Issue 7490 - Security weakness in sha2 password module
Summary: Security weakness in sha2 password module
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-11 06:19 UTC by Matthew Hardin
Modified: 2014-08-01 21:04 UTC (History)
0 users

See Also:


Description Matthew Hardin 2013-01-11 06:19:08 UTC
Full_Name: Matthew Hardin
Version: 2.4.33+
OS: All
URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt
Submission from: (NULL) (69.43.206.100)


contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers and
zeros them out in several places using the following macro:

MEMSET_BZERO(context, sizeof(context))

The variable 'context' is a pointer to a context buffer, so sizeof will evaluate
to the size of a pointer for the particular platform. As a result, the context
buffer is only partially zeroed.

The correct invocation is:

MEMSET_BZERO(context, sizeof(*context))

which will zero out the complete context buffer.

The referenced diff details the changes to sha2.c that are necessary to correct
this issue.

Note this also cleans up warnings reported by MacOS's clang compiler.

I, Matthew Hardin, hereby place the following modifications to OpenLDAP Software
(and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice. 
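The report above can be reproduced in isolation. The following is an added example, not code from the issue or from OpenLDAP's sha2.c: it uses a hypothetical stand-in for the SHA-2 context struct (not the real layout) and assumes MEMSET_BZERO expands to memset as it does in sha2.c, then measures how many bytes each form of the macro actually clears.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed definition, matching the sha2.c convention of zeroing with memset. */
#define MEMSET_BZERO(p, l) memset((p), 0, (l))

/* Hypothetical stand-in for the SHA-2 context (not sha2.c's real struct):
 * hash state, bit counter and a block-sized message buffer. */
typedef struct {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[128];
} demo_sha_ctx;

/* Fill every byte with a non-zero pattern so partial clearing is visible. */
static void fill_ctx(demo_sha_ctx *context) {
    memset(context, 0xA5, sizeof(*context));
}

/* Count the bytes of the context that are still non-zero. */
size_t nonzero_bytes(const demo_sha_ctx *context) {
    const unsigned char *p = (const unsigned char *)context;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*context); i++)
        if (p[i] != 0) n++;
    return n;
}

/* The form reported in the issue: 'context' is a pointer, so sizeof(context)
 * is the pointer width (4 or 8 bytes), not the size of the struct. */
size_t clear_buggy(void) {
    demo_sha_ctx ctx;
    demo_sha_ctx *context = &ctx;
    fill_ctx(context);
    MEMSET_BZERO(context, sizeof(context));   /* clears only sizeof(void *) bytes */
    return nonzero_bytes(context);
}

/* The corrected form: sizeof(*context) is the full struct size. */
size_t clear_fixed(void) {
    demo_sha_ctx ctx;
    demo_sha_ctx *context = &ctx;
    fill_ctx(context);
    MEMSET_BZERO(context, sizeof(*context));  /* clears the whole context */
    return nonzero_bytes(context);
}

/* Bytes the buggy form leaves untouched: everything past the first pointer width. */
size_t bytes_left_by_bug(void) {
    return sizeof(demo_sha_ctx) - sizeof(demo_sha_ctx *);
}
```

GCC and Clang flag this pattern at compile time with -Wsizeof-pointer-memaccess (enabled by -Wall), which is a cheap check to keep on for any code that scrubs key or hash state.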
Comment 1 Quanah Gibson-Mount 2013-01-16 00:58:53 UTC
--On Friday, January 11, 2013 6:19 AM +0000 mhardin@symas.com wrote:

> Full_Name: Matthew Hardin
> Version: 2.4.33+
> OS: All
> URL: ftp://ftp.openldap.org/incoming/sha2.c-diff.txt
> Submission from: (NULL) (69.43.206.100)
>
>
> contrib/slapd-modules/passwd/sha2/sha2.c uses a series of context buffers
> and zeros them out in several places using the following macro:
>
> MEMSET_BZERO(context, sizeof(context))
>
> The variable 'context' is a pointer to a context buffer, so sizeof will
> evaluate to the size of a pointer for the particular platform. As a
> result, the context buffer is only partially zeroed.
>
> The correct invocation is:
>
> MEMSET_BZERO(context, sizeof(*context))
>
> which will zero out the complete context buffer.
>
> The referenced diff details the changes to sha2.c that are necessary to
> correct this issue.
>
> Note this also cleans up warnings reported by MacOS's clang compiler.
>
> I, Matthew Hardin, hereby place the following modifications to OpenLDAP
> Software (and only these modifications) into the public domain. Hence,
> these modifications may be freely used and/or redistributed for any
> purpose with or without attribution and/or other notice.

Can you resubmit the patch using git-format-patch?  Or at least using 
unified diff format? ;)

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 2 Quanah Gibson-Mount 2013-01-17 20:06:35 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2013-01-27 02:42:43 UTC
changed notes
changed state Test to Release
Comment 4 Quanah Gibson-Mount 2013-03-05 02:25:49 UTC
changed notes
changed state Release to Closed
Comment 5 OpenLDAP project 2014-08-01 21:04:46 UTC
Fixed in master
Fixed in RE24