Re: CVE-2017-17740 aka ITS#8759



Michael Ströder wrote:
> Hi!
> 
> This ITS was answered with won't fix / send patches:
> https://www.openldap.org/its/index.cgi?findid=8759
> 
> But in the meantime somebody assigned a CVE number to it:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
> 
> The SUSE folks added a patch:
> 
> https://build.opensuse.org/package/view_file/network:ldap/openldap2/0017-Fix-segfault-in-nops.patch?expand=1
> 
> Could anybody review this and comment whether it makes sense at all?
> 
> If the patch is correct, would it make sense to release it with 2.4.47?

If the patch is correct, the original patch author must submit it to the ITS.

The CVE makes no sense, since as already noted in the ITS, the bug is caused
by the nops overlay which is in contrib, and not officially part of OpenLDAP Software.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/