OpenLDAP "UTF8StringNormalize()" Off-by-One Denial of Service Vulnerability

Bug #884163 reported by Tibor Pittich on 2011-10-31
Affects            Importance  Assigned to
openldap (Ubuntu)  Medium      Jamie Strandboge
Hardy              Medium      Unassigned
Lucid              Medium      Jamie Strandboge
Maverick           Medium      Jamie Strandboge
Natty              Medium      Jamie Strandboge
Oneiric            Medium      Jamie Strandboge
Precise            Medium      Jamie Strandboge

Bug Description

The vulnerability is caused by an off-by-one error in the "UTF8StringNormalize()" function when NULL terminating a string. This can be exploited to crash the daemon via e.g. an empty "postalAddressAttribute" value.

The fix has been in the Git repository since 6.Oct.2011 - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=507238713b71208ec4f262f312cb495a302df9e9
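
The bug class named in the description, modelled as an added illustration: this is not OpenLDAP's code or the upstream patch. It assumes the off-by-one is a buffer sized for the value's bytes with no slot for the terminator; the space-collapsing normalizer and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Collapse runs of spaces and trim both ends, writing into dst (capacity cap).
 * Every write, including the terminator, is bounds-checked.
 * Returns the normalized length, or -1 if a write would fall outside dst. */
static long normalize_checked(char *dst, size_t cap, const char *src, size_t len)
{
    size_t out = 0;
    int pending_space = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == ' ') {
            pending_space = (out > 0);    /* leading spaces are dropped */
            continue;
        }
        if (pending_space) {              /* emit one space between words */
            if (out >= cap) return -1;
            dst[out++] = ' ';
            pending_space = 0;
        }
        if (out >= cap) return -1;
        dst[out++] = src[i];
    }
    if (out >= cap) return -1;            /* the terminator needs index `out` */
    dst[out] = '\0';
    return (long)out;
}

/* Sizing with the off-by-one: room for the bytes, none for the terminator. */
static size_t cap_without_terminator(size_t len) { return len; }
/* Corrected sizing: one extra byte, so a zero-length value still gets a slot. */
static size_t cap_with_terminator(size_t len) { return len + 1; }

/* Size a buffer with the given rule and normalize into it.
 * Returns the length, -1 on an out-of-bounds write, -2 on allocation failure. */
static long normalize_with(size_t (*sizing)(size_t), const char *src, size_t len)
{
    size_t cap = sizing(len);
    char *buf = malloc(cap ? cap : 1);    /* cap is the logical limit enforced */
    if (!buf) return -2;
    long n = normalize_checked(buf, cap, src, len);
    free(buf);
    return n;
}
```

With the short sizing, inputs that shrink during normalization still fit, which is how such a bug can stay latent until a zero-length value arrives.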

visibility: private → public
Changed in openldap (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in openldap (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in openldap (Ubuntu):
status: Confirmed → In Progress
Changed in openldap (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in openldap (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in openldap (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in openldap (Ubuntu Oneiric):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in openldap (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Hardy's openldap2.3 does not have postalAddressValidate(), which is the only known function to pass UTF8StringNormalize() a 0 length string.

Changed in openldap (Ubuntu Hardy):
assignee: Jamie Strandboge (jdstrand) → nobody
status: In Progress → Invalid
Changed in openldap (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in openldap (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in openldap (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in openldap (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in openldap (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.25-3ubuntu2

---------------
openldap (2.4.25-3ubuntu2) precise; urgency=low

  * SECURITY UPDATE: potential denial of service (LP: #884163)
    - debian/patches/CVE-2011-4079: fix off by one error in
      postalAddressNormalize()
    - CVE-2011-4079
 -- Jamie Strandboge <email address hidden> Mon, 14 Nov 2011 13:59:56 -0600

Changed in openldap (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.25-1.1ubuntu4.1

---------------
openldap (2.4.25-1.1ubuntu4.1) oneiric-security; urgency=low

  * SECURITY UPDATE: potential denial of service (LP: #884163)
    - debian/patches/CVE-2011-4079: fix off by one error in
      postalAddressNormalize()
    - CVE-2011-4079
 -- Jamie Strandboge <email address hidden> Mon, 14 Nov 2011 13:22:54 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.23-6ubuntu6.1

---------------
openldap (2.4.23-6ubuntu6.1) natty-security; urgency=low

  * SECURITY UPDATE: potential denial of service (LP: #884163)
    - debian/patches/CVE-2011-4079: fix off by one error in
      postalAddressNormalize()
    - CVE-2011-4079
 -- Jamie Strandboge <email address hidden> Mon, 14 Nov 2011 13:29:39 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.23-0ubuntu3.7

---------------
openldap (2.4.23-0ubuntu3.7) maverick-security; urgency=low

  * SECURITY UPDATE: potential denial of service (LP: #884163)
    - debian/patches/CVE-2011-4079: fix off by one error in
      postalAddressNormalize()
    - CVE-2011-4079
 -- Jamie Strandboge <email address hidden> Mon, 14 Nov 2011 13:30:50 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.21-0ubuntu5.6

---------------
openldap (2.4.21-0ubuntu5.6) lucid-security; urgency=low

  * SECURITY UPDATE: potential denial of service (LP: #884163)
    - debian/patches/CVE-2011-4079: fix off by one error in
      postalAddressNormalize()
    - CVE-2011-4079
 -- Jamie Strandboge <email address hidden> Mon, 14 Nov 2011 13:32:11 -0600

Changed in openldap (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in openldap (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in openldap (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in openldap (Ubuntu Oneiric):
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.