Bug 1019490 (CVE-2013-4449) - CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
Summary: CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4449
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1003038 1058250 1060851 1061405 1064145 1064146
Blocks: 1019493
TreeView+ depends on / blocked
 
Reported: 2013-10-15 20:47 UTC by Vincent Danen
Modified: 2019-09-29 13:09 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-26 22:44:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0126 normal SHIPPED_LIVE Moderate: openldap security and bug fix update 2014-02-03 23:49:48 UTC
Red Hat Product Errata RHSA-2014:0206 normal SHIPPED_LIVE Moderate: openldap security update 2014-02-24 22:57:13 UTC

Description Vincent Danen 2013-10-15 20:47:36 UTC
It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and immediately unbind from the server.  This seems to be due to the rwm overlay not doing reference counting properly, so rwm_conn_destroy frees the session context while rwm_op_search is using it.  This condition also seems to require multiple cores/CPUs to trigger.

This was also reported upstream [1] and is currently unfixed.

[1] http://www.openldap.org/its/index.cgi/Incoming?id=7723

Comment 1 Vincent Danen 2013-10-16 21:36:17 UTC
Acknowledgements:

Red Hat would like to thank Michael Vishchers from Seven Principles AG for reporting this issue.

Comment 2 Howard Chu 2013-10-23 21:01:16 UTC
(In reply to Vincent Danen from comment #0)
> It was discovered that OpenLDAP, with the rwm overlay to slapd, could
> segfault if a user were able to query the directory and immediately unbind
> from the server.  This seems to be due to the rwm overlay not doing
> reference counting properly, so rwm_conn_destroy frees the session context
> while rwm_op_search is using it.  This condition also seems to require
> multiple cores/CPUs to trigger.
> 
> This was also reported upstream [1] and is currently unfixed.
> 
> [1] http://www.openldap.org/its/index.cgi/Incoming?id=7723

Nor is any fix coming from us any time soon. The rwm overlay is a pretty low priority module. Patches welcome.

Comment 5 Vincent Danen 2014-02-03 18:33:31 UTC
Created openldap tracking bugs for this issue:

Affects: fedora-all [bug 1060851]

Comment 6 errata-xmlrpc 2014-02-03 18:51:44 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0126 https://rhn.redhat.com/errata/RHSA-2014-0126.html

Comment 8 Fedora Update System 2014-02-11 23:13:01 UTC
openldap-2.4.39-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2014-02-24 17:57:54 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0206 https://rhn.redhat.com/errata/RHSA-2014-0206.html


Note You need to log in before you can comment on or make changes to this bug.