[Pkg-openldap-devel] r750 - in openldap/trunk-2.1: debian libraries/libldap
Steve Langasek
vorlon at alioth.debian.org
Tue Nov 14 01:54:38 CET 2006
Author: vorlon
Date: 2006-11-14 01:54:38 +0100 (Tue, 14 Nov 2006)
New Revision: 750
Modified:
openldap/trunk-2.1/debian/changelog
openldap/trunk-2.1/libraries/libldap/init.c
Log:
Don't check for user configuration files when the caller is setuid; addresses
#387467, which is a potential security hole allowing libnss-ldap settings to
be overridden. Thanks to Stephen Frost for bringing this to my attention.
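As an added example (not OpenLDAP's code and not part of this commit), the C program below shows the hardened form of the check the log message describes: it refuses to look at per-user configuration when either the uid or the gid of the process differs from the invoking user's, and keeps the decision in a pure function so it can be exercised without building a setuid binary. The `.ldaprc` file name and the `$HOME`-relative path are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure decision function: returns 1 when the process runs with privileges
 * that differ from those of the user who invoked it, i.e. anything the user
 * controls (per-user config files, HOME) must not be trusted. This extends
 * the uid-only test from the commit with the matching gid test, because a
 * setgid binary gives the invoking user the same kind of influence. */
int privileged_context(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Apply the test to the current process. */
int running_privileged(void)
{
    return privileged_context(getuid(), geteuid(), getgid(), getegid());
}

/* Build "<home>/<file>" into buf, or return NULL when the caller is privileged,
 * when home is missing or not absolute, or when the result would not fit.
 * home is passed in (rather than read here) so the logic is testable without
 * touching the environment. */
char *user_config_path(const char *home, const char *file, int privileged,
                       char *buf, size_t buflen)
{
    if (privileged)                      /* setuid/setgid: skip user config */
        return NULL;
    if (home == NULL || home[0] != '/' || file == NULL)
        return NULL;
    int n = snprintf(buf, buflen, "%s/%s", home, file);
    if (n < 0 || (size_t)n >= buflen)    /* truncated: refuse a partial path */
        return NULL;
    return buf;
}

int main(void)
{
    char path[4096];
    /* .ldaprc is an assumed file name for this example. */
    const char *p = user_config_path(getenv("HOME"), ".ldaprc",
                                     running_privileged(), path, sizeof path);
    printf("per-user config: %s\n", p ? p : "(skipped: privileged caller)");
    return 0;
}
```

Keeping the decision separate from the path construction means the privileged branch is reached before any user-controlled value (HOME) is examined, which is the order the commit establishes in init.c. On glibc, secure_getenv() gives the same protection for individual environment lookups.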
Modified: openldap/trunk-2.1/debian/changelog
===================================================================
--- openldap/trunk-2.1/debian/changelog 2006-11-12 10:08:20 UTC (rev 749)
+++ openldap/trunk-2.1/debian/changelog 2006-11-14 00:54:38 UTC (rev 750)
@@ -1,8 +1,12 @@
openldap2 (2.1.30-14) UNRELEASED; urgency=low
* Acknowledge l10n NMUs; thanks, Christian!
+ * Don't check for user configuration files when the caller is setuid;
+ addresses #387467, which is a potential security hole allowing
+ libnss-ldap settings to be overridden. Thanks to Stephen Frost for
+ bringing this to my attention.
- -- Steve Langasek <vorlon at debian.org> Thu, 9 Nov 2006 19:00:33 -0800
+ -- Steve Langasek <vorlon at debian.org> Mon, 13 Nov 2006 16:43:04 -0800
openldap2 (2.1.30-13.2) unstable; urgency=low
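Review bot: the new entry cites the bug as "addresses #387467", which the Debian BTS does not recognise, so the bug will not be closed automatically on upload; if that is the intent, write it as "(Closes: #387467)". The distribution is also still UNRELEASED, so the entry will need to be finalised before the package is built for upload.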
Modified: openldap/trunk-2.1/libraries/libldap/init.c
===================================================================
--- openldap/trunk-2.1/libraries/libldap/init.c 2006-11-12 10:08:20 UTC (rev 749)
+++ openldap/trunk-2.1/libraries/libldap/init.c 2006-11-14 00:54:38 UTC (rev 750)
@@ -252,6 +252,12 @@
char *home;
char *path = NULL;
+ if (getuid() != geteuid()) {
+ /* Caller is setuid -- don't read any per-user configs in
+ these circumstances, as this may not be safe */
+ return;
+ }
+
if (file == NULL) {
/* no file name */
return;
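Review bot: the guard `if (getuid() != geteuid())` only detects a setuid caller; a setgid program passes it with unchanged uids while its real and effective gids differ, and still reads user-controlled configuration with elevated group privileges. Widen the condition to `if (getuid() != geteuid() || getgid() != getegid())`, or use the platform's dedicated test where one exists (issetugid() on the BSDs, AT_SECURE via getauxval() on glibc), which also stays true after a program has dropped its effective ids back to the real ones. The comment should then say "setuid or setgid" to match.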