[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
Hi Harry, Thanks for the input. Could you add more information on this please: silently switch from a slapd that used openssl to gnutls I just looked through the launchpad package archive and it looks like we never had openldap linked against openssl in 12.04 and 14.04. First version of openldap which showed up in 12.04 was 2.4.25 and it has libgnutls-dev in build dependencies. Do you mean upgrading from any previous release to precise/trusty? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Precise: In Progress Status in openldap source package in Trusty: In Progress Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
13:40 strikov rbasak: i did a research on CVE attached to the bug and came to conclusion that it was attached incorrectly 13:41 strikov rbasak: this CVE is about a different thing and I have no idea why it was attached Looking at the CVE details I agree, so unlinking. ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-4449 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Precise: In Progress Status in openldap source package in Trusty: In Progress Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
I plan to change the status of this bug for 12.04 (precise) and 14.04 (trusty) to Won't Fix. In this comment I want to explain why I came to this decision. This bug had CVE-2013-4449 linked to it. I don't think that this CVE is relevant because the patch proposed in this bug doesn't resolve the issue mentioned in the description of this CVE. I proved that by using the following repro script: http://pastebin.ubuntu.com/10764620/ This script is derived from the repro case provided in the debian bug for CVE-2013-4449: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729367#22 [!] Please note that this CVE can be reliably reproduced only on multicore machine (e.g. you can't use m1.small cloud instance). Some form of race condition takes place and your chances are much higher on multicore. When CVE-2013-4449 is resolved this script should print 'Finished' at the end of execution. When CVE is still here it prints 'No server found on localhost:389 attempt'. 'No server found' means that slapd crashed and can't be accessed via network and 'attempt' is a number of iteration when slapd crashed (it usually takes from 3 to 15 iterations because some form of race condition needs to take place). WITH and WITHOUT the proposed patch I get 'No server found' message on 12.04 (precise) and 14.04 (trusty). It means that patch doesn't fix CVE-2013-4449. Patch doesn't fix CVE-2013-4449 but it still can fix the issue mentioned in the bug description (incorrect cipher suite string leads to a crash). That's true but I don't think that we want to update 12.04 (precise) and 14.04 (trusty). ANY update may lead to unpredictable regressions (see https://wiki.ubuntu.com/StableReleaseUpdates) and the profit of patching should exceed the amount of potential issues it may create. OpenLDAP is an important infrastructural component and we need to have a very good reason to update it. I don't see such a reason. Client may crash itself by passing incorrect cipher suite to the API. While that's sad, it doesn't crash slapd itself and doesn't create any inconveniences to other users. This looks like a good fix for a development release but not stable release. Please let me know if you have any objections or additional information about this bug. We're open to discussion and can re-open this bug if needed. Thanks to Jouko Orava and others for opening this bug and taking part in the discussion. ** Bug watch added: Debian Bug tracker #729367 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729367 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-4449 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Precise: In Progress Status in openldap source package in Trusty: In Progress Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to:
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
Shell script which reproduces the issue: http://pastebin.ubuntu.com/10712595/ Please run this script only on a disposable instance in the cloud because it creates and adds ultimately trusted certificate to the target machine. I was able to reproduce the issue on precise (12.04) and trusty (14.04). I *was not* able to reproduce the issue on utopic (14.10) and vivid (15.04). This happens because libldap is linked against later version of libgnutls in 14.10 and 15.04. 12.04 and 14.04 use 2.x generation of libgnutls while 14.10 and 15.04 use 3.x generation. I assume that libgnutls 3.x does proper cleanup and doesn't return semi-initialized context on errors (which was the root cause of the bug). Please note that this issue doesn't crash ldap server itself but only clients who passes incorrect SSL/TLS-related settings into libldap using ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, NAME). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
** Also affects: openldap (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Precise) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap source package in Precise: New Status in openldap source package in Trusty: New Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
** Changed in: openldap (Ubuntu Precise) Status: New = In Progress ** Changed in: openldap (Ubuntu Trusty) Status: New = In Progress ** Changed in: openldap (Ubuntu Precise) Assignee: (unassigned) = Oleg Strikov (strikov) ** Changed in: openldap (Ubuntu Trusty) Assignee: (unassigned) = Oleg Strikov (strikov) ** Changed in: openldap (Ubuntu) Status: Triaged = Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Precise: In Progress Status in openldap source package in Trusty: In Progress Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
I just now noted the remark above suggesting the remedy to programs which crash abort when having a string parsing error is to not feed it strings it doesn't like. I suppose, mutatis mutandis, were the string one 99 of 100 leave defaulted it could be overlooked. However does anyone really think the string configuring the allowed ciphers isn't tweaked every few months in any serious deployment? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
If this were a library used in a game or a bug in a screensaver I could see letting a formatting error in a string crash abort any program using the library sit for a year. I'm staggered really to experience this for a package as widely touted as gnutls, contending to be a replacement for openssl, and especially in a business supporting group like ubuntu that aims for site installs. I think this 11-month 'maintainers have higher priorities' event is a strong sign gnutls just is so not ready for mission critical deployment that whatever priority it may have on launchpad--- in the maintainers minds this is a 'might fix, won't deploy'. I've compiled it against openssl, and it's solid. Though I've stuck with ubuntu for many years now I have to agree with the sentiment upstream: this is a confidence buster. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
Well, considering that Ubuntu openldap maintainers consider e.g. CVE-2013-4449 (denial-of-service, 2.4.31 to 2.4.36 are vulnerable) not important enough to patch or update to a later openldap version, I expect there to be zero chance of this bug to be patched either. It seems that if it does not hurt the maintainers' systems, it's not worth fixing. The current Ubuntu version I am using right now, 14.04 LTS, is certainly the last Ubuntu version I will be using. I am still evaluating the alternatives, but definitely all Debian jessie derivatives are straight out. I won't be monitoring this bug anymore, either. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-4449 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
Kindly notice that the fix mentioned above for .40, was dated not quite a year ago. I'm not a ubuntu expert, but I think this page: https://launchpad.net/ubuntu/+source/openldap explains the fix mentioned above is not available as a backport for trusty, nor native in utopic, nor even being tested in vivid. Is it available on Ubuntu but I just missed it somehow? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
The fixed version is not in Ubuntu yet. This crash only happens on invalid configurations, though; slapd will still refuse to start on such a configuration. Fix your configuration to be correct, and you won't see the crash any more. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
rtandy, this is not specific to slapd, but affects all applications that use libldap2 and gnutls. Instead of returning a failure at START_TLS, the library just crashes at a double-free. This makes it difficult to find the actual problem in services like sssd that crash due to this bug, although the root cause is a simple configuration mistake. (gnutls cipherspecs are notoriously complicated, and very easy to get wrong. Crashing in such a case is, and should be considered, a serious bug. There is nothing an application can do to mitigate this.) Attached is a backported patch from 2.4.40 to current Debian/Ubuntu source package. I applied this to 2.4.31-1+nmu2ubuntu8, added a dummy changelog entry, and recompiled the package. The changes are localized and safe, should apply cleanly to other versions too. The patched library no longer crashes: this fixes the bug. In other words, this is a trivial bug for the Debian/Ubuntu openldap maintainers to fix, if they saw the bug serious enough to fix. ** Patch added: Debian/Ubuntu source package patch, backported from 2.4.40 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+attachment/4349163/+files/openldap-2.4.31-gnutls-backport.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
On Wed, Mar 18, 2015 at 06:40:06PM -, Jouko Orava wrote: rtandy, this is not specific to slapd, but affects all applications that use libldap2 and gnutls. Apologies for the lack of context. You're completely correct, but the message I was replying to was about slapd specifically: he had just reported bug 1433666 about slapd failing to start when configured with a wrong cipher suite settings. Thanks for providing a patch. I can't upload packages myself, but maybe ubuntu-sponsors will consider it. This is already fixed in Debian jessie and wheezy-backports, FWIW (but not wheezy itself). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in openldap package in Ubuntu: Triaged Status in openldap package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
** Changed in: openldap (Debian) Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in “openldap” package in Ubuntu: Triaged Status in “openldap” package in Debian: Fix Released Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
** Changed in: openldap (Debian) Status: Unknown = Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in “openldap” package in Ubuntu: Triaged Status in “openldap” package in Debian: Confirmed Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
** Also affects: openldap (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640384 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash Status in “openldap” package in Ubuntu: Triaged Status in “openldap” package in Debian: Unknown Bug description: If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4 crashes due to a double free. GnuTLS is extremely picky about the cipher suite strings it accepts; as a first measure, try LDAP cipher suite string SECURE256 or NORMAL. If that stops the crash, then you have encountered this bug. Typically, the crash report begins with something like *** glibc detected *** APPLICATION: double free or corruption (!prev) /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96)[0x7fc68cff0b96] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x38769)[0x7fc68bb13769] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x3570e)[0x7fc68bb1070e] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_pvt_tls_init_def_ctx+0x1d)[0x7fc68bb108ed] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35965)[0x7fc68bb10965] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(+0x35a6d)[0x7fc68bb10a6d] /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2(ldap_int_tls_start+0x5d)[0x7fc68bb1149d] The actual double free happens in openldap/libraries/libldap/tls2.c:ldap_int_tls_init_ctx(), in the ldap_pvt_tls_ctx_free(lo-ldo_tls_ctx); call in the error_exit: path. The root cause of the double free is lack of GnuTLS return value checks when calling gnutls_priority*() functions. The code simply assumes they succeed, and when GnuTLS fails to provide a valid context due to those failures, ldap_int_tls_init_ctx() tries to free the never-fully-initialized context. A simple fix is to create GnuTLS security contexts using the configured cipher suite string, instead of NORMAL as openldap/libraries/libldap/tls_g.c now does. If the cipher suite string is invalid, then do not create the context at all. This is caught earlier in ldap_int_tls_init_ctx(), and avoids the crash. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp