Bug 749324 (CVE-2011-4079)

Summary: CVE-2011-4079 openldap: one-byte buffer overflow in slapd
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jvcelak, rcvalle, rmeggins, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20111006,reported=20111026,source=oss-security,cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:N/A:P,fedora-all/openldap=affected,rhel-4/openldap=affected,rhel-5/openldap=affected,rhel-6/openldap=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-11-03 07:24:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 749328

Description Vincent Danen 2011-10-26 14:02:50 EDT
A bug in slapd's UTF8StringNormalize() function can cause a one-byte buffer overflow when it is passed a zero-length string.  The code then writes a '\0' past the one-byte long buffer allocated on the heap, which could possibly allow a remote authenticated user to crash slapd.  As per the upstream report [1], this bug has been present since 2003-04-07 [2] and so should affect all versions of openldap we currently ship.

A patch to correct the flaw has been committed [3] (depends on the previous patch [4]).

[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059
[2] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=67d6b23d
[3] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=507238713b71208ec4f262f312cb495a302df9e9
[4] http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=d0dd8616f1c68a868afeb8c2c5c09969e366e2c0
Comment 1 Ramon de C Valle 2011-10-28 11:21:16 EDT
Doug Lea's Malloc stores chunks whose size is smaller than 512 bytes in one of the small bins, which holds identically sized chunks. The size of a chunk is always a multiple of 8 bytes, and the first small bin holds 16-byte chunks. Since the minimum allocated size is 16 bytes, it seems no data that can result in an application crash can be overwritten as a result of this.
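An added example, not OpenLDAP's code: a small C model of the sizing mistake from the description (buffer sized from the input length, terminator written one past it for an empty input) together with a check of Comment 1's argument on the local malloc, namely whether a one-byte overrun of a one-byte allocation stays inside the chunk's usable slack. All helper names are hypothetical, and the rule that an empty input still produces one byte of normalized output is a modelling assumption.

```c
#include <malloc.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the sizing error (not OpenLDAP's code): the buffer is sized
 * input_len + 1 for the terminator, but for an empty input the normalizer
 * still emits one byte (modelling assumption), so the '\0' lands at index 1
 * of a one-byte buffer. */
static size_t model_alloc_size(size_t input_len)
{
    return input_len + 1;
}

static size_t model_bytes_written(size_t input_len)
{
    size_t out_len = input_len ? input_len : 1;   /* assumption of this model */
    return out_len + 1;                           /* plus the terminating '\0' */
}

/* Bytes written beyond the requested allocation; 0 means no overrun. */
size_t model_overrun(size_t input_len)
{
    size_t have = model_alloc_size(input_len);
    size_t need = model_bytes_written(input_len);
    return need > have ? need - have : 0;
}

/* Comment 1's argument, checked on this system's malloc: would writing
 * `overrun` bytes past a malloc(req) block stay within the chunk's usable
 * slack (malloc_usable_size), i.e. short of the next chunk's header?
 * Returns 1 if contained, 0 if it would reach adjacent memory, -1 if the
 * allocation fails. Nothing is actually written out of bounds here. */
int overrun_stays_in_slack(size_t req, size_t overrun)
{
    char *p = malloc(req);
    if (p == NULL)
        return -1;
    size_t usable = malloc_usable_size(p);
    free(p);
    return (req + overrun <= usable) ? 1 : 0;
}

int main(void)
{
    size_t over = model_overrun(0);
    printf("empty input overruns by %zu byte(s); contained in slack: %d\n",
           over, overrun_stays_in_slack(1, over));
    return 0;
}
```

The usable size reported for a one-byte request depends on the allocator (the 16-byte chunk figure in Comment 1 is for 32-bit dlmalloc; 64-bit glibc reports more), but on every common malloc it exceeds two bytes, which is the whole point of the NOTABUG reasoning.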
Comment 2 Jan Vcelak 2011-11-01 11:11:09 EDT
Resolved in Fedora Rawhide (openldap-2.4.26-6.fc17).
Comment 3 Ramon de C Valle 2011-11-15 11:30:35 EST
The Red Hat Security Response Team does not consider this to be a security issue. For additional information, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=749324#c1.
Comment 4 Ramon de C Valle 2011-11-22 10:49:13 EST
For additional information, OpenLDAP has a Slab Allocator implementation atop glibc malloc with the size of its allocated objects rounded up to double-word boundaries, which is also its minimum size. Thus, this cannot even be called an off-by-one when not falling back to glibc malloc.