Vigil@nce - OpenLDAP: overflow via UTF8StringNormalize
October 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use an empty field, in order to generate an
overflow of one byte in OpenLDAP, leading to a denial of service.
Severity: 1/4
Creation date: 27/10/2011
IMPACTED PRODUCTS
– OpenLDAP
DESCRIPTION OF THE VULNERABILITY
The UTF8StringNormalize() function of file
servers/slapd/schema_init.c deletes unnecessary spaces in a UTF-8
string. When the string contains only spaces, it is converted to a
single space followed by a '\0'.
When the string is empty, however, it is also converted to a single
space. The result is therefore one byte longer than the expected
size (the input was zero bytes long, the output is one byte plus the
terminator). Functions which call UTF8StringNormalize() have to
handle this case.
The postalAddressNormalize() function of the schema_init.c file
normalizes a postalAddress attribute using UTF8StringNormalize().
However, it does not handle the above case, so the one-byte result
written for an empty component overflows the caller's buffer by one
byte.
An attacker can therefore use an empty field, in order to generate
an overflow of one byte in OpenLDAP, leading to a denial of
service.
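The C program below is an added illustration for this bulletin; it is not OpenLDAP's code and not part of the Vigil@nce text. It models the normalizer behaviour described above (runs of spaces collapsed, an all-space or empty input turned into a single space) and contrasts the sizing rule a caller might assume (input length + 1) with one that accounts for the empty-input case. All function names (normalize_spaces, naive_capacity, safe_capacity, naive_sizing_overflows, normalizes_to) and the test strings are constructed for this example. The normalizer here is bounds-checked and refuses to write when the buffer is too small, so the program reports the off-by-one instead of reproducing the overflow.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Simplified model of the behaviour the bulletin describes (added example,
 * not OpenLDAP's UTF8StringNormalize): collapse runs of spaces to a single
 * space, drop leading and trailing spaces, and turn an all-space OR EMPTY
 * input into a single space.  Unlike an unbounded normalizer, this one
 * never writes past 'cap' bytes (terminating NUL included).
 * Returns the length of the normalized string, or -1 if it does not fit.
 */
static int normalize_spaces(const char *in, size_t in_len, char *out, size_t cap)
{
    size_t i, o = 0;
    int pending_space = 0;

    for (i = 0; i < in_len; i++) {
        if (in[i] == ' ') {
            /* Emit a separator only if output exists and a non-space follows. */
            if (o > 0)
                pending_space = 1;
            continue;
        }
        if (pending_space) {
            if (o + 2 > cap) return -1;   /* room for ' ' plus the NUL */
            out[o++] = ' ';
            pending_space = 0;
        }
        if (o + 2 > cap) return -1;       /* room for in[i] plus the NUL */
        out[o++] = in[i];
    }

    /* Empty or all-space input becomes " ".  For an empty input this is one
     * byte LONGER than the input: the case callers must account for. */
    if (o == 0) {
        if (cap < 2) return -1;
        out[o++] = ' ';
    }
    out[o] = '\0';
    return (int)o;
}

/* Sizing rule a caller might assume: "normalization never lengthens the
 * string, so input length + 1 (for the NUL) is always enough". */
static size_t naive_capacity(size_t in_len) { return in_len + 1; }

/* Sizing rule that accounts for the empty-input case from the bulletin. */
static size_t safe_capacity(size_t in_len) { return (in_len ? in_len : 1) + 1; }

/* 1 if a buffer sized by naive_capacity() is too small for the normalized
 * form of 'in' (an unbounded normalizer would write one byte past its end),
 * 0 if it fits, -1 if 'in' exceeds the local scratch buffer. */
static int naive_sizing_overflows(const char *in)
{
    char buf[256];
    size_t len = strlen(in);
    if (naive_capacity(len) > sizeof buf) return -1;
    return normalize_spaces(in, len, buf, naive_capacity(len)) < 0;
}

/* 1 if normalizing 'in' into a safe_capacity()-sized buffer yields 'expected'. */
static int normalizes_to(const char *in, const char *expected)
{
    char buf[256];
    size_t len = strlen(in);
    if (safe_capacity(len) > sizeof buf) return 0;
    if (normalize_spaces(in, len, buf, safe_capacity(len)) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the empty string is the bulletin's case. */
    static const char *const cases[] = { "", "   ", "  a   b  ", "1 Main St" };
    size_t n;

    for (n = 0; n < sizeof cases / sizeof cases[0]; n++) {
        char buf[256];
        int len = normalize_spaces(cases[n], strlen(cases[n]), buf, sizeof buf);
        printf("\"%s\" -> \"%s\" (len %d), naive sizing overflows: %s\n",
               cases[n], buf, len,
               naive_sizing_overflows(cases[n]) ? "yes" : "no");
    }
    return 0;
}
```

The defensive point is in the last branch of normalize_spaces: a normalizer whose output can exceed its input length must either be given the worst-case capacity (safe_capacity) or take a bound and fail closed, as done here. Only the empty input trips the naive rule; an all-space input shrinks and fits.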
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenLDAP-overflow-via-UTF8StringNormalize-11105