phpldapadmin fatal error renaming cn

Bug #384157 reported by Edwin Fine
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| phpldapadmin (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Lucid | Fix Released | Undecided | Unassigned | |

Bug Description

Binary package hint: phpldapadmin

Ubuntu release: 9.04
phpLDAPAdmin version: 1.1.0.5-6ubuntu3

This bug occurs when attempting to rename a cn entry when the only difference between the old and new cn entry is in capitalization. It's easy to reproduce: just try to rename a cn for (say) an inetOrgPerson by only changing the spelling (e.g. JohnMclean to JohnMcLean), and you should see this:

Fatal error: Call to a member function rename() on a non-object in /usr/share/phpldapadmin/lib/Tree.php on line 171

Line 171 of this file is as follows:

166: $olddnlower = $this->indexDN($oldDn);
167: $newdnlower = $this->indexDN($newDn);
168:
169: $this->entries[$newdnlower] = $this->entries[$olddnlower];
170: unset($this->entries[$olddnlower]);
171: $this->entries[$newdnlower]->rename($newDn); // Fatal error

The problem is in line 170.

Let's say the cn was JohnMclean, and we wanted to change it to JohnMcLean (uppercase "L"). When the old and new names are both lowercased in lines 166 and 167, the code that is executed is effectively this:

unset($this->entries["johnmclean"]);
$this->entries["johnmclean"]->rename("JohnMcLean"); // We just unset this very entry - BOOM

The fix is obviously not to unset the variable if old and new names are equal when lowercased. Fixed code (works now, tested with same name, different name, change only in spelling) is:

169: $this->entries[$newdnlower] = $this->entries[$olddnlower];
***: if ($olddnlower != $newdnlower)
170: unset($this->entries[$olddnlower]);
171: $this->entries[$newdnlower]->rename($newDn);
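
The following stand-alone script is an added illustration, not code from the report or from phpLDAPadmin. It replays the quoted logic with and without the reporter's guard on three constructed DNs. `DemoEntry` and `DemoTree` are hypothetical stand-ins, `indexDN()` is assumed to lowercase the DN as the report describes, and the unguarded path returns a marker string where the real code hits the fatal error.

```php
<?php
// Added example: DemoEntry/DemoTree are hypothetical stand-ins, not phpLDAPadmin classes.
class DemoEntry {
    public $dn;
    public function __construct($dn) { $this->dn = $dn; }
    public function rename($newDn) { $this->dn = $newDn; }
}

class DemoTree {
    public $entries = array();

    // Assumption: indexDN() yields a lowercased, case-insensitive key.
    private function indexDN($dn) { return strtolower($dn); }

    public function add($dn) {
        $this->entries[$this->indexDN($dn)] = new DemoEntry($dn);
    }

    // $guard = false mirrors lines 166-171 as reported; true applies the reporter's check.
    public function rename($oldDn, $newDn, $guard) {
        $old = $this->indexDN($oldDn);
        $new = $this->indexDN($newDn);
        $this->entries[$new] = $this->entries[$old];
        if (!$guard || $old != $new) {
            unset($this->entries[$old]);   // with equal keys this deletes the entry just stored
        }
        if (!isset($this->entries[$new])) {
            return 'entry lost';           // the real code calls ->rename() here and hits the fatal error
        }
        $this->entries[$new]->rename($newDn);
        return $this->entries[$new]->dn;
    }
}

// Constructed sample DNs covering the three cases the reporter tested.
$cases = array(
    'case-only change' => array('cn=JohnMclean,dc=example,dc=com', 'cn=JohnMcLean,dc=example,dc=com'),
    'different name'   => array('cn=JohnMclean,dc=example,dc=com', 'cn=JaneDoe,dc=example,dc=com'),
    'same name'        => array('cn=JohnMclean,dc=example,dc=com', 'cn=JohnMclean,dc=example,dc=com'),
);

foreach ($cases as $label => $pair) {
    foreach (array(false, true) as $guard) {
        $tree = new DemoTree();
        $tree->add($pair[0]);
        $result = $tree->rename($pair[0], $pair[1], $guard);
        printf("%-17s guard=%-3s -> %s (%d entries)\n",
            $label, $guard ? 'on' : 'off', $result, count($tree->entries));
    }
}
```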

Deon George (deon-leenooks) wrote :

Fix committed upstream. Will be available in release after 1.2.0.1.

Any bugs about PLA code should be submitted on sourceforge - they may not necessarily be seen here.

Changed in phpldapadmin (Ubuntu):
status: New → Fix Committed
Edwin Fine (emofine) wrote : Re: [Bug 384157] Re: phpldapadmin fatal error renaming cn

Ok, thanks, next time (hopefully there isn't a next time) I will use sf.

On Sun, Aug 16, 2009 at 5:57 AM, Deon George <email address hidden> wrote:

> Fix committed upstream. Will be available in release after 1.2.0.1.
>
> Any bugs about PLA code should be submitted on sourceforge - they may
> not necessarily be seen here.

Changed in phpldapadmin (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpldapadmin - 1.2.0.5-1ubuntu1.10.04.1

---------------
phpldapadmin (1.2.0.5-1ubuntu1.10.04.1) lucid-proposed; urgency=low

  * New upstream release
    - Fix compatibility with PHP 5.3 (LP: #551269)
    - Fix error on renaming a CN (LP: #384157)
  * SECURITY UPDATE: Input passed via the "cmd" parameter to cmd.php is not
    properly verified before being used to include files. This can be
    exploited to include arbitrary files from local resources. (LP: #511189)
    - Fixed by upstream release
    - CVE-2009-4427
 -- Stefan Lesicnik <email address hidden> Fri, 14 May 2010 18:48:40 +0200

Changed in phpldapadmin (Ubuntu Lucid):
status: New → Fix Released