RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1104069 - perl-LDAP sets wrong length for function _sendmesg
Summary: perl-LDAP sets wrong length for function _sendmesg
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: perl-LDAP
Version: 6.5
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Petr Pisar
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-06-03 08:38 UTC by Jaroslav Aster
Modified: 2015-12-15 16:37 UTC (History)
5 users (show)

Fixed In Version: perl-LDAP-0.40-2.el6
Doc Type: Bug Fix
Doc Text:
Previously, when using a Perl LDAP client with the Simple Authentication and Security Layer (SASL) mechanism, the LDAP server could receive corrupted LDAP queries. The Net::LDAP Perl module has been fixed to pass the actual query length to the syswrite() function instead of fixed 1,500 bytes. This can be redefined by other protocol layers like SASL authentication implementation. As a result, the Net::LDAP client no longer corrupts sent LDAP queries.
Clone Of:
: 1104243 (view as bug list)
Environment:
Last Closed: 2015-12-15 16:37:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
LDAP-Fix_size_of_packet.patch (528 bytes, patch)
2014-06-03 08:38 UTC, Jaroslav Aster 		no flags Details | Diff
Upstream fix (1.27 KB, patch)
2014-08-06 08:56 UTC, Petr Pisar 		no flags Details | Diff
Show Obsolete (1) View All


Links
System ID Private Priority Status Summary Last Updated
CPAN 96203 0 None None None Never
Red Hat Product Errata RHBA-2015:2646 0 normal SHIPPED_LIVE perl-LDAP bug fix update 2015-12-15 21:36:16 UTC

Description Jaroslav Aster 2014-06-03 08:38:09 UTC 
Created attachment 901670 [details]
LDAP-Fix_size_of_packet.patch

Description of problem:

perl-LDAP sets wrong length for function _sendmesg and this may cause error in function WRITE in perl-Authen-SASL when length of message is shorter than length. This bug is related with bug described in this bug report https://bugzilla.redhat.com/show_bug.cgi?id=965739.

Version-Release number of selected component (if applicable):

perl-LDAP-0.40-1.el6


How reproducible:


Steps to Reproduce:

Steps how to reproduce this bug are described in bug report for bug 965739. It is needed to use specific version of some packages.

389-ds-base-1.2.11.15-X.el6 where X is less than 22 or use Z-stream version of this package for rhel6.4. I use 389-ds-base-1.2.11.15-22.el6_4.

perl-Authen-SASL-2.13-2.el6

Actual results:

Program bad_sasl.pl from bug report for bug 965739 fails.

Expected results:

No fails.

Additional info:

Patch is added as an attachment.
Comment 1 Petr Pisar 2014-06-03 09:10:10 UTC 
The patch does:

   my $to_send = \( $mesg->pdu );
   my $offset = 0;
   while($offset < length($$to_send)) {
     my $s = substr($$to_send, $offset, 15000);
-    my $n = syswrite($socket, $s, length($s))
+    my $n = syswrite($socket, $s, 15000)
       or return _error($ldap, $mesg, LDAP_LOCAL_ERROR,"$!");
     $offset += $n;
   }
Comment 2 Jitka Plesnikova 2014-06-03 11:20:17 UTC 
(In reply to Petr Pisar from comment #1)
> The patch does:
> 
>    my $to_send = \( $mesg->pdu );
>    my $offset = 0;
>    while($offset < length($$to_send)) {
>      my $s = substr($$to_send, $offset, 15000);
> -    my $n = syswrite($socket, $s, length($s))
> +    my $n = syswrite($socket, $s, 15000)
>        or return _error($ldap, $mesg, LDAP_LOCAL_ERROR,"$!");
>      $offset += $n;
>    }


It is not true in case that whole string or the last substring is shorter than 15000. In that case, length($s) returns properly value and it prevents failure of WRITE in perl-Authen-SASL.
Comment 3 Jaroslav Aster 2014-06-03 13:32:53 UTC 
Comment on attachment 901670 [details]
LDAP-Fix_size_of_packet.patch

Patch is wrong.
Comment 4 Jaroslav Aster 2014-06-03 14:33:16 UTC 
Jitka has right. If the string for function syswrite is shorter then len (15000), it leads to ERROR in WRITE function in perl-Authen-SASL. I have test for it and I can reproduce it on rhel6.

Previous patch was wrong. Right patch is here:

--- /usr/share/perl5/Net/LDAP.pm.orig   2014-06-03 08:52:01.194328356 -0400
+++ /usr/share/perl5/Net/LDAP.pm        2014-06-03 08:53:04.561148330 -0400
@@ -801,7 +801,8 @@ sub _sendmesg {
   my $to_send = \( $mesg->pdu );
   my $offset = 0;
   while($offset < length($$to_send)) {
-    my $n = syswrite($socket, substr($$to_send, $offset, 15000), 15000)
+    my $s = substr($$to_send, $offset, 15000);
+    my $n = syswrite($socket, $s, length($s))
       or return _error($ldap, $mesg, LDAP_LOCAL_ERROR,"$!");
     $offset += $n;
   }
Comment 5 Petr Pisar 2014-08-06 08:56:28 UTC 
Created attachment 924408 [details]
Upstream fix
Comment 13 errata-xmlrpc 2015-12-15 16:37:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2646.html
Note You need to log in before you can comment on or make changes to this bug.