off-by-one in LDIF length

Bug #1461276 reported by Kartik Subbarao on 2015-06-02
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)

Bug Description

Would it be possible to include the patch for ITS#8003 in the next build of the 2.4.40 package?;a=patch;h=c8353f7acdec4a42f537b0d475aaae005ba72363

It fixes a bug that causes slapd to crash when the audit log is enabled and a large base64-encoded attribute is printed.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Which upstream releases are affected, please? Is it just 2.4.40, and thus just Wily? Or are 2.4.28 and/or 2.4.31 affected as well?

summary: - Requesting ITS#8003 inclusion in 2.4.40 package
+ off-by-one in LDIF length
Changed in openldap (Ubuntu):
importance: Undecided → High
Kartik Subbarao (subbarao) wrote :

I have run both 2.4.31 and 2.4.40 for a few days, and have only experienced this type of slapd crash with 2.4.40. That by itself isn't conclusive though, since memory corruption errors can be sensitive in how they manifest. Looking at the code briefly, I see that the same off-by-one error in include/ldif.h is present in the 2.4.31 code (as well as 2.4.28), so the potential for the bug to be expressed is likely there in the earlier versions as well. I hedge with "likely" because it seems that there have been many changes made to this part of the code recently, and I've seen that just reading it briefly can be misleading when drawing firm conclusions.

The most conservative approach would be just to patch 2.4.40 for now, unless/until people report this bug in earlier versions. A more aggressive approach would be to patch 2.4.31 and 2.4.28 and wait for people to report other things breaking in the earlier versions.

As an aside -- I'm actually building/running the 2.4.40 package on 14.04, not on Wily -- and I have verified that adding the patch to the package build fixes the bug.

Kartik Subbarao (subbarao) wrote :

Any response on this?

Kartik Subbarao (subbarao) wrote :

This bug can be closed out now in favor of just building a new package for 2.4.41, since that release is now available and includes the fix:

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.41+dfsg-1ubuntu1

openldap (2.4.41+dfsg-1ubuntu1) wily; urgency=medium

  * Merge from Debian testing (LP: #1471831). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Dropped changes:
    - Fix cpp calls for GCC 5: fixed upstream (ITS#8056)
  * Upstream fixes:
    - slapd crash with auditlog overlay and large (~27KB) attribute values
      (ITS#8003) (LP: #1461276)
    - nssov updated to support recent nss-pam-ldapd client libraries
      (ITS#8097) (LP: #1393306)
  * Update d/patches/nssov-build for upstream changes.
  * Tweak d/patches/gssapi.diff to apply without fuzz.
  * d/libldap-2.4-2.symbols: Add symbols not present in Debian.
    - CLDAP (UDP) was added in 2.4.17-1ubuntu2
    - GSSAPI support was enabled in 2.4.18-0ubuntu2

 -- Ryan Tandy <email address hidden> Fri, 24 Jul 2015 14:12:06 -0700

Changed in openldap (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers