touch-packages team mailing list archive
Message #69304
Re: [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
On 04/10/2015 10:43 AM, Robie Basak wrote:
> Marking Won't Fix for SRUs as per Oleg's request. I don't see any real
> user impact to this bug here that would justify an SRU. Harry's case
> might be valid, but as Oleg was unable to reproduce and we don't have
> reproduction steps we wouldn't be able to pass SRU verification anyway.
> If somebody would like to post detailed steps to reproduce this bug that
> also demonstrates a use case which does create a real user impact, then
> I'd be happy to reconsider.
>
> ** Changed in: openldap (Ubuntu Precise)
> Status: In Progress => Won't Fix
>
> ** Changed in: openldap (Ubuntu Trusty)
> Status: In Progress => Won't Fix
>
Steps to reproduce:
1) Install older version that used openssl.
2) Set up a cipher suite of any sort.
3) Validate ldaps operation.
4) "upgrade" using current version built against gnutls.
5) Notice slapd won't start, complaining of double free, upgrade fails.
--
Harry G Coin
Quiet Fountain LLC
2118 Lundy Ln
Bettendorf, Iowa 52722
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1103353
Title:
Invalid GnuTLS cipher suite strings causes libldap to crash
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Precise:
Won't Fix
Status in openldap source package in Trusty:
Won't Fix
Status in openldap package in Debian:
Fix Released
Bug description:
If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
crashes due to a double free. GnuTLS is extremely picky about the
cipher suite strings it accepts; as a first measure, try LDAP cipher
suite string "SECURE256" or "NORMAL". If that stops the crash, then
you have encountered this bug.
Typically, the crash report begins with something like
*** glibc detected *** APPLICATION: double free or corruption (!prev)
/lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d]
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d]
The actual double free happens in
openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the
ldap_pvt_tls_ctx_free(lo->ldo_tls_ctx); call in the error_exit: path.
The root cause of the double free is lack of GnuTLS return value
checks when calling gnutls_priority*() functions. The code simply
assumes they succeed, and when GnuTLS fails to provide a valid context
due to those failures, ldap_int_tls_init_ctx() tries to free the
never-fully-initialized context.
A simple fix is to create GnuTLS security contexts using the
configured cipher suite string, instead of "NORMAL" as
openldap/libraries/libldap/tls_g.c now does. If the cipher suite
string is invalid, then do not create the context at all. This is
caught earlier in ldap_int_tls_init_ctx(), and avoids the crash.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions
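As an added illustration of the failure mode in the bug description above (this is not OpenLDAP's or GnuTLS's code), the following self-contained C model shows an unchecked priority-init result leaving a stale handle in a half-built context, which the error path then frees a second time, beside the fix the report suggests of rejecting the suite string before any context exists. The GnuTLS calls are replaced by mock functions whose names and accepted strings are assumptions, and a small ownership tracker counts the second free instead of letting glibc abort.

```c
#include <stdlib.h>
#include <string.h>
/* Ownership tracker: a second free of the same pointer is counted instead of
 * corrupting the heap, standing in for the glibc abort in the report above. */
static void *live[64]; static int nlive; int double_frees;
static void *t_alloc(size_t n) { return live[nlive++] = calloc(1, n); }
static int t_live(void *p) {
    for (int i = 0; i < nlive; i++) if (p && live[i] == p) return 1;
    return 0;
}
static void t_free(void *p) {
    for (int i = 0; p && i < nlive; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    if (p) double_frees++;                 /* real code aborts here */
}
/* Mock of gnutls_priority_init() (assumed grammar: only NORMAL and SECURE256 are
 * valid). On failure it drops its state but leaves *out non-NULL and invalid. */
static int prio_init(void **out, const char *spec) {
    *out = t_alloc(32);
    if (!strcmp(spec, "NORMAL") || !strcmp(spec, "SECURE256")) return 0;
    t_free(*out);
    return -1;
}
/* Mock of a later GnuTLS call that needs a valid priority handle. */
static int prio_apply(void *prios) { return t_live(prios) ? 0 : -1; }
struct tls_ctx { void *prios; };
static void ctx_free(struct tls_ctx *c) { t_free(c->prios); t_free(c); }
/* The pattern the report describes: the priority result is ignored, a later
 * call fails, and error_exit frees a context that was never fully set up. */
int init_ctx_unchecked(const char *suite) {
    struct tls_ctx *c = t_alloc(sizeof *c);
    prio_init(&c->prios, suite);                 /* return value discarded */
    if (prio_apply(c->prios) < 0) goto error_exit;
    ctx_free(c);                                 /* demo: tear down again */
    return 0;
error_exit:
    ctx_free(c);                                 /* stale handle freed again */
    return -1;
}
/* Fix in the spirit of the report: validate the suite string first and create
 * no context at all when it is rejected. */
int init_ctx_checked(const char *suite) {
    void *prios;
    if (prio_init(&prios, suite) < 0) return -1; /* nothing half-built to free */
    struct tls_ctx *c = t_alloc(sizeof *c);
    c->prios = prios;
    ctx_free(c);
    return 0;
}
```

With a rejected suite string, init_ctx_unchecked() raises double_frees to 1 while init_ctx_checked() returns -1 and frees nothing twice.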