26569 – openldap new security issue CVE-2020-12243

Bug 26569 - openldap new security issue CVE-2020-12243

Summary: openldap new security issue CVE-2020-12243

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:	24076
	Show dependency tree / graph

Reported:	2020-04-30 19:31 CEST by David Walser
Modified:	2020-05-05 14:22 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	openldap-2.4.47-3.1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-04-30 19:31:02 CEST

Debian has issued an advisory on April 28:
https://www.debian.org/security/2020/dsa-4666

The issue is fixed upstream in 2.4.50.

David Walser 2020-04-30 19:31:24 CEST

Blocks: (none) => 24076
Status comment: (none) => Fixed upstream in 2.4.50

Comment 1 Buchan Milne 2020-05-01 17:33:40 CEST

Considering the rest of the bugfixes[1],[2],[3] (not addressed by individual patches), I am leaning towards updating to 2.4.50 instead of just applying/backporting patches[4].


1. https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/NQ6OHLWNVRKIJU3HI5YGGAZL54H2RB73/
2. https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/VMMBUCQHEDF6QA4CDOONP2CDQEOR5YQA/
3. https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/FUOYA6YCHBXMLANBJMSO22JD2NB22WGC/
4. https://git.openldap.org/openldap/openldap/-/commit/d38d48fc8f572dedfb67b9da61a2ba3b125ced91

Status: NEW => ASSIGNED

Comment 2 David Walser 2020-05-01 17:40:03 CEST

Sounds reasonable.  Don't forget to address Bug 24076.

Comment 3 Buchan Milne 2020-05-02 10:33:14 CEST

openldap-2.4.50-1.1.mga7.src.rpm submitted to updates_testing for MGA7, after some local testing.

All tests from openldap-tests also passed running locally.

CC: (none) => bgmilne
Assignee: bgmilne => bugsquad

Comment 4 David Walser 2020-05-02 17:40:54 CEST

Advisory:
========================

Updated openldap packages fix security vulnerabilities:

When both the nops module and the member of overlay are enabled, attempts to
free a buffer that was allocated on the stack, which allows remote attackers to
cause a denial of service (slapd crash) via a member MODDN operation
(CVE-2017-17740).

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested
boolean expressions can result in denial of service (daemon crash)
(CVE-2020-12243).

The nops overlay has been dropped from the package, fixing CVE-2017-17740.

The openldap package has been updated to version 2.4.50, fixing CVE-2020-12243
and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12243
https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/NQ6OHLWNVRKIJU3HI5YGGAZL54H2RB73/
https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/VMMBUCQHEDF6QA4CDOONP2CDQEOR5YQA/
https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/FUOYA6YCHBXMLANBJMSO22JD2NB22WGC/
https://lists.opensuse.org/opensuse-updates/2019-09/msg00113.html
https://www.debian.org/security/2020/dsa-4666
========================

Updated packages in core/updates_testing:
========================
openldap-2.4.50-1.1.mga7
openldap-servers-2.4.50-1.1.mga7
openldap-servers-devel-2.4.50-1.1.mga7
openldap-clients-2.4.50-1.1.mga7
libldap2.4_2-2.4.50-1.1.mga7
libldap2.4_2-devel-2.4.50-1.1.mga7
libldap2.4_2-static-devel-2.4.50-1.1.mga7
openldap-back_sql-2.4.50-1.1.mga7
openldap-back_bdb-2.4.50-1.1.mga7
openldap-back_mdb-2.4.50-1.1.mga7
openldap-doc-2.4.50-1.1.mga7
openldap-tests-2.4.50-1.1.mga7
openldap-testprogs-2.4.50-1.1.mga7

from openldap-2.4.50-1.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.4.50 => (none)

Comment 5 David Walser 2020-05-02 17:41:21 CEST

Addendum to references:
https://bugs.mageia.org/show_bug.cgi?id=24076
https://bugs.mageia.org/show_bug.cgi?id=26569

Comment 6 Herman Viaene 2020-05-04 14:46:07 CEST

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25286 Comment 5 and 6 for testing.
At CLI:
# systemctl  start slapd
# systemctl -l status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-04 13:48:05 CEST; 17s ago
  Process: 14744 ExecStartPre=/usr/share/openldap/scripts/ldap-config check (code=exited, status=0/SUCCESS)
  Process: 14782 ExecStart=/usr/sbin/slapd -u ${LDAP_USER} -g ${LDAP_GROUP} -h ${SLAPDURLLIST} -l ${SLAPDSYSLOGLOCALUSER} >
 Main PID: 14783 (slapd)
    Tasks: 3 (limit: 4915)
   Memory: 4.3M
   CGroup: /system.slice/slapd.service
           └─14783 /usr/sbin/slapd -u ldap -g ldap -h ldap:/// ldapi:/// -l local4 -s 0

May 04 13:48:04 mach5.hviaene.thuis systemd[1]: Starting OpenLDAP Server Daemon...
May 04 13:48:04 mach5.hviaene.thuis su[14752]: (to ldap) root on none
May 04 13:48:05 mach5.hviaene.thuis su[14752]: pam_unix(su:session): session opened for user ldap by (uid=0)
May 04 13:48:05 mach5.hviaene.thuis su[14752]: pam_unix(su:session): session closed for user ldap
May 04 13:48:05 mach5.hviaene.thuis ldap-config[14744]: Checking config file /etc/openldap/slapd.conf: [  OK  ]
May 04 13:48:05 mach5.hviaene.thuis systemd[1]: Started OpenLDAP Server Daemon.

$ ldapsearch -x -b '' -s base supportedControl   
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl 
#

#
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.1.22
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapsearch -x -b '' -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures 
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapsearch -x -b '' -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedExtension 
#

#
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

$ make -C /usr/share/openldap/tests test
runs for more than 30 min., no errors noticed
OK for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2020-05-05 01:09:38 CEST

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 David Walser 2020-05-05 01:30:29 CEST

And Comment 5.

Thomas Backlund 2020-05-05 12:19:45 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-05-05 14:22:57 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0200.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.