CVE-2017-9287: #863563 - openldap: CVE-2017-9287: double free with Paged Results control and pagesize 0

servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.


Reported by: Ryan Tandy [email protected]

Date: Sun, 28 May 2017 16:51:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions openldap/2.4.31-2+deb7u2, openldap/2.4.31-1, openldap/2.4.44+dfsg-4, openldap/2.4.40+dfsg-1, openldap/2.4.31-2, openldap/2.4.40+dfsg-1+deb8u2

Fixed in versions openldap/2.4.44+dfsg-5, openldap/2.4.40+dfsg-1+deb8u3

Done: Ryan Tandy [email protected]

Bug is archived. No further changes may be made.

Forwarded to http://www.openldap.org/its/?findid=8655

Report forwarded to [email protected], Debian OpenLDAP Maintainers [email protected]:
Bug#863563; Package slapd. (Sun, 28 May 2017 16:51:04 GMT)

Acknowledgement sent to Ryan Tandy [email protected]:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers [email protected]. (Sun, 28 May 2017 16:51:04 GMT)

Message #5 received at [email protected]:

Package: slapd
Version: 2.4.44+dfsg-4
Severity: important
Tags: security fixed-upstream
Control: forwarded -1 http://www.openldap.org/its/?findid=8655
Control: found -1 2.4.40+dfsg-1+deb8u2
Control: found -1 2.4.31-2+deb7u2

Karsten Heymann discovered that a user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0. Opening a bug for tracking in Debian now that the ITS is public.

Marked as found in versions openldap/2.4.40+dfsg-1+deb8u2. Request was from Ryan Tandy [email protected] to [email protected]. (Sun, 28 May 2017 16:51:04 GMT)

Marked as found in versions openldap/2.4.31-2+deb7u2. Request was from Ryan Tandy [email protected] to [email protected]. (Sun, 28 May 2017 16:51:05 GMT)

Added tag(s) pending. Request was from Ryan Tandy [email protected] to [email protected]. (Sun, 28 May 2017 18:15:02 GMT)

Reply sent to Ryan Tandy [email protected]:
You have taken responsibility. (Sun, 28 May 2017 21:07:34 GMT)

Notification sent to Ryan Tandy [email protected]:
Bug acknowledged by developer. (Sun, 28 May 2017 21:07:34 GMT)

Message #18 received at [email protected]:

Source: openldap
Source-Version: 2.4.44+dfsg-5

We believe that the bug you reported is fixed in the latest version of openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy [email protected] (supplier of updated openldap package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sun, 28 May 2017 09:59:46 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-common libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.44+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers [email protected]
Changed-By: Ryan Tandy [email protected]
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap-common - OpenLDAP common files for libraries
 libldap2-dev - OpenLDAP development libraries
 slapd - OpenLDAP server (slapd)
 slapd-dbg - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 770890 863563
Changes:
 openldap (2.4.44+dfsg-5) unstable; urgency=medium
 .
   * debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an intermittently failing test by waiting for slapd to start before running tests. (ITS#8644) (Closes: #770890)
   * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free in the MDB backend on a search including the Paged Results control with a page size of 0. (ITS#8655) (Closes: #863563)

Added tag(s) upstream. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 29 May 2017 04:15:02 GMT)

Marked as found in versions openldap/2.4.40+dfsg-1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 29 May 2017 04:15:05 GMT)

Marked as found in versions openldap/2.4.31-2. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 29 May 2017 04:15:07 GMT)

Marked as found in versions openldap/2.4.31-1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 29 May 2017 08:15:05 GMT)

Changed Bug title to 'openldap: CVE-2017-9287: double free with Paged Results control and pagesize 0' from 'double free with Paged Results control and pagesize 0'. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 29 May 2017 17:03:05 GMT)

Reply sent to Ryan Tandy [email protected]:
You have taken responsibility. (Sun, 11 Jun 2017 21:03:12 GMT)

Notification sent to Ryan Tandy [email protected]:
Bug acknowledged by developer. (Sun, 11 Jun 2017 21:03:12 GMT)

Message #33 received at [email protected]:

Source: openldap
Source-Version: 2.4.40+dfsg-1+deb8u3

We believe that the bug you reported is fixed in the latest version of openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy [email protected] (supplier of updated openldap package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sun, 28 May 2017 16:08:03 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.40+dfsg-1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian OpenLDAP Maintainers [email protected]
Changed-By: Ryan Tandy [email protected]
Closes: 863563
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd - OpenLDAP server (slapd)
 slapd-dbg - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Changes:
 openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high
 .
   * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free in the MDB backend on a search including the Paged Results control with a page size of 0. (ITS#8655) (CVE-2017-9287) (Closes: #863563)

Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Mon, 10 Jul 2017 07:25:27 GMT)

Debian bug tracking system administrator <[email protected]>. Last modified: Mon Jun 13 19:38:11 2022; Machine Name: bembo
