touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #68448
Re: [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causeslibldapto crash
On 04/07/2015 01:32 PM, Oleg Strikov wrote:
> Client may crash itself
> by passing incorrect cipher suite to the API. While that's sad, it
> doesn't crash slapd itself
To the contrary, it certainly does crash slapd itself. Anyone
upgrading will at some point silently switch from a slapd that used
openssl to gnutls --- without the package warning about nor updating the
apropos config string. As a result, "apt-get update;apt-get upgrade"
results in slapd crashing with a double free as it loads the previous
conf file. Most package maintainers would refer to this as a regression
inasmuch as the typical upgrade process fails to start and without any
obvious warning. The answer may be found by spending many hours
googling for 'what the heck'. For over a year this has gone unfixed.
At least improve the upgrade script to warn the installer and prevent
slapd from starting until some flag is set noting the user has corrected
the string and is aware the developers won't fix the issue.
In the alternative, I think a much better approach is to put a versions
of all these and related packages compiled against openSSL in the
appropriate repository. It is not material to me whether this is fixed
or not as I've removed all packages using gnutls until it's more mature,
and won't revisit this again for at least four years.
In fact I'm looking for other distros like Mint that actually check
whether upgrades generate regressions and classify risk assessments that
allow only proven upgrades to succeed.
It's really quite an eye-opener to me that a distro aiming to be
deployed outside the sole-user world doesn't see this as a problem.
--
Harry G Coin
Quiet Fountain LLC
2118 Lundy Ln
Bettendorf, Iowa 52722
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1103353
Title:
Invalid GnuTLS cipher suite strings causes libldap to crash
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Precise:
In Progress
Status in openldap source package in Trusty:
In Progress
Status in openldap package in Debian:
Fix Released
Bug description:
If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
crashes due to a double free. GnuTLS is extremely picky about the
cipher suite strings it accepts; as a first measure, try LDAP cipher
suite string "SECURE256" or "NORMAL". If that stops the crash, then
you have encountered this bug.
Typically, the crash report begins with something like
*** glibc detected *** APPLICATION: double free or corruption (!prev)
/lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d]
The actual double free happens in
openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the
ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path.
The root cause of the double free is lack of GnuTLS return value
checks when calling gnutls_priority*() functions. The code simply
assumes they succeed, and when GnuTLS fails to provide a valid context
due to those failures, ldap_int_tls_init_ctx() tries to free the
never-fully-initialized context.
A simple fix is to create GnuTLS security contexts using the
configured cipher suite string, instead of "NORMAL" as
openldap/libraries/libldap/tls_g.c now does. If the cipher suite
string is invalid, then do not create the context at all. This is
caught earlier in ldap_int_tls_init_ctx(), and avoids the crash.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions
References