[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability

denis.andzakovic@security-assessment.com wrote:
> Full_Name: Denis Andzakovic
> Version: 2.4.42
> OS: Debian 8
> URL:
> Submission from: (NULL) (2402:6000:110:a01:743b:8319:1f96:bd89)
> OpenLDAP ber_get_next Denial of Service
> Affected Versions: OpenLDAP <= 2.4.42

> +----------+
> | Solution |
> +----------+
> Ensure that data received from untrusted sources is not able to trigger
> conditions resulting in the server crashing. In this specific instance, the
> NDEBUG macro should be defined before the inclusion of assert.h by default,
> requiring a specific compile time alteration to enable debug.

Our patch response was too hasty. There is no OpenLDAP bug here, the real 
issue is production binaries being built with asserts enabled instead of 
compiling with -DNDEBUG. That's an issue for packagers and distros to resolve. 
Closing this ITS, not an OpenLDAP bug.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/