Gentoo Logo

OpenLDAP DoS Vulnerability

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200403-12 / openldap
Release Date March 31, 2004
Latest Revision May 22, 2006: 02
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-nds/openldap <= 2.1.12 >= 2.1.13 All supported architectures

Related bugreports: #26728

Synopsis

A failed password operation can cause the OpenLDAP slapd server, if it is using the back-ldbm backend, to free memory that was never allocated.

2.  Impact Information

Background

OpenLDAP is a suite of LDAP-related application and development tools. It includes slapd (the standalone LDAP server), slurpd (the standalone LDAP replication server), and various LDAP libraries, utilities and example clients.

Description

A password extended operation (password EXOP) which fails will cause the slapd server to free() an uninitialized pointer, possibly resulting in a segfault. This only affects servers using the back-ldbm backend.

Such a crash is not guaranteed with every failed operation, however, it is possible.

Impact

An attacker (or indeed, a normal user) may crash the OpenLDAP server, creating a Denial of Service condition.

3.  Resolution Information

Workaround

A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.

Resolution

OpenLDAP users should upgrade to version 2.1.13 or later:

Code Listing 3.1: Resolution

# emerge sync

# emerge -pv ">=net-nds/openldap-2.1.13"
# emerge ">=net-nds/openldap-2.1.13"

4.  References



Print

Page updated March 31, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.