2016-06-16 18:41:54 |
Eric Desrochers |
bug |
|
|
added bug |
2016-06-16 19:21:16 |
Eric Desrochers |
openldap (Ubuntu): importance |
Undecided |
Medium |
|
2016-06-17 03:22:18 |
Eric Desrochers |
openldap (Ubuntu): assignee |
|
Eric Desrochers (slashd) |
|
2016-06-17 13:10:45 |
Robie Basak |
nominated for series |
|
Ubuntu Trusty |
|
2016-06-17 13:10:45 |
Robie Basak |
bug task added |
|
openldap (Ubuntu Trusty) |
|
2016-06-17 13:13:02 |
Eric Desrochers |
openldap (Ubuntu Trusty): assignee |
|
Eric Desrochers (slashd) |
|
2016-06-17 13:13:15 |
Eric Desrochers |
tags |
|
sts |
|
2016-06-17 13:16:13 |
Eric Desrochers |
openldap (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2016-06-17 13:29:26 |
Eric Desrochers |
openldap (Ubuntu): status |
New |
Fix Released |
|
2016-06-20 10:28:08 |
Amad Ali |
bug |
|
|
added subscriber Amad Ali |
2016-06-20 15:05:55 |
Eric Desrochers |
description |
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, ber=<optimized out>, filt=filt@entry=0x7f672c000af0, text=text@entry=0x7f6741e0f980)
at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 |
[Impact]
The effect of the bug on users is that the program (slapd) terminated with signal SIGSEGV, Segmentation fault when ldapsearch tries to query using multiple language tags.
GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...
In frame #1 the 'tags' struct is corrupt.
Line #272 checks for duplication and jumps to the done label (line #294) when a duplicate is found. The code increases 'ntags' without filling in the tags struct with values. In later iterations this could lead to copying and using uninitialised memory.
[Test Case]
One way to reproduce the issue :
$ ldapsearch -D "cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>" -x -W -b "dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>" "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"
Explanation :
Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-x
Use simple authentication instead of SASL.
-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
[Regression Potential]
The patch is already in place in Debian & Wily and later Ubuntu release versions.
[Other Info]
Upstream OpenLDAP Bug :
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
Upstream OpenLDAP Commit :
af8f1e0 ITS#7941 fix for repeated tags
Upstream OpenLDAP Commit Web :
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
(The commit has been introduced first in upstream branch : OPENLDAP_REL_ENG_2_4_40~6)
[Original Description]
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, ber=<optimized out>, filt=filt@entry=0x7f672c000af0, text=text@entry=0x7f6741e0f980)
at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 |
|
2016-06-20 15:06:53 |
Eric Desrochers |
description |
[SRU JUSTIFICATION]
[Impact]
The effect of the bug on users is that the program (slapd) terminated with signal SIGSEGV, Segmentation fault when ldapsearch tries to query using multiple language tags.
GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...
In frame #1 the 'tags' struct is corrupt.
Line #272 checks for duplication and jumps to the done label (line #294) when a duplicate is found. The code increases 'ntags' without filling in the tags struct with values. In later iterations this could lead to copying and using uninitialised memory.
[Test Case]
One way to reproduce the issue :
$ ldapsearch -D "cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>" -x -W -b "dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>" "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"
Explanation :
Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-x
Use simple authentication instead of SASL.
-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
[Regression Potential]
The patch is already in place in Debian & Wily and later Ubuntu release versions.
[Other Info]
Upstream OpenLDAP Bug :
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
Upstream OpenLDAP Commit :
af8f1e0 ITS#7941 fix for repeated tags
Upstream OpenLDAP Commit Web :
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
(The commit has been introduced first in upstream branch : OPENLDAP_REL_ENG_2_4_40~6)
[Original Description]
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, ber=<optimized out>, filt=filt@entry=0x7f672c000af0, text=text@entry=0x7f6741e0f980)
at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 |
|
2016-06-20 18:52:06 |
Eric Desrochers |
attachment added |
|
lp1593378_trusty.debdiff https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+attachment/4687422/+files/lp1593378_trusty.debdiff |
|
2016-06-20 18:52:41 |
Eric Desrochers |
bug |
|
|
added subscriber SRU Verification |
2016-06-20 18:55:21 |
Eric Desrochers |
openldap (Ubuntu Trusty): status |
New |
In Progress |
|
2016-06-20 18:59:50 |
Eric Desrochers |
tags |
sts |
sts ubuntu-sponsors |
|
2016-06-20 19:01:53 |
Eric Desrochers |
tags |
sts ubuntu-sponsors |
patch sts sts-sponsor sts-sru ubuntu-sponsors |
|
2016-06-20 19:02:32 |
Eric Desrochers |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2016-06-21 13:59:35 |
Eric Desrochers |
description |
[SRU JUSTIFICATION]
[Impact]
The effect of the bug on users is that the program (slapd) terminated with signal SIGSEGV, Segmentation fault when ldapsearch tries to query using multiple language tags.
GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...
In frame #1 the 'tags' struct is corrupt.
Line #272 checks for duplication and jumps to the done label (line #294) when a duplicate is found. The code increases 'ntags' without filling in the tags struct with values. In later iterations this could lead to copying and using uninitialised memory.
[Test Case]
One way to reproduce the issue :
$ ldapsearch -D "cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>" -x -W -b "dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>" "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"
Explanation :
Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-x
Use simple authentication instead of SASL.
-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
[Regression Potential]
The patch is already in place in Debian & Wily and later Ubuntu release versions.
A hotfix has been tested by the user that originally reported the issue.
The hotfix solves the issue.
[Other Info]
Upstream OpenLDAP Bug :
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
Upstream OpenLDAP Commit :
af8f1e0 ITS#7941 fix for repeated tags
Upstream OpenLDAP Commit Web :
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
(The commit has been introduced first in upstream branch : OPENLDAP_REL_ENG_2_4_40~6)
[Original Description]
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, ber=<optimized out>, filt=filt@entry=0x7f672c000af0, text=text@entry=0x7f6741e0f980)
at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 |
|
2016-06-24 15:33:42 |
Martin Pitt |
openldap (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2016-06-24 15:33:44 |
Martin Pitt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-06-24 15:33:52 |
Martin Pitt |
tags |
patch sts sts-sponsor sts-sru ubuntu-sponsors |
patch sts sts-sponsor sts-sru ubuntu-sponsors verification-needed |
|
2016-06-24 20:22:12 |
Eric Desrochers |
tags |
patch sts sts-sponsor sts-sru ubuntu-sponsors verification-needed |
patch sts sts-sru ubuntu-sponsors verification-needed |
|
2016-06-27 13:03:56 |
Robie Basak |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2016-06-30 19:31:35 |
Eric Desrochers |
tags |
patch sts sts-sru ubuntu-sponsors verification-needed |
patch sts sts-sru ubuntu-sponsors verification-done |
|
2016-07-06 06:17:32 |
Launchpad Janitor |
openldap (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2016-07-06 06:17:37 |
Martin Pitt |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2016-11-09 12:22:35 |
Louis Bouchard |
tags |
patch sts sts-sru ubuntu-sponsors verification-done |
patch sts ubuntu-sponsors verification-done |
|
2017-05-22 23:50:37 |
amer lbunni |
bug |
|
|
added subscriber amer lbunni |
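
The [Impact] text in the description above attributes the crash to a counter ('ntags') that is increased for a repeated tag although no slot in the 'tags' array is written. The following is an added example, not OpenLDAP's code and not part of the bug report: a simplified model of a sorted, duplicate-free option list that shows the counter drifting away from the number of initialised slots, next to the corrected behaviour. All names (`collect_tags`, `counter_drift`, `MAX_TAGS`, the input strings) are hypothetical, and rejecting empty options is a choice of this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_TAGS 32                 /* assumption: illustrative capacity */

struct tag { const char *val; size_t len; };   /* stand-in for one 'tags' entry */

struct tag_result {
    int ntags;    /* counter later code trusts as "number of valid entries" */
    int filled;   /* slots that were actually written */
};

/* Case-insensitive ordering of a length-delimited option against a stored tag. */
static int tag_cmp(const char *a, size_t alen, const struct tag *b)
{
    size_t n = alen < b->len ? alen : b->len;
    int rc = strncasecmp(a, b->val, n);
    if (rc != 0) return rc;
    return (alen > b->len) - (alen < b->len);
}

/* Collect the ';'-separated options of an attribute description into a
 * sorted list without duplicates. With count_duplicates != 0 the counter is
 * bumped for a repeated option even though nothing is stored, which is the
 * flaw the description reports. Returns 0 on success, -1 on bad input. */
static int collect_tags(const char *desc, int count_duplicates,
                        struct tag *tags, struct tag_result *res)
{
    const char *opt = strchr(desc, ';');
    res->ntags = 0;
    res->filled = 0;

    while (opt != NULL) {
        opt++;                                          /* step over ';' */
        const char *next = strchr(opt, ';');
        size_t optlen = next ? (size_t)(next - opt) : strlen(opt);
        int i, dup = 0;

        if (optlen == 0) return -1;                     /* model: reject empty option */

        /* Only slots known to be initialised are ever compared here. */
        for (i = 0; i < res->filled; i++) {
            int rc = tag_cmp(opt, optlen, &tags[i]);
            if (rc == 0) { dup = 1; break; }
            if (rc < 0) break;                          /* insert before tags[i] */
        }

        if (dup) {
            if (count_duplicates) res->ntags++;         /* flaw: no slot written */
        } else {
            if (res->filled >= MAX_TAGS) return -1;     /* never write past the array */
            memmove(&tags[i + 1], &tags[i],
                    (size_t)(res->filled - i) * sizeof *tags);
            tags[i].val = opt;
            tags[i].len = optlen;
            res->filled++;
            res->ntags++;
        }
        opt = next;
    }
    return 0;
}

/* Entries the counter claims exist but that were never initialised (-1 on error). */
int counter_drift(const char *desc, int count_duplicates)
{
    struct tag tags[MAX_TAGS];
    struct tag_result res;
    if (collect_tags(desc, count_duplicates, tags, &res) != 0) return -1;
    return res.ntags - res.filled;
}

/* Number of distinct options stored by the corrected logic (-1 on error). */
int unique_tag_count(const char *desc)
{
    struct tag tags[MAX_TAGS];
    struct tag_result res;
    if (collect_tags(desc, 0, tags, &res) != 0) return -1;
    return res.filled;
}

int main(void)
{
    const char *desc = "cn;lang-de;lang-en;lang-de;lang-en;lang-de"; /* constructed input */
    printf("flawed counter drift: %d\n", counter_drift(desc, 1));
    printf("fixed counter drift:  %d\n", counter_drift(desc, 0));
    printf("distinct tags:        %d\n", unique_tag_count(desc));
    return 0;
}
```

Any non-zero drift means later code that loops up to the counter would read entries that were never initialised; an assertion that the two values are equal is a cheap regression check for this class of bug.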