Discussion:
Security alerts on OpenLDAP (CVE-2015-1545 / CVE-2015-1546)
Clément OUDOT
2015-02-23 20:10:09 UTC
Hi,

I saw today two CVE on OpenLDAP:
* http://vigilance.fr/vulnerability/OpenLDAP-NULL-pointer-dereference-via-deref-16124
* http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values-16125

Don't know if they are reported in some ITS.


Clément OUDOT.
Howard Chu
2015-02-24 00:36:38 UTC
Post by Clément OUDOT
Hi,
* http://vigilance.fr/vulnerability/OpenLDAP-NULL-pointer-dereference-via-deref-16124
* http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values-16125
Don't know if they are reported in some ITS.
That's because you're reading 2nd or 3rd-hand reports. Read the actual CVEs and you'll see that the relevant ITSs are already linked.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546

Given that the deref overlay isn't even documented and is probably used by only a handful of OpenLDAP developers I don't believe it even merited a CVE record.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Michael Ströder
2015-02-24 09:47:56 UTC
Post by Howard Chu
Given that the deref overlay isn't even documented and is probably used by
only a handful of OpenLDAP developers I don't believe it even merited a CVE
record.
Hmm, not sure. Arthur de Jong implemented support for this control in
nss-pam-ldapd a year ago [1] and IIRC also discussed it on the
openldap-technical mailing list.

Ciao, Michael.

[1] http://arthurdejong.org/git/nss-pam-ldapd/tree/ChangeLog

[..]
2014-01-05 Arthur de Jong <***@arthurdejong.org>

* [c6c317e] : Implement deref control handling

This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to
dereference group member attribute values to uid attribute values.
[..]
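The ChangeLog entry quoted above names the control at issue, LDAP_CONTROL_X_DEREF from draft-masarati-ldap-deref-00. The following is an added example, not code from OpenLDAP, nss-pam-ldapd or anyone in this thread: it builds and parses the request control value as the draft lays it out, and reads a rootDSE to see whether a server advertises that control and the Matched Values control, the two mechanisms the CVEs in this thread concern. The control OIDs (1.3.6.1.4.1.4203.666.5.16 from OpenLDAP's ldap.h, 1.2.826.0.1.3344810.2.3 from RFC 3876), the ASN.1 layout and the sample rootDSE are assumptions of the example, not taken from the page.

```python
"""
Added example (not OpenLDAP or nss-pam-ldapd code).

Assumed layout, from draft-masarati-ldap-deref-00:
    controlValue ::= SEQUENCE OF DerefSpec
    DerefSpec    ::= SEQUENCE {
        derefAttr   AttributeDescription,            -- OCTET STRING
        attributes  SEQUENCE OF AttributeDescription }
Assumed OIDs: LDAP_CONTROL_X_DEREF from ldap.h, Matched Values from RFC 3876.
"""

DEREF_CONTROL_OID = "1.3.6.1.4.1.4203.666.5.16"
MATCHED_VALUES_OID = "1.2.826.0.1.3344810.2.3"


# --- minimal BER (definite-length) encoding ---------------------------------

def _ber_len(n: int) -> bytes:
    """Definite-length BER length octets (short form below 128)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _octet_string(s: str) -> bytes:
    return _tlv(0x04, s.encode("utf-8"))


def _sequence(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))


def encode_deref_control(specs: dict[str, list[str]]) -> bytes:
    """specs maps a DN-valued attribute (e.g. member) to the attributes
    wanted from each entry it points at (e.g. [uid])."""
    return _sequence(*(
        _sequence(_octet_string(deref_attr),
                  _sequence(*(_octet_string(a) for a in attrs)))
        for deref_attr, attrs in specs.items()
    ))


# --- minimal BER decoding, strict about lengths ------------------------------

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos); raise ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _read_items(buf: bytes, expect_tag: int) -> list[bytes]:
    """Walk a SEQUENCE OF body, requiring every element to carry expect_tag."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        if tag != expect_tag:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        out.append(val)
    return out


def decode_deref_control(value: bytes) -> dict[str, list[str]]:
    """Inverse of encode_deref_control; rejects anything not shaped as above."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    specs = {}
    for spec in _read_items(body, 0x30):
        tag, deref_attr, pos = _read_tlv(spec, 0)
        if tag != 0x04:
            raise ValueError("derefAttr is not an OCTET STRING")
        tag, attr_list, end = _read_tlv(spec, pos)
        if tag != 0x30 or end != len(spec):
            raise ValueError("malformed DerefSpec")
        specs[deref_attr.decode("utf-8")] = [
            a.decode("utf-8") for a in _read_items(attr_list, 0x04)]
    return specs


# --- rootDSE check -----------------------------------------------------------

def advertised_controls(rootdse_ldif: str) -> set[str]:
    """Collect supportedControl values from a rootDSE given in LDIF form."""
    return {line.split(":", 1)[1].strip()
            for line in rootdse_ldif.splitlines()
            if line.startswith("supportedControl:")}


def advertises_deref(rootdse_ldif: str) -> bool:
    return DEREF_CONTROL_OID in advertised_controls(rootdse_ldif)


def advertises_matched_values(rootdse_ldif: str) -> bool:
    return MATCHED_VALUES_OID in advertised_controls(rootdse_ldif)


# Constructed sample rootDSE for the example; not captured from a real server.
SAMPLE_ROOTDSE = """\
dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.4.1.4203.666.5.16
"""

if __name__ == "__main__":
    value = encode_deref_control({"member": ["uid"]})
    print(value.hex(), decode_deref_control(value))
    print("deref advertised:", advertises_deref(SAMPLE_ROOTDSE))
```

The rootDSE check only tells you whether the overlay is loaded and the control exposed on a given server; which releases carry the fixes is stated in the ITSs linked from the CVE records, not by anything here. The decoder is deliberately strict about lengths so that a truncated or oversized element is reported rather than read past.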
Clément OUDOT
2015-02-24 07:59:19 UTC
Post by Howard Chu
Post by Clément OUDOT
Hi,
* http://vigilance.fr/vulnerability/OpenLDAP-NULL-pointer-dereference-via-deref-16124
* http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values-16125
Don't know if they are reported in some ITS.
That's because you're reading 2nd or 3rd-hand reports. Read the actual CVEs
and you'll see that the relevant ITSs are already linked.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546
Given that the deref overlay isn't even documented and is probably used by
only a handful of OpenLDAP developers I don't believe it even merited a CVE
record.
Agreed for the deref CVE, but I confirm that the matched values bug is
present in the official 2.4.40 version (and so in LTB packages). I saw
that 2.4.41 was in preparation; any idea of a release date?

Clément.
