RHEL-56502

OpenLDAP should leak the SSL ctx and not try to free it in a destructor


    • Bug
    • Resolution: Done-Errata
    • Major
    • rhel-9.6
    • rhel-10.0
    • openldap
    • None
    • openldap-2.6.8-1.el9
    • No
    • Important
    • rhel-idm-ds
    • ssg_idm
    • 26
    • 0
    • False
    • False
    • None
    • Yes
    • None
    • Bug Fix
    • OpenLDAP library no longer fails when trying to free resources

      Before this update, the OpenLDAP library tried to release memory by using the `SSL_CTX_free()` function in its destructor when an application had already cleaned up these resources by invoking the `OPENSSL_cleanup()` function, either directly or via the `atexit()` function. As a consequence, users experienced failures or undefined behavior when the invalid `SSL_CTX_free()` call tried to release already-cleaned-up SSL context resources.

      With this update, a safe cleanup function has been added that skips SSL context cleanup in OpenLDAP's destructor. As a result, the SSL context now leaks if it is not explicitly freed, ensuring a stable application shutdown.
    • Done
    • None

      As mentioned in the subject, OpenLDAP incorrectly handles OpenSSL in its destructor.

      Comprehensive information can be found here (along with a possible solution):
      https://github.com/openssl/openssl/issues/25294

      Additionally, there's an OpenLDAP bug opened - https://bugs.openldap.org/show_bug.cgi?id=9952
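      The release note and the description above describe the same shutdown-ordering problem: `OPENSSL_cleanup()` runs first (directly or from an `atexit()` handler), then the library destructor calls `SSL_CTX_free()` on a context whose library state is already gone. The following C program is an added, constructed model of that sequence and of the fix as the release note states it (the destructor skips the free and leaks the context); it is not OpenLDAP's or OpenSSL's code. `mock_ssl_ctx`, `mock_ssl_ctx_free()`, `mock_openssl_cleanup()`, `tls_init()`, `tls_destroy()`, `destructor_before_fix()`, `destructor_after_fix()`, `simulate_shutdown()` and `leaked_contexts()` are all hypothetical names; the mock only counts calls, so the sequence that is undefined behaviour with real OpenSSL is recorded here instead of crashing.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for OpenSSL's SSL_CTX.  Every live mock context is
 * tracked in `registry` so that contexts the fixed destructor deliberately
 * leaves behind can be counted (and stay reachable for leak checkers).
 */
typedef struct mock_ssl_ctx { char tag[8]; } mock_ssl_ctx;

#define MAX_CTX 16
static mock_ssl_ctx *registry[MAX_CTX];
static int openssl_cleaned_up = 0;   /* set once mock OPENSSL_cleanup() has run     */
static int frees_after_cleanup = 0;  /* SSL_CTX_free() calls issued after cleanup   */

static mock_ssl_ctx *mock_ssl_ctx_new(void)
{
    for (int i = 0; i < MAX_CTX; i++) {
        if (registry[i] == NULL) {
            registry[i] = malloc(sizeof(mock_ssl_ctx));
            if (registry[i] == NULL)
                abort();
            strcpy(registry[i]->tag, "ctx");
            return registry[i];
        }
    }
    abort();                         /* model exhausted; never reached here */
}

/* Stand-in for SSL_CTX_free(): with real OpenSSL, a call after
 * OPENSSL_cleanup() is the undefined behaviour the release note describes. */
static void mock_ssl_ctx_free(mock_ssl_ctx *c)
{
    if (c == NULL)
        return;
    if (openssl_cleaned_up)
        frees_after_cleanup++;
    for (int i = 0; i < MAX_CTX; i++)
        if (registry[i] == c)
            registry[i] = NULL;
    free(c);
}

/* Stand-in for OPENSSL_cleanup(): the application's atexit() handler or a
 * direct call, which in the reported sequence runs before the destructor. */
static void mock_openssl_cleanup(void)
{
    openssl_cleaned_up = 1;
}

/* Library-wide TLS context, as a library like OpenLDAP keeps it. */
static mock_ssl_ctx *lib_ctx = NULL;

void tls_init(void)
{
    if (lib_ctx == NULL)
        lib_ctx = mock_ssl_ctx_new();
}

/* Explicit teardown for applications that free the context themselves,
 * while OpenSSL is still initialised. */
void tls_destroy(void)
{
    mock_ssl_ctx_free(lib_ctx);
    lib_ctx = NULL;
}

/* Before the fix: the library destructor frees unconditionally. */
void destructor_before_fix(void)
{
    mock_ssl_ctx_free(lib_ctx);
    lib_ctx = NULL;
}

/* After the fix: the destructor skips SSL_CTX_free().  The context is
 * intentionally leaked; shutdown never touches OpenSSL state again. */
void destructor_after_fix(void)
{
    lib_ctx = NULL;
}

/*
 * Run one shutdown in the order the release note describes: optional
 * explicit tls_destroy(), then OPENSSL_cleanup(), then the destructor.
 * Returns how many SSL_CTX_free() calls landed after cleanup (0 is safe).
 */
int simulate_shutdown(int fixed_destructor, int app_calls_tls_destroy)
{
    openssl_cleaned_up = 0;
    frees_after_cleanup = 0;
    lib_ctx = NULL;
    tls_init();
    if (app_calls_tls_destroy)
        tls_destroy();
    mock_openssl_cleanup();
    if (fixed_destructor)
        destructor_after_fix();
    else
        destructor_before_fix();
    return frees_after_cleanup;
}

/* Mock contexts never freed so far: the leak the fix accepts. */
int leaked_contexts(void)
{
    int n = 0;
    for (int i = 0; i < MAX_CTX; i++)
        if (registry[i] != NULL)
            n++;
    return n;
}

int main(void)
{
    int bug = simulate_shutdown(0, 0);   /* 1: free after cleanup          */
    int fix = simulate_shutdown(1, 0);   /* 0: destructor leaks instead    */
    int leaked = leaked_contexts();      /* 1: the context the fix left    */
    return (bug == 1 && fix == 0 && leaked == 1) ? 0 : 1;
}
```

      The trade-off the model makes visible is the one the release note states: the fixed destructor never issues a free after `OPENSSL_cleanup()`, at the cost of one context that stays allocated unless the application frees it explicitly before shutdown. When checking a real build, a shutdown-time crash or sanitizer report in `SSL_CTX_free()` reached from a library destructor is the symptom to look for.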

              Simon Pichugin (spichugi@redhat.com)
              Simon Pichugin (spichugi@redhat.com)
              IdM DS Dev
              Viktor Ashirov
              Evgenia Martyniuk
              Votes: 0
              Watchers: 7
