Re: CVE-2017-17740 aka ITS#8759

[Howard Chu]

Michael Ströder wrote:
> HI!
> 
> This ITS was answered with won't fix / send patches:
> https://www.openldap.org/its/index.cgi?findid=8759
> 
> But in the mean-time somebody assigned a CVE number to it:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
> 
> The SUSE folks added a patch:
> 
> https://build.opensuse.org/package/view_file/network:ldap/openldap2/0017-Fix-segfault-in-nops.patch?expand=1
> 
> Could anybody review this and comment whether it makes sense at all?
> 
> If the patch is correct would it make sense to release it with 2.4.47?

If the patch is correct, the original patch author must submit it to the ITS.

The CVE makes no sense, since as already noted in the ITS, the bug is caused
by the nops overlay which is in contrib, and not officially part of OpenLDAP 
Software.

-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

CVE-2017-17740 aka ITS#8759

[Michael Ströder]

HI!

This ITS was answered with won't fix / send patches:
https://www.openldap.org/its/index.cgi?findid=8759

But in the mean-time somebody assigned a CVE number to it:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740

The SUSE folks added a patch:

https://build.opensuse.org/package/view_file/network:ldap/openldap2/0017-Fix-segfault-in-nops.patch?expand=1

Could anybody review this and comment whether it makes sense at all?

If the patch is correct would it make sense to release it with 2.4.47?

Ciao, Michael.



smime.p7s
Description: S/MIME Cryptographic Signature