
I tested these patches against two scenarios: 1) a single node with the default configuration and phpldapadmin, 2) a two-node scenario, where node 1 configures a relay and a translucent proxy and connects to the second node, which has a default configuration. For the details of each configuration, please see the end of this message.
Is there any specific configuration that you would like me to test?
Best,
SCENARIO 1: a single-node setup running a default configuration and phpldapadmin.
#+BEGIN_SRC shell
sudo apt-get install -y slapd ldap-utils
sudo dpkg-reconfigure slapd
# Omit OpenLDAP server configuration? No
# DNS domain? ldap.example.com
# Organization name? example
# Administrator password? ubuntu
# Database backend to use? HDB
# Remove the database when slapd is purged? No
# Move old database? Yes
# Allow LDAPv2 protocol? No
sudo apt-get install -y phpldapadmin
sudo sed -i s/127.0.
sudo sed -i s/dc=example,
sudo service apache2 restart
cat <<EOF > /tmp/foo.ldif
dn: ou=People,
ou: People
description: All people
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,
ou: Group
description: All groups
objectClass: top
objectClass: organizationalUnit

dn: uid=user1,
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}
shadowLastChange: 15192
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/user1

dn: cn=user1,
objectClass: posixGroup
objectClass: top
cn: user1
userPassword: {crypt}x
gidNumber: 1001
EOF
ldapadd -x -w ubuntu -D "cn=admin,
ldapsearch -x -w ubuntu -D "cn=admin,
sensible-browser http://
# login and check entries created with phpldapadmin
#+END_SRC
SCENARIO 2: a two-node setup, where one of the nodes configures a relay and a translucent proxy.
node 1 config:
#+BEGIN_SRC shell
echo 10.0.3.240 ldap.example.com | sudo tee -a /etc/hosts # IP of node number 2
sudo apt-get install -y slapd ldap-utils
cat <<EOF > /etc/ldap/
pidfile /var/run/slapd.pid
TLSCACertificat
modulepath /usr/lib/ldap
moduleload back_hdb.la
moduleload back_relay.la
moduleload back_ldap.la
moduleload rwm.la
moduleload translucent.la
include /etc/ldap/
include /etc/ldap/
include /etc/ldap/
include /etc/ldap/
include /etc/ldap/
include /etc/ldap/
access to attrs=userPassword by * auth
access to * by * read
backend hdb
backend relay
database hdb
directory /var/lib/ldap
suffix "dc=foo,
rootdn "c...
| Launchpad Janitor (janitor) wrote : | #12 |
This bug was fixed in the package openldap - 2.4.31-
---------------
openldap (2.4.31-
* SECURITY UPDATE: fix rwm overlay reference counting. (LP: #1446809)
- debian/
- CVE-2013-4449
* SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
- debian/
- CVE-2015-1545
-- Felipe Reyes <email address hidden> Tue, 19 May 2015 12:59:29 -0300
| Changed in openldap (Ubuntu Utopic): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package openldap - 2.4.31-
---------------
openldap (2.4.31-
* SECURITY UPDATE: fix rwm overlay reference counting. (LP: #1446809)
- debian/
- CVE-2013-4449
* SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
- debian/
- CVE-2015-1545
-- Felipe Reyes <email address hidden> Tue, 19 May 2015 12:58:25 -0300
| Changed in openldap (Ubuntu Vivid): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #14 |
This bug was fixed in the package openldap - 2.4.28-1.1ubuntu4.5
---------------
openldap (2.4.28-
* SECURITY UPDATE: denial of service via an LDAP search query
with attrsOnly set to true. (LP: #1446809)
- debian/
normalized attr values
- debian/
current patch is not ideal
- debian/
present (attrsOnly = TRUE)
- CVE-2012-1164
* SECURITY UPDATE: fix rwm overlay reference counting
- debian/
- CVE-2013-4449
* SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
- debian/
- CVE-2015-1545
-- Felipe Reyes <email address hidden> Tue, 19 May 2015 11:53:17 -0300
| Changed in openldap (Ubuntu Precise): | |
| status: | Triaged → Fix Released |
| Launchpad Janitor (janitor) wrote : | #15 |
This bug was fixed in the package openldap - 2.4.31-
---------------
openldap (2.4.31-
* SECURITY UPDATE: fix rwm overlay reference counting. (LP: #1446809)
- debian/
- CVE-2013-4449
* SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
- debian/
- CVE-2015-1545
-- Felipe Reyes <email address hidden> Tue, 19 May 2015 13:00:21 -0300
| Changed in openldap (Ubuntu Trusty): | |
| status: | New → Fix Released |
| Changed in openldap (Ubuntu Precise): | |
| assignee: | nobody → Felipe Reyes (freyes) |
| Changed in openldap (Ubuntu Trusty): | |
| assignee: | nobody → Felipe Reyes (freyes) |
| Changed in openldap (Ubuntu Utopic): | |
| assignee: | nobody → Felipe Reyes (freyes) |
| Changed in openldap (Ubuntu Vivid): | |
| assignee: | nobody → Felipe Reyes (freyes) |
The attachment "lp1446809_precise.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]