Bugzilla – Bug 916914
VUL-0: CVE-2015-1546: openldap2: slapd crash in valueReturnFilter cleanup
Last modified: 2017-06-07 10:02:29 UTC
rh#1190644
Certain queries cause slapd to crash while freeing operation controls.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1190644
http://www.openldap.org/its/?findid=8046
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1546
http://seclists.org/oss-sec/2015/q1/452
bugbot adjusting priority
the report http://www.openldap.org/its/?findid=8046
a reproducer ldapsearch -E 'mv=(cn={*)(sn=*)'
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-02-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60662
Cannot reproduce in SLES 11. Which product is affected?
The code in sle11 is wrong on visual inspection at least.

    void vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
    {
        ValuesReturnFilter *p, *next;

        if ( vrf == NULL ) {
            return;
        }

        for ( p = vrf; p != NULL; p = next ) {
            next = p->vrf_next;

            switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
            case LDAP_FILTER_PRESENT:

The loop never changes vrf, so the switch will always use the passed in vrf, which was actually already freed in the first loop iteration. So vrf needs to change with every loop, like the patch in http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a does. It can be taken 1:1, I think.
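The loop defect described in the comment above, as an added example that is not part of the bug report or of OpenLDAP's code: a toy model (struct node, struct stats, toy_free, read_choice and make_list are hypothetical names) in which freeing only sets a flag, so reads of already-freed list elements can be counted safely. The corrected variant is one equivalent form of the fix, not a copy of the upstream patch.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy stand-in for ValuesReturnFilter: only the fields the loop touches. */
struct node { int choice, freed; struct node *next; };
struct stats { int stale, wrong; };
/* Mark instead of releasing memory, so stale reads can be counted safely. */
static void toy_free(struct node *n) { n->freed = 1; }

/* Read the choice as the switch would, counting reads of freed nodes. */
static int read_choice(const struct node *n, struct stats *s) {
    if (n->freed) s->stale++;
    return n->choice;
}

/* Loop shape quoted in the comment: the switch inspects the list head. */
struct stats free_list_buggy(struct node *vrf) {
    struct stats s = {0, 0};
    struct node *p, *next;
    for (p = vrf; p != NULL; p = next) {
        next = p->next;
        if (read_choice(vrf, &s) != p->choice) s.wrong++; /* wrong cleanup path */
        toy_free(p);
    }
    return s;
}

/* Corrected shape: the switch inspects the element being freed. */
struct stats free_list_fixed(struct node *vrf) {
    struct stats s = {0, 0};
    struct node *p, *next;
    for (p = vrf; p != NULL; p = next) {
        next = p->next;
        if (read_choice(p, &s) != p->choice) s.wrong++;
        toy_free(p);
    }
    return s;
}

/* Constructed sample: three chained filters with choices 1, 2, 1. */
void make_list(struct node n[3]) {
    for (int i = 0; i < 3; i++)
        n[i] = (struct node){ (i == 1) ? 2 : 1, 0, (i < 2) ? &n[i + 1] : NULL };
}

int main(void) {
    struct node a[3], b[3];
    make_list(a); make_list(b);
    struct stats x = free_list_buggy(a), y = free_list_fixed(b);
    printf("buggy %d/%d fixed %d/%d (stale/wrong)\n", x.stale, x.wrong, y.stale, y.wrong);
}
```

With a single-element list both variants behave the same, because the head is read before it is freed; the stale reads only appear once a second filter item is chained.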
Patch is applied. Update submitted to SP3:Updates.
SUSE-SU-2015:0887-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 846389,905959,916897,916914
CVE References: CVE-2013-4449,CVE-2015-1545,CVE-2015-1546
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): openldap2-2.4.26-0.30.1, openldap2-client-2.4.26-0.30.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): openldap2-2.4.26-0.30.1, openldap2-client-2.4.26-0.30.1
SUSE Linux Enterprise Server 11 SP3 (src): openldap2-2.4.26-0.30.1, openldap2-client-2.4.26-0.30.1
SUSE Linux Enterprise Security Module 11 SP3 (src): openldap2-client-openssl1-2.4.26-0.30.2
SUSE Linux Enterprise Desktop 11 SP3 (src): openldap2-client-2.4.26-0.30.1
SUSE-SU-2015:1077-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 905959,916897,916914
CVE References: CVE-2015-1545,CVE-2015-1546
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): openldap2-2.4.39-15.1, openldap2-2.4.39-16.1, openldap2-client-2.4.39-15.1, openldap2-client-2.4.39-16.1
SUSE Linux Enterprise Server 12 (src): openldap2-2.4.39-15.1, openldap2-2.4.39-16.1, openldap2-client-2.4.39-15.1, openldap2-client-2.4.39-16.1
SUSE Linux Enterprise Module for Legacy Software 12 (src): openldap2-2.4.39-15.1, openldap2-2.4.39-16.1
SUSE Linux Enterprise Desktop 12 (src): openldap2-client-2.4.39-16.1
12 (src): openldap2-2.4.39-16.1
This is an autogenerated message for OBS integration: This bug (916914) was mentioned in https://build.opensuse.org/request/show/315869 13.2 / openldap2
Review open for 10 days, please review: https://build.opensuse.org/request/show/315869
Maintenance request in review for 13 days, can you please review: https://build.opensuse.org/request/show/315869 I believe Viktor did not submit this to the devel project. Can you please ensure the SLE patches are brought into Factory?
In the meantime I did it as for OpenSUSE 13.1...
This is an autogenerated message for OBS integration: This bug (916914) was mentioned in https://build.opensuse.org/request/show/318094 13.1 / openldap2
openSUSE-SU-2015:1325-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 905959,916897,916914
CVE References: CVE-2015-1545,CVE-2015-1546
Sources used:
openSUSE 13.2 (src): openldap2-2.4.39-8.5.1, openldap2-client-2.4.39-8.5.1
openSUSE 13.1 (src): openldap2-2.4.33-8.3.1, openldap2-client-2.4.33-8.3.1
The updates have been released.
This is an autogenerated message for OBS integration: This bug (916914) was mentioned in https://build.opensuse.org/request/show/501412 Factory / openldap2
This is an autogenerated message for OBS integration: This bug (916914) was mentioned in https://build.opensuse.org/request/show/501631 Factory / openldap2