oss-sec mailing list archives
Re: openldap DoS
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Wed, 2 Jul 2008 08:48:02 +0200
Josh Bressers wrote:
On 30 June 2008, Ludwig Nussel wrote:Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER decoding of openlap and crash the server: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580The patch is here it seems: http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
Looks like the change was broken. Citing our maintainer from bugzilla: --- Comment #7 from Ralf Haferkamp <rhafer () novell com> 2008-07-02 00:38:08 MDT --- The OpenLDAP commit log just turned up this: -------------8<----------------------------- Update of /repo/OpenLDAP/pkg/ldap/libraries/liblber Modified Files: io.c 1.121 -> 1.122 Log Message: ITS#5580: Revert prev commit, failed on byte-at-a-time input. Different approach used here. CVS Web URLs: http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/ http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c ------------->8----------------------------- The thread discussing those changes starts here: http://www.openldap.org/lists/openldap-devel/200807/msg00000.html cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Current thread:
- Re: openldap DoS Josh Bressers (Jul 01)
- <Possible follow-ups>
- Re: openldap DoS Steven M. Christey (Jul 01)
- Re: openldap DoS Nico Golde (Jul 13)
- Re: openldap DoS Ludwig Nussel (Jul 01)