touch-packages team mailing list archive

Thread
Date

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Oleg Strikov <oleg.strikov@xxxxxxxxxxxxx>
Date: Wed, 08 Apr 2015 12:46:19 -0000
Reply-to: Bug 1103353 <1103353@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi Harry,

Thanks for the input.
Could you add more information on this please:
> silently switch from a slapd that used openssl to gnutls
I just looked through the launchpad package archive and it looks like we never had openldap linked against openssl in 12.04 and 14.04. First version of openldap which showed up in 12.04 was 2.4.25 and it has libgnutls-dev in build dependencies. Do you mean upgrading from any previous release to precise/trusty?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1103353

Title:
  Invalid GnuTLS cipher suite strings causes libldap to crash

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Precise:
  In Progress
Status in openldap source package in Trusty:
  In Progress
Status in openldap package in Debian:
  Fix Released

Bug description:
  If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
  crashes due to a double free. GnuTLS is extremely picky about the
  cipher suite strings it accepts; as a first measure, try LDAP cipher
  suite string "SECURE256" or "NORMAL". If that stops the crash, then
  you have encountered this bug.

  Typically, the crash report begins with something like

  *** glibc detected *** APPLICATION: double free or corruption (!prev)
  /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d]
  /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d]

  The actual double free happens in
  openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the
  ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path.

  The root cause of the double free is lack of GnuTLS return value
  checks when calling gnutls_priority*() functions. The code simply
  assumes they succeed, and when GnuTLS fails to provide a valid context
  due to those failures, ldap_int_tls_init_ctx() tries to free the
  never-fully-initialized context.

  A simple fix is to create GnuTLS security contexts using the
  configured cipher suite string, instead of "NORMAL" as
  openldap/libraries/libldap/tls_g.c now does. If the cipher suite
  string is invalid, then do not create the context at all. This is
  caught earlier in ldap_int_tls_init_ctx(), and avoids the crash.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions