oss-sec mailing list archives

Re: CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 26 Oct 2011 09:22:01 -0600

On 10/26/2011 08:26 AM, Marcus Meissner wrote:
Hi,

From our openldap2 Maintainer Ralf:
|A bug in UTF8StringNormalize() can cause a (one-byte) buffer overflow when it
|is passed a zero length string. (Can e.g. be triggered by passing a
|"postalAddressAttribute" with the value "$" (or no value at all). What the code
|does is writing a '\0' past a 1-byte long buffer allocated on the heap. (At
|least as far as I understand it)
|
|Upstream Bug: ITS#7059
|http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059
|
|This bug is present in older releases as well.
|
|I wonder if this is really security relevant as it seems the worst that might
|happen is that an authenticated user can crash the daemon. I was not able to do
|so during a short test but I guess that is just a matter of trying long enough.

Ciao, Marcus

Please use CVE-2011-4079 for this issue

-- 

-Kurt Seifried / Red Hat Security Response Team

