Debian has issued an advisory today (February 18): http://www.debian.org/security/2013/dsa-2628 Cauldron is not affected as it was fixed upstream in 0.8.11. There is an upstream advisory too: http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
I just submitted 0.8.6-3.1.mga2 in updates_testing, using upstream patch to fix the issue. I propose the following summary of the upstream advisory for our own: Garth Mollett discovered that a file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer overflow. An attacker could, under some circumstances, use this flaw to cause a process that has the NSS or PAM module loaded to crash or potentially execute arbitrary code. The issue can be triggered in a network daemon by opening a large number of connections and forcing a name lookup. This would result in a crash and possibly remote code execution. This issue may also allow local privilege escalation if a suid program does name lookups and doesn't close file descriptors inherited from the parent process. This problem has been assigned CVE-2013-0288. See upstream advisory (http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288) for more details.
Status: NEW => ASSIGNED
Thanks Guillaume. I don't see a subrel in the package that was just built in updates_testing. It probably needs to be rebuilt.
I forgot to commit changes first... I just submitted a new release;
Thanks Guillaume! Assigning to QA. See the advisory in Comment 1. References are listed in Comment 0.
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Possible PoC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690319
Testing complete on Mageia 2 i586. In the poc code for bug.c, have to change the path from /usr/bin/id to /bin/id. In /etc/nsswitch.conf add ldap after files for passwd, shadow, and group. Running "time /home/dave/bug foobar" before installing the update shows it's timing out after 20 seconds. (The user foobar is not a valid user). After installing the update, the response is immediate. Testing x86_64 shortly.
CC: (none) => davidwhodgins
Forgot to mention in comment 6, before running the bug, have to manually install nss-pam-ldapd and run "ulimit -n 1152". Testing complete on Mageia 2 x86_64. Could someone from the sysadmin team push the srpm nss-pam-ldapd-0.8.6-3.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Garth Mollett discovered that a file descriptor overflow issue in the use of FD_SET() in nss-pam-ldapd can lead to a stack-based buffer overflow. An attacker could, under some circumstances, use this flaw to cause a process that has the NSS or PAM module loaded to crash or potentially execute arbitrary code. The issue can be triggered in a network daemon by opening a large number of connections and forcing a name lookup. This would result in a crash and possibly remote code execution. This issue may also allow local privilege escalation if a suid program does name lookups and doesn't close file descriptors inherited from the parent process. This problem has been assigned CVE-2013-0288. References: http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288 https://bugs.mageia.org/show_bug.cgi?id=9113
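The advisory text above (in Comment 1 and repeated in this comment) describes the bug class: FD_SET() sets a bit in a fixed-size fd_set indexed by the descriptor number, so a descriptor numbered FD_SETSIZE or higher writes past the end of a stack-allocated set. The following is an added illustration written for this bug report, not code from nss-pam-ldapd or from the upstream fix. It shows the two defensive patterns: a range check before FD_SET(), and a poll()-based wait that has no FD_SETSIZE ceiling at all. The function names (safe_fd_set, wait_readable_select, wait_readable_poll, run_pipe_checks) are ours; the self-test uses a pipe constructed inline.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Returns 0 on success, -1 with errno = EINVAL if fd cannot be represented
 * in an fd_set. Without this check, FD_SET(fd, set) for fd >= FD_SETSIZE
 * (1024 on glibc) writes outside the set, which is the stack overflow the
 * advisory describes. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Convenience wrapper for testing: does a fresh fd_set accept this fd? */
int fd_set_accepts(int fd)
{
    fd_set s;
    FD_ZERO(&s);
    return safe_fd_set(fd, &s);
}

/* Wait for fd to become readable with select(), guarded by safe_fd_set().
 * Returns 1 if readable, 0 on timeout, -1 on error (including fd out of
 * range, which is rejected before any fd_set is touched). */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    FD_ZERO(&rfds);
    if (safe_fd_set(fd, &rfds) != 0)
        return -1;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return (rc > 0 && FD_ISSET(fd, &rfds)) ? 1 : 0;
}

/* Same wait using poll(): the kernel receives an explicit array of pollfd
 * entries, so a large descriptor number indexes nothing and cannot corrupt
 * memory. This is the usual remedy when a process may hold many fds. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd;
    pfd.fd = fd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc < 0)
        return -1;
    return (rc > 0 && (pfd.revents & (POLLIN | POLLHUP))) ? 1 : 0;
}

/* Self-check on a constructed pipe: empty pipe times out for both waits,
 * and after one byte is written both report readable. Returns the number
 * of checks that passed (4 when everything works), or -1 if pipe() fails. */
int run_pipe_checks(void)
{
    int p[2], ok = 0;
    if (pipe(p) != 0)
        return -1;
    if (wait_readable_select(p[0], 0) == 0) ok++;
    if (wait_readable_poll(p[0], 0) == 0) ok++;
    if (write(p[1], "x", 1) == 1) {
        if (wait_readable_select(p[0], 100) == 1) ok++;
        if (wait_readable_poll(p[0], 100) == 1) ok++;
    }
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    printf("FD_SETSIZE = %d\n", FD_SETSIZE);
    printf("fd 3 accepted: %d\n", fd_set_accepts(3));
    printf("fd FD_SETSIZE accepted: %d (errno %d)\n",
           fd_set_accepts(FD_SETSIZE), errno);
    printf("pipe checks passed: %d/4\n", run_pipe_checks());
    return 0;
}
```

The comment above notes that the PoC needed "ulimit -n 1152" before it would trigger: that raises the per-process limit above FD_SETSIZE so a descriptor number large enough to overflow the set can exist at all. The guard in safe_fd_set() turns that situation into a clean EINVAL instead of a stack write, and wait_readable_poll() sidesteps the limit entirely.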
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA2-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0071
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED