
touch-packages team mailing list archive

Re: [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

 

On 04/07/2015 01:32 PM, Oleg Strikov wrote:
>   Client may crash itself
> by passing incorrect cipher suite to the API. While that's sad, it
> doesn't crash slapd itself
To the contrary, it certainly does crash slapd itself. Anyone 
upgrading will at some point silently switch from a slapd that used 
openssl to gnutls --- without the package warning about nor updating the 
apropos config string. As a result, "apt-get update;apt-get upgrade" 
results in slapd crashing with a double free as it loads the previous 
conf file. Most package maintainers would refer to this as a regression 
inasmuch as the typical upgrade process fails to start and without any 
obvious warning. The answer may be found by spending many hours 
googling for 'what the heck'. For over a year this has gone unfixed.

At least improve the upgrade script to warn the installer and prevent 
slapd from starting until some flag is set noting the user has corrected 
the string and is aware the developers won't fix the issue.

In the alternative, I think a much better approach is to put versions 
of all these and related packages compiled against openSSL in the 
appropriate repository. It is not material to me whether this is fixed 
or not as I've removed all packages using gnutls until it's more mature, 
and won't revisit this again for at least four years.

In fact I'm looking for other distros like Mint that actually check 
whether upgrades generate regressions and classify risk assessments that 
allow only proven upgrades to succeed.

It's really quite an eye-opener to me that a distro aiming to be 
deployed outside the sole-user world doesn't see this as a problem.

--


Harry G Coin
Quiet Fountain LLC
2118 Lundy Ln
Bettendorf, Iowa 52722

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1103353

Title:
  Invalid GnuTLS cipher suite strings causes libldap to crash

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Precise:
  In Progress
Status in openldap source package in Trusty:
  In Progress
Status in openldap package in Debian:
  Fix Released

Bug description:
  If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
  crashes due to a double free. GnuTLS is extremely picky about the
  cipher suite strings it accepts; as a first measure, try LDAP cipher
  suite string "SECURE256" or "NORMAL". If that stops the crash, then
  you have encountered this bug.

  Typically, the crash report begins with something like

  *** glibc detected *** APPLICATION: double free or corruption (!prev)
  /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d]

  The actual double free happens in
  openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the
  ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path.

  The root cause of the double free is lack of GnuTLS return value
  checks when calling gnutls_priority*() functions. The code simply
  assumes they succeed, and when GnuTLS fails to provide a valid context
  due to those failures, ldap_int_tls_init_ctx() tries to free the
  never-fully-initialized context.

  A simple fix is to create GnuTLS security contexts using the
  configured cipher suite string, instead of "NORMAL" as
  openldap/libraries/libldap/tls_g.c now does. If the cipher suite
  string is invalid, then do not create the context at all. This is
  caught earlier in ldap_int_tls_init_ctx(), and avoids the crash.
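  The error path described above, as an added example that is not OpenLDAP or
  GnuTLS code: a small C model of the fixed shape of ldap_int_tls_init_ctx().
  gnutls_priority_init() is replaced by a constructed stand-in that accepts only
  a few keywords and fails on anything else; the field name ldo_tls_ctx is taken
  from the bug report, while tls_init_ctx, tls_ctx_free, mock_priority_init and
  the ldap_opts_t struct are assumptions made for the example. It shows the two
  properties the fix needs: the configured string is checked before any context
  is allocated, and the single error path frees only what this call owns and
  leaves the caller's pointer NULL, so the caller's own cleanup cannot free the
  same memory a second time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYWORD_LEN 32

/* Stand-in for a GnuTLS priority object (constructed, not the real type). */
typedef struct { char keyword[KEYWORD_LEN]; } mock_priority_t;

/* Stand-in for gnutls_priority_init(): 0 on success, -1 when the string is
 * not a keyword it knows (the real library returns a GNUTLS_E_* error). */
static int mock_priority_init(mock_priority_t **out, const char *suite)
{
    static const char *const known[] = { "NORMAL", "SECURE128", "SECURE256", "PERFORMANCE" };
    size_t i;

    *out = NULL;
    if (suite == NULL || strlen(suite) >= KEYWORD_LEN)
        return -1;
    for (i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (strcmp(suite, known[i]) == 0) {
            mock_priority_t *p = calloc(1, sizeof *p);
            if (p == NULL)
                return -1;
            strcpy(p->keyword, suite);
            *out = p;
            return 0;
        }
    }
    return -1;
}

/* Model of the TLS context libldap hangs off its options struct. */
typedef struct {
    mock_priority_t *prio;
    int creds_ready;          /* stands in for the certificate credentials */
} tls_ctx_t;

typedef struct { tls_ctx_t *ldo_tls_ctx; } ldap_opts_t;

static int g_ctx_frees;       /* counts real releases so a test can prove "exactly once" */

/* NULL-tolerant; each member is released at most once. */
static void tls_ctx_free(tls_ctx_t *ctx)
{
    if (ctx == NULL)
        return;
    free(ctx->prio);
    ctx->prio = NULL;
    free(ctx);
    g_ctx_frees++;
}

/* Fixed shape of the init routine: validate first, build second, publish
 * only a complete context, and never leave a dangling pointer on failure. */
static int tls_init_ctx(ldap_opts_t *lo, const char *ciphersuite)
{
    tls_ctx_t *ctx = NULL;
    mock_priority_t *prio = NULL;

    /* 1. Reject an unacceptable cipher suite string before allocating anything. */
    if (mock_priority_init(&prio, ciphersuite) != 0)
        return -1;

    ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL)
        goto error_exit;
    ctx->prio = prio;
    prio = NULL;              /* ownership moved into ctx */
    ctx->creds_ready = 1;

    /* 2. Publish only a fully built context. */
    lo->ldo_tls_ctx = ctx;
    return 0;

error_exit:
    free(prio);               /* only what this call still owns */
    tls_ctx_free(ctx);
    lo->ldo_tls_ctx = NULL;   /* caller's later cleanup becomes a harmless no-op */
    return -1;
}

static int ctx_frees(void) { return g_ctx_frees; }

int main(void)
{
    ldap_opts_t lo = { NULL };
    /* Constructed inputs: an OpenSSL-style string carried over from an old
     * slapd config, which GnuTLS rejects, and a keyword it accepts. */
    printf("OpenSSL-style string -> rc=%d ctx=%p\n", tls_init_ctx(&lo, "AES256-SHA:!aNULL"), (void *)lo.ldo_tls_ctx);
    printf("SECURE256            -> rc=%d ctx=%p\n", tls_init_ctx(&lo, "SECURE256"), (void *)lo.ldo_tls_ctx);
    tls_ctx_free(lo.ldo_tls_ctx);
    lo.ldo_tls_ctx = NULL;
    tls_ctx_free(lo.ldo_tls_ctx);   /* second call is safe: pointer was cleared */
    printf("context released %d time(s)\n", ctx_frees());
    return 0;
}
```

  The same discipline (check every initializer's return value, move ownership
  into the context only after each step succeeds, clear the caller-visible
  pointer on the error path) is what keeps a bad TLSCipherSuite string a
  configuration error rather than a heap corruption at startup.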

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions

