touch-packages team mailing list archive

Thread
Date
[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jouko Orava <joorava@xxxxxx>
Date: Sat, 21 Mar 2015 00:20:58 -0000
Reply-to: Bug 1103353 <1103353@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Well, considering that Ubuntu openldap maintainers consider e.g. CVE-2013-4449
(denial-of-service, 2.4.31 to 2.4.36 are vulnerable) not important enough to patch
or update to a later openldap version, I expect there to be zero chance of this bug
to be patched either. It seems that if it does not hurt the maintainers' systems,
it's not worth fixing.

The current Ubuntu version I am using right now, 14.04 LTS, is certainly the last
Ubuntu version I will be using. I am still evaluating the alternatives, but
definitely all Debian jessie derivatives are straight out.

I won't be monitoring this bug anymore, either.

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-4449

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1103353

Title:
  Invalid GnuTLS cipher suite strings causes libldap to crash

Status in openldap package in Ubuntu:
  Triaged
Status in openldap package in Debian:
  Fix Released

Bug description:
  If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
  crashes due to a double free. GnuTLS is extremely picky about the
  cipher suite strings it accepts; as a first measure, try LDAP cipher
  suite string "SECURE256" or "NORMAL". If that stops the crash, then
  you have encountered this bug.

  Typically, the crash report begins with something like

  *** glibc detected *** APPLICATION: double free or corruption (!prev)
  /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d]

  The actual double free happens in
  openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the
  ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path.

  The root cause of the double free is lack of GnuTLS return value
  checks when calling gnutls_priority*() functions. The code simply
  assumes they succeed, and when GnuTLS fails to provide a valid context
  due to those failures, ldap_int_tls_init_ctx() tries to free the
  never-fully-initialized context.

  A simple fix is to create GnuTLS security contexts using the
  configured cipher suite string, instead of "NORMAL" as
  openldap/libraries/libldap/tls_g.c now does. If the cipher suite
  string is invalid, then do not create the context at all. This is
  caught earlier in ldap_int_tls_init_ctx(), and avoids the crash.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions