OpenLDAP
Viewing Software Bugs/7059

From: hyc@openldap.org
Subject: UTF8StringNormalize will overrun a zero-length value
State:
0 replies:
1 followups: 1


Date: Thu, 06 Oct 2011 21:46:22 +0000
From: hyc@openldap.org
To: openldap-its@OpenLDAP.org
Subject: UTF8StringNormalize will overrun a zero-length value
Full_Name: Howard Chu
Version: 2.4.x
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.94.188.8)
Submitted by: hyc


According to the commit history this bug has been present since 2003-04-07
(commit 67d6b23d). A patch is in git master, but I'm continuing to investigate
and will update it further.

Followup 1

Date: Tue, 22 Nov 2011 14:30:04 -0800
From: Howard Chu <hyc@symas.com>
To: Howard Chu <openldap-its@OpenLDAP.org>
Subject: ITS#7059 UTF8StringNormalize issue
As Ralf Haferkamp noted, the real bug was introduced with 
postalAddressNormalize which was released in 2.4.10, so nothing earlier than 
that is affected. Also, this bug had no effect on most Linux installs because 
glibc malloc always allocates at least 16 bytes. The bug was only detected 
because I was running valgrind to check for leaks; there was no known crash 
related to this bug.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
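
The follow-up's point about allocator rounding, as an added example that is not part of the report and is not OpenLDAP code: it measures how much more memory malloc really reserves than was requested, which is why a small overrun of a tiny buffer stays silent at run time while valgrind, which tracks the requested size, still flags it. The 1-byte request (a zero-length value plus its terminator) and all helper names are assumptions made for illustration; `malloc_usable_size` is a glibc extension.

```c
#include <malloc.h>   /* malloc_usable_size (glibc extension) */
#include <stdio.h>
#include <stdlib.h>

/* Bytes the allocator reserved beyond a request of `req` bytes. */
size_t alloc_slack(size_t req)
{
    void *p = malloc(req);
    size_t slack;
    if (p == NULL)
        return 0;
    slack = malloc_usable_size(p) - req;
    free(p);
    return slack;
}

/* 1 if a write ending `over` bytes past the requested size still lands
 * inside the chunk the allocator handed out, so nothing visibly breaks. */
int overrun_is_silent(size_t req, size_t over)
{
    return over <= alloc_slack(req);
}

/* Bounds-checked store (hypothetical helper): checks against the
 * requested capacity, the only size the caller is entitled to use. */
int checked_store(char *buf, size_t cap, size_t idx, char c)
{
    if (buf == NULL || idx >= cap)
        return -1;
    buf[idx] = c;
    return 0;
}

int main(void)
{
    size_t req = 1;  /* constructed case: zero-length value + NUL */
    char *buf = malloc(req);
    if (buf == NULL)
        return 1;
    printf("requested %zu, usable %zu\n", req, malloc_usable_size(buf));
    printf("1-byte overrun silent: %d\n", overrun_is_silent(req, 1));
    printf("store at 0: %d, store at 1: %d\n",
           checked_store(buf, req, 0, '\0'),
           checked_store(buf, req, 1, ' '));
    free(buf);
    return 0;
}
```

The slack is an implementation detail of the allocator, so the same out-of-bounds write can corrupt adjacent data under a different malloc; the check has to be made against the requested size.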


© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org