Bug 1019490 (CVE-2013-4449)

Summary: CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: dspurek, hyc, iboernig, jkurik, jsynacek, maci, security-response-team
Target Milestone: ---
Target Release: ---
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2014-02-26 22:44:40 UTC
Bug Depends On: 1003038, 1058250, 1060851, 1061405, 1064145, 1064146
Bug Blocks: 1019493

Description Vincent Danen 2013-10-15 20:47:36 UTC
It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and immediately unbind from the server.  This seems to be due to the rwm overlay not doing reference counting properly, so rwm_conn_destroy frees the session context while rwm_op_search is using it.  This condition also seems to require multiple cores/CPUs to trigger.

This was also reported upstream [1] and is currently unfixed.

[1] http://www.openldap.org/its/index.cgi/Incoming?id=7723
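The lifetime bug described in the report (a connection-teardown hook releasing a per-session context while a search operation on another CPU is still using it, and the reference-counting fix) modelled in C. This is an added illustration of the bug class, not the rwm overlay's actual code: `sess_ctx`, `conn_destroy_*`, `op_search_*`, `ctx_get`/`ctx_put` and the sample base DN are hypothetical names. The concurrent unbind is simulated by a callback invoked part-way through the operation, and the unfixed teardown marks the context dead instead of calling free(), so the broken interleaving can be observed deterministically rather than as undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-connection (session) context shared between an in-flight operation
 * and the connection-teardown path.  Hypothetical layout for illustration. */
struct sess_ctx {
    char dn_rewrite[64];   /* state the operation keeps reading while it runs */
    int refcnt;            /* used only by the fixed variant */
    int live;              /* 1 while valid, 0 once torn down */
};

static struct sess_ctx *ctx_new(const char *rewrite)
{
    struct sess_ctx *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    snprintf(c->dn_rewrite, sizeof c->dn_rewrite, "%s", rewrite);
    c->refcnt = 1;         /* the connection's own reference */
    c->live = 1;
    return c;
}

/* ---- unfixed shape: teardown releases the context unconditionally ---- */

/* Stand-in for the connection-destroy hook.  Models free() by clearing
 * `live` so that a later access can be detected instead of being UB. */
static void conn_destroy_unfixed(struct sess_ctx *c)
{
    c->live = 0;
}

/* Search operation that borrowed the context without taking a reference.
 * `unbind` simulates the client unbinding on another CPU mid-operation.
 * Returns 0 on success, -1 if the operation touched a destroyed context. */
static int op_search_unfixed(struct sess_ctx *c, void (*unbind)(struct sess_ctx *))
{
    char rewritten[64];
    snprintf(rewritten, sizeof rewritten, "%s/phase1", c->dn_rewrite);
    unbind(c);             /* teardown runs while the op is still in flight */
    if (!c->live)
        return -1;         /* this read would be a use-after-free */
    snprintf(rewritten, sizeof rewritten, "%s/phase2", c->dn_rewrite);
    return 0;
}

/* ---- fixed shape: every user of the context holds a reference ---- */

static void ctx_get(struct sess_ctx *c) { c->refcnt++; }

/* Drops one reference; the memory goes away only with the last holder. */
static void ctx_put(struct sess_ctx *c)
{
    if (--c->refcnt == 0) {
        memset(c, 0, sizeof *c);
        free(c);
    }
}

/* Teardown now gives up only the connection's own reference. */
static void conn_destroy_fixed(struct sess_ctx *c) { ctx_put(c); }

static int op_search_fixed(struct sess_ctx *c, void (*unbind)(struct sess_ctx *))
{
    char rewritten[64];
    int rc;
    ctx_get(c);            /* pin the context for the duration of the op */
    snprintf(rewritten, sizeof rewritten, "%s/phase1", c->dn_rewrite);
    unbind(c);             /* refcnt 2 -> 1; context stays valid */
    rc = c->live ? 0 : -1;
    if (rc == 0)
        snprintf(rewritten, sizeof rewritten, "%s/phase2", c->dn_rewrite);
    ctx_put(c);            /* refcnt 1 -> 0: freed here, after the last use */
    return rc;
}

/* Runs the query-then-immediate-unbind interleaving against each variant. */
static int run_unfixed(void)
{
    struct sess_ctx *c = ctx_new("ou=people,dc=example,dc=com"); /* constructed */
    int rc = op_search_unfixed(c, conn_destroy_unfixed);
    free(c);               /* the model only marked it dead; release it now */
    return rc;             /* -1: op used the context after teardown */
}

static int run_fixed(void)
{
    struct sess_ctx *c = ctx_new("ou=people,dc=example,dc=com"); /* constructed */
    return op_search_fixed(c, conn_destroy_fixed);   /* 0; c freed inside */
}

int main(void)
{
    printf("unfixed variant: %d (-1 = context used after teardown)\n", run_unfixed());
    printf("fixed variant:   %d\n", run_fixed());
    return 0;
}
```

The point of the fixed shape is that teardown is no longer the sole owner: the connection and each in-flight operation each hold a reference, so whichever finishes last frees the context. In a real multi-threaded server the increment and decrement must be atomic or done under the connection's mutex, which the deterministic model above omits.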

Comment 1 Vincent Danen 2013-10-16 21:36:17 UTC
Acknowledgements:

Red Hat would like to thank Michael Vishchers from Seven Principles AG for reporting this issue.

Comment 2 Howard Chu 2013-10-23 21:01:16 UTC
(In reply to Vincent Danen from comment #0)
> It was discovered that OpenLDAP, with the rwm overlay to slapd, could
> segfault if a user were able to query the directory and immediately unbind
> from the server.  This seems to be due to the rwm overlay not doing
> reference counting properly, so rwm_conn_destroy frees the session context
> while rwm_op_search is using it.  This condition also seems to require
> multiple cores/CPUs to trigger.
> 
> This was also reported upstream [1] and is currently unfixed.
> 
> [1] http://www.openldap.org/its/index.cgi/Incoming?id=7723

Nor is any fix coming from us any time soon. The rwm overlay is a pretty low priority module. Patches welcome.

Comment 5 Vincent Danen 2014-02-03 18:33:31 UTC
Created openldap tracking bugs for this issue:

Affects: fedora-all [bug 1060851]

Comment 6 errata-xmlrpc 2014-02-03 18:51:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0126 https://rhn.redhat.com/errata/RHSA-2014-0126.html

Comment 8 Fedora Update System 2014-02-11 23:13:01 UTC
openldap-2.4.39-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2014-02-24 17:57:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0206 https://rhn.redhat.com/errata/RHSA-2014-0206.html