oss-sec mailing list archives
Re: CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow
From: Marcus Meissner <meissner () suse de>
Date: Wed, 26 Oct 2011 16:29:35 +0200
On Wed, Oct 26, 2011 at 04:26:45PM +0200, Marcus Meissner wrote:
Hi,
Dup from Sebastian's mail, which he mailed at the same time.
Ciao, Marcus
From our openldap2 Maintainer Ralf:
|A bug in UTF8StringNormalize() can cause a (one-byte) buffer overflow when it
|is passed a zero length string. (Can e.g. be triggered by passing a
|"postalAddressAttribute" with the value "$" (or no value at all)). What the code
|does is writing a '\0' past a 1-byte long buffer allocated on the heap. (At
|least as far as I understand it)
|
|Upstream Bug: ITS#7059
|http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059
|
|This bug is present in older releases as well.
|
|I wonder if this is really security relevant as it seems the worst that might
|happen is that an authenticated user can crash the daemon. I was not able to do
|so during a short test but I guess that is just a matter of trying long enough.
Ciao, Marcus
-- Working, but not speaking, for the following german company: SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg) Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer