REDHAT-BUG-2118691: Null Pointer Dereference
First published: Tue Aug 16 2022(Updated: )
Description of problem: Previously: <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2021-3514 389-ds-base: sync_repl NULL pointer dereference in sync_create_state_control()" href="show_bug.cgi?id=1952907">https://bugzilla.redhat.com/show_bug.cgi?id=1952907</a> This issue is not fixed completely and can be triggered by supplying a malformed cookie, for example -E sync=rp/foo Thread 14 "ns-slapd" received signal SIGSEGV, Segmentation fault. 0x00007f7802ba38d6 in __strcmp_evex () from target:/lib64/libc.so.6 (gdb) bt #0 0x00007f7802ba38d6 in __strcmp_evex () at target:/lib64/libc.so.6 #1 0x00007f77fe926e9f in sync_cookie_isvalid (refcookie=0x7f77febfaba0, testcookie=0x7f77febfab80) at ldap/servers/plugins/sync/sync_util.c:796 #2 sync_cookie_isvalid (testcookie=0x7f77febfab80, refcookie=0x7f77febfaba0) at ldap/servers/plugins/sync/sync_util.c:789 #3 0x00007f77fe92aa7d in sync_srch_refresh_pre_search (pb=0x7f77feb9fd00) at ldap/servers/plugins/sync/sync_refresh.c:135 #4 0x00007f7802e297d9 in plugin_call_func (list=0x7f77fe9ed800, operation=operation@entry=403, pb=pb@entry=0x7f77feb9fd00, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:2001 #5 0x00007f7802e299e6 in plugin_call_list (pb=0x7f77feb9fd00, operation=403, list=<optimized out>) at ldap/servers/slapd/plugin.c:1944 #6 plugin_call_plugins (pb=0x7f77feb9fd00, whichfunction=403) at ldap/servers/slapd/plugin.c:414 #7 0x00007f7802e222a9 in op_shared_search (pb=pb@entry=0x7f77feb9fd00, send_result=send_result@entry=1) at ldap/servers/slapd/opshared.c:586 #8 0x0000556eb3f0db14 in do_search (pb=<optimized out>) at ldap/servers/slapd/search.c:388 #9 0x0000556eb3efcb7f in connection_dispatch_operation (pb=0x7f77feb9fd00, op=<optimized out>, conn=<optimized out>) at ldap/servers/slapd/connection.c:659 #10 connection_threadmain () at ldap/servers/slapd/connection.c:1785 #11 0x00007f780290ec34 in _pt_root () at target:/lib64/libnspr4.so #12 0x00007f7802b75802 in start_thread () at target:/lib64/libc.so.6 #13 0x00007f7802b15450 in clone3 () at target:/lib64/libc.so.6 Automated reproducer: <a href="https://github.com/389ds/389-ds-base/blob/main/dirsrvtests/tests/tickets/ticket48013_test.py">https://github.com/389ds/389-ds-base/blob/main/dirsrvtests/tests/tickets/ticket48013_test.py</a> Version-Release number of selected component (if applicable): 389-ds-base-2.0.x+ (earliest I was able to test was 2.0.5). How reproducible: Deterministically Steps to Reproduce: 1. <a href="https://github.com/389ds/389-ds-base/blob/main/dirsrvtests/tests/tickets/ticket48013_test.py">https://github.com/389ds/389-ds-base/blob/main/dirsrvtests/tests/tickets/ticket48013_test.py</a> Actual results: Server crashes Expected results: Should return an error that the cookie is invalid and not crash. Additional info: Upstream ticket: <a href="https://github.com/389ds/389-ds-base/issues/4711#issuecomment-1205100979">https://github.com/389ds/389-ds-base/issues/4711#issuecomment-1205100979</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 389 Directory Server | >=2.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1952907
- https://github.com/389ds/389-ds-base/blob/main/dirsrvtests/tests/tickets/ticket48013_test.py
- https://github.com/389ds/389-ds-base/issues/4711#issuecomment-1205100979
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2118761
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2118762
- https://access.redhat.com/errata/RHSA-2022:7087
- https://access.redhat.com/errata/RHSA-2022:7133
- https://access.redhat.com/errata/RHSA-2022:8162
- https://access.redhat.com/errata/RHSA-2022:8680
- https://access.redhat.com/errata/RHSA-2022:8886
- https://access.redhat.com/errata/RHSA-2022:8976
- https://access.redhat.com/security/cve/cve-2022-2850
- https://access.redhat.com/errata/RHSA-2023:0479
- https://bugzilla.redhat.com/show_bug.cgi?id=2118691
Frequently Asked Questions
What is the severity of REDHAT-BUG-2118691?
The severity of REDHAT-BUG-2118691 is categorized as moderate due to the potential impact on system stability.
How do I fix REDHAT-BUG-2118691?
To fix REDHAT-BUG-2118691, you should apply the latest updates provided for Red Hat 389 Directory Server.
Which versions of the 389 Directory Server are affected by REDHAT-BUG-2118691?
REDHAT-BUG-2118691 affects Red Hat 389 Directory Server versions starting from 2.0.5.
Is there a workaround for REDHAT-BUG-2118691?
Currently, there is no official workaround for REDHAT-BUG-2118691, and applying the fix is recommended.
What is the nature of the vulnerability in REDHAT-BUG-2118691?
The vulnerability in REDHAT-BUG-2118691 involves a NULL pointer dereference in the sync_create_state_control() function.
- agent/references
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-2850
- agent/last-modified-date
- agent/first-publish-date
- agent/source
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/389 directory server