Bug 9113 - nss-pam-ldapd new security issue CVE-2013-0288
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/538863/
Whiteboard: MGA2-32-OK MGA2-64-OK
Keywords: validated_update
Reported: 2013-02-19 02:34 CET by David Walser
Modified: 2013-02-27 22:04 CET (History)

Source RPM: nss-pam-ldapd-0.8.6-3.mga2.src.rpm

Description David Walser 2013-02-19 02:34:05 CET
Debian has issued an advisory today (February 18):
http://www.debian.org/security/2013/dsa-2628

Cauldron is not affected as it was fixed upstream in 0.8.11.

There is an upstream advisory too:
http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
Comment 1 Guillaume Rousse 2013-02-23 13:45:27 CET
I just submitted 0.8.6-3.1.mga2 in updates_testing, using upstream patch to fix the issue.

I propose the following summary of upstream advisory for our own:

Garth Mollett discovered that a file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer overflow. An attacker could, under some circumstances, use this flaw to cause a process that has the NSS or PAM module loaded to crash or potentially execute arbitrary code.

The issue can be triggered in a network daemon by opening a large number of connections and forcing a name lookup. This would result in a crash and possibly remote code execution. This issue may also allow local privilege escalation if a suid program does name lookups and doesn't close file descriptors inherited from the parent process.

This problem has been assigned CVE-2013-0288.

See upstream advisory (http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288) for more details.
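The FD_SET() overflow the advisory describes, as an added illustration that is not code from nss-pam-ldapd or from this bug report: a bounds-checked wrapper that refuses descriptors at or above FD_SETSIZE, and a poll()-based alternative that has no such limit. The names fd_set_checked and wait_readable are my own; main() raises the soft descriptor limit, as "ulimit -n 1152" does, so that a descriptor above FD_SETSIZE can be created and shown being rejected.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* fd_set is a fixed bitmap of FD_SETSIZE bits (1024 on glibc). FD_SET() does no
 * bounds check, so a descriptor >= FD_SETSIZE writes past the bitmap; with the
 * fd_set on the stack that is the overflow behind CVE-2013-0288.
 * Returns 0 on success, -1 with errno = EINVAL if fd cannot be represented. */
int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Safer alternative: poll() takes descriptors of any value, so FD_SETSIZE does
 * not apply. Returns 1 if readable, 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc < 0) return -1;
    return (rc > 0 && (pfd.revents & POLLIN)) ? 1 : 0;
}

/* Demo: raise the soft limit (like "ulimit -n 1152"), create a descriptor above
 * FD_SETSIZE with dup2(), and show the checked wrapper refusing it. */
int main(void)
{
    struct rlimit rl;
    fd_set set;
    int high = FD_SETSIZE + 5;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_max > (rlim_t)high) {
        rl.rlim_cur = rl.rlim_max;
        setrlimit(RLIMIT_NOFILE, &rl);
    }
    FD_ZERO(&set);
    if (dup2(STDIN_FILENO, high) == high)
        printf("fd %d exists; FD_SET refused (-1 = yes): %d\n", high, fd_set_checked(high, &set));
    else
        printf("cannot create fd %d: %s\n", high, strerror(errno));
    return 0;
}
```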
Comment 2 David Walser 2013-02-23 14:34:28 CET
Thanks Guillaume.  I don't see a subrel in the package that was just built in updates_testing.  It probably needs to be rebuilt.
Comment 3 Guillaume Rousse 2013-02-23 15:57:29 CET
I forgot to commit changes first... I just submitted a new release.
Comment 4 David Walser 2013-02-23 16:09:41 CET
Thanks Guillaume!  Assigning to QA.

See the advisory in Comment 1.  References are listed in Comment 0.
Comment 5 claire robinson 2013-02-24 18:04:22 CET
Possible PoC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690319
Comment 6 Dave Hodgins 2013-02-27 01:36:09 CET
Testing complete on Mageia 2 i586.

In the PoC code for bug.c, you have to change the path from /usr/bin/id to /bin/id.
In /etc/nsswitch.conf, add ldap after files for passwd, shadow, and group.

Running "time /home/dave/bug foobar" before installing the update shows
it timing out after 20 seconds. (The user foobar is not a valid user.)
After installing the update, the response is immediate.

Testing x86_64 shortly.
Comment 7 Dave Hodgins 2013-02-27 01:52:25 CET
Forgot to mention in comment 6: before running the bug, you have to
manually install nss-pam-ldapd and run "ulimit -n 1152".

Testing complete on Mageia 2 x86_64.

Could someone from the sysadmin team push the srpm
nss-pam-ldapd-0.8.6-3.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

Advisory: Garth Mollett discovered that a file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer overflow. An attacker could, under some circumstances, use this flaw to cause a process that has the NSS or PAM module loaded to crash or potentially execute arbitrary code.

The issue can be triggered in a network daemon by opening a large number of connections and forcing a name lookup. This would result in a crash and possibly remote code execution. This issue may also allow local privilege escalation if a suid program does name lookups and doesn't close file descriptors inherited from the parent process.

This problem has been assigned CVE-2013-0288.

References: http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
https://bugs.mageia.org/show_bug.cgi?id=9113
Comment 8 Thomas Backlund 2013-02-27 22:04:11 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0071
