Bug 846389 (CVE-2013-4449) - VUL-1: CVE-2013-4449: openldap2: segfault on certain queries with rwm overlay
Summary: VUL-1: CVE-2013-4449: openldap2: segfault on certain queries with rwm overlay
Status: RESOLVED FIXED
Alias: CVE-2013-4449
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Peter Varkoly
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/93213
Whiteboard: maint:released:sle11-sp1:61598
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-17 11:21 UTC by Victor Pereira
Modified: 2016-05-12 14:00 UTC (History)
10 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
0008-ITS-7723-fix-reference-counting.patch (912 bytes, patch)
2014-09-05 10:01 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2013-10-17 11:21:42 UTC 
OSS:11318

It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and immediately unbind from the server. 

This condition also seems to require multiple cores/CPUs to trigger.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1019490
http://comments.gmane.org/gmane.comp.security.oss.general/11318
http://www.openldap.org/its/index.cgi/Incoming?id=7723
Comment 1 Swamp Workflow Management 2013-10-17 22:00:16 UTC 
bugbot adjusting priority
Comment 2 Ralf Haferkamp 2013-10-18 07:38:21 UTC 
Upstream seems to be still working on a fix for this. At least there is nothing in git that addresses the issue yet.
Comment 3 Marcus Meissner 2013-11-21 14:04:17 UTC 
CVE-2013-4449
Comment 4 Ahmad Sadeghpour 2014-07-16 14:58:18 UTC 
>>> On 16.07.2014 at 16:32, "Kelley, Benjamin" <benjamin.kelley@emc.com> wrote:
> Hi Ahmad, I didn't find any information on this CVE online - is SLES11 SP3 
> vulnerable to CVE-2013-4449?
> 
> http://www.openldap.org/lists/openldap-bugs/201311/msg00010.html 
> 
> Thanks,
> -ben
Comment 5 Forgotten User 6PpIaANeoZ 2014-07-16 15:24:14 UTC 
Adding myself to CC list... Any ETA on a fix? Thank you!
Comment 8 Marcus Meissner 2014-09-05 10:01:32 UTC 
Created attachment 605162 [details]
0008-ITS-7723-fix-reference-counting.patch

patch in SLE12 openldap2 package.
Comment 9 Marcus Meissner 2014-09-05 10:03:13 UTC 
currently not planned for immediate release
Comment 13 Bernhard Wiedemann 2014-09-22 14:00:11 UTC 
This is an autogenerated message for OBS integration:
This bug (846389) was mentioned in
https://build.opensuse.org/request/show/250671 Factory / openldap2
Comment 14 Victor Pereira 2014-12-15 10:49:13 UTC 
released for SLE-12
Comment 17 Howard Guo 2015-04-09 09:22:23 UTC 
The identical patch has been submitted to SP3:Updates, the submission is now under review.
Comment 19 Swamp Workflow Management 2015-05-15 20:05:19 UTC 
SUSE-SU-2015:0887-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 846389,905959,916897,916914
CVE References: CVE-2013-4449,CVE-2015-1545,CVE-2015-1546
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openldap2-2.4.26-0.30.1, openldap2-client-2.4.26-0.30.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openldap2-2.4.26-0.30.1, openldap2-client-2.4.26-0.30.1
SUSE Linux Enterprise Server 11 SP3 (src):    openldap2-2.4.26-0.30.1, openldap2-client-2.4.26-0.30.1
SUSE Linux Enterprise Security Module 11 SP3 (src):    openldap2-client-openssl1-2.4.26-0.30.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    openldap2-client-2.4.26-0.30.1
Comment 20 Sebastian Krahmer 2015-05-18 08:46:24 UTC 
done