Bug 493989 - Admin Server: valgrind invalid read in security.c when installing CRL
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Admin
Version: 1.2.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2009-04-03 15:48 UTC by Rich Megginson
Modified: 2015-01-04 23:37 UTC

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:11:55 UTC
Embargoed:


Attachments
patch (856 bytes, patch)
2009-04-03 15:48 UTC, Rich Megginson
cvs commit log (175 bytes, text/plain)
2009-04-03 16:07 UTC, Rich Megginson
valgrind output (2.14 MB, text/plain)
2009-04-06 13:31 UTC, Jenny Severance
security shell script (918 bytes, text/plain)
2009-04-06 17:31 UTC, Rich Megginson
When loading the CRL with the security shell script attached in place, loading the CRL almost halts the system and the console eventually times out with an http error. It did produce a number of log (80.00 KB, application/x-tar)
2009-04-06 18:28 UTC, Jenny Severance

Description Rich Megginson 2009-04-03 15:48:46 UTC
Created attachment 338069 [details]
patch

valgrind reports an invalid read in security.c when parsing the CRL file.

Comment 1 Rich Megginson 2009-04-03 16:07:21 UTC
Created attachment 338073 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: security.c uses strstr to search for the begin and end crl header and footer.  This assumes the buffer is null terminated, but it is not.  The fix is to null terminate the buffer.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
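
The fix described in Comment 1, shown as an added C example that is not part of this bug report or of the admin server source: a buffer read from a file is copied with one extra byte and NUL-terminated before strstr searches it for the CRL header and footer. The function name crl_pem_body, the RFC 7468 marker strings, and the rejection of embedded NUL bytes are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed PEM markers (RFC 7468); the bug does not quote security.c's own. */
#define CRL_BEGIN "-----BEGIN X509 CRL-----"
#define CRL_END   "-----END X509 CRL-----"

/* Return a malloc'd, NUL-terminated copy of the text between the markers, or
 * NULL. `data` is `len` raw file bytes with no terminator, so calling
 * strstr(data, CRL_BEGIN) on it directly would read past the buffer's end. */
char *crl_pem_body(const char *data, size_t len)
{
    char *text, *begin, *end;

    /* strstr stops at the first NUL, so an embedded one would hide the rest
     * of the input from the search. Reject it (a choice of this example). */
    if (data == NULL || len == 0 || len == (size_t)-1 ||
        memchr(data, '\0', len) != NULL)
        return NULL;
    text = malloc(len + 1);
    if (text == NULL)
        return NULL;
    memcpy(text, data, len);
    text[len] = '\0';   /* the fix: terminate the copy before strstr */

    begin = strstr(text, CRL_BEGIN);
    end = begin ? strstr(begin + strlen(CRL_BEGIN), CRL_END) : NULL;
    if (end == NULL) {
        free(text);
        return NULL;
    }
    begin += strlen(CRL_BEGIN);
    *end = '\0';
    memmove(text, begin, (size_t)(end - begin) + 1);   /* keep only the body */
    return text;
}

int main(void)
{
    /* Constructed sample in an exactly sized buffer: no terminating NUL. */
    const char pem[] = CRL_BEGIN "\nQUJD\n" CRL_END "\n";
    char raw[sizeof(pem) - 1], *body;
    memcpy(raw, pem, sizeof(raw));
    body = crl_pem_body(raw, sizeof(raw));
    printf("body: %s\n", body ? body : "(none)");
    free(body);
    return 0;
}
```

Running the unpatched pattern (strstr directly on the exactly sized buffer) under valgrind or AddressSanitizer is what surfaces the invalid read; with the terminated copy the search stays inside the allocation.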

Comment 2 Fedora Update System 2009-04-03 20:42:38 UTC
fedora-ds-admin-1.1.7-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/fedora-ds-admin-1.1.7-2.fc9

Comment 3 Fedora Update System 2009-04-03 20:51:52 UTC
fedora-ds-admin-1.1.7-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/fedora-ds-admin-1.1.7-2.fc10

Comment 4 Jenny Severance 2009-04-06 13:30:36 UTC
attaching valgrind output from RHEL 5 DS 8.1 - importing CRL

Do not find any security.c messages in output.  Please review attached report for validation.  Thanks.

Comment 5 Jenny Severance 2009-04-06 13:31:33 UTC
Created attachment 338329 [details]
valgrind output

Comment 6 Rich Megginson 2009-04-06 14:08:15 UTC
It's actually not a problem with slapd, it's a problem with the security CGI program in /usr/lib[64]/dirsrv/cgi-bin/security

Comment 7 Jenny Severance 2009-04-06 14:28:10 UTC
okay.  Can you please add steps to verify? Thanks

Comment 8 Rich Megginson 2009-04-06 17:31:03 UTC
Created attachment 338366 [details]
security shell script

cd /usr/lib/dirsrv/cgi-bin or /usr/lib64/dirsrv/cgi-bin
mv security security.orig

Then copy the attached shell script to security
chmod +x security

add the crl in the console

The valgrind and other files will be in /tmp/security

Comment 9 Jenny Severance 2009-04-06 18:28:02 UTC
Created attachment 338376 [details]
When loading the CRL with the security shell script attached in place, loading the CRL almost halts the system and the console eventually times out with an http error.  It did produce a number of log

Comment 10 Jenny Severance 2009-04-06 18:28:41 UTC
Please let me know if this is enough or I need to try something else.  Thanks

Comment 11 Rich Megginson 2009-04-06 19:40:42 UTC
I checked all of the valgrind files - all of them report No Errors.

Verified.

Comment 12 Jenny Severance 2009-04-06 19:44:53 UTC
Thank you Rich!  verified RHEL 4 DS 8.1

Comment 13 Fedora Update System 2009-04-06 20:28:00 UTC
fedora-ds-admin-1.1.7-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2009-04-06 20:30:58 UTC
fedora-ds-admin-1.1.7-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Chandrasekar Kannan 2009-04-29 23:11:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

