[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Changed in: openldap (Debian)
       Status: Unknown => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Released
Status in openldap source package in Bionic: Fix Released
Status in openldap source package in Disco: Fix Released
Status in openldap package in Debian: Fix Released

Bug description:
  [Impact]

  Users willing to use the slapd rwm overlay will face a slapd segmentation fault when trying to rewrite some rules. Backporting this fix will allow users using stable releases to take advantage of this feature without crashing slapd.

  This issue was fixed by upstream not freeing the rwm overlay filter memory without prior checking.

  [Test Case]

  In this test case, the rwm overlay will be used and a rule will be created to deny any search request for uid=root, then the 'ldapsearch' will be invoked to trigger the failure. It is important to mention that the 'ldapsearch' command should fail regardless of the presence of the bug in the package, the target here is the slapd crash.

  To reproduce this bug one can follow the procedure below in Ubuntu xenial, bionic or disco:

  $ sudo apt-get update

  Use debconf to pre-seed slapd questions before installing it:

  $ debconf-set-selections << EOF
  slapd slapd/no_configuration boolean false
  slapd slapd/domain string example.com
  slapd shared/organization string example.com
  slapd slapd/password1 password test
  slapd slapd/password2 password test
  slapd slapd/backend select MDB
  slapd slapd/move_old_database boolean false
  EOF
  $ sudo apt-get install slapd ldap-utils -y

  Create a file called 'add-rwm.ldif' with the following content:

  $ cat add-rwm.ldif
  dn: cn=module{0},cn=config
  changetype: modify
  add: olcModuleLoad
  olcModuleLoad: rwm

  dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
  changetype: add
  objectClass: olcOverlayConfig
  objectClass: olcRwmConfig
  olcOverlay: rwm
  olcRwmRewrite: {0} rwm-rewriteEngine "on"
  olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
  olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

  With this file in place, run:

  $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

  Now, to trigger the crash:

  $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
  Server is unwilling to perform (53)
  Additional information: searchFilter/searchFilterAttrDN massage error

  slapd process will die, and /var/crash will have a crash file for slapd. You can run the following command to confirm the error:

  $ cat /var/log/syslog | grep filter_free
  Aug  9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530

  -> Expected behavior

  In this test case, as mentioned before, the 'ldapsearch' command should fail but the 'slapd' process should not die. As a result, we don't expect a slapd crash report in /var/crash directory.

  [Regression Potential]

  Since the fix is a patch provided by upstream (reviewed by maintainers and us) simple mistakes like typos are not expected. The patch impacts only the rwm module which is not loaded by default. So any regression would affect only the users that make use of this overlay. If a user is not using rwm overlay and is facing any issue, it should be related to other problems related to LDAP directory services.

  [Original message]

  Hello!
  We have faced a slapd crash; it seems an attacker was trying to brute force one of our services and uid parsing failures caused the slapd crash:

  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
  Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c]

  Another faulty filter example:

  filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
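A log-triage sketch for the pattern in the report above, added here as an example and not part of the bug thread or of OpenLDAP: it links a slapd search result whose text reports a filter massage error to a `filter_free: unknown filter type` message or a kernel segfault for slapd that follows within a few seconds. The sample lines are constructed from the shapes quoted in the report; the function names, the 5-second window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog lines quoted in the bug report.
# The last pair shows a patched server: the search is refused, nothing crashes.
SAMPLE_LOG = """\
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount))"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
Jul 26 19:10:02 ldap1 slapd[3001]: conn=7 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=root)"
Jul 26 19:10:02 ldap1 slapd[3001]: conn=7 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=searchFilter/searchFilterAttrDN massage error
Jul 26 19:10:02 ldap1 slapd[3001]: filter_free: unknown filter type=28530
Jul 26 19:30:00 ldap1 slapd[3400]: conn=9 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=root)"
Jul 26 19:30:00 ldap1 slapd[3400]: conn=9 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=searchFilter/searchFilterAttrDN massage error
"""

# Timestamp, optional hostname (the report's lines have none), source, message.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s+(?:\S+\s+)?(slapd\[\d+\]|kernel):\s(.*)$")
# slapd truncates long filters, so the closing quote may be missing.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*".*? filter="(.*?)"?$')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*?\btext=(.*)$")
SEGV_RE = re.compile(r"slapd\[\d+\]: segfault at ")


def crash_indicator(source, msg):
    """Name the crash signature carried by a log message, or return None."""
    if source == "kernel":
        return "kernel segfault" if SEGV_RE.search(msg) else None
    if msg.startswith("filter_free: unknown filter type="):
        return "filter_free unknown type"
    return None


def find_rwm_crashes(log_text, window_seconds=5, year=2019):
    """Return rewrite failures that were followed by a slapd crash signature.

    Syslog timestamps carry no year, so one is supplied (assumption).
    The kernel reports a thread id, not the slapd PID seen in slapd's own
    lines, so correlation is by time window rather than by PID.
    """
    window = timedelta(seconds=window_seconds)
    filters = {}      # (slapd[pid], conn, op) -> filter string from SRCH line
    last = None       # most recent rewrite failure
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, source, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        srch = SRCH_RE.search(msg)
        if source != "kernel" and srch:
            filters[(source, srch.group(1), srch.group(2))] = srch.group(3)
            continue
        res = RESULT_RE.search(msg)
        if source != "kernel" and res and "massage" in res.group(3):
            conn, op, text = res.groups()
            last = {"time": when, "slapd": source, "conn": conn, "op": op,
                    "filter": filters.get((source, conn, op)),
                    "result_text": text, "indicators": []}
            continue
        indicator = crash_indicator(source, msg)
        if indicator and last and when - last["time"] <= window:
            if not last["indicators"]:
                findings.append(last)
            last["indicators"].append(indicator)
    return findings


if __name__ == "__main__":
    for hit in find_rwm_crashes(SAMPLE_LOG):
        print(hit["time"], hit["slapd"], "conn=" + hit["conn"],
              "op=" + hit["op"], hit["filter"], hit["indicators"])
```

A rewrite failure with no indicator after it, like the last pair in the sample, is what a fixed package produces and is not reported.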
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu3.7

---
openldap (2.4.42+dfsg-2ubuntu3.7) xenial; urgency=medium

  * d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP: #1838370)

 -- Lucas Kanashiro Thu, 08 Aug 2019 16:33:06 -0300

** Changed in: openldap (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Released
Status in openldap source package in Bionic: Fix Released
Status in openldap source package in Disco: Fix Released
Status in openldap package in Debian: Unknown
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This bug was fixed in the package openldap - 2.4.47+dfsg-3ubuntu2.2

---
openldap (2.4.47+dfsg-3ubuntu2.2) disco; urgency=medium

  * d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP: #1838370)

 -- Lucas Kanashiro Thu, 08 Aug 2019 15:04:04 -0300

** Changed in: openldap (Ubuntu Disco)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Committed
Status in openldap source package in Bionic: Fix Released
Status in openldap source package in Disco: Fix Released
Status in openldap package in Debian: Unknown
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This bug was fixed in the package openldap - 2.4.45+dfsg-1ubuntu1.4

---
openldap (2.4.45+dfsg-1ubuntu1.4) bionic; urgency=medium

  * d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP: #1838370)

 -- Lucas Kanashiro Thu, 08 Aug 2019 15:08:36 -0300

** Changed in: openldap (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Committed
Status in openldap source package in Bionic: Fix Released
Status in openldap source package in Disco: Fix Released
Status in openldap package in Debian: Unknown
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in bionic-proposed as you can see below:

root@openldap-bionic-sru:~# apt policy slapd
slapd:
  Installed: 2.4.45+dfsg-1ubuntu1.4
  Candidate: 2.4.45+dfsg-1ubuntu1.4
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.4 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.45+dfsg-1ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2.4.45+dfsg-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

And after executing the steps presented in the Test case section, the slapd process did not die:

root@openldap-bionic-sru:~# ps aux | grep slapd
openldap  1029  0.0  4.5 2106104 730124 ?  Ssl  18:51  0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root      1488  0.0  0.0   14852    840 ?  S+   18:52  0:00 grep --color=auto slapd
root@openldap-bionic-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-bionic-sru:~# ps aux | grep slapd
openldap  1029  0.0  4.5 2106104 730124 ?  Ssl  18:51  0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root      1492  0.0  0.0   14852    804 ?  S+   18:52  0:00 grep --color=auto slapd

The PID of the slapd process is the same. Moreover, there is no sign of crash in the syslog output nor a crash file in /var/crash:

root@openldap-bionic-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-bionic-sru:~# ls /var/crash/ | grep slapd

** Tags removed: verification-needed-bionic

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Committed
Status in openldap source package in Bionic: Fix Committed
Status in openldap source package in Disco: Fix Committed
Status in openldap package in Debian: Unknown
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in disco-proposed as you can see below:

root@openldap-disco-sru:~# apt policy slapd
slapd:
  Installed: 2.4.47+dfsg-3ubuntu2.2
  Candidate: 2.4.47+dfsg-3ubuntu2.2
  Version table:
 *** 2.4.47+dfsg-3ubuntu2.2 500
        500 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.47+dfsg-3ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu disco-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu disco-security/main amd64 Packages
     2.4.47+dfsg-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu disco/main amd64 Packages

And after executing the steps presented in the Test case section, the slapd process did not die:

root@openldap-disco-sru:~# ps aux | grep slapd
openldap  1994  0.0  4.5 2003840 728176 ?  Ssl  19:05  0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root      2453  0.0  0.0    7980   1544 ?  S+   19:06  0:00 grep --color=auto slapd
root@openldap-disco-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-disco-sru:~# ps aux | grep slapd
openldap  1994  0.0  4.5 2003840 728176 ?  Ssl  19:05  0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root      2457  0.0  0.0    7980    684 ?  S+   19:06  0:00 grep --color=auto slapd

The PID of the slapd process is the same. Moreover, there is no sign of crash in the syslog output nor a crash file in /var/crash:

root@openldap-disco-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-disco-sru:~# ls /var/crash/ | grep slapd

** Tags removed: verification-needed-disco

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Committed
Status in openldap source package in Bionic: Fix Committed
Status in openldap source package in Disco: Fix Committed
Status in openldap package in Debian: Unknown
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in xenial-proposed as you can see below:

root@openldap-xenial-sru:~# apt policy slapd
slapd:
  Installed: 2.4.42+dfsg-2ubuntu3.7
  Candidate: 2.4.42+dfsg-2ubuntu3.7
  Version table:
 *** 2.4.42+dfsg-2ubuntu3.7 500
        500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.42+dfsg-2ubuntu3.6 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     2.4.42+dfsg-2ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

And after executing the steps presented in the Test case section, the slapd process did not die:

root@openldap-xenial-sru:~# ps aux | grep slapd
openldap  2078  0.0  4.5 2094540 730664 ?  Ssl  19:02  0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root      2147  0.0  0.0   14616    904 ?  S+   19:03  0:00 grep --color=auto slapd
root@openldap-xenial-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-xenial-sru:~# ps aux | grep slapd
openldap  2078  0.0  4.5 2094540 730576 ?  Ssl  19:02  0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root      2151  0.0  0.0   14616    860 ?  S+   19:03  0:00 grep --color=auto slapd

The PID of the slapd process is the same. Moreover, there is no sign of crash in the syslog output nor a crash file in /var/crash:

root@openldap-xenial-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-xenial-sru:~# ls /var/crash/ | grep slapd

** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done-bionic verification-done-disco verification-done-xenial

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Committed
Status in openldap source package in Bionic: Fix Committed
Status in openldap source package in Disco: Fix Committed
Status in openldap package in Debian: Unknown
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Hello Kseniya, or anyone else affected,

Accepted openldap into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.47+dfsg-3ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: openldap (Ubuntu Disco)
       Status: Confirmed => Fix Committed

** Tags added: verification-needed verification-needed-disco

** Changed in: openldap (Ubuntu Bionic)
       Status: Confirmed => Fix Committed

** Tags added: verification-needed-bionic

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title: slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Fix Committed
Status in openldap source package in Bionic: Fix Committed
Status in openldap source package in Disco: Fix Committed
Status in openldap package in Debian: Unknown
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Changed in: openldap (Ubuntu Xenial)
     Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)

** Changed in: openldap (Ubuntu Bionic)
     Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)

** Changed in: openldap (Ubuntu Disco)
     Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title: slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Confirmed
Status in openldap source package in Bionic: Confirmed
Status in openldap source package in Disco: Confirmed
Status in openldap package in Debian: Unknown

Bug description:

[Impact]

Users willing to use the slapd rwm overlay will face a slapd segmentation fault when trying to rewrite some rules. Backporting this fix will allow users using stable releases to take advantage of this feature without crashing slapd. This issue was fixed by upstream not freeing the rwm overlay filter memory without prior checking.

[Test Case]

In this test case, the rwm overlay will be used and a rule will be created to deny any search request for uid=root, then the 'ldapsearch' will be invoked to trigger the failure. It is important to mention that the 'ldapsearch' command should fail regardless of the presence of the bug in the package, the target here is the slapd crash.

To reproduce this bug one can follow the procedure below in Ubuntu xenial, bionic or disco:

  $ sudo apt-get update

Use debconf to pre-seed slapd questions before installing it:

  $ debconf-set-selections << EOF
  slapd slapd/no_configuration boolean false
  slapd slapd/domain string example.com
  slapd shared/organization string example.com
  slapd slapd/password1 password test
  slapd slapd/password2 password test
  slapd slapd/backend select MDB
  slapd slapd/move_old_database boolean false
  EOF

  $ sudo apt-get install slapd ldap-utils -y

Create a file called 'add-rwm.ldif' with the following content:

  $ cat add-rwm.ldif
  dn: cn=module{0},cn=config
  changetype: modify
  add: olcModuleLoad
  olcModuleLoad: rwm

  dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
  changetype: add
  objectClass: olcOverlayConfig
  objectClass: olcRwmConfig
  olcOverlay: rwm
  olcRwmRewrite: {0} rwm-rewriteEngine "on"
  olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
  olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

With this file in place, run:

  $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

Now, to trigger the crash:

  $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
  Server is unwilling to perform (53)
  Additional information: searchFilter/searchFilterAttrDN massage error

slapd process will die, and /var/crash will have a crash file for slapd. You can run the following command to confirm the error:

  $ cat /var/log/syslog | grep filter_free
  Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530

-> Expected behavior

In this test case, as mentioned before, the 'ldapsearch' command should fail but the 'slapd' process should not die. As a result, we don't expect a slapd crash report in /var/crash directory.

[Regression Potential]

Since the fix is a patch provided by upstream (reviewed by maintainers and us) simple mistakes like typos are not expected. The patch impacts only the rwm module which is not loaded by default. So any regression would affect only the users that make use of this overlay. If a user is not using rwm overlay and is facing any issue, it should be related to other problems related to LDAP directory services.

[Original message]

Hello!

We have faced a slapd crash; it seems an attacker was trying to brute force one of our services and uid parsing failures caused the slapd crash:

  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
  Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
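A log triage sketch for the symptoms quoted in this report, added here as an example and not part of the bug report or of OpenLDAP: it pairs each rwm rewrite failure with crash evidence (the filter_free message or a kernel segfault line for slapd) logged within a few seconds of it. The err=53 SEARCH RESULT lines in the sample, the 5-second window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the Jul 26 lines and the filter_free line are quoted in
# the report; the conn=1000 SRCH / err=53 RESULT lines are made up here.
SAMPLE_LOG = '''\
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
Aug  9 19:51:05 popular-gorilla slapd[1479]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=root)"
Aug  9 19:51:05 popular-gorilla slapd[1479]: conn=1000 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=searchFilter/searchFilterAttrDN massage error
Aug  9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530
Aug  9 20:15:40 popular-gorilla slapd[2210]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=root)"
Aug  9 20:15:40 popular-gorilla slapd[2210]: conn=1000 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=searchFilter/searchFilterAttrDN massage error
'''

# Timestamp, optional host name, then "kernel" or "slapd[pid]" as the tag.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?:\S+\s+)?'
    r'(?P<tag>kernel|slapd\[\d+\]):\s+(?P<msg>.*)$')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="(.*)$')
# Both rwm error texts that appear in the report.
FAIL_RE = re.compile(
    r'conn=(\d+) op=(\d+) SEARCH RESULT .*text='
    r'(massaged filter parse error'
    r'|searchFilter/searchFilterAttrDN massage error)')
CRASH_RES = (
    re.compile(r'filter_free: unknown filter type=\d+'),
    re.compile(r'slapd\[\d+\]: segfault at '),
)


def _when(stamp):
    # syslog stamps carry no year; pin a leap year so "Feb 29" still parses.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")


def find_rwm_failures(lines, window=timedelta(seconds=5)):
    """Return one record per rwm rewrite failure, with any crash evidence
    logged no later than `window` after it."""
    filters = {}   # (conn, op) -> filter text taken from the SRCH line
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        when, msg = _when(m["ts"]), m["msg"]
        if (s := SRCH_RE.search(msg)):
            flt = s.group(3)
            # Drop the closing quote slapd puts around the logged filter.
            filters[(s.group(1), s.group(2))] = (
                flt[:-1] if flt.endswith('"') else flt)
        elif (f := FAIL_RE.search(msg)):
            key = (f.group(1), f.group(2))
            events.append({
                "conn": int(key[0]), "op": int(key[1]), "time": when,
                "reason": f.group(3), "filter": filters.get(key),
                "crash_evidence": [],
            })
        elif any(r.search(msg) for r in CRASH_RES):
            # Attribute the crash line to the most recent failure in range.
            for ev in reversed(events):
                if timedelta(0) <= when - ev["time"] <= window:
                    ev["crash_evidence"].append(msg)
                    break
    return events


def crashed_searches(events):
    """(conn, op) pairs whose rewrite failure was followed by crash evidence."""
    return [(e["conn"], e["op"]) for e in events if e["crash_evidence"]]


if __name__ == "__main__":
    for ev in find_rwm_failures(SAMPLE_LOG.splitlines()):
        state = "CRASH" if ev["crash_evidence"] else "handled"
        print(f'{state:8} conn={ev["conn"]} op={ev["op"]} '
              f'filter={ev["filter"]!r} ({ev["reason"]})')
```

A failure record with empty crash evidence corresponds to the expected behaviour in the test case: the search is rejected and slapd keeps running.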
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed: - Impact - -- + [Impact] Users willing to use the slapd rwm overlay will face a slapd segmentation fault when trying to rewrite some rules. Backporting this fix will allow users using stable releases to take advantage of this feature without crashing slapd. This issue was fixed by upstream not freeing the rwm overlay filter memory without prior checking. - Test Case - - + [Test Case] In this test case, the rwm overlay will be used and a rule will be created to deny any search request for uid=root, then the 'ldapsearch' will be invoked to trigger the failure. It is important to mention that the 'ldapsearch' command should fail regardless the presence of the bug in the package, the target here is the slapd crash. To reproduce this bug one can follow the procedure below in Ubuntu xenial, bionic or disco: $ sudo apt-get update - Use debconf to pre-seed slapd questions before install it: $ debconf-set-selections << EOF slapd slapd/no_configuration boolean false slapd slapd/domain string example.com slapd shared/organization string example.com slapd slapd/password1 password test slapd slapd/password2 password test slapd slapd/backend select MDB slapd slapd/move_old_database boolean false EOF $ sudo apt-get install slapd ldap-utils -y - Create a file called 'add-rwm.ldif' with the following content: $ cat add-rwm.ldif dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: rwm dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm olcRwmRewrite: {0} rwm-rewriteEngine "on" olcRwmRewrite: {1} rwm-rewriteContext "searchFilter" olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#" With this file in place, run: $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif Now, to trigger the crash: $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root Server is unwilling to perform (53) Additional information: 
searchFilter/searchFilterAttrDN massage error - - slapd process will die, and /var/crash will have a crash file for slapd. You can run the following command to confirm the error: + slapd process will die, and /var/crash will have a crash file for slapd. + You can run the following command to confirm the error: $ cat /var/log/syslog | grep filter_free Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530 -> Expected behavior In this test case, as mentioned before, the 'ldapsearch' command should fail but the 'slapd' process should not die. As result, we don't expect a slapd crash report in /var/crash directory. - - Regression Potential - + [Regression Potential] Since the fix is a patch provided by upstream (reviewed by maintainers and us) simple mistakes like typos are not expected. The patch impacts only the rwm module which is not loaded by default. So any regression would affect only the users that make use of this overlay. If an user is not using rwm overlay and is facing any issue, it should be related to other problems related to LDAP directory services. - [Original message] Hello! 
We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: config ldif $ apt-cache
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed: Impact -- Users willing to use the slapd rwm overlay will face a slapd segmentation fault when trying to rewrite some rules. Backporting this fix will allow users using stable releases to take advantage of this feature without crashing slapd. This issue was fixed by upstream not freeing the rwm overlay filter memory without prior checking. Test Case - In this test case, the rwm overlay will be used and a rule will be created to deny any search request for uid=root, then the 'ldapsearch' will be invoked to trigger the failure. It is important to mention that the 'ldapsearch' command should fail regardless the presence of the bug in the package, the target here is the slapd crash. To reproduce this bug one can follow the procedure below in Ubuntu xenial, bionic or disco: $ sudo apt-get update + + + Use debconf to pre-seed slapd questions before install it: + + $ debconf-set-selections << EOF + slapd slapd/no_configuration boolean false + slapd slapd/domain string example.com + slapd shared/organization string example.com + slapd slapd/password1 password test + slapd slapd/password2 password test + slapd slapd/backend select MDB + slapd slapd/move_old_database boolean false + EOF $ sudo apt-get install slapd ldap-utils -y - Reconfigure the slapd package. When asked about a domain, use "example.com". 
- Choose a password you want (or just leave it blank), and accept defaults for - everything else: - - $ sudo dpkg-reconfigure slapd Create a file called 'add-rwm.ldif' with the following content: $ cat add-rwm.ldif dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: rwm dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm olcRwmRewrite: {0} rwm-rewriteEngine "on" olcRwmRewrite: {1} rwm-rewriteContext "searchFilter" olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#" With this file in place, run: $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif Now, to trigger the crash: $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root Server is unwilling to perform (53) Additional information: searchFilter/searchFilterAttrDN massage error - slapd process will die, and /var/crash will have a crash file for slapd. You - can run the following command to confirm the error: + + slapd process will die, and /var/crash will have a crash file for slapd. You can run the following command to confirm the error: $ cat /var/log/syslog | grep filter_free Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530 + + -> Expected behavior + + In this test case, as mentioned before, the 'ldapsearch' command should + fail but the 'slapd' process should not die. As result, we don't expect + a slapd crash report in /var/crash directory. + Regression Potential Since the fix is a patch provided by upstream (reviewed by maintainers and us) simple mistakes like typos are not expected. The patch impacts only the rwm module which is not loaded by default. So any regression would affect only the users that make use of this overlay. If an user is not using rwm overlay and is facing any issue, it should be related to other problems related to LDAP directory services. + [Original message] Hello! 
We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
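Review bot: the added `$ debconf-set-selections << EOF` step is run without sudo, unlike the `sudo apt-get` and `sudo ldapadd` steps around it; debconf-set-selections has to write to the system debconf database, so for a non-root tester the seeds are not stored. Suggest `$ sudo debconf-set-selections << EOF`. The new "-> Expected behavior" paragraph could also name a concrete check, for example that `grep filter_free /var/log/syslog` shows no new line and that the slapd process is still running after the ldapsearch.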
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Bug watch added: Debian Bug tracker #934277
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934277

** Also affects: openldap (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934277
   Importance: Unknown
       Status: Unknown

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title: slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Confirmed
Status in openldap source package in Bionic: Confirmed
Status in openldap source package in Disco: Confirmed
Status in openldap package in Debian: Unknown

Bug description:

Impact
------

Users willing to use the slapd rwm overlay will face a slapd segmentation fault when trying to rewrite some rules. Backporting this fix will allow users using stable releases to take advantage of this feature without crashing slapd. This issue was fixed by upstream not freeing the rwm overlay filter memory without prior checking.

Test Case
---------

In this test case, the rwm overlay will be used and a rule will be created to deny any search request for uid=root, then the 'ldapsearch' will be invoked to trigger the failure. It is important to mention that the 'ldapsearch' command should fail regardless of the presence of the bug in the package, the target here is the slapd crash.

To reproduce this bug one can follow the procedure below in Ubuntu xenial, bionic or disco:

  $ sudo apt-get update
  $ sudo apt-get install slapd ldap-utils -y

Reconfigure the slapd package. When asked about a domain, use "example.com". Choose a password you want (or just leave it blank), and accept defaults for everything else:

  $ sudo dpkg-reconfigure slapd

Create a file called 'add-rwm.ldif' with the following content:

  $ cat add-rwm.ldif
  dn: cn=module{0},cn=config
  changetype: modify
  add: olcModuleLoad
  olcModuleLoad: rwm

  dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
  changetype: add
  objectClass: olcOverlayConfig
  objectClass: olcRwmConfig
  olcOverlay: rwm
  olcRwmRewrite: {0} rwm-rewriteEngine "on"
  olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
  olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

With this file in place, run:

  $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

Now, to trigger the crash:

  $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
  Server is unwilling to perform (53)
  Additional information: searchFilter/searchFilterAttrDN massage error

slapd process will die, and /var/crash will have a crash file for slapd. You can run the following command to confirm the error:

  $ cat /var/log/syslog | grep filter_free
  Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530

Regression Potential
--------------------

Since the fix is a patch provided by upstream (reviewed by maintainers and us) simple mistakes like typos are not expected. The patch impacts only the rwm module which is not loaded by default. So any regression would affect only the users that make use of this overlay. If a user is not using rwm overlay and is facing any issue, it should be related to other problems related to LDAP directory services.

[Original message]

Hello!

We have faced a slapd crash; it seems an attacker was trying to brute force one of our services and uid parsing failures caused the slapd crash:

  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
  Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c]

Another faulty filter example:

  filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
  filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"

  $ lsb_release -rd
  Description: Ubuntu 16.04.5 LTS
  Release: 16.04

  $ slapd -VVV
  @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
  buildd@lcy01-amd64-019
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed: Impact -- - Users willing to use the slapd rwm overlay will face a slapd segmentation fault - when trying to rewrite some rules. Backporting this fix will allow users using - stable releases to take advantage of this feature without crashing slapd. This - issue was fixed by upstream not freeing the rwm overlay filter memory without - prior checking. + Users willing to use the slapd rwm overlay will face a slapd + segmentation fault when trying to rewrite some rules. Backporting this + fix will allow users using stable releases to take advantage of this + feature without crashing slapd. This issue was fixed by upstream not + freeing the rwm overlay filter memory without prior checking. Test Case - - In this test case, the rwm overlay will be used and a rule will be created to - deny any search request for uid=root, then the 'ldapsearch' will be invoked to - trigger the failure. It is important to mention that the 'ldapsearch' command - should fail regardless the presence of the bug in the package, the target here - is the slapd crash. To reproduce this bug one can follow the procedure below in - Ubuntu xenial, bionic or disco: + In this test case, the rwm overlay will be used and a rule will be + created to deny any search request for uid=root, then the 'ldapsearch' + will be invoked to trigger the failure. It is important to mention that + the 'ldapsearch' command should fail regardless the presence of the bug + in the package, the target here is the slapd crash. To reproduce this + bug one can follow the procedure below in Ubuntu xenial, bionic or + disco: $ sudo apt-get update $ sudo apt-get install slapd ldap-utils -y Reconfigure the slapd package. When asked about a domain, use "example.com". 
Choose a password you want (or just leave it blank), and accept defaults for everything else: $ sudo dpkg-reconfigure slapd Create a file called 'add-rwm.ldif' with the following content: $ cat add-rwm.ldif dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: rwm dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm olcRwmRewrite: {0} rwm-rewriteEngine "on" olcRwmRewrite: {1} rwm-rewriteContext "searchFilter" olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#" - With this file in place, run: $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif Now, to trigger the crash: $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root Server is unwilling to perform (53) Additional information: searchFilter/searchFilterAttrDN massage error - slapd process will die, and /var/crash will have a crash file for slapd. You can run the following command to confirm the error: $ cat /var/log/syslog | grep filter_free Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530 - Regression Potential - Since the fix is a patch provided by upstream (reviewed by maintainers and us) - simple mistakes like typos are not expected. The patch impacts only the rwm - module which is not loaded by default. So any regression would affect only the - users that make use of this overlay. If an user is not using rwm overlay and is - facing any issue, it should be related to other problems related to LDAP - directory services. - - + Since the fix is a patch provided by upstream (reviewed by maintainers + and us) simple mistakes like typos are not expected. The patch impacts + only the rwm module which is not loaded by default. So any regression + would affect only the users that make use of this overlay. If an user is + not using rwm overlay and is facing any issue, it should be related to + other problems related to LDAP directory services. 
[Original message] Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Merge proposal linked:
   https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/openldap/+git/openldap/+merge/371148

** Merge proposal linked:
   https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/openldap/+git/openldap/+merge/371149

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title: slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Confirmed
Status in openldap source package in Bionic: Confirmed
Status in openldap source package in Disco: Confirmed
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Merge proposal linked: https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/openldap/+git/openldap/+merge/371147
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed: + Impact + -- + + Users willing to use the slapd rwm overlay will face a slapd segmentation fault + when trying to rewrite some rules. Backporting this fix will allow users using + stable releases to take advantage of this feature without crashing slapd. This + issue was fixed by upstream not freeing the rwm overlay filter memory without + prior checking. + + Test Case + - + + In this test case, the rwm overlay will be used and a rule will be created to + deny any search request for uid=root, then the 'ldapsearch' will be invoked to + trigger the failure. It is important to mention that the 'ldapsearch' command + should fail regardless the presence of the bug in the package, the target here + is the slapd crash. To reproduce this bug one can follow the procedure below in + Ubuntu xenial, bionic or disco: + + $ sudo apt-get update + $ sudo apt-get install slapd ldap-utils -y + + Reconfigure the slapd package. When asked about a domain, use "example.com". + Choose a password you want (or just leave it blank), and accept defaults for + everything else: + + $ sudo dpkg-reconfigure slapd + + Create a file called 'add-rwm.ldif' with the following content: + + $ cat add-rwm.ldif + dn: cn=module{0},cn=config + changetype: modify + add: olcModuleLoad + olcModuleLoad: rwm + + dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config + changetype: add + objectClass: olcOverlayConfig + objectClass: olcRwmConfig + olcOverlay: rwm + olcRwmRewrite: {0} rwm-rewriteEngine "on" + olcRwmRewrite: {1} rwm-rewriteContext "searchFilter" + olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#" + + + With this file in place, run: + + $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif + + Now, to trigger the crash: + + $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root + Server is unwilling to perform (53) + Additional information: searchFilter/searchFilterAttrDN massage error + + + slapd process will die, and /var/crash will have a crash 
file for slapd. You + can run the following command to confirm the error: + + $ cat /var/log/syslog | grep filter_free + Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530 + + + Regression Potential + + + Since the fix is a patch provided by upstream (reviewed by maintainers and us) + simple mistakes like typos are not expected. The patch impacts only the rwm + module which is not loaded by default. So any regression would affect only the + users that make use of this overlay. If an user is not using rwm overlay and is + facing any issue, it should be related to other problems related to LDAP + directory services. + + + + [Original message] + Hello! We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash: Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c] Another faulty filter example: filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0" filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0" $ lsb_release -rd Description: Ubuntu 16.04.5 
LTS Release: 16.04 $ slapd -VVV @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd Included static backends: - config - ldif + config + ldif $ apt-cache policy slapd slapd: - Installed: 2.4.42+dfsg-2ubuntu3.3 - Candidate: 2.4.42+dfsg-2ubuntu3.5 - Version table: - 2.4.42+dfsg-2ubuntu3.5 500 - 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 + Installed: 2.4.42+dfsg-2ubuntu3.3 + Candidate: 2.4.42+dfsg-2ubuntu3.5 + Version table: + 2.4.42+dfsg-2ubuntu3.5 500 + 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages - *** 2.4.42+dfsg-2ubuntu3.3 100 - 100 /var/lib/dpkg/status - 2.4.42+dfsg-2ubuntu3.2 500 - 500
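Review bot: the added Test Case section gives no pass criterion for a fixed package. It states that the 'ldapsearch' command should fail regardless of the bug and then describes only the failing outcome (slapd dies, a crash file in /var/crash, a filter_free line in syslog); add an explicit expected result, for example that slapd is still running after the search and that the 'grep filter_free' on /var/log/syslog returns nothing. The 'sudo dpkg-reconfigure slapd' step is also interactive ("accept defaults for everything else"), so two testers can end up with different configurations; pre-seeding the answers would make the procedure repeatable on xenial, bionic and disco.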
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Here is a quick reproducer.

  sudo apt update
  sudo apt install slapd ldap-utils -y

Reconfigure the slapd package. When asked about a domain, use "example.com". Choose a password, and accept defaults for everything else:

  sudo dpkg-reconfigure slapd

Create a file called add-rwm.ldif with these contents:

  dn: cn=module{0},cn=config
  changetype: modify
  add: olcModuleLoad
  olcModuleLoad: rwm

  dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
  changetype: add
  objectClass: olcOverlayConfig
  objectClass: olcRwmConfig
  olcOverlay: rwm
  olcRwmRewrite: {0} rwm-rewriteEngine "on"
  olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
  olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

Then run:

  sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

And then, to trigger the crash:

  ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root

slapd will die, and /var/crash will have a crash file for slapd.

Bug description:

Hello!

We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash:

  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
  Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c]

Another faulty filter example:

  filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
  filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"

  $ lsb_release -rd
  Description: Ubuntu 16.04.5 LTS
  Release: 16.04

  $ slapd -VVV
  @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
  buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd

  Included static backends:
    config
    ldif

  $ apt-cache policy slapd
  slapd:
    Installed: 2.4.42+dfsg-2ubuntu3.3
    Candidate: 2.4.42+dfsg-2ubuntu3.5
    Version table:
       2.4.42+dfsg-2ubuntu3.5 500
          500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
   *** 2.4.42+dfsg-2ubuntu3.3 100
          100 /var/lib/dpkg/status
       2.4.42+dfsg-2ubuntu3.2 500
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
       2.4.42+dfsg-2ubuntu3 500
          500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

affects ubuntu/openldap

To manage notifications about this bug go to:
https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
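Added example (not part of the original thread and not OpenLDAP code): a Python triage script that scans syslog for the three signatures quoted in this report, namely the "massaged filter parse error" search result, the "filter_free: unknown filter type" message and the kernel segfault line for slapd, and ties a crash to the search filter logged just before it. The rule names, the 5-second correlation window and the placeholder year are assumptions, and the last sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# The first four lines are the syslog lines quoted in the bug report. The last
# line is constructed: an ordinary search result used as a negative control.
SAMPLE_LOG = """\
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c]
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530
Aug 9 20:10:00 popular-gorilla slapd[1479]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# Timestamp, optional hostname (absent in the report's first excerpt), then
# either slapd[pid] or kernel as the logging program.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>\S+)\s+)?(?P<prog>slapd\[\d+\]|kernel):\s*(?P<msg>.*)$"
)
CONN_RE = re.compile(r"\bconn=(\d+) op=(\d+)\b")
SRCH_RE = re.compile(r'\bSRCH base=.*\bfilter="(?P<filter>.*)"$')
PARSE_ERROR_TEXT = "text=massaged filter parse error"
FILTER_FREE_RE = re.compile(r"filter_free: unknown filter type=(\d+)")
SEGV_RE = re.compile(r"\bslapd\[\d+\]: segfault at [0-9a-f]+")

ASSUMED_YEAR = 2000  # assumption: syslog omits the year; used only for ordering


def parse_ts(ts, year=ASSUMED_YEAR):
    """Turn a syslog timestamp such as 'Aug 9 19:51:05' into a datetime."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect(lines, window_seconds=5, year=ASSUMED_YEAR):
    """Return findings, in log order, for the crash signatures in this report."""
    window = timedelta(seconds=window_seconds)
    filters = {}        # (conn, op) -> filter string logged on the SRCH line
    last_error = None   # most recent rwm parse error: (time, conn, filter)
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, msg = parse_ts(m["ts"], year), m["msg"]
        if m["prog"] == "kernel":
            if SEGV_RE.search(msg):
                # The kernel line carries a different id (2367 in the report)
                # from the one slapd logs under (1252), so correlate on time.
                hit = (last_error is not None
                       and timedelta(0) <= when - last_error[0] <= window)
                findings.append({
                    "rule": "slapd-segfault",
                    "time": when,
                    "after_parse_error": hit,
                    "conn": last_error[1] if hit else None,
                    "filter": last_error[2] if hit else None,
                })
            continue
        key = CONN_RE.search(msg)
        srch = SRCH_RE.search(msg)
        free = FILTER_FREE_RE.search(msg)
        if key and srch:
            filters[key.groups()] = srch["filter"]
        elif key and PARSE_ERROR_TEXT in msg:
            last_error = (when, key[1], filters.get(key.groups()))
            findings.append({"rule": "rwm-filter-parse-error", "time": when,
                             "conn": key[1], "filter": last_error[2]})
        elif free:
            findings.append({"rule": "filter-free-unknown-type", "time": when,
                             "filter_type": int(free[1])})
    return findings


def summarize(findings):
    """One line per finding, suitable for a ticket or an alert body."""
    out = []
    for f in findings:
        detail = ", ".join(f"{k}={v}" for k, v in f.items()
                           if k not in ("rule", "time") and v is not None)
        out.append(f"{f['time']:%b %d %H:%M:%S} {f['rule']}: {detail}")
    return out


if __name__ == "__main__":
    for line in summarize(detect(SAMPLE_LOG.splitlines())):
        print(line)
```

A segfault finding with after_parse_error=True on a host that loads the rwm overlay points at this bug; the attached filter shows which search request preceded the crash.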
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Hm, I forgot to re-add the bug reference after a few iterating over another change, sorry. But this is a good SRU candidate.
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
This has already been fixed as of 2.4.48+dfsg-1ubuntu1. I'm not sure why the upload didn't automatically close the bug.

** Changed in: openldap (Ubuntu)
       Status: Confirmed => Fix Released
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Is there any information when it's gonna be fixed in Ubuntu?

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Confirmed
Status in openldap source package in Xenial: Confirmed
Status in openldap source package in Bionic: Confirmed
Status in openldap source package in Disco: Confirmed
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openldap (Ubuntu Bionic)
       Status: New => Confirmed
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openldap (Ubuntu Disco)
       Status: New => Confirmed
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openldap (Ubuntu Xenial)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370

Title:
  slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Confirmed
Status in openldap source package in Xenial: Confirmed
Status in openldap source package in Bionic: Confirmed
Status in openldap source package in Disco: Confirmed

Bug description:
  Hello!

  We have faced slapd crash, seems an attacker was trying to brute force one of our services and uid parsing failures caused slapd crash:

  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
  Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c]

  Another faulty filter example:

  filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
  filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"

  $ lsb_release -rd
  Description: Ubuntu 16.04.5 LTS
  Release: 16.04

  $ slapd -VVV
  @(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
  buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd

  Included static backends:
    config
    ldif

  $ apt-cache policy slapd
  slapd:
    Installed: 2.4.42+dfsg-2ubuntu3.3
    Candidate: 2.4.42+dfsg-2ubuntu3.5
    Version table:
       2.4.42+dfsg-2ubuntu3.5 500
          500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
   *** 2.4.42+dfsg-2ubuntu3.3 100
          100 /var/lib/dpkg/status
       2.4.42+dfsg-2ubuntu3.2 500
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
       2.4.42+dfsg-2ubuntu3 500
          500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  affects ubuntu/openldap

To manage notifications about this bug go to:
https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
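Added example (not part of the original report and not OpenLDAP code): a log triage script that correlates a "massaged filter parse error" search result with a kernel segfault line for slapd shortly afterwards and recovers the search filter involved. The sample log is constructed from the lines quoted in the bug description; the function name, the 5-second window and the year argument are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines quoted in the report
# (attribute list shortened; conn=1465 is a benign control search).
SAMPLE_LOG = """\
Jul 26 18:59:40 slapd[1252]: conn=1465 op=2 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(uid=alice)"
Jul 26 18:59:40 slapd[1252]: conn=1465 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c]
"""

# Timestamp, optional hostname, then either slapd[pid] or kernel.
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?'
                     r'(?P<prog>slapd\[\d+\]|kernel): (?P<msg>.*)$')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base=.* filter="(.*)"$')
ERR_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*'
                    r'text=massaged filter parse error')
SEGV_RE = re.compile(r'slapd\[(\d+)\]: segfault at ')


def find_rwm_crashes(log_text, window_seconds=5, year=2019):
    """Return one record per slapd segfault that follows a
    'massaged filter parse error' result within window_seconds."""
    window = timedelta(seconds=window_seconds)
    filters = {}        # (conn, op) -> filter string from the SRCH line
    parse_errors = []   # searches whose rewritten filter failed to parse
    incidents = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year; `year` is only used to compute time deltas
        ts = " ".join(m["ts"].split())
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if m["prog"] == "kernel":
            segv = SEGV_RE.search(msg)
            if segv:
                suspects = [e for e in parse_errors
                            if timedelta(0) <= when - e["time"] <= window]
                if suspects:
                    incidents.append({"crash_time": when,
                                      "pid": int(segv.group(1)),
                                      "suspects": suspects})
            continue
        srch = SRCH_RE.search(msg)
        if srch:
            filters[(srch.group(1), srch.group(2))] = srch.group(3)
            continue
        err = ERR_RE.search(msg)
        if err:
            key = (err.group(1), err.group(2))
            parse_errors.append({"time": when, "conn": int(key[0]),
                                 "op": int(key[1]),
                                 "filter": filters.get(key)})
    return incidents
```

On a fixed package the parse-error result line is still logged but no segfault follows, so the function returns an empty list for such logs.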
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Tags added: bitesize

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Confirmed
Status in openldap source package in Xenial: New
Status in openldap source package in Bionic: New
Status in openldap source package in Disco: New
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Tags added: patch
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Tags added: server-next
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Patch added: "Patch mentioned in previous comment"
   https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1838370/+attachment/5280211/+files/0001-ITS-8964-Do-not-free-original-filter.patch
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Also affects: openldap (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: openldap (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: openldap (Ubuntu Xenial)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
Looks like this is fixed upstream already: https://openldap.org/its/?findid=8964 fixed in 2.4.48.

Cherry-picking upstream commit d40b357f5da9a94d2f4f541c21bde02610d9cd3b fixes the crash for me.

** Also affects: openldap
   Importance: Undecided
       Status: New

** Changed in: openldap
       Status: New => Fix Released

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Confirmed