
touch-packages team mailing list archive

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings cause libldap to crash


rtandy, this is not specific to slapd, but affects all applications that
use libldap2 and gnutls. Instead of returning a failure at START_TLS,
the library just crashes at a double-free. This makes it difficult to
find the actual problem in services like sssd that crash due to this
bug, although the root cause is a simple configuration mistake. (gnutls
cipherspecs are notoriously complicated, and very easy to get wrong.
Crashing in such a case is, and should be considered, a serious bug.
There is nothing an application can do to mitigate this.)

Attached is a backported patch from 2.4.40 to current Debian/Ubuntu
source package. I applied this to 2.4.31-1+nmu2ubuntu8, added a dummy
changelog entry, and recompiled the package. The changes are localized
and safe, should apply cleanly to other versions too. The patched
library no longer crashes: this fixes the bug.

In other words, this is a trivial bug for the Debian/Ubuntu openldap
maintainers to fix, if they saw the bug as serious enough to fix.

** Patch added: "Debian/Ubuntu source package patch, backported from 2.4.40"
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+attachment/4349163/+files/openldap-2.4.31-gnutls-backport.patch

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1103353

Title:
  Invalid GnuTLS cipher suite strings cause libldap to crash

Status in openldap package in Ubuntu:
  Triaged
Status in openldap package in Debian:
  Fix Released

Bug description:
  If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
  crashes due to a double free. GnuTLS is extremely picky about the
  cipher suite strings it accepts; as a first measure, try LDAP cipher
  suite string "SECURE256" or "NORMAL". If that stops the crash, then
  you have encountered this bug.

  Typically, the crash report begins with something like

  *** glibc detected *** APPLICATION: double free or corruption (!prev)
  /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d]

  The actual double free happens in
  openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the
  ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path.

  The root cause of the double free is lack of GnuTLS return value
  checks when calling gnutls_priority*() functions. The code simply
  assumes they succeed, and when GnuTLS fails to provide a valid context
  due to those failures, ldap_int_tls_init_ctx() tries to free the
  never-fully-initialized context.

  A simple fix is to create GnuTLS security contexts using the
  configured cipher suite string, instead of "NORMAL" as
  openldap/libraries/libldap/tls_g.c now does. If the cipher suite
  string is invalid, then do not create the context at all. This is
  caught earlier in ldap_int_tls_init_ctx(), and avoids the crash.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions
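The root-cause analysis in the bug description comes down to two defensive patterns: check the return value of the priority-string initialiser instead of assuming it succeeded, and make the context destructor safe to call on a half-built context from more than one error path. The following C program is an added, self-contained model of those two patterns; it is not OpenLDAP or GnuTLS code. The names tls_ctx, tls_priority_init, tls_init_ctx, tls_ctx_free and tls_start are hypothetical stand-ins for the tls_g.c/tls2.c layers named in the report, and the accepted keyword and algorithm tokens are a constructed subset used only so the validator has something to reject.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the libldap/GnuTLS init pattern from the bug report.
 * None of these names are OpenLDAP or GnuTLS APIs. */

#define TLS_OK            0
#define TLS_ERR_PRIORITY  1   /* cipher suite string rejected */
#define TLS_ERR_ALLOC     2

typedef struct {
    char *priority;           /* stands in for gnutls_priority_t; NULL until set */
} tls_ctx;

/* Constructed subset of keywords and algorithm names the model accepts. */
static const char *const base_keywords[] = {"NORMAL", "SECURE128", "SECURE256", "PFS", NULL};
static const char *const algo_tokens[]   = {"AES-256-GCM", "AES-128-GCM", "SHA256",
                                            "VERS-TLS1.2", "RSA", "ECDHE-RSA", NULL};

static int in_list(const char *const *list, const char *tok) {
    for (; *list; list++)
        if (strcmp(*list, tok) == 0) return 1;
    return 0;
}

/* Validate KEYWORD[:(+|-|!)TOKEN]* without touching any context.
 * Returns 1 if acceptable, 0 otherwise. */
static int priority_string_valid(const char *spec) {
    if (!spec || !*spec) return 0;
    int first = 1;
    while (*spec) {
        const char *end = strchr(spec, ':');
        size_t n = end ? (size_t)(end - spec) : strlen(spec);
        char tok[64];
        if (n == 0 || n >= sizeof tok) return 0;          /* empty or oversized segment */
        memcpy(tok, spec, n);
        tok[n] = '\0';
        if (first) {
            if (!in_list(base_keywords, tok)) return 0;   /* must open with a keyword */
            first = 0;
        } else {
            if (tok[0] != '+' && tok[0] != '-' && tok[0] != '!') return 0;
            if (!in_list(algo_tokens, tok + 1)) return 0;  /* unknown algorithm name */
        }
        if (end && end[1] == '\0') return 0;              /* trailing ':' */
        spec = end ? end + 1 : spec + n;
    }
    return 1;
}

/* Stand-in for the priority initialiser: on a bad spec it fails cleanly and
 * leaves *out untouched, so the caller knows nothing was allocated. */
static int tls_priority_init(char **out, const char *spec) {
    if (!priority_string_valid(spec)) return TLS_ERR_PRIORITY;
    size_t n = strlen(spec) + 1;
    char *copy = malloc(n);
    if (!copy) return TLS_ERR_ALLOC;
    memcpy(copy, spec, n);
    *out = copy;
    return TLS_OK;
}

/* Idempotent destructor: safe on a half-built context and safe to call twice,
 * because it NULLs the caller's pointer. */
static void tls_ctx_free(tls_ctx **pctx) {
    if (!pctx || !*pctx) return;
    free((*pctx)->priority);       /* free(NULL) is a no-op */
    free(*pctx);
    *pctx = NULL;
}

/* The fix described in the report: build the context from the configured
 * spec, check the result, and hand back nothing on failure. */
static int tls_init_ctx(const char *spec, tls_ctx **out) {
    *out = NULL;
    tls_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return TLS_ERR_ALLOC;
    int rc = tls_priority_init(&ctx->priority, spec);
    if (rc != TLS_OK) {
        tls_ctx_free(&ctx);        /* releases only what was actually built */
        return rc;
    }
    *out = ctx;
    return TLS_OK;
}

/* Mirrors the outer caller's error path, which also frees the context. With
 * the NULL-on-failure contract this is a no-op instead of a double free. */
static int tls_start(const char *spec) {
    tls_ctx *ctx = NULL;
    int rc = tls_init_ctx(spec, &ctx);
    if (rc != TLS_OK) {
        tls_ctx_free(&ctx);        /* second release on the error path: harmless */
        return rc;
    }
    tls_ctx_free(&ctx);            /* normal teardown */
    return TLS_OK;
}

int main(void) {
    const char *specs[] = {"SECURE256", "NORMAL:+AES-256-GCM:-RSA", "NORMAL:+NOTACIPHER", ""};
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-28s -> rc=%d\n", specs[i], tls_start(specs[i]));
    return 0;
}
```

The two properties worth keeping when reading the real code are that the init layer reports a rejected cipher string as an error rather than a partially built context, and that the destructor can be reached from both layers' error paths without freeing the same memory twice; either one alone would have turned the crash in the report into a clean START_TLS failure.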

