| Summary: | openldap new security issue CVE-2023-2953 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, bgmilne, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | openldap-2.4.57-1.2.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser
2023-07-05 22:59:04 CEST

David Walser
2023-07-05 22:59:18 CEST

Status comment: (none) => Fixed upstream in 2.6.4

Assigning to Buchan, principal packager for this thing.

Assignee: bugsquad => bgmilne

> The issue is fixed upstream in 2.6.4.

And in 2.5.14, which is present in Cauldron.

> Mageia 8 is also affected.

I will address only that issue here, shortly.

Status comment: Fixed upstream in 2.6.4 => Fixed upstream in 2.6.4 and 2.5.14
David Walser
2023-07-15 21:48:22 CEST

Version: Cauldron => 8

openldap-2.4.57-1.3.mga8 is currently building in the build system, the resulting packages (for x86_64) are:

lib64ldap2.4_2-2.4.57-1.3.mga8.x86_64.rpm
lib64ldap2.4_2-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
lib64ldap2.4_2-devel-2.4.57-1.3.mga8.x86_64.rpm
lib64ldap2.4_2-static-devel-2.4.57-1.3.mga8.x86_64.rpm
openldap-2.4.57-1.3.mga8.x86_64.rpm
openldap-back_bdb-2.4.57-1.3.mga8.x86_64.rpm
openldap-back_bdb-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
openldap-back_mdb-2.4.57-1.3.mga8.x86_64.rpm
openldap-back_mdb-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
openldap-back_sql-2.4.57-1.3.mga8.x86_64.rpm
openldap-back_sql-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
openldap-clients-2.4.57-1.3.mga8.x86_64.rpm
openldap-clients-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
openldap-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
openldap-debugsource-2.4.57-1.3.mga8.x86_64.rpm
openldap-doc-2.4.57-1.3.mga8.x86_64.rpm
openldap-servers-2.4.57-1.3.mga8.x86_64.rpm
openldap-servers-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
openldap-servers-devel-2.4.57-1.3.mga8.x86_64.rpm
openldap-testprogs-2.4.57-1.3.mga8.x86_64.rpm
openldap-testprogs-debuginfo-2.4.57-1.3.mga8.x86_64.rpm
openldap-tests-2.4.57-1.3.mga8.x86_64.rpm

Apologies for the delay in this update.

Status: NEW => ASSIGNED
David Walser
2023-08-13 19:29:35 CEST

Status comment: Fixed upstream in 2.6.4 and 2.5.14 => (none)

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 28300 for testing:

```
# systemctl -l status slapd
● slapd.service - OpenLDAP Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
# systemctl start slapd
# systemctl -l status slapd
● slapd.service - OpenLDAP Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-08-27 11:00:33 CEST; 2s ago
    Process: 36819 ExecStartPre=/usr/share/openldap/scripts/ldap-config check (code=exited, status=0/SUCCESS)
    Process: 37089 ExecStart=/usr/sbin/slapd -u ${LDAP_USER} -g ${LDAP_GROUP} -h ${SLAPDURLLIST} -l ${SLAPDSYSLOGLOCA>
   Main PID: 37108 (slapd)
      Tasks: 3 (limit: 4364)
     Memory: 3.4M
        CPU: 282ms
     CGroup: /system.slice/slapd.service
             └─37108 /usr/sbin/slapd -u ldap -g ldap -h ldap:/// ldapi:/// -l local4 -s 0

Aug 27 11:00:31 mach7.hviaene.thuis systemd[1]: Starting OpenLDAP Server Daemon...
Aug 27 11:00:31 mach7.hviaene.thuis su[36835]: (to ldap) root on none
Aug 27 11:00:32 mach7.hviaene.thuis ldap-config[36819]: Checking config file /etc/openldap/slapd.conf: [ OK ]
Aug 27 11:00:33 mach7.hviaene.thuis systemd[1]: Started OpenLDAP Server Daemon.
```

Continuing ......

CC: (none) => herman.viaene

As normal user:

```
$ ldapsearch -x -b '' -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
$ make -C /usr/share/openldap/tests test
make: Entering directory '/usr/share/openldap/tests'
make[1]: Entering directory '/usr/share/openldap/tests'
Initiating LDAP tests for BDB...
Cleaning up test run directory leftover from previous run.
Running ./scripts/all for bdb...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse for bdb...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Using ldapsearch to retrieve the cn=Subschema...
Using ldapsearch to retrieve the cn=Monitor...
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: o=OpenLDAP Project,l=Internet
monitorContext: cn=Monitor
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.1.22
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
vendorName: The OpenLDAP Project <http://www.openldap.org/>
entryDN:
subschemaSubentry: cn=Subschema

dn: cn=Subschema
objectClass: top
objectClass: subentry
objectClass: subschema
objectClass: extensibleObject
cn: Subschema

dn: cn=Monitor
objectClass: monitorServer
cn: Monitor
description: This subtree contains monitoring/managing objects.
description: This object contains information about this server.
description: Most of the information is held in operational attributes, which must be explicitly requested.
monitoredInfo: OpenLDAP: slapd 2.4.57 (Aug 13 2023 17:10:21)
```

and a load more ......

At the end:

```
Test succeeded
>>>>> test065-proxyauthz completed OK for mdb.
0 tests for mdb were skipped.
make[1]: Leaving directory '/usr/share/openldap/tests'
make: Leaving directory '/usr/share/openldap/tests'
```

Good enough as in previous update.

Whiteboard: (none) => MGA8-64-OK

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

Advisory committed to svn as
```
$ cat 32073.adv
type: security
subject: Updated openldap packages fix security vulnerability
CVE:
  - CVE-2023-2953
src:
  8:
    core:
      - openldap-2.4.57-1.3.mga8
description: |
  Null pointer dereference in ber_memalloc_x() function (CVE-2023-2953)
references:
  - https://bugs.mageia.org/show_bug.cgi?id=32073
  - https://ubuntu.com/security/notices/USN-6197-1
```

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0252.html

Status: ASSIGNED => RESOLVED
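The advisory pasted into the bug above (32073.adv) is the artifact that ties the CVE, the fixed package and the bug together, so it is worth checking mechanically before it is committed. The following Python is an added example, not code from the bug or from Mageia's own tooling: it parses the .adv text with a small hand-written parser for the YAML subset the file uses (no PyYAML dependency) and cross-checks it against the bug's own header fields, namely the bug id and the affected Source RPM. The advisory text embedded below is a constructed copy of the one on the page with its indentation restored; the version comparison is a plain dotted-numeric compare rather than rpmvercmp, an assumption that is fine for the release bumps shown here.

```python
import re

# Constructed copy of the advisory pasted into the bug (values as on the page;
# the indentation is the .adv layout the bug tracker flattened).
ADVISORY = """\
type: security
subject: Updated openldap packages fix security vulnerability
CVE:
  - CVE-2023-2953
src:
  8:
    core:
      - openldap-2.4.57-1.3.mga8
description: |
  Null pointer dereference in ber_memalloc_x() function (CVE-2023-2953)
references:
  - https://bugs.mageia.org/show_bug.cgi?id=32073
  - https://ubuntu.com/security/notices/USN-6197-1
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# name-version-release.mgaN, e.g. openldap-2.4.57-1.3.mga8 (release may be dotted)
NEVR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.mga(?P<mga>\d+)$")
REQUIRED = ("type", "subject", "CVE", "src", "description", "references")


def _parse(lines, i, indent):
    """Parse the node at lines[i]; lines are (indent, text) pairs. Handles only
    the YAML subset .adv files use: mappings, '- item' lists and 'key: |' blocks."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            items.append(lines[i][1][2:].strip())
            i += 1
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, value = lines[i][1].partition(":")
        value = value.strip()
        i += 1
        if value == "|":  # literal block scalar: the more-indented lines that follow
            block = []
            while i < len(lines) and lines[i][0] > indent:
                block.append(lines[i][1].rstrip())
                i += 1
            mapping[key] = "\n".join(block)
        elif value:
            mapping[key] = value
        elif i < len(lines) and (lines[i][0] > indent or lines[i][1].startswith("- ")):
            mapping[key], i = _parse(lines, i, lines[i][0])  # nested mapping or list
        else:
            mapping[key] = None
    return mapping, i


def parse_advisory(text):
    """Return the advisory as nested dicts and lists."""
    lines = []
    for raw in text.splitlines():
        if raw.strip():
            stripped = raw.lstrip(" ")
            lines.append((len(raw) - len(stripped), stripped))
    if not lines:
        return {}
    node, _ = _parse(lines, 0, 0)
    return node


def _vertuple(s):
    # Dotted-numeric compare only; not a full rpmvercmp (simplification for this example).
    return tuple(int(p) if p.isdigit() else p for p in s.split("."))


def check_advisory(adv, bug_id, affected_srpm):
    """Cross-check an advisory against the bug's header fields (bug id, affected
    Source RPM). Returns a list of problems; an empty list means it passes."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in adv]
    if problems:
        return problems
    for cve in adv["CVE"]:
        if not CVE_RE.match(cve):
            problems.append(f"malformed CVE id: {cve}")
        if cve not in adv["description"]:
            problems.append(f"{cve} is not mentioned in the description")
    base = affected_srpm[:-len(".src.rpm")] if affected_srpm.endswith(".src.rpm") else affected_srpm
    old = NEVR_RE.match(base)
    for release, media in adv["src"].items():
        for pkgs in media.values():
            for pkg in pkgs:
                new = NEVR_RE.match(pkg)
                if not new:
                    problems.append(f"unparseable package name: {pkg}")
                    continue
                if new.group("mga") != release:
                    problems.append(f"{pkg} is listed under release {release}")
                if old and new.group("name") == old.group("name"):
                    new_vr = (_vertuple(new.group("ver")), _vertuple(new.group("rel")))
                    old_vr = (_vertuple(old.group("ver")), _vertuple(old.group("rel")))
                    if new_vr <= old_vr:
                        problems.append(f"{pkg} is not newer than the affected {base}")
    if not any(f"show_bug.cgi?id={bug_id}" in r for r in adv["references"]):
        problems.append(f"references do not include bug {bug_id}")
    return problems
```

Running `check_advisory(parse_advisory(ADVISORY), "32073", "openldap-2.4.57-1.2.mga8.src.rpm")` returns an empty list for the advisory as pasted; listing the still-affected 1.2 release, or dropping the CVE id from the description, each produce a single reported problem.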