A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.
Ensure that only highly privileged accounts (Directory Manager or explicitly delegated ACI administrators) have write access to the 'aci' attribute. Review existing ACIs for overly broad targetattr rules (especially negated rules like targetattr!="..." or wildcards like targetattr="*") that may inadvertently grant regular users write access to operational attributes including 'aci'. The 389 DS ACI linting tool (lib389) can help identify such misconfigurations.