Bug 1537314 (CVE-2018-1054)

Summary: CVE-2018-1054 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: carnil, dkholia, lkrispen, mreynolds, nkinder, rmeggins, security-response-team, tbordaz, vashirov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-base 1.3.6.14, 389-ds-base 1.3.7.10, 389-ds-base 1.4.0.6 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-14 05:11:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1540105, 1540106, 1543798, 1543799, 1551515, 1555168    
Bug Blocks: 1537315    
Attachments:
Description Flags
Patch for CVE-2018-1054 none

Description Laura Pardo 2018-01-22 22:28:49 UTC 
A flaw was found in 389 Directory Server, affecting all versions including upstream 1.4.x. An improper handling of the search feature with an extended filter, when read access on <attribute_name> is enabled, in SetUnicodeStringFromUTF_8 function in collate.c, can lead to out-of-bounds memory operations. This may allow a remote unauthenticated attacker to trigger a server crash, thus resulting in denial of service.

External References:

https://pagure.io/389-ds-base/issue/49545

Upstream Patch:

https://pagure.io/389-ds-base/c/14ce2fe0dfa67405dae
Comment 6 Dhiru Kholia 2018-03-05 10:21:54 UTC 
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1551515]
Comment 9 Dhiru Kholia 2018-03-06 03:47:57 UTC 
Created attachment 1404619 [details]
Patch for CVE-2018-1054

Patch for CVE-2018-1054 attached.
Comment 11 errata-xmlrpc 2018-03-06 21:43:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0414 https://access.redhat.com/errata/RHSA-2018:0414
Comment 12 Tomas Hoger 2018-03-13 08:29:12 UTC 
Fixed upstream in versions 1.3.6.14, 1.3.7.10, and 1.4.0.6:

http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-6-14.html
http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-7-10.html
http://directory.fedoraproject.org/docs/389ds/releases/release-1-4-0-6.html
Comment 13 errata-xmlrpc 2018-03-13 18:26:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0515 https://access.redhat.com/errata/RHSA-2018:0515