oss-sec mailing list archives
CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow
From: Marcus Meissner <meissner () suse de>
Date: Wed, 26 Oct 2011 16:26:45 +0200
Hi, From our openldap2 Maintainer Ralf: |A bug in UTF8StringNormalize() can cause a (one-byte) buffer overflow when it |is passed a zero length string. (Can e.g. be triggered by passing a |"postalAddressAttribute" with the value "$" (or no value a all). What the code |does is writing a '\0' past a 1-byte long buffer allocated on the heap. (At |least as far as I understand it) | |Upstream Bug: ITS#7059 |http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059 | |This bug is present in older releases as well. | |I wonder if this is really security relevant as it seem the worst that might |happen is that an authenticated user can crash the daemon. I was not able to do |so during a short test but I guess that is just a matter of trying long enough. Ciao, Marcus
Current thread:
- CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow Marcus Meissner (Oct 26)
- Re: CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow Marcus Meissner (Oct 26)
- Re: CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow Ramon de C Valle (Oct 28)
- Re: CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow Kurt Seifried (Oct 26)
- Re: CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow Marcus Meissner (Oct 26)