Bug 603942

Summary: CVE-2010-2222 redhat-ds: null deref in _ger_parse_control() for subjectdn can crash server
Product: [Retired] 389
Reporter: Rich Megginson <rmeggins>
Component: Security - Access Control (GER)
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: high
Priority: high
Version: 1.2.6
CC: edewata, ldv, nhosoi, nkinder, security-response-team, vdanen
Hardware: All
OS: Linux
URL: http://dhcp47-145.lab.bos.redhat.com:8080/sourcebrowser.htm?projectId=10030#mergedDefectId=11862&streamDefectId=12048&defectInstanceId=13911&fileInstanceId=49273
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:45:48 UTC
Bug Blocks: 434914, 543590, 604783    
Attachments:
Description Flags
0001-Bug-603942-null-deref-in-_ger_parse_control-for.patch nkinder: review+

Description Rich Megginson 2010-06-14 23:19:24 UTC
The code that parses the GER request can dereference a NULL pointer.

Comment 1 Rich Megginson 2010-06-15 02:26:07 UTC
Created attachment 424011
0001-Bug-603942-null-deref-in-_ger_parse_control-for.patch

Comment 9 Vincent Danen 2010-06-16 15:41:01 UTC
This has been assigned CVE-2010-2222.

Comment 10 Vincent Danen 2010-06-16 17:42:32 UTC
Adding Dmitry as ALT Linux does ship 389.

Comment 20 Tomas Hoger 2010-07-01 14:26:53 UTC
Further investigation showed this bug was only introduced very recently in the following commit from Apr 2010:

http://git.fedorahosted.org/git/?p=389/ds.git;a=commitdiff;h=78c50664d6#patch10

Therefore, this issue does not affect any released version of Red Hat Directory Server and only affects versions of 389 Directory Server in Fedora updates-testing.  Due to that, we'd like to make it public asap and do fixed 389 builds for Fedora.

Dmitry, does that work fine for you too, or do you need some more time to work on ALT updates?

Comment 21 Dmitry V. Levin 2010-07-01 15:54:21 UTC
(In reply to comment #20)
> Dmitry, does that work fine for you too, or do you need some more time to work
> on ALT updates?    

It's OK for us, too.

Comment 22 Rich Megginson 2010-07-01 16:31:48 UTC
So, ok to open this bug and lift the embargo?  I would like to commit this upstream asap.

Comment 23 Tomas Hoger 2010-07-01 18:53:56 UTC
Making bug public.

Comment 24 Rich Megginson 2010-07-01 19:54:40 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   c28fcad..82625eb  Directory_Server_8_2_Branch -> Directory_Server_8_2_Branch
commit 82625ebf670c0f234e8bcbf18420e84b325e359e
Author: Rich Megginson <rmeggins>
Date:   Mon Jun 14 20:25:18 2010 -0600
    Reviewed by: nkinder (Thanks!)
    Branch: Directory_Server_8_2_Branch
    Fix Description: Needed to pass &orig to ber_scanf 'a' instead of orig.  Als
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
   1a47871..8632731  master -> master
commit 8632731df33fc3a91eb3cfecfb9c63d56cff23e8
Author: Rich Megginson <rmeggins>
Date:   Mon Jun 14 20:25:18 2010 -0600
    Branch: HEAD
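
The fix description in comment 24 turns on the ber_scanf 'a' convention: the decoder allocates the string and stores it through a char **, so the caller has to pass &orig and then check the result before using it. The block below is an added example, not code from 389 Directory Server or from the attached patch; decode_octet_string, subject_length and SAMPLE are hypothetical stand-ins that mirror that out-parameter convention, and the input bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: BER OCTET STRING (tag 0x04, length 7) holding "cn=test". */
static const unsigned char SAMPLE[] = { 0x04, 0x07, 'c','n','=','t','e','s','t' };

/* Hypothetical stand-in for an 'a'-style decode: reads one definite-length
 * OCTET STRING and stores a malloc'd, NUL-terminated copy in *out.
 * As with the real convention, the caller passes the ADDRESS of its char *. */
static int decode_octet_string(const unsigned char *buf, size_t len, char **out)
{
    size_t pos = 2, n, i, nlen;

    if (out == NULL) return -1;          /* refuse a NULL destination outright */
    *out = NULL;                         /* defined result on every error path */
    if (buf == NULL || len < 2 || buf[0] != 0x04) return -1;
    n = buf[1];
    if (n & 0x80) {                      /* long form: low 7 bits count the length bytes */
        nlen = n & 0x7f;
        if (nlen == 0 || nlen > sizeof(size_t) || nlen > len - 2) return -1;
        for (n = 0, i = 0; i < nlen; i++) n = (n << 8) | buf[pos++];
    }
    if (n > len - pos) return -1;        /* declared length exceeds the bytes received */
    if ((*out = malloc(n + 1)) == NULL) return -1;
    memcpy(*out, buf + pos, n);
    (*out)[n] = '\0';
    return 0;
}

/* Hypothetical caller: returns the subject length, or -1 if the value is unusable. */
static long subject_length(const unsigned char *ctl, size_t len)
{
    char *orig = NULL;
    long r;
    /* Pass &orig, not orig: handing over the NULL pointer itself gives the
     * decoder nowhere to store the result. Check the return code AND the pointer. */
    if (decode_octet_string(ctl, len, &orig) != 0 || orig == NULL) return -1;
    r = (long)strlen(orig);
    free(orig);
    return r;
}

int main(void)
{
    /* Full value, then the same bytes truncated to 5 (declared length no longer fits). */
    printf("%ld %ld\n", subject_length(SAMPLE, sizeof SAMPLE), subject_length(SAMPLE, 5));
    return 0;
}
```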

Comment 25 Tomas Hoger 2010-07-02 06:51:50 UTC
(In reply to comment #24)
> To ssh://git.fedorahosted.org/git/389/ds.git
>    c28fcad..82625eb  Directory_Server_8_2_Branch -> Directory_Server_8_2_Branch
> commit 82625ebf670c0f234e8bcbf18420e84b325e359e

http://git.fedorahosted.org/git/?p=389/ds.git;a=commitdiff;h=82625ebf67

Comment 26 Noriko Hosoi 2010-09-14 19:03:13 UTC
*** Bug 601946 has been marked as a duplicate of this bug. ***