[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3632) 2 buggy getpeername calls in client library will result in crash of clients



First, this should not be marked as a major security issue
(see notes on submission page).  I have cleared this
indicator and, through my inclusion below, now make this
report public.

Second, 2.0 (as well as 2.1) are Historic.  You should
encourage your packager to provide more recent versions
of OpenLDAP Software, such as the latest "stable" release.
It contains many security-related fixes that remain in
final releases on the 2.0 and 2.1 branches.

Kurt

At 07:14 AM 4/5/2005, pb@bieringer.de wrote:
>Full_Name: Peter Bieringer
>Version: 2.0.27
>OS: Red Hat Enterprise Linux 3
>URL: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=153263
>Submission from: (NULL) (2002:5499:2f12::1)
>
>
>The IPv6 support in client library of latest version 2.0.x (2.0.27) is buggy and
>can lead clients to crash (e.g. postfix in LDAP lookup code).
>
>Reason: 2 getpeername calls are IPv4 centric.
>
>This is already fixed in 2.1.30, but RHEL3 contain 2.0.27 (perhaps other still
>supported Linux distributions), so OpenLDAP project should at least provide a
>patch, regardless that 2.0.x is beyond support.
>
>I've created a working patch, see RH bugzilla entry. Here also straces are
>shown.
>
>BTW: this bug causes strange DNS IPv6 PTR lookups which were the original
>starting point of looking for the bug.