Bug 1202470 (CVE-2022-2850)

Summary: VUL-0: CVE-2022-2850: 389-ds: SIGSEGV in sync_repl
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/339954/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-2850:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2022-08-17 07:30:23 UTC 
rh#2118691

Description of problem:
Previously: https://bugzilla.redhat.com/show_bug.cgi?id=1952907

This issue is not fixed completely and can be triggered by supplying a malformed cookie, for example -E sync=rp/foo

Thread 14 "ns-slapd" received signal SIGSEGV, Segmentation fault.
0x00007f7802ba38d6 in __strcmp_evex () from target:/lib64/libc.so.6
(gdb) bt
#0  0x00007f7802ba38d6 in __strcmp_evex () at target:/lib64/libc.so.6
#1  0x00007f77fe926e9f in sync_cookie_isvalid (refcookie=0x7f77febfaba0, testcookie=0x7f77febfab80)
    at ldap/servers/plugins/sync/sync_util.c:796
#2  sync_cookie_isvalid (testcookie=0x7f77febfab80, refcookie=0x7f77febfaba0) at ldap/servers/plugins/sync/sync_util.c:789
#3  0x00007f77fe92aa7d in sync_srch_refresh_pre_search (pb=0x7f77feb9fd00) at ldap/servers/plugins/sync/sync_refresh.c:135
#4  0x00007f7802e297d9 in plugin_call_func
    (list=0x7f77fe9ed800, operation=operation@entry=403, pb=pb@entry=0x7f77feb9fd00, call_one=call_one@entry=0)
    at ldap/servers/slapd/plugin.c:2001
#5  0x00007f7802e299e6 in plugin_call_list (pb=0x7f77feb9fd00, operation=403, list=<optimized out>) at ldap/servers/slapd/plugin.c:1944
#6  plugin_call_plugins (pb=0x7f77feb9fd00, whichfunction=403) at ldap/servers/slapd/plugin.c:414
#7  0x00007f7802e222a9 in op_shared_search (pb=pb@entry=0x7f77feb9fd00, send_result=send_result@entry=1) at ldap/servers/slapd/opshared.c:586
#8  0x0000556eb3f0db14 in do_search (pb=<optimized out>) at ldap/servers/slapd/search.c:388
#9  0x0000556eb3efcb7f in connection_dispatch_operation (pb=0x7f77feb9fd00, op=<optimized out>, conn=<optimized out>)
    at ldap/servers/slapd/connection.c:659
#10 connection_threadmain () at ldap/servers/slapd/connection.c:1785
#11 0x00007f780290ec34 in _pt_root () at target:/lib64/libnspr4.so
#12 0x00007f7802b75802 in start_thread () at target:/lib64/libc.so.6
#13 0x00007f7802b15450 in clone3 () at target:/lib64/libc.so.6


Automated reproducer: https://github.com/389ds/389-ds-base/blob/main/dirsrvtests/tests/tickets/ticket48013_test.py

Version-Release number of selected component (if applicable):
389-ds-base-2.0.x+ (earliest I was able to test was 2.0.5).

How reproducible:
Deterministically 

Steps to Reproduce:
1. https://github.com/389ds/389-ds-base/blob/main/dirsrvtests/tests/tickets/ticket48013_test.py

Actual results:
Server crashes

Expected results:
Should return an error that the cookie is invalid and not crash.

Additional info:
Upstream ticket: https://github.com/389ds/389-ds-base/issues/4711#issuecomment-1205100979

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2118691
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2850
Comment 1 William Brown 2022-08-23 02:08:34 UTC 
Only affects SP2, SP3 and SP4. Does not affect SP1.
Comment 4 Swamp Workflow Management 2022-09-05 19:25:02 UTC 
SUSE-SU-2022:3029-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1199908,1202470
CVE References: CVE-2022-2850
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    389-ds-1.4.4.19~git46.c900a28c8-150300.3.22.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    389-ds-1.4.4.19~git46.c900a28c8-150300.3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-09-16 10:20:28 UTC 
SUSE-SU-2022:3286-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1197998,1202470
CVE References: CVE-2022-2850
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    389-ds-2.0.16~git20.219f047ae-150400.3.10.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    389-ds-2.0.16~git20.219f047ae-150400.3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.