
Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability



denis.andzakovic@security-assessment.com wrote:
> Full_Name: Denis Andzakovic
> Version: 2.4.42
> OS: Debian 8
> URL:
> Submission from: (NULL) (2402:6000:110:a01:743b:8319:1f96:bd89)
>
>
> OpenLDAP ber_get_next Denial of Service
> Affected Versions: OpenLDAP <= 2.4.42

> +----------+
> | Solution |
> +----------+
> Ensure that data received from untrusted sources is not able to trigger
> conditions resulting in the server crashing. In this specific instance, the
> NDEBUG macro should be defined before the inclusion of assert.h by default,
> requiring a specific compile time alteration to enable debug.

Our patch response was too hasty. There is no OpenLDAP bug here, the real 
issue is production binaries being built with asserts enabled instead of 
compiling with -DNDEBUG. That's an issue for packagers and distros to resolve. 
Closing this ITS, not an OpenLDAP bug.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
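The distinction the thread turns on, an assert() that untrusted input can trip versus an input check that returns an error, and the effect of building with or without NDEBUG, shown as an added example in C. This is constructed illustration code, not OpenLDAP's ber_get_next or any code from the ITS; the record format, the function names parse_record_assert, parse_record_checked and asserts_compiled_out, and the sample buffers are all assumptions made for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a tiny length-prefixed record parser (one length
 * byte followed by that many payload bytes). It is NOT OpenLDAP's BER
 * decoder; it only illustrates the assert-vs-validate distinction. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,   /* buffer too short to hold a length byte */
    PARSE_BAD_LENGTH = -2   /* declared length exceeds what was received */
};

/* Constructed sample inputs: one well-formed record, one whose length
 * byte (0xff) claims far more payload than the buffer contains. */
static const uint8_t SAMPLE_GOOD[] = { 3, 'a', 'b', 'c' };
static const uint8_t SAMPLE_BAD[]  = { 0xff, 'a' };

/* Pattern the ITS report describes: a condition controlled by network
 * data is treated as a programmer invariant. If this file is compiled
 * WITHOUT -DNDEBUG, a malformed length byte aborts the whole process;
 * WITH -DNDEBUG the assert vanishes and nothing checks the length at all.
 * Either way the input is not actually validated. */
size_t parse_record_assert(const uint8_t *buf, size_t buflen,
                           const uint8_t **payload)
{
    assert(buflen >= 1);
    size_t len = buf[0];
    assert(len <= buflen - 1);   /* untrusted data decides whether we abort */
    *payload = buf + 1;
    return len;
}

/* Defensive form: malformed input is an expected event, reported through
 * a return code. Behaviour is identical whether or not NDEBUG is defined,
 * so the build flags of a packager cannot turn a bad packet into a crash. */
int parse_record_checked(const uint8_t *buf, size_t buflen,
                         const uint8_t **payload, size_t *len_out)
{
    if (buflen < 1)
        return PARSE_TRUNCATED;
    size_t len = buf[0];
    if (len > buflen - 1)
        return PARSE_BAD_LENGTH;
    *payload = buf + 1;
    *len_out = len;
    return PARSE_OK;
}

/* Reports whether this translation unit was compiled with NDEBUG, i.e.
 * whether assert() has been compiled out. A release build can call this
 * from a self-test to confirm the packaging flags are what was intended. */
int asserts_compiled_out(void)
{
#ifdef NDEBUG
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    const uint8_t *payload = NULL;
    size_t len = 0;

    printf("asserts compiled out (NDEBUG defined): %s\n",
           asserts_compiled_out() ? "yes" : "no");

    /* The checked parser rejects the hostile record without dying. */
    int st = parse_record_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, &payload, &len);
    printf("checked parser on bad record: status %d\n", st);

    st = parse_record_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &payload, &len);
    printf("checked parser on good record: status %d, payload length %zu\n",
           st, len);

    /* Only the well-formed record is handed to the assert-based parser;
     * feeding it SAMPLE_BAD in a build without -DNDEBUG would abort(). */
    len = parse_record_assert(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &payload);
    printf("assert-based parser on good record: payload length %zu\n", len);
    return 0;
}
```

Compile once with `-DNDEBUG` and once without to see asserts_compiled_out() flip; the checked parser's results do not change between the two builds, which is the property a packager wants from code that faces the network.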