[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Changed in: openldap (Debian)
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Released
Status in openldap source package in Bionic:
Fix Released
Status in openldap source package in Disco:
Fix Released
Status in openldap package in Debian:
Fix Released
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be related
to other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu3.7
---
openldap (2.4.42+dfsg-2ubuntu3.7) xenial; urgency=medium
* d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP:
#1838370)
-- Lucas Kanashiro Thu, 08 Aug 2019
16:33:06 -0300
** Changed in: openldap (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Released
Status in openldap source package in Bionic:
Fix Released
Status in openldap source package in Disco:
Fix Released
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be related
to other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This bug was fixed in the package openldap - 2.4.47+dfsg-3ubuntu2.2
---
openldap (2.4.47+dfsg-3ubuntu2.2) disco; urgency=medium
* d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP:
#1838370)
-- Lucas Kanashiro Thu, 08 Aug 2019
15:04:04 -0300
** Changed in: openldap (Ubuntu Disco)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Released
Status in openldap source package in Disco:
Fix Released
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be related
to other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This bug was fixed in the package openldap - 2.4.45+dfsg-1ubuntu1.4
---
openldap (2.4.45+dfsg-1ubuntu1.4) bionic; urgency=medium
* d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP:
#1838370)
-- Lucas Kanashiro Thu, 08 Aug 2019
15:08:36 -0300
** Changed in: openldap (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Released
Status in openldap source package in Disco:
Fix Released
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be related
to other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in bionic-proposed as you can see
below:
root@openldap-bionic-sru:~# apt policy slapd
slapd:
Installed: 2.4.45+dfsg-1ubuntu1.4
Candidate: 2.4.45+dfsg-1ubuntu1.4
Version table:
*** 2.4.45+dfsg-1ubuntu1.4 500
500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
100 /var/lib/dpkg/status
2.4.45+dfsg-1ubuntu1.3 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64
Packages
2.4.45+dfsg-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
And after executing the steps presented in the Test case section, the
slapd process did not die:
root@openldap-bionic-sru:~# ps aux | grep slapd
openldap 1029 0.0 4.5 2106104 730124 ? Ssl 18:51 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 1488 0.0 0.0 14852 840 ?S+ 18:52 0:00 grep
--color=auto slapd
root@openldap-bionic-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com
-LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-bionic-sru:~# ps aux | grep slapd
openldap 1029 0.0 4.5 2106104 730124 ? Ssl 18:51 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 1492 0.0 0.0 14852 804 ?S+ 18:52 0:00 grep
--color=auto slapd
The PID of the slapd process is the same. Moreover, there is no sign of
crash in the syslog output nor a crash file in /var/crash:
root@openldap-bionic-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-bionic-sru:~# ls /var/crash/ | grep slapd
** Tags removed: verification-needed-bionic
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Fix Committed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in disco-proposed as you can see
below:
root@openldap-disco-sru:~# apt policy slapd
slapd:
Installed: 2.4.47+dfsg-3ubuntu2.2
Candidate: 2.4.47+dfsg-3ubuntu2.2
Version table:
*** 2.4.47+dfsg-3ubuntu2.2 500
500 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 Packages
100 /var/lib/dpkg/status
2.4.47+dfsg-3ubuntu2.1 500
500 http://archive.ubuntu.com/ubuntu disco-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu disco-security/main amd64 Packages
2.4.47+dfsg-3ubuntu2 500
500 http://archive.ubuntu.com/ubuntu disco/main amd64 Packages
And after executing the steps presented in the Test case section, the
slapd process did not die:
root@openldap-disco-sru:~# ps aux | grep slapd
openldap 1994 0.0 4.5 2003840 728176 ? Ssl 19:05 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2453 0.0 0.0 7980 1544 ?S+ 19:06 0:00 grep
--color=auto slapd
root@openldap-disco-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL
uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-disco-sru:~# ps aux | grep slapd
openldap 1994 0.0 4.5 2003840 728176 ? Ssl 19:05 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2457 0.0 0.0 7980 684 ?S+ 19:06 0:00 grep
--color=auto slapd
The PID of the slapd process is the same. Moreover, there is no sign of
crash in the syslog output nor a crash file in /var/crash:
root@openldap-disco-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-disco-sru:~# ls /var/crash/ | grep slapd
** Tags removed: verification-needed-disco
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Fix Committed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in xenial-proposed as you can see
below:
root@openldap-xenial-sru:~# apt policy slapd
slapd:
Installed: 2.4.42+dfsg-2ubuntu3.7
Candidate: 2.4.42+dfsg-2ubuntu3.7
Version table:
*** 2.4.42+dfsg-2ubuntu3.7 500
500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
100 /var/lib/dpkg/status
2.4.42+dfsg-2ubuntu3.6 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
Packages
2.4.42+dfsg-2ubuntu3 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
And after executing the steps presented in the Test case section, the slapd
process did not die:
root@openldap-xenial-sru:~# ps aux | grep slapd
openldap 2078 0.0 4.5 2094540 730664 ? Ssl 19:02 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2147 0.0 0.0 14616 904 ?S+ 19:03 0:00 grep
--color=auto slapd
root@openldap-xenial-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com
-LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-xenial-sru:~# ps aux | grep slapd
openldap 2078 0.0 4.5 2094540 730576 ? Ssl 19:02 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2151 0.0 0.0 14616 860 ?S+ 19:03 0:00 grep
--color=auto slapd
The PID of the slapd process is the same. Moreover, there is no sign of crash in
the syslog output nor a crash file in /var/crash:
root@openldap-xenial-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-xenial-sru:~# ls /var/crash/ | grep slapd
** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done-bionic verification-done-disco
verification-done-xenial
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Fix Committed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Hello Kseniya, or anyone else affected,
Accepted openldap into disco-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/openldap/2.4.47+dfsg-
3ubuntu2.2 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-disco to verification-done-disco. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-disco. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: openldap (Ubuntu Disco)
Status: Confirmed => Fix Committed
** Tags added: verification-needed verification-needed-disco
** Changed in: openldap (Ubuntu Bionic)
Status: Confirmed => Fix Committed
** Tags added: verification-needed-bionic
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Fix Committed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Changed in: openldap (Ubuntu Xenial)
Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)
** Changed in: openldap (Ubuntu Bionic)
Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)
** Changed in: openldap (Ubuntu Disco)
Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Confirmed
Status in openldap source package in Bionic:
Confirmed
Status in openldap source package in Disco:
Confirmed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be related
to other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed:
- Impact
- --
+ [Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
- Test Case
- -
+ [Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention that
the 'ldapsearch' command should fail regardless the presence of the bug
in the package, the target here is the slapd crash. To reproduce this
bug one can follow the procedure below in Ubuntu xenial, bionic or
disco:
$ sudo apt-get update
-
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
-
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
-
- slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
+ slapd process will die, and /var/crash will have a crash file for slapd.
+ You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command should
fail but the 'slapd' process should not die. As result, we don't expect
a slapd crash report in /var/crash directory.
-
- Regression Potential
-
+ [Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user is
not using rwm overlay and is facing any issue, it should be related to
other problems related to LDAP directory services.
-
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
config
ldif
$ apt-cache
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed:
Impact
--
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
Test Case
-
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention that
the 'ldapsearch' command should fail regardless the presence of the bug
in the package, the target here is the slapd crash. To reproduce this
bug one can follow the procedure below in Ubuntu xenial, bionic or
disco:
$ sudo apt-get update
+
+
+ Use debconf to pre-seed slapd questions before install it:
+
+ $ debconf-set-selections << EOF
+ slapd slapd/no_configuration boolean false
+ slapd slapd/domain string example.com
+ slapd shared/organization string example.com
+ slapd slapd/password1 password test
+ slapd slapd/password2 password test
+ slapd slapd/backend select MDB
+ slapd slapd/move_old_database boolean false
+ EOF
$ sudo apt-get install slapd ldap-utils -y
- Reconfigure the slapd package. When asked about a domain, use "example.com".
- Choose a password you want (or just leave it blank), and accept defaults for
- everything else:
-
- $ sudo dpkg-reconfigure slapd
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
- slapd process will die, and /var/crash will have a crash file for slapd. You
- can run the following command to confirm the error:
+
+ slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
+
+ -> Expected behavior
+
+ In this test case, as mentioned before, the 'ldapsearch' command should
+ fail but the 'slapd' process should not die. As result, we don't expect
+ a slapd crash report in /var/crash directory.
+
Regression Potential
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user is
not using rwm overlay and is facing any issue, it should be related to
other problems related to LDAP directory services.
+
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Bug watch added: Debian Bug tracker #934277
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934277
** Also affects: openldap (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934277
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Confirmed
Status in openldap source package in Bionic:
Confirmed
Status in openldap source package in Disco:
Confirmed
Status in openldap package in Debian:
Unknown
Bug description:
Impact
--
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
Test Case
-
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils -y
Reconfigure the slapd package. When asked about a domain, use "example.com".
Choose a password you want (or just leave it blank), and accept defaults for
everything else:
$ sudo dpkg-reconfigure slapd
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
Regression Potential
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be related
to other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed:
Impact
--
- Users willing to use the slapd rwm overlay will face a slapd segmentation
fault
- when trying to rewrite some rules. Backporting this fix will allow users using
- stable releases to take advantage of this feature without crashing slapd. This
- issue was fixed by upstream not freeing the rwm overlay filter memory without
- prior checking.
+ Users willing to use the slapd rwm overlay will face a slapd
+ segmentation fault when trying to rewrite some rules. Backporting this
+ fix will allow users using stable releases to take advantage of this
+ feature without crashing slapd. This issue was fixed by upstream not
+ freeing the rwm overlay filter memory without prior checking.
Test Case
-
- In this test case, the rwm overlay will be used and a rule will be created to
- deny any search request for uid=root, then the 'ldapsearch' will be invoked to
- trigger the failure. It is important to mention that the 'ldapsearch' command
- should fail regardless the presence of the bug in the package, the target here
- is the slapd crash. To reproduce this bug one can follow the procedure below
in
- Ubuntu xenial, bionic or disco:
+ In this test case, the rwm overlay will be used and a rule will be
+ created to deny any search request for uid=root, then the 'ldapsearch'
+ will be invoked to trigger the failure. It is important to mention that
+ the 'ldapsearch' command should fail regardless the presence of the bug
+ in the package, the target here is the slapd crash. To reproduce this
+ bug one can follow the procedure below in Ubuntu xenial, bionic or
+ disco:
$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils -y
Reconfigure the slapd package. When asked about a domain, use "example.com".
Choose a password you want (or just leave it blank), and accept defaults for
everything else:
$ sudo dpkg-reconfigure slapd
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
-
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
-
slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-
Regression Potential
- Since the fix is a patch provided by upstream (reviewed by maintainers and us)
- simple mistakes like typos are not expected. The patch impacts only the rwm
- module which is not loaded by default. So any regression would affect only the
- users that make use of this overlay. If an user is not using rwm overlay and
is
- facing any issue, it should be related to other problems related to LDAP
- directory services.
-
-
+ Since the fix is a patch provided by upstream (reviewed by maintainers
+ and us) simple mistakes like typos are not expected. The patch impacts
+ only the rwm module which is not loaded by default. So any regression
+ would affect only the users that make use of this overlay. If an user is
+ not using rwm overlay and is facing any issue, it should be related to
+ other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Merge proposal linked:
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/openldap/+git/openldap/+merge/371148
** Merge proposal linked:
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/openldap/+git/openldap/+merge/371149
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Confirmed
Status in openldap source package in Bionic:
Confirmed
Status in openldap source package in Disco:
Confirmed
Bug description:
Impact
--
Users willing to use the slapd rwm overlay will face a slapd segmentation
fault
when trying to rewrite some rules. Backporting this fix will allow users using
stable releases to take advantage of this feature without crashing slapd. This
issue was fixed by upstream not freeing the rwm overlay filter memory without
prior checking.
Test Case
-
In this test case, the rwm overlay will be used and a rule will be created to
deny any search request for uid=root, then the 'ldapsearch' will be invoked to
trigger the failure. It is important to mention that the 'ldapsearch' command
should fail regardless the presence of the bug in the package, the target here
is the slapd crash. To reproduce this bug one can follow the procedure below
in
Ubuntu xenial, bionic or disco:
$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils -y
Reconfigure the slapd package. When asked about a domain, use "example.com".
Choose a password you want (or just leave it blank), and accept defaults for
everything else:
$ sudo dpkg-reconfigure slapd
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
Regression Potential
Since the fix is a patch provided by upstream (reviewed by maintainers and us)
simple mistakes like typos are not expected. The patch impacts only the rwm
module which is not loaded by default. So any regression would affect only the
users that make use of this overlay. If an user is not using rwm overlay and
is
facing any issue, it should be related to other problems related to LDAP
directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Merge proposal linked:
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/openldap/+git/openldap/+merge/371147
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Confirmed
Status in openldap source package in Bionic:
Confirmed
Status in openldap source package in Disco:
Confirmed
Bug description:
Impact
--
Users willing to use the slapd rwm overlay will face a slapd segmentation
fault
when trying to rewrite some rules. Backporting this fix will allow users using
stable releases to take advantage of this feature without crashing slapd. This
issue was fixed by upstream not freeing the rwm overlay filter memory without
prior checking.
Test Case
-
In this test case, the rwm overlay will be used and a rule will be created to
deny any search request for uid=root, then the 'ldapsearch' will be invoked to
trigger the failure. It is important to mention that the 'ldapsearch' command
should fail regardless the presence of the bug in the package, the target here
is the slapd crash. To reproduce this bug one can follow the procedure below
in
Ubuntu xenial, bionic or disco:
$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils -y
Reconfigure the slapd package. When asked about a domain, use "example.com".
Choose a password you want (or just leave it blank), and accept defaults for
everything else:
$ sudo dpkg-reconfigure slapd
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
Regression Potential
Since the fix is a patch provided by upstream (reviewed by maintainers and us)
simple mistakes like typos are not expected. The patch impacts only the rwm
module which is not loaded by default. So any regression would affect only the
users that make use of this overlay. If an user is not using rwm overlay and
is
facing any issue, it should be related to other problems related to LDAP
directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
config
ldif
$ apt-cache policy slapd
slapd:
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed:
+ Impact
+ --
+
+ Users willing to use the slapd rwm overlay will face a slapd segmentation
fault
+ when trying to rewrite some rules. Backporting this fix will allow users using
+ stable releases to take advantage of this feature without crashing slapd. This
+ issue was fixed by upstream not freeing the rwm overlay filter memory without
+ prior checking.
+
+ Test Case
+ -
+
+ In this test case, the rwm overlay will be used and a rule will be created to
+ deny any search request for uid=root, then the 'ldapsearch' will be invoked to
+ trigger the failure. It is important to mention that the 'ldapsearch' command
+ should fail regardless the presence of the bug in the package, the target here
+ is the slapd crash. To reproduce this bug one can follow the procedure below
in
+ Ubuntu xenial, bionic or disco:
+
+ $ sudo apt-get update
+ $ sudo apt-get install slapd ldap-utils -y
+
+ Reconfigure the slapd package. When asked about a domain, use "example.com".
+ Choose a password you want (or just leave it blank), and accept defaults for
+ everything else:
+
+ $ sudo dpkg-reconfigure slapd
+
+ Create a file called 'add-rwm.ldif' with the following content:
+
+ $ cat add-rwm.ldif
+ dn: cn=module{0},cn=config
+ changetype: modify
+ add: olcModuleLoad
+ olcModuleLoad: rwm
+
+ dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
+ changetype: add
+ objectClass: olcOverlayConfig
+ objectClass: olcRwmConfig
+ olcOverlay: rwm
+ olcRwmRewrite: {0} rwm-rewriteEngine "on"
+ olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
+ olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
+
+
+ With this file in place, run:
+
+ $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
+
+ Now, to trigger the crash:
+
+ $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
+ Server is unwilling to perform (53)
+ Additional information: searchFilter/searchFilterAttrDN massage error
+
+
+ slapd process will die, and /var/crash will have a crash file for slapd. You
+ can run the following command to confirm the error:
+
+ $ cat /var/log/syslog | grep filter_free
+ Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
+
+
+ Regression Potential
+
+
+ Since the fix is a patch provided by upstream (reviewed by maintainers and us)
+ simple mistakes like typos are not expected. The patch impacts only the rwm
+ module which is not loaded by default. So any regression would affect only the
+ users that make use of this overlay. If an user is not using rwm overlay and
is
+ facing any issue, it should be related to other problems related to LDAP
+ directory services.
+
+
+
+ [Original message]
+
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
- config
- ldif
+ config
+ ldif
$ apt-cache policy slapd
slapd:
- Installed: 2.4.42+dfsg-2ubuntu3.3
- Candidate: 2.4.42+dfsg-2ubuntu3.5
- Version table:
- 2.4.42+dfsg-2ubuntu3.5 500
- 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
+ Installed: 2.4.42+dfsg-2ubuntu3.3
+ Candidate: 2.4.42+dfsg-2ubuntu3.5
+ Version table:
+ 2.4.42+dfsg-2ubuntu3.5 500
+ 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
Packages
- *** 2.4.42+dfsg-2ubuntu3.3 100
- 100 /var/lib/dpkg/status
- 2.4.42+dfsg-2ubuntu3.2 500
- 500
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Here is a quick reproducer.
sudo apt update
sudo apt install slapd ldap-utils -y
Reconfigure the slapd package. When asked about a domain, use
"example.com". Choose a password, and accept defaults for everything
else:
sudo dpkg-reconfigure slapd
Create a file called add-rwm.ldif with these contents:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
Then run:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
And then, to trigger the crash:
ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
slapd will die, and /var/crash will have a crash file for slapd.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Confirmed
Status in openldap source package in Bionic:
Confirmed
Status in openldap source package in Disco:
Confirmed
Bug description:
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
config
ldif
$ apt-cache policy slapd
slapd:
Installed: 2.4.42+dfsg-2ubuntu3.3
Candidate: 2.4.42+dfsg-2ubuntu3.5
Version table:
2.4.42+dfsg-2ubuntu3.5 500
500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
Packages
*** 2.4.42+dfsg-2ubuntu3.3 100
100 /var/lib/dpkg/status
2.4.42+dfsg-2ubuntu3.2 500
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
Packages
2.4.42+dfsg-2ubuntu3 500
500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
affects ubuntu/openldap
To manage notifications about this bug go to:
https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Hm, I forgot to re-add the bug reference after a few iterating over another change, sorry. But this is a good SRU candidate. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Confirmed Status in openldap source package in Bionic: Confirmed Status in openldap source package in Disco: Confirmed Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This has already been fixed as of 2.4.48+dfsg-1ubuntu1. I'm not sure why the upload didn't automatically close the bug. ** Changed in: openldap (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Confirmed Status in openldap source package in Bionic: Confirmed Status in openldap source package in Disco: Confirmed Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Is there any information when it's gonna be fixed in Ubuntu? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: Confirmed Status in openldap source package in Bionic: Confirmed Status in openldap source package in Disco: Confirmed Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openldap (Ubuntu Bionic) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: Confirmed Status in openldap source package in Bionic: Confirmed Status in openldap source package in Disco: Confirmed Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openldap (Ubuntu Disco) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: Confirmed Status in openldap source package in Bionic: Confirmed Status in openldap source package in Disco: Confirmed Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openldap (Ubuntu Xenial) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: Confirmed Status in openldap source package in Bionic: Confirmed Status in openldap source package in Disco: Confirmed Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Tags added: bitesize -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Patch added: "Patch mentioned in previous comment" https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1838370/+attachment/5280211/+files/0001-ITS-8964-Do-not-free-original-filter.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Also affects: openldap (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Disco) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Xenial) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Looks like this is fixed upstream already: https://openldap.org/its/?findid=8964 fixed in 2.4.48. Cherry-picking upstream commit d40b357f5da9a94d2f4f541c21bde02610d9cd3b fixes the crash for me. ** Also affects: openldap Importance: Undecided Status: New ** Changed in: openldap Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1838370 Title: slapd segfault on filter parse error Status in openldap: Fix Released Status in openldap package in Ubuntu: Confirmed Bug description: Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.3 Candidate: 2.4.42+dfsg-2ubuntu3.5 Version table: 2.4.42+dfsg-2ubuntu3.5 500 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages *** 2.4.42+dfsg-2ubuntu3.3 100 100 /var/lib/dpkg/status 2.4.42+dfsg-2ubuntu3.2 500 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 2.4.42+dfsg-2ubuntu3 500 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages affects ubuntu/openldap To manage notifications about this bug go to: https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
