Re: CVE Request: openldap2 UTF8StringNormalize() can cause a (one-byte) buffer overflow

[Marcus Meissner <meissner () suse de>]

On Wed, Oct 26, 2011 at 04:26:45PM +0200, Marcus Meissner wrote:
> Hi,

Dup from Sebastians mail, which he mailed at the same tiem.

Ciao, Marcus
 
> From our openldap2 Maintainer Ralf:
> |A bug in UTF8StringNormalize() can cause a (one-byte) buffer overflow when it
> |is passed a zero length string. (Can e.g. be triggered by passing a
> |"postalAddressAttribute" with the value "$" (or no value a all). What the code
> |does is writing a '\0' past a 1-byte long buffer allocated on the heap. (At
> |least as far as I understand it)
> |
> |Upstream Bug: ITS#7059
> |http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059
> |
> |This bug is present in older releases as well.
> |
> |I wonder if this is really security relevant as it seem the worst that might
> |happen is that an authenticated user can crash the daemon. I was not able to do
> |so during a short test but I guess that is just a matter of trying long enough.
>
> Ciao, Marcus

-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg)
Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer