A flaw was found in 389 Directory Server in the aclpnormalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.
{
"binaries": [
{
"binary_name": "389-ds",
"binary_version": "2.0.15-1ubuntu2"
},
{
"binary_name": "389-ds-base",
"binary_version": "2.0.15-1ubuntu2"
},
{
"binary_name": "389-ds-base-libs",
"binary_version": "2.0.15-1ubuntu2"
},
{
"binary_name": "cockpit-389-ds",
"binary_version": "2.0.15-1ubuntu2"
},
{
"binary_name": "python3-lib389",
"binary_version": "2.0.15-1ubuntu2"
}
]
}{
"binaries": [
{
"binary_name": "389-ds",
"binary_version": "2.4.5+dfsg1-1"
},
{
"binary_name": "389-ds-base",
"binary_version": "2.4.5+dfsg1-1"
},
{
"binary_name": "389-ds-base-libs",
"binary_version": "2.4.5+dfsg1-1"
},
{
"binary_name": "cockpit-389-ds",
"binary_version": "2.4.5+dfsg1-1"
},
{
"binary_name": "python3-lib389",
"binary_version": "2.4.5+dfsg1-1"
}
]
}{
"binaries": [
{
"binary_name": "389-ds",
"binary_version": "3.1.2+dfsg1-1"
},
{
"binary_name": "389-ds-base",
"binary_version": "3.1.2+dfsg1-1"
},
{
"binary_name": "389-ds-base-libs",
"binary_version": "3.1.2+dfsg1-1"
},
{
"binary_name": "cockpit-389-ds",
"binary_version": "3.1.2+dfsg1-1"
},
{
"binary_name": "python3-lib389",
"binary_version": "3.1.2+dfsg1-1"
}
]
}{
"binaries": [
{
"binary_name": "389-ds",
"binary_version": "3.1.2+vendor1-2"
},
{
"binary_name": "389-ds-base",
"binary_version": "3.1.2+vendor1-2"
},
{
"binary_name": "389-ds-base-libs",
"binary_version": "3.1.2+vendor1-2"
},
{
"binary_name": "cockpit-389-ds",
"binary_version": "3.1.2+vendor1-2"
},
{
"binary_name": "python3-lib389",
"binary_version": "3.1.2+vendor1-2"
}
]
}{
"binaries": [
{
"binary_name": "389-ds",
"binary_version": "1.3.7.10-1ubuntu1+esm1"
},
{
"binary_name": "389-ds-base",
"binary_version": "1.3.7.10-1ubuntu1+esm1"
},
{
"binary_name": "389-ds-base-libs",
"binary_version": "1.3.7.10-1ubuntu1+esm1"
},
{
"binary_name": "python3-dirsrvtests",
"binary_version": "1.3.7.10-1ubuntu1+esm1"
},
{
"binary_name": "python3-lib389",
"binary_version": "1.3.7.10-1ubuntu1+esm1"
}
]
}{
"binaries": [
{
"binary_name": "389-ds",
"binary_version": "1.4.3.6-2ubuntu0.1~esm1"
},
{
"binary_name": "389-ds-base",
"binary_version": "1.4.3.6-2ubuntu0.1~esm1"
},
{
"binary_name": "389-ds-base-libs",
"binary_version": "1.4.3.6-2ubuntu0.1~esm1"
},
{
"binary_name": "cockpit-389-ds",
"binary_version": "1.4.3.6-2ubuntu0.1~esm1"
},
{
"binary_name": "python3-lib389",
"binary_version": "1.4.3.6-2ubuntu0.1~esm1"
}
]
}