Bug 458506 - SASL bind can leak credentials in some cases
Summary: SASL bind can leak credentials in some cases
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: 389
Classification: Retired
Component: Security - SASL
Version: 1.1.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard: comment#1.review+nhosoi
Depends On:
Blocks: 249650 FDS112 453229 CVE-2008-3283
Reported: 2008-08-08 23:44 UTC by Rich Megginson
Modified: 2015-01-04 23:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-27 20:39:06 UTC
Embargoed:


Attachments
diffs (1.82 KB, patch) - 2008-08-08 23:46 UTC, Rich Megginson
cvs commit log - DS8.0 (169 bytes, text/plain) - 2008-08-12 22:19 UTC, Rich Megginson
cvs commit log - HEAD (163 bytes, text/plain) - 2008-08-27 21:07 UTC, Rich Megginson


Links
Red Hat Product Errata RHSA-2008:0602 (private: 0, priority: normal, status: SHIPPED_LIVE): Moderate: redhat-ds-base and redhat-ds-admin security and bug fix update; last updated 2008-08-27 20:38:30 UTC

Description Rich Megginson 2008-08-08 23:44:13 UTC
There is this call in saslbind.c line 767:
    /* can't do any harm */
    if (cred->bv_len == 0) cred->bv_val = NULL;
Apparently in some cases cred->bv_len is 0 but cred->bv_val is not NULL.  This causes a leak of cred->bv_val.

Comment 1 Rich Megginson 2008-08-08 23:46:19 UTC
Created attachment 313856 [details]
diffs

The fix is to make sure cred->bv_val is freed if bv_len is 0.  This should catch all cases where this erroneous assumption is made.
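The condition described in the report and the fix described in this comment, as an added C example that is not the 389 Directory Server code or the attached patch: struct berval, the tracked_* bookkeeping, make_empty_cred and leaked_after are constructed stand-ins so the leak can be counted without valgrind; only the quoted `if` line is from the report, and the fixed form follows the description above.

```c
#include <stdlib.h>
/* Constructed stand-in for the LDAP berval that saslbind.c handles. */
struct berval { unsigned long bv_len; char *bv_val; };
/* Allocation bookkeeping so the leak is observable without valgrind. */
static int live_allocs = 0;
static char *tracked_alloc_empty(void) {
    char *p = malloc(1);               /* one byte holding only '\0' */
    if (p) { p[0] = '\0'; live_allocs++; }
    return p;
}
static void tracked_free(char *p) {
    if (p) { live_allocs--; free(p); }
}

/* The inconsistent credential the report describes: bv_len == 0 while
   bv_val still points at an allocated buffer. */
static void make_empty_cred(struct berval *cred) {
    cred->bv_val = tracked_alloc_empty();
    cred->bv_len = 0;
}

/* Before the fix (the line quoted in the report): nulling the pointer
   orphans the buffer, the do_bind() leak comment 6 refers to. */
static void normalize_cred_buggy(struct berval *cred) {
    /* can't do any harm */
    if (cred->bv_len == 0) cred->bv_val = NULL;
}

/* After the fix, as comment 1 describes it: free bv_val when bv_len is 0. */
static void normalize_cred_fixed(struct berval *cred) {
    if (cred->bv_len == 0) {
        tracked_free(cred->bv_val);
        cred->bv_val = NULL;
    }
}

/* Runs one empty-credential bind through the given normalizer, does the
   cleanup do_bind() would do afterwards, and returns the number of buffers
   still outstanding (0 means no leak). */
static int leaked_after(void (*normalize)(struct berval *)) {
    struct berval cred;
    int before = live_allocs, leaked;
    make_empty_cred(&cred);
    char *orig = cred.bv_val;          /* kept only so the demo can tidy up */
    normalize(&cred);
    tracked_free(cred.bv_val);         /* frees nothing once the pointer is NULL */
    leaked = live_allocs - before;
    if (leaked) { free(orig); live_allocs = before; }
    return leaked;
}
```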

Comment 2 Rich Megginson 2008-08-11 16:35:22 UTC
I'm not exactly sure how to trigger this issue.  Maybe pass a 0 length password e.g. just the \0 character?  That would seem to be the only way to make bv_len 0 but have bv_val allocated, but if bv_len is 0 then bv_val should always be NULL.

The bug could be triggered by anonymous.
The way to mitigate this issue is to disable sasl bind.

Comment 3 Rich Megginson 2008-08-12 22:19:31 UTC
Created attachment 314144 [details]
cvs commit log - DS8.0

Reviewed by: nkinder, nhosoi (Thanks!)
Branch: Directory_Server_8_0
Fix Description: There is this call in saslbind.c line 767:
   /* can't do any harm */
   if (cred->bv_len == 0) cred->bv_val = NULL;
Apparently in some cases cred->bv_len is 0 but cred->bv_val is not NULL.  This causes a leak of cred->bv_val.
The fix is to make sure cred->bv_val is freed if bv_len is 0.  This should catch all cases where this erroneous assumption is made.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none

Comment 5 Jenny Severance 2008-08-19 20:24:55 UTC
How can QE verify this?  What to look for in the valgrind output?

Comment 6 Rich Megginson 2008-08-19 20:34:36 UTC
(In reply to comment #5)
> How can QE verify this?  What to look for in the valgrind output?

Look for a memory leak in do_bind().

Comment 7 Jenny Severance 2008-08-21 17:45:45 UTC
verified 8.0 RHEL4-32, RHEL4-64, RHEL5-32, RHEL5-64

Comment 10 errata-xmlrpc 2008-08-27 20:39:06 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0602.html

Comment 11 Rich Megginson 2008-08-27 21:07:23 UTC
Created attachment 315144 [details]
cvs commit log - HEAD
