| Summary: | nss-pam-ldapd new security issue CVE-2013-0288 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/538863/ | ||
| Whiteboard: | MGA2-32-OK MGA2-64-OK | ||
| Source RPM: | nss-pam-ldapd-0.8.6-3.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-02-19 02:34:05 CET

I just submitted 0.8.6-3.1.mga2 in updates_testing, using upstream patch to fix the issue.

I propose the following summary of upstream advisory for our own:

Garth Mollett discovered that a file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer overflow. An attacker could, under some circumstances, use this flaw to cause a process that has the NSS or PAM module loaded to crash or potentially execute arbitrary code. The issue can be triggered in a network daemon by opening a large number of connections and forcing a name lookup. This would result in a crash and possibly remote code execution. This issue may also allow local privilege escalation if a suid program does name lookups and doesn't close file descriptors inherited from the parent process. This problem has been assigned CVE-2013-0288.

See upstream advisory (http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288) for more details.

Status: NEW => ASSIGNED

Thanks Guillaume. I don't see a subrel in the package that was just built in updates_testing. It probably needs to be rebuilt.

I forgot to commit changes first... I just submitted a new release.

Thanks Guillaume! Assigning to QA. See the advisory in Comment 1. References are listed in Comment 0.

CC: (none) => guillomovitch

Possible PoC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690319

Testing complete on Mageia 2 i586. In the poc code for bug.c, have to change the path from /usr/bin/id to /bin/id. In /etc/nsswitch.conf, add ldap after files for passwd, shadow, and group. Running "time /home/dave/bug foobar" before installing the update shows it's timing out after 20 seconds. (The user foobar is not a valid user.) After installing the update, the response is immediate. Testing x86_64 shortly.

CC: (none) => davidwhodgins

Forgot to mention in comment 6, before running the bug, have to manually install nss-pam-ldapd and run "ulimit -n 1152".

Testing complete on Mageia 2 x86_64. Could someone from the sysadmin team push the srpm nss-pam-ldapd-0.8.6-3.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Garth Mollett discovered that a file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer overflow. An attacker could, under some circumstances, use this flaw to cause a process that has the NSS or PAM module loaded to crash or potentially execute arbitrary code. The issue can be triggered in a network daemon by opening a large number of connections and forcing a name lookup. This would result in a crash and possibly remote code execution. This issue may also allow local privilege escalation if a suid program does name lookups and doesn't close file descriptors inherited from the parent process. This problem has been assigned CVE-2013-0288.

References:
http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
https://bugs.mageia.org/show_bug.cgi?id=9113

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0071

Status: ASSIGNED => RESOLVED
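The defensive pattern behind the advisory above, as an added C example that is not nss-pam-ldapd's code or the upstream patch: `checked_fd_set` shows the bounds check FD_SET() requires (a descriptor at or above FD_SETSIZE would otherwise write past the end of an fd_set, typically on the stack), and `wait_readable` shows the poll()-based alternative that has no FD_SETSIZE ceiling; `pipe_demo` is a constructed self-check, and all three names are hypothetical.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* checked_fd_set (hypothetical helper): FD_SET(fd, set) assumes
 * 0 <= fd < FD_SETSIZE; a larger fd sets a bit past the end of the
 * fd_set, which is the stack buffer overflow behind CVE-2013-0288.
 * Returns 0 if the bit was set, -1 with errno=EINVAL otherwise. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* wait_readable (hypothetical helper): wait up to timeout_ms for fd
 * to become readable via poll(), which has no FD_SETSIZE ceiling and
 * so is safe for any fd a process can hold (e.g. after "ulimit -n 1152").
 * Returns 1 if readable or hung up, 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r = poll(&p, 1, timeout_ms);
    if (r <= 0)
        return r;            /* 0 = timeout, -1 = error */
    return (p.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : 0;
}

/* pipe_demo: constructed self-check. Creates a pipe, optionally writes
 * one byte, and returns wait_readable() on the read end (50 ms timeout):
 * expected 1 when with_data != 0, 0 otherwise. */
int pipe_demo(int with_data)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    if (with_data && write(fds[1], "x", 1) != 1)
        return -1;
    int r = wait_readable(fds[0], 50);
    close(fds[0]);
    close(fds[1]);
    return r;
}
```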