Debian Bug report logs - #440632
CVE-2007-5707 remote denial of service with malformed objectClasses attribute


Package: slapd; Maintainer for slapd is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for slapd is src:openldap.

Reported by: Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>

Date: Mon, 3 Sep 2007 09:27:01 UTC

Severity: grave

Found in versions openldap2.3/2.3.30-5, openldap2.2/2.2.23-8

Fixed in version 2.3.38-1

Done: Matthijs Mohlmann <matthijs@cacholong.nl>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#440632; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>
To: submit@bugs.debian.org
Subject: ldapadd with 'objectClasses' instead of 'objectClass' brings slapd down
Date: Mon, 03 Sep 2007 11:23:31 +0200
Package: slapd
Version: 2.3.30-5
Severity: grave



Hello,

I am using Debian etch.

I wrongly used the misspelled attribute 'objectClasses' instead of 'objectClass'
in ldapadd, and then slapd dies ...

I have verified this with a new (debian default) installation
with no special things and anonymous ldapadd!




floh@lenny:~$ ldapadd -x
dn: uid=test5,ou=SONST,ou=people,dc=kip.uni-heidelberg,dc=de
objectClasses: top


adding new entry "uid=test5,ou=SONST,ou=people,dc=kip.uni-heidelberg,dc=de"
ldap_add: Invalid syntax (21)
        additional info: objectClasses: value #0 normalization failed


=> now there are no slapd-processes left ... (the slapd process is dead)

floh@lenny:~$ ldapsearch -h ldap uid=test4
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

root@ldap:~# ps -ef |grep slap
root     21036 14161  0 10:30 pts/0    00:00:00 grep slap



The Log '/var/log/syslog' for the crash (loglevel 4095):
Sep  3 10:32:50 ldap slapd[21091]: daemon: read activity on 12
Sep  3 10:32:50 ldap slapd[21091]: connection_get(12)
Sep  3 10:32:50 ldap slapd[21091]: connection_get(12): got connid=3
Sep  3 10:32:50 ldap slapd[21091]: connection_read(12): checking for input on id=3
Sep  3 10:32:50 ldap slapd[21091]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Sep  3 10:32:50 ldap slapd[21091]: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep  3 10:32:50 ldap slapd[21091]: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep  3 10:32:50 ldap slapd[21091]: daemon: select: listen=8 active_threads=0 tvp=NULL
Sep  3 10:32:50 ldap slapd[21091]: do_add
Sep  3 10:32:50 ldap slapd[21091]: >>> dnPrettyNormal: <uid=test5,ou=SONST,ou=people,dc=kip.uni-heidelberg,dc=de>
Sep  3 10:32:50 ldap slapd[21091]: <<< dnPrettyNormal: <uid=test5,ou=SONST,ou=people,dc=kip.uni-heidelberg,dc=de>, <uid=test5,ou=sonst,ou=people,dc=kip.uni-heidelberg,dc=de>
Sep  3 10:32:50 ldap slapd[21091]: do_add: dn (uid=test5,ou=SONST,ou=people,dc=kip.uni-heidelberg,dc=de)
Sep  3 10:32:50 ldap slapd[21091]: conn=3 op=4 ADD dn="uid=test5,ou=SONST,ou=people,dc=kip.uni-heidelberg,dc=de"
Sep  3 10:32:50 ldap slapd[21091]: <= str2entry NULL (ssyn_normalize 21)
Sep  3 10:32:50 ldap slapd[21091]: send_ldap_result: conn=3 op=4 p=3
Sep  3 10:32:50 ldap slapd[21091]: send_ldap_result: err=21 matched="" text="objectClasses: value #0 normalization failed"
Sep  3 10:32:50 ldap slapd[21091]: send_ldap_response: msgid=5 tag=105 err=21
Sep  3 10:32:50 ldap slapd[21091]: conn=3 op=4 RESULT tag=105 err=21 text=objectClasses: value #0 normalization failed






best regards

Thomas Sesselmann

-- 
Dipl.-Inf. Thomas Sesselmann         __O
Kirchhoff-Institut für Physik      _\-<,
Universitaet Heidelberg          _(_)/(_)_
INF227 / D-69120 Heidelberg
Tel.:   +49/6221/54-9132
E-Mail: Thomas.Sesselmann@kip.uni-heidelberg.de
gpg-key: 0x9392E54B  or finger -l tsesselm@ix.urz.uni-heidelberg.de
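
Added example (not part of the original report or of OpenLDAP): a Python log check that finds ADD operations rejected with the `objectClasses` normalization error shown in the syslog excerpt above and ties each one to its DN and client connection. The function name, the `ACCEPT` line and its address, and the second (successful) ADD are constructed for illustration; the other sample lines are taken from the report's log.

```python
import re

# Line shapes follow slapd's syslog output as quoted in the report.
ACCEPT = re.compile(r"slapd\[(\d+)\]: conn=(\d+) fd=\d+ ACCEPT from (\S+)")
ADD = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
REJECT = re.compile(
    r"slapd\[(\d+)\]: conn=(\d+) op=(\d+) RESULT tag=105 err=21 "
    r"text=objectClasses: value #\d+ normalization failed"
)

def find_objectclasses_adds(lines):
    """Return one finding per ADD rejected with the objectClasses error."""
    peers, adds, findings = {}, {}, []
    for line in lines:
        if m := ACCEPT.search(line):
            # Key by pid as well: connection ids restart with the daemon.
            peers[(m[1], m[2])] = m[3]
        elif m := ADD.search(line):
            adds[(m[1], m[2], m[3])] = m[4]
        elif m := REJECT.search(line):
            pid, conn, op = m[1], m[2], m[3]
            findings.append({
                "timestamp": line[:15],          # syslog "Mmm dd hh:mm:ss"
                "pid": int(pid), "conn": int(conn), "op": int(op),
                "dn": adds.get((pid, conn, op)),  # None if ADD line not logged
                "peer": peers.get((pid, conn)),   # None if ACCEPT not logged
            })
    return findings

SAMPLE = [
    # Constructed: ACCEPT line with a documentation-range client address.
    "Sep  3 10:32:49 ldap slapd[21091]: conn=3 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)",
    # From the report's syslog excerpt.
    'Sep  3 10:32:50 ldap slapd[21091]: conn=3 op=4 ADD dn="uid=test5,ou=SONST,ou=people,dc=kip.uni-heidelberg,dc=de"',
    'Sep  3 10:32:50 ldap slapd[21091]: send_ldap_result: err=21 matched="" text="objectClasses: value #0 normalization failed"',
    "Sep  3 10:32:50 ldap slapd[21091]: conn=3 op=4 RESULT tag=105 err=21 text=objectClasses: value #0 normalization failed",
    # Constructed: an unrelated ADD that succeeds and must not be reported.
    'Sep  3 10:40:01 ldap slapd[21200]: conn=1 op=1 ADD dn="uid=ok,ou=people,dc=example,dc=org"',
    "Sep  3 10:40:01 ldap slapd[21200]: conn=1 op=1 RESULT tag=105 err=0 text=",
]

if __name__ == "__main__":
    for finding in find_objectclasses_adds(SAMPLE):
        print(finding)
```

On a slapd version listed as affected in this report, a finding is a prompt to check whether the daemon is still running after the logged timestamp.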




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#440632; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 440632@bugs.debian.org (full text, mbox):

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: 440632@bugs.debian.org
Cc: Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>
Subject: Re: [Pkg-openldap-devel] Bug#440632: ldapadd with 'objectClasses' instead of 'objectClass' brings slapd down
Date: Mon, 03 Sep 2007 20:33:18 -0700
--On Monday, September 03, 2007 11:23 AM +0200 Thomas Sesselmann 
<thomas.sesselmann@kip.uni-heidelberg.de> wrote:

Upstream bug#5119.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Reply sent to Matthijs Mohlmann <matthijs@cacholong.nl>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 440632-close@bugs.debian.org (full text, mbox):

From: Matthijs Mohlmann <matthijs@cacholong.nl>
To: 440632-close@bugs.debian.org
Subject: Bug#440632: fixed in openldap2.3 2.3.38-1
Date: Mon, 17 Sep 2007 21:32:45 +0000
Source: openldap2.3
Source-Version: 2.3.38-1

We believe that the bug you reported is fixed in the latest version of
openldap2.3, which is due to be installed in the Debian FTP archive:

ldap-utils_2.3.38-1_i386.deb
  to pool/main/o/openldap2.3/ldap-utils_2.3.38-1_i386.deb
libldap-2.3-0-dbg_2.3.38-1_i386.deb
  to pool/main/o/openldap2.3/libldap-2.3-0-dbg_2.3.38-1_i386.deb
libldap-2.3-0_2.3.38-1_i386.deb
  to pool/main/o/openldap2.3/libldap-2.3-0_2.3.38-1_i386.deb
openldap2.3_2.3.38-1.diff.gz
  to pool/main/o/openldap2.3/openldap2.3_2.3.38-1.diff.gz
openldap2.3_2.3.38-1.dsc
  to pool/main/o/openldap2.3/openldap2.3_2.3.38-1.dsc
openldap2.3_2.3.38.orig.tar.gz
  to pool/main/o/openldap2.3/openldap2.3_2.3.38.orig.tar.gz
slapd-dbg_2.3.38-1_i386.deb
  to pool/main/o/openldap2.3/slapd-dbg_2.3.38-1_i386.deb
slapd_2.3.38-1_i386.deb
  to pool/main/o/openldap2.3/slapd_2.3.38-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 440632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Mohlmann <matthijs@cacholong.nl> (supplier of updated openldap2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 17 Sep 2007 22:58:54 +0200
Source: openldap2.3
Binary: slapd ldap-utils libldap-2.3-0-dbg libldap-2.3-0 slapd-dbg
Architecture: source i386
Version: 2.3.38-1
Distribution: unstable
Urgency: low
Maintainer: matthijs@cacholong.nl
Changed-By: Matthijs Mohlmann <matthijs@cacholong.nl>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.3-0 - OpenLDAP libraries
 libldap-2.3-0-dbg - Debugging information for OpenLDAP libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
Closes: 428883 440632 442000
Changes: 
 openldap2.3 (2.3.38-1) unstable; urgency=low
 .
   [ Steve Langasek ]
   * Drop debian/patches/use-lpthread, which is no longer needed on mips*
     because gcc has been fixed.
   * Drop debian/patches/add-autogen-sh, also no longer needed now that
     the above patch is gone.
 .
   [ Matthijs Mohlmann ]
   * Fix bashism in initscript. (Closes: #428883)
   * Drop upstream patches ITS4924, ITS4925 and ITS4966.
   * Add patch for objectClasses which causes slapd to crash. (Closes: #440632)
     - Upstream bug ITS5119.
   * Change default loglevel to none, to log high priority messages.
     (Closes: #442000)
   * Tighten up the build dependencies, now that autogen patch is removed.
Files: 
 7b3acd47dba3ed2b140aa7b8d5b02411 1201 net optional openldap2.3_2.3.38-1.dsc
 c13b872eb062a33a16a31d5804f0964f 2955427 net optional openldap2.3_2.3.38.orig.tar.gz
 03b630f74f1f36d270664791e16445fe 152184 net optional openldap2.3_2.3.38-1.diff.gz
 1fe61a134af2ec245bfff836056a54c1 1206748 net optional slapd_2.3.38-1_i386.deb
 937f16b10b93abe26ee1ae1ff3ae746b 203878 net optional ldap-utils_2.3.38-1_i386.deb
 5f4339f34090d6e741b147198a5b14a1 314112 libs optional libldap-2.3-0_2.3.38-1_i386.deb
 fc04a98933e2cd53f380c85d3171588e 566590 libdevel extra libldap-2.3-0-dbg_2.3.38-1_i386.deb
 f85ba6df3988d3c3be56d2c9b15421f1 2990712 net extra slapd-dbg_2.3.38-1_i386.deb






Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#440632; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 440632@bugs.debian.org (full text, mbox):

From: Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>
To: 440632@bugs.debian.org
Cc: Matthijs Mohlmann <matthijs@cacholong.nl>
Subject: Re: Bug#440632: marked as done (ldapadd with 'objectClasses' instead of 'objectClass' brings slapd down)
Date: Tue, 18 Sep 2007 10:20:36 +0200
Hello,


Because this bug can easily cause a denial of service of the stable LDAP server,
I would be happy if you could backport the fix/patch to the stable (etch) release of slapd.


many thanks

Thomas Sesselmann

-- 
Dipl.-Inf. Thomas Sesselmann
Kirchhoff-Institut für Physik
Universitaet Heidelberg
INF227 / D-69120 Heidelberg
Tel.:   +49/6221/54-9132
E-Mail: Thomas.Sesselmann@kip.uni-heidelberg.de
gpg-key: 0x9392E54B  or finger -l tsesselm@ix.urz.uni-heidelberg.de


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#440632; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 440632@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 440632@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE-2007-5707
Date: Tue, 30 Oct 2007 19:16:10 +0100
retitle 440632 CVE-2007-5707 remote denial of service with malformed objectClasses attribute
thanks
Hi,
this is CVE-2007-5707.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `CVE-2007-5707 remote denial of service with malformed objectClasses attribute' from `ldapadd with 'objectClasses' instead of 'objectClass' brings slapd down'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 30 Oct 2007 18:21:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#440632; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #32 received at 440632@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: control@bugs.debian.org, 440632@bugs.debian.org
Subject: affects sarge too
Date: Wed, 5 Dec 2007 18:16:23 +0000
found 440632 2.2.23-8
thanks

2.2.23 (in oldstable) is listed as vulnerable
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5707

and I believe there is still security support for oldstable.

Cheers,

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Bug marked as found in version 2.2.23-8. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Wed, 05 Dec 2007 18:21:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#440632; Package slapd. Full text and rfc822 format available.

Acknowledgement sent to Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #39 received at 440632@bugs.debian.org (full text, mbox):

From: Thomas Sesselmann <thomas.sesselmann@kip.uni-heidelberg.de>
To: 440632@bugs.debian.org
Cc: Matthijs Mohlmann <matthijs@cacholong.nl>, Nico Golde <nion@debian.org>
Subject: CVE-2007-5707 remote denial of service with malformed objectClasses attribute
Date: Mon, 07 Jan 2008 15:09:49 +0100
Hello,

What is the status of this _grave_ bug for stable (etch) and oldstable (sarge)?
It would be very nice if this were fixed, since the fixed version has been in
testing (security) since 2007-11-18.


thanks and best regards

Thomas Sesselmann

-- 
Dipl.-Inf. Thomas Sesselmann
Kirchhoff-Institut fuer Physik
Universitaet Heidelberg
INF227 / D-69120 Heidelberg
Tel.:   +49/6221/54-9132
E-Mail: Thomas.Sesselmann@kip.uni-heidelberg.de
gpg-key: 0x9392E54B  or finger -l tsesselm@ix.urz.uni-heidelberg.de


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:30:15 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:31:05 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.