Bug 1019490 - (CVE-2013-4449) CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131011,repor...
Keywords: Security
Depends On: 1003038 1058250 1060851 1061405 1064145 1064146
Blocks: 1019493
Reported: 2013-10-15 16:47 EDT by Vincent Danen
Modified: 2015-10-15 14:03 EDT
Doc Type: Bug Fix
Last Closed: 2014-02-26 17:44:40 EST
Description Vincent Danen 2013-10-15 16:47:36 EDT
It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and immediately unbind from the server.  This seems to be due to the rwm overlay not doing reference counting properly, so rwm_conn_destroy frees the session context while rwm_op_search is using it.  This condition also seems to require multiple cores/CPUs to trigger.

This was also reported upstream [1] and is currently unfixed.

[1] http://www.openldap.org/its/index.cgi/Incoming?id=7723
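To illustrate the lifetime rule that the description says the rwm overlay gets wrong (the per-connection context freed by conn_destroy while a search op still uses it), here is an added example in C. It is not OpenLDAP code and every name in it (conn_ctx, ctx_ref, conn_destroy, replay_unbind_during_search) is hypothetical; it replays the unbind-during-search interleaving deterministically in one thread to show how reference counting keeps the context alive until its last user releases it.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-connection private data, loosely modelled on what the
 * report calls the rwm "session context". Not OpenLDAP's own structure. */
struct conn_ctx {
    int refcnt;            /* one ref for the connection, one per in-flight op */
    char *rewritten_base;  /* data an in-flight search keeps reading */
};

static int ctx_frees;      /* counts real frees so the replay can be checked */

struct conn_ctx *ctx_new(const char *base) {
    struct conn_ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->refcnt = 1;                          /* the connection's own reference */
    size_t n = strlen(base) + 1;
    c->rewritten_base = malloc(n);
    if (!c->rewritten_base) { free(c); return NULL; }
    memcpy(c->rewritten_base, base, n);
    return c;
}

/* Each user takes its own reference. In a multi-threaded slapd the counter
 * must be updated under the connection mutex or atomically; this single-
 * threaded replay omits the locking to keep the lifetime logic visible. */
struct conn_ctx *ctx_ref(struct conn_ctx *c) { c->refcnt++; return c; }

void ctx_unref(struct conn_ctx *c) {
    if (--c->refcnt == 0) {                 /* last holder frees */
        free(c->rewritten_base);
        free(c);
        ctx_frees++;
    }
}

/* The unbind path drops only the connection's reference; it must never
 * free the context outright while a search still holds it. */
void conn_destroy(struct conn_ctx *c) { ctx_unref(c); }

/* Deterministic replay of the race in the report: the search takes a ref,
 * the unbind arrives mid-operation, then the search finishes. Returns 1 if
 * the context stayed valid and was freed exactly once, at the end. */
int replay_unbind_during_search(void) {
    ctx_frees = 0;
    struct conn_ctx *conn = ctx_new("ou=people,dc=example,dc=com"); /* constructed */
    if (!conn) return 0;
    struct conn_ctx *op = ctx_ref(conn);    /* op_search starts */
    conn_destroy(conn);                     /* client unbinds immediately */
    int still_valid = op->rewritten_base[0] == 'o' && ctx_frees == 0;
    ctx_unref(op);                          /* op_search finishes */
    return still_valid && ctx_frees == 1;
}
```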
Comment 1 Vincent Danen 2013-10-16 17:36:17 EDT
Acknowledgements:

Red Hat would like to thank Michael Vishchers from Seven Principles AG for reporting this issue.
Comment 2 Howard Chu 2013-10-23 17:01:16 EDT
(In reply to Vincent Danen from comment #0)
> It was discovered that OpenLDAP, with the rwm overlay to slapd, could
> segfault if a user were able to query the directory and immediately unbind
> from the server.  This seems to be due to the rwm overlay not doing
> reference counting properly, so rwm_conn_destroy frees the session context
> while rwm_op_search is using it.  This condition also seems to require
> multiple cores/CPUs to trigger.
> 
> This was also reported upstream [1] and is currently unfixed.
> 
> [1] http://www.openldap.org/its/index.cgi/Incoming?id=7723

Nor is any fix coming from us any time soon. The rwm overlay is a pretty low priority module. Patches welcome.
Comment 5 Vincent Danen 2014-02-03 13:33:31 EST
Created openldap tracking bugs for this issue:

Affects: fedora-all [bug 1060851]
Comment 6 errata-xmlrpc 2014-02-03 13:51:44 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0126 https://rhn.redhat.com/errata/RHSA-2014-0126.html
Comment 8 Fedora Update System 2014-02-11 18:13:01 EST
openldap-2.4.39-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2014-02-24 12:57:54 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0206 https://rhn.redhat.com/errata/RHSA-2014-0206.html