389-ds-base/0003-Issue-7554-deref-plugin-null-pointer-dereference-if-.patch
Viktor Ashirov 5a8e6532df Bump version to 3.3.0
- Resolves: RHEL-58681 - high wtime can hide a worker reading a large requests
- Resolves: RHEL-62876 - Inconsistencies in the log messages
- Resolves: RHEL-68692 - Replication halt caused by an incorrect setting of "nsslapd-changelogmaxage"
- Resolves: RHEL-76836 - Crash in replica_config_add when manually configuring a replica with an incorrect nsds5ReplicaRoot.
- Resolves: RHEL-80256 - [RFE] RHDS healthcheck tool could provide more information in offline mode
- Resolves: RHEL-84531 - access log - suspicious wtime  optime negative and large values in internal op
- Resolves: RHEL-86325 - dbscan utility not filtering using -k option
- Resolves: RHEL-88942 - LDAP healthcheck and ignoring entrydn index and associated config
- Resolves: RHEL-109505 - Possible memory leak when using the Retro Changelog plugin.
- Resolves: RHEL-117666 - [RFE] Expose stats from deferred memberof
- Resolves: RHEL-118811 - Password policy can be created even though the same one already exists
- Resolves: RHEL-118867 - Memory leak issue in an IPA deployment.
- Resolves: RHEL-121119 - Differences on export ldif using online of off-line method on RHDS
- Resolves: RHEL-121169 - dsctl should report error when the ldif to import doesn't have permissions to be read by dirsrv.
- Resolves: RHEL-129204 - Local password policies can be created with unallowed values
- Resolves: RHEL-129597 - Remediate "Could not read password attribute" error on directory Servers with chaining enabled(DBLink)
- Resolves: RHEL-132767 - An online reinitialization with LMDB is terminating the receiving server
- Resolves: RHEL-134188 - RFE: add server-side configuration to ignore malformed controls and/or override critical controls from clients
- Resolves: RHEL-138569 - AddressSanitizer: SEGV ldap/servers/plugins/automember/automember.c:1962 in automember_mod_post_op
- Resolves: RHEL-140005 - Memory leaks in IPA context on server restart
- Resolves: RHEL-141049 - Fail open condition in ACL
- Resolves: RHEL-141480 - [RFE] Add shadowLastChange fixup task
- Resolves: RHEL-146147 - Fix dsconf to allow specifying multiple certificates for use in 389-ds server
- Resolves: RHEL-149125 - dnaSharedConfig: "dnaPortNum: 0"
- Resolves: RHEL-151246 - dsctl healthcheck DSMOLE0001 inaccurate recommendations when there is more than 1 LDAP backend
- Resolves: RHEL-152373 - Entry cache DN hash table corruption causes SIGSEGV in ns-slapd
- Resolves: RHEL-153088 - [RFE] Add OS-level thread names to all server threads
- Resolves: RHEL-153089 - [RFE] Add work queue metrics to cn=monitor
- Resolves: RHEL-153092 - [RFE] Per-operation thread pool context via STAT extension
- Resolves: RHEL-153372 - dirsrv@.service missing NoNewPrivileges and MemoryDenyWriteExecute despite broad capability set
- Resolves: RHEL-154374 - Prevent the ability of creating a replication agreement from a node back to itself is needed
- Resolves: RHEL-154380 - DS 12 does not handle escape char in bind user
- Resolves: RHEL-157894 - Online export is failing when using the option "-s"
- Resolves: RHEL-163373 - WARN - keys2idl - received NULL idl from index_read_ext_allids
- Resolves: RHEL-165956 - can't modify user's name/dn if it's owner of SubIDs
- Resolves: RHEL-169529 - Rebase 389-ds-base to 3.3.x
- Resolves: RHEL-170277 - Memory leaks in syncrepl plugin during persistent search operations
- Resolves: RHEL-170643 - passwordbadwords attribute of the local password policy is not functioning
- Resolves: RHEL-170907 - Substring index produces empty results and can crash when non-default nsSubStrBegin/nsSubStrEnd lengths are configured
- Resolves: RHEL-172228 - Replacing a group's member list modifies users who were already members
- Resolves: RHEL-174908 - Replication errors in logs
- Resolves: RHEL-181022 - Server shutdown during online reindex may lead to data loss
2026-06-05 14:01:13 +02:00

46 lines
1.6 KiB
Diff

From c36ad54ed05c4821fbd2211f0be78163cfdc1464 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 3 Jun 2026 17:52:09 -0400
Subject: [PATCH 3/6] Issue 7554 - deref plugin null pointer dereference if
ber_init fails
Description:
**CWE**: CWE-476 (NULL Pointer Dereference)
A flaw in the 389 Directory Server's dereference control plugin allows an
unauthenticated attacker to crash the LDAP server when the system is under
memory pressure(OOM). The deref plugin, enabled by default, fails to check for
a memory allocation failure before using the result, causing the server
process to terminate.
CI test 'test_deref_and_access_control' already covers this fix.
relates: https://github.com/389ds/389-ds-base/issues/7554
Reviewed by: tbordaz & progier(Thanks!!)
---
ldap/servers/plugins/deref/deref.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index fc1c10f71..fc157f6d6 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -357,6 +357,12 @@ deref_parse_ctrl_value(DerefSpecList *speclist, const struct berval *ctrlbv, int
}
ber = ber_init((struct berval *)ctrlbv);
+ if (!ber) {
+ *ldapcode = LDAP_UNWILLING_TO_PERFORM;
+ *ldaperrtext = "Deref control parsing failed to initialize BER element";
+ return;
+ }
+
for (tag = ber_first_element(ber, &len, &last);
(tag != LBER_ERROR) && (tag != LBER_END_OF_SEQORSET);
tag = ber_next_element(ber, &len, last)) {
--
2.54.0