Bug 1381481 (CVE-2017-2591)

Summary: CVE-2017-2591 389-ds-base: Heap buffer overflow in uiduniq.c
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: amaris, cbuissar, edewata, fweimer, mreynolds, nhosoi, nkinder, rmeggins
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base 1.3.6
Doc Text:
It was found that the uniqueness_entry_to_config() function, used by the "attribute uniqueness" plugin of 389 Directory Server, did not properly NULL terminate an array used in some configuration. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service.
Last Closed: 2017-01-19 10:59:15 UTC
Bug Depends On: 1381483    
Bug Blocks: 1381482    

Description Adam Mariš 2016-10-04 08:58:22 UTC
The "attribute uniqueness" plugin did not properly NULL-terminate an array when building up its configuration, if a so-called 'old-style' configuration was being used (using nsslapd-pluginarg<X> parameters).

An attacker, authenticated, but possibly also unauthenticated, could possibly force the plugin to read beyond allocated memory and trigger a segfault.

The crash could also possibly be triggered accidentally.

Upstream patch: https://fedorahosted.org/389/changeset/ffda694dd622b31277da07be76d3469fad86150f/

Affected versions: from 1.3.4.0

Fixed version: 1.3.6

Upstream bug report: https://fedorahosted.org/389/ticket/48986
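
The bug class described above, shown as an added illustration that is not 389-ds-base code and not the upstream patch: a builder that reserves and zeroes the terminator slot, plus a bounded walk that reports a missing terminator instead of reading past the allocation. The function names and sample argument values are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free a list from build_attr_list(); relies on the NULL terminator. */
void free_attr_list(char **attrs)
{
    for (size_t i = 0; attrs != NULL && attrs[i] != NULL; i++) free(attrs[i]);
    free(attrs);
}

/* Hypothetical helper (not 389-ds-base code): copy argc argument strings
 * into a heap array that consumers walk until they reach NULL. */
char **build_attr_list(const char *const *argv, size_t argc)
{
    /* argc + 1 zeroed slots, so the last slot is always the terminator.
     * Allocating argc slots, or never storing the NULL, is the flaw. */
    char **attrs = calloc(argc + 1, sizeof *attrs);
    if (attrs == NULL) return NULL;
    for (size_t i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]) + 1;
        if ((attrs[i] = malloc(len)) == NULL) { free_attr_list(attrs); return NULL; }
        memcpy(attrs[i], argv[i], len);
    }
    return attrs;
}

/* Defensive walk: reads at most `slots` entries. Returns the entry count
 * before the terminator, or -1 if no terminator lies inside the bound. */
long count_attrs_bounded(char *const *attrs, size_t slots)
{
    for (size_t i = 0; i < slots; i++)
        if (attrs[i] == NULL) return (long)i;
    return -1;
}

/* Constructed sample values standing in for nsslapd-pluginarg<X> settings. */
static const char *const SAMPLE_ARGS[] = { "uid", "mail" };

int main(void)
{
    char **ok = build_attr_list(SAMPLE_ARGS, 2);
    char *full[2] = { "uid", "mail" };   /* constructed: no room for a NULL */
    if (ok == NULL) return 1;
    printf("terminated: %ld\n", count_attrs_bounded(ok, 3));     /* 2 */
    printf("unterminated: %ld\n", count_attrs_bounded(full, 2)); /* -1 */
    free_attr_list(ok);
    return 0;
}
```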

Comment 1 Adam Mariš 2016-10-04 09:01:26 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1381483]

Comment 2 Noriko Hosoi 2016-11-14 22:07:51 UTC
Fixed in 389-ds-base-1.3.6 and newer.

Note: 389-ds-base-1.3.6 is available for F26 (current rawhide).

Comment 9 Cedric Buissart 2017-01-19 10:56:20 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security
impact. A future update may address this flaw.