slapd crashed with SIGSEGV in lutil_str2bin() when using mdb

StacktraceTop:
 lutil_str2bin (in=<optimized out>, out=0x7f0c76ffd430, ctx=0x7f0c70000ea0) at ../../../../libraries/liblutil/utils.c:812
 integerVal2Key (in=<optimized out>, tmp=<optimized out>, ctx=<optimized out>, key=<optimized out>) at ../../../../servers/slapd/schema_init.c:2545
 integerIndexer (use=<optimized out>, flags=<optimized out>, syntax=<optimized out>, mr=<optimized out>, prefix=<optimized out>, values=0x7f0c70001bb8, keysp=0x7f0c76ffd570, ctx=0x7f0c70000ea0) at ../../../../servers/slapd/schema_init.c:2634
 indexer (op=0x7f0c70000900, txn=<optimized out>, ai=<optimized out>, atname=0x7f208f9657b8, vals=0x7f0c70001bb8, id=4103, opid=2, mask=4, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:211
 index_at_values (op=0x7f0c70000900, txn=0x7f0c70100f80, type=0x7f208f965750, tags=0x7f208f965900, vals=0x7f0c70001bb8, id=4103, opid=2, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:337

StacktraceTop:
 lutil_str2bin (in=<optimized out>, out=0x7f0c76ffd430, ctx=0x7f0c70000ea0) at ../../../../libraries/liblutil/utils.c:812
 integerVal2Key (in=<optimized out>, tmp=<optimized out>, ctx=<optimized out>, key=<optimized out>) at ../../../../servers/slapd/schema_init.c:2545
 integerIndexer (use=<optimized out>, flags=<optimized out>, syntax=<optimized out>, mr=<optimized out>, prefix=<optimized out>, values=0x7f0c70001bb8, keysp=0x7f0c76ffd570, ctx=0x7f0c70000ea0) at ../../../../servers/slapd/schema_init.c:2634
 indexer (op=0x7f0c70000900, txn=<optimized out>, ai=<optimized out>, atname=0x7f208f9657b8, vals=0x7f0c70001bb8, id=4103, opid=2, mask=4, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:211
 index_at_values (op=0x7f0c70000900, txn=0x7f0c70100f80, type=0x7f208f965750, tags=0x7f208f965900, vals=0x7f0c70001bb8, id=4103, opid=2, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:337

Status changed to 'Confirmed' because the bug affects multiple users.

Here's the linked patch as a file.

Triaged: Has the upstream patch to fix it.

The attachment "its-7174-lutil_str2bin-cant-modify-input-strings.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Here's a test scenario that will fail on 12.04 (but not when the patch is applied), and will not fail on 12.10 and up:

[Test Case]
1. Install OpenLDAP (apt-get install slapd ldap-utils)
2. Run testbug.sh as root (WARNING: this will wipe /etc/ldap/slapd.d and /var/lib/ldap, do this on a clean install)
3. Run "ldapdelete -x -D cn=admin,dc=example,dc=com -w test -H ldap:/// 'uid=johndoe,dc=example,dc=com'
4. - Expected result: The delete action succeeds, "ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com 'uid=johndoe'" should return nothing.
   - Actual result: slapd crashes with SIGSEGV (see /var/log/syslog). The entry is not deleted.

Marking Fix released because original description said that it's already fixed:
'which is fixed in later versions of Ubuntu (it was fixed in OpenLDAP 2.4.30), but not in precise.'

I've reviewed and tested this. I failed to reproduce in Saucy as expected. I reproduced in Precise, verified that this patch fixes the bug, and reviewed the patch itself. Uploaded, with some help from cjwatson and infinity for ~ubuntu-server-dev packageset permissions.

I made one modification: I added dep3 headers to the quilt patch. Please see http://dep.debian.net/deps/dep3/ for details.

Hello Roel, or anyone else affected,

Accepted openldap into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openldap/2.4.28-1.1ubuntu4.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I tested version 2.4.28-1.1ubuntu4.4 and slapd doesn't crash anymore. Delete operations are performed correctly.

Thank you for your testing.

This bug was fixed in the package openldap - 2.4.28-1.1ubuntu4.4

---------------
openldap (2.4.28-1.1ubuntu4.4) precise-proposed; urgency=low

  * Backport fix for back-mdb, fixes crash when deleting an entry
    that contains an indexed numeric attribute (LP: #1216650):
    - d/patches/its-7174-lutil_str2bin-cant-modify-input-strings.patch:
      Upstream patch to make sure that lutil_str2bin does not
      attempt to modify its input.
 -- Roel Standaert <email address hidden> Sat, 31 Aug 2013 08:29:45 +0200

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.