[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash
Oleg Strikov
oleg.strikov at canonical.com
Tue Apr 7 18:32:31 UTC 2015
I plan to change the status of this bug for 12.04 (precise) and 14.04 (trusty) to Won't Fix.
In this comment I want to explain why I came to this decision.
This bug had CVE-2013-4449 linked to it. I don't think that this CVE is relevant because the patch proposed in this bug doesn't resolve the issue mentioned in the description of this CVE. I proved that by using the following repro script:
http://pastebin.ubuntu.com/10764620/
This script is derived from the repro case provided in the debian bug for CVE-2013-4449:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729367#22
[!] Please note that this CVE can be reliably reproduced only on a multicore machine (e.g. you can't use an m1.small cloud instance). Some form of race condition takes place and your chances are much higher on a multicore machine.
When CVE-2013-4449 is resolved this script should print 'Finished' at the end of execution.
When the CVE is still present it prints 'No server found on localhost:389 <attempt>'.
'No server found' means that slapd crashed and can't be accessed via the network, and '<attempt>' is the number of the iteration at which slapd crashed (it usually takes from 3 to 15 iterations because some form of race condition needs to take place).
WITH and WITHOUT the proposed patch I get the 'No server found' message on 12.04 (precise) and 14.04 (trusty).
It means that the patch doesn't fix CVE-2013-4449.
The patch doesn't fix CVE-2013-4449, but it can still fix the issue mentioned in the bug description (an incorrect cipher suite string leads to a crash). That's true, but I don't think that we want to update 12.04 (precise) and 14.04 (trusty). ANY update may lead to unpredictable regressions (see https://wiki.ubuntu.com/StableReleaseUpdates) and the profit of patching should exceed the amount of potential issues it may create. OpenLDAP is an important infrastructural component and we need to have a very good reason to update it. I don't see such a reason. A client may crash itself by passing an incorrect cipher suite to the API. While that's sad, it doesn't crash slapd itself and doesn't create any inconveniences to other users. This looks like a good fix for a development release but not for a stable release.
Please let me know if you have any objections or additional information about this bug.
We're open to discussion and can re-open this bug if needed.
Thanks to Jouko Orava and others for opening this bug and taking part in the discussion.
** Bug watch added: Debian Bug tracker #729367
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729367
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4449
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1103353
Title:
Invalid GnuTLS cipher suite strings causes libldap to crash