Hello community, here is the log from the commit of package openldap2 checked in at Fri Nov 17 19:05:06 CET 2006. -------- --- openldap2/openldap2-client.changes 2006-11-15 17:51:28.000000000 +0100 +++ /mounts/work_src_done/STABLE/openldap2/openldap2-client.changes 2006-11-17 19:04:13.000000000 +0100 @@ -1,0 +2,8 @@ +Fri Nov 17 10:25:44 CET 2006 - rhafer@suse.de + +- Fix for a flaw in libldap's strval2strlen() function when processing the + authcid string of certain Bind Requests, which could allow attackers to + cause an affected application to crash (especially the OpenLDAP Server), + creating a denial of service condition (Bug#221154,ITS#4740) + +------------------------------------------------------------------- openldap2.changes: same change New: ---- libldap-sasl_bind-assert.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2-client.spec ++++++ --- /var/tmp/diff_new_pack.cFVNTd/_old 2006-11-17 19:04:52.000000000 +0100 +++ /var/tmp/diff_new_pack.cFVNTd/_new 2006-11-17 19:04:52.000000000 +0100 @@ -28,7 +28,7 @@ %endif Autoreqprov: on Version: 2.3.27 -Release: 21 +Release: 23 Source: openldap-%{version}.tar.bz2 Source1: openldap-rc.tgz Source2: openldap-admin-guide.tar.bz2 @@ -46,6 +46,7 @@ Patch8: libldap-manpages.dif Patch9: slapd_chain_return_error.dif Patch10: back-perl-init.dif +Patch11: libldap-sasl_bind-assert.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build Prefix: %{_prefix} @@ -128,6 +129,7 @@ %patch8 -p1 %patch9 -p1 %patch10 +%patch11 %build %{?suse_update_config:%{suse_update_config -f build}} 
@@ -346,6 +348,11 @@ %endif %changelog -n openldap2-client +* Fri Nov 17 2006 - rhafer@suse.de +- Fix for a flaw in libldap's strval2strlen() function when processing the + authcid string of certain Bind Requests, which could allow attackers to + cause an affected application to crash (especially the OpenLDAP Server), + creating a denial of service condition (Bug#221154,ITS#4740) * Tue Nov 14 2006 - rhafer@suse.de - Additional back-perl fixes from CVS. The first revision of the patch did not fix the problem completely (Bug#207618, ITS#4751) openldap2.spec: same change ++++++ libldap-sasl_bind-assert.dif ++++++ Full_Name: Howard Chu Version: all < 2.3.29 OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (76.168.84.21) Submitted by: hyc Apparently this bug was discovered by Evgeny Legerov but was not previously reported to anyone on the Project. The bug is now fixed in HEAD and RE23. Performing a SASL Bind with an authcid longer than 255 characters, with a space as the 255th character, will cause the length of the normalized name to be computed incorrectly, failing to take into account the escaping of the space character. (The SASL Bind code truncates all incoming names longer than 255 to exactly 255 characters.) This triggers an assert in libldap because the resulting string length doesn't match what we expected it to be. The fix is in libldap/getdn.c rev 1.134. The MITRE CVE record for this bug is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779 --- libraries/libldap/getdn.c 2006/10/28 02:47:58 1.133 +++ libraries/libldap/getdn.c 2006/11/08 22:57:02 1.134 @@ -2016,7 +2016,7 @@ strval2strlen( struct berval *val, unsigned flags, ber_len_t *len ) { ber_len_t l, cl = 1; - char *p; + char *p, *end; int escaped_byte_len = LDAP_DN_IS_PRETTY( flags ) ? 1 : 3; #ifdef PRETTY_ESCAPE int escaped_ascii_len = LDAP_DN_IS_PRETTY( flags ) ? 2 : 3; 
@@ -2030,7 +2030,8 @@ return( 0 ); } - for ( l = 0, p = val->bv_val; p < val->bv_val + val->bv_len; p += cl ) { + end = val->bv_val + val->bv_len - 1; + for ( l = 0, p = val->bv_val; p <= end; p += cl ) { /* * escape '%x00' @@ -2059,7 +2060,7 @@ } else if ( LDAP_DN_NEEDESCAPE( p[ 0 ] ) || LDAP_DN_SHOULDESCAPE( p[ 0 ] ) || ( p == val->bv_val && LDAP_DN_NEEDESCAPE_LEAD( p[ 0 ] ) ) - || ( !p[ 1 ] && LDAP_DN_NEEDESCAPE_TRAIL( p[ 0 ] ) ) ) { + || ( p == end && LDAP_DN_NEEDESCAPE_TRAIL( p[ 0 ] ) ) ) { #ifdef PRETTY_ESCAPE #if 0 if ( LDAP_DN_WILLESCAPE_HEX( flags, p[ 0 ] ) ) { ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
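Review bot: The new entry in openldap2-client.changes, and the matching %changelog entry in the spec, cites Bug#221154 and ITS#4740 but leaves out the CVE id, although the header text of libldap-sasl_bind-assert.dif names CVE-2006-5779. Adding that id to the changelog line would let anyone auditing the package find the fix by CVE without opening the patch file.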
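Review bot: In the %prep hunk of openldap2-client.spec, `%patch11` is applied with no strip level, while `%patch8` and `%patch9` just above it use `-p1`. The paths inside the new patch are `libraries/libldap/getdn.c`, so please confirm the default level matches that layout, or spell it out as `-p0` so the intent is visible next to the `-p1` entries.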
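Review bot: In the getdn.c loop hunk, `end = val->bv_val + val->bv_len - 1` points one byte before the buffer when `bv_len` is 0. The context shows a `return( 0 );` just before the loop, but the condition guarding it is outside the hunk; please confirm that the early return covers the empty-value case, or compute `end` only after checking `bv_len`.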
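Review bot: The last getdn.c hunk changes the trailing-character test to `p == end` only in strval2strlen(). The assert described in the ITS text fires when the computed length and the written string disagree, so the routine that writes the escaped value has to use the same end-of-value test instead of `!p[ 1 ]`; the patch does not show that code, and it is worth checking before relying on this fix alone. A regression test with a value truncated so that its last counted byte is a space would cover both sides.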
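The length mismatch described in the ITS text, as an added example that is not part of the original mail or of libldap: a simplified model of the trailing-space test before and after the patch, run on a length-counted value that is not NUL-terminated at its end. The `struct val` type, `ESC_LEN`, the escape set and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct berval: length-counted, not NUL-terminated. */
struct val { const char *bv_val; size_t bv_len; };

#define ESC_LEN 3 /* bytes per escaped character (the non-pretty value in the hunk) */

static int need_escape(char c) { return c != '\0' && strchr(",+\"\\<>;=", c) != NULL; }

/* Pre-patch test: inspects the byte after p, which is only meaningful
 * when a NUL happens to sit directly behind the counted value. */
size_t escaped_len_old(const struct val *v)
{
    size_t l = 0;
    const char *p;
    for (p = v->bv_val; p < v->bv_val + v->bv_len; p++) {
        int lead  = (p == v->bv_val) && (*p == ' ' || *p == '#');
        int trail = !p[1] && *p == ' ';
        l += (need_escape(*p) || lead || trail) ? ESC_LEN : 1;
    }
    return l;
}

/* Patched test: compares p with the last counted byte. */
size_t escaped_len_new(const struct val *v)
{
    size_t l = 0;
    const char *p, *end;
    if (v->bv_len == 0) return 0;           /* keep end inside the buffer */
    end = v->bv_val + v->bv_len - 1;
    for (p = v->bv_val; p <= end; p++) {
        int lead  = (p == v->bv_val) && (*p == ' ' || *p == '#');
        int trail = (p == end) && *p == ' ';
        l += (need_escape(*p) || lead || trail) ? ESC_LEN : 1;
    }
    return l;
}

/* Constructed input: "ab cd" counted as 3 bytes, so the last byte is a
 * space followed by 'c' rather than NUL, like a name cut at a fixed length. */
size_t demo_old(void) { struct val v = { "ab cd", 3 }; return escaped_len_old(&v); }
size_t demo_new(void) { struct val v = { "ab cd", 3 }; return escaped_len_new(&v); }

int main(void)
{
    printf("old=%zu new=%zu\n", demo_old(), demo_new());
    return 0;
}
```

The two functions agree whenever a NUL directly follows the counted bytes, which is why the defect only shows up on truncated values.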