** Bug watch added: Debian Bug tracker #934277

** Also affects: openldap (Debian) via
   Importance: Unknown
       Status: Unknown

You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.

  slapd segfault on filter parse error

Status in openldap:
  Fix Released
Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Xenial:
Status in openldap source package in Bionic:
Status in openldap source package in Disco:
Status in openldap package in Debian:

Bug description:

  Users willing to use the slapd rwm overlay will face a slapd
  segmentation fault when trying to rewrite some rules. Backporting this
  fix will allow users using stable releases to take advantage of this
  feature without crashing slapd. This issue was fixed by upstream not
  freeing the rwm overlay filter memory without prior checking.

  Test Case

  In this test case, the rwm overlay will be used and a rule will be
  created to deny any search request for uid=root, then the 'ldapsearch'
  will be invoked to trigger the failure. It is important to mention
  that the 'ldapsearch' command should fail regardless the presence of
  the bug in the package, the target here is the slapd crash. To
  reproduce this bug one can follow the procedure below in Ubuntu
  xenial, bionic or disco:

  $ sudo apt-get update
  $ sudo apt-get install slapd ldap-utils -y

  Reconfigure the slapd package. When asked about a domain, use "example.com".
  Choose a password you want (or just leave it blank), and accept defaults for
  everything else:

  $ sudo dpkg-reconfigure slapd

  Create a file called 'add-rwm.ldif' with the following content:

  $ cat add-rwm.ldif
  dn: cn=module{0},cn=config
  changetype: modify
  add: olcModuleLoad
  olcModuleLoad: rwm

  dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
  changetype: add
  objectClass: olcOverlayConfig
  objectClass: olcRwmConfig
  olcOverlay: rwm
  olcRwmRewrite: {0} rwm-rewriteEngine "on"
  olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
  olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

  With this file in place, run:

  $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

  Now, to trigger the crash:

  $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
  Server is unwilling to perform (53)
  Additional information: searchFilter/searchFilterAttrDN massage error

  slapd process will die, and /var/crash will have a crash file for slapd. You
  can run the following command to confirm the error:

  $ cat /var/log/syslog | grep filter_free
  Aug  9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter 

  Regression Potential

  Since the fix is a patch provided by upstream (reviewed by maintainers
  and us) simple mistakes like typos are not expected. The patch impacts
  only the rwm module which is not loaded by default. So any regression
  would affect only the users that make use of this overlay. If an user
  is not using rwm overlay and is facing any issue, it should be related
  to other problems related to LDAP directory services.

  [Original message]

  We have faced slapd crash, seems an attacker was trying to brute force one
  of our services and uid parsing failures caused slapd crash:

  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
  base="ou=test,dc=test,dc=com" scope=2 deref=0
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
  userPassword uidNumber gidNumber gecos homeDirectory loginShell
  krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
  shadowLastChange shadowMin shadow
  Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
  krbPasswordExpiration pwdAttribute authorizedService accountExpires
  userAccountControl nsAccountLock host loginDisabled loginExpirationTime
  loginAllowedTimeMap sshPublic
  Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
  nentries=0 text=massaged filter parse error
  Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
  00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so

  Another faulty filter example:

  $ lsb_release -rd
  Description: Ubuntu 16.04.5 LTS
  Release: 16.04

  $ slapd -VVV
  @(#) $OpenLDAP: slapd  (Ubuntu) (May 22 2018 13:54:12) $

  Included static backends:

  $ apt-cache policy slapd
    Installed: 2.4.42+dfsg-2ubuntu3.3
    Candidate: 2.4.42+dfsg-2ubuntu3.5
    Version table:
       2.4.42+dfsg-2ubuntu3.5 500
          500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
   *** 2.4.42+dfsg-2ubuntu3.3 100
          100 /var/lib/dpkg/status
       2.4.42+dfsg-2ubuntu3.2 500
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
       2.4.42+dfsg-2ubuntu3 500
          500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

   affects ubuntu/openldap

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to