[Pkg-openldap-devel] Bug#253838: Security risk in libldap
Moritz Muehlenhoff
jmm at inutil.org
Thu Nov 20 22:37:34 UTC 2008
On Thu, Nov 06, 2008 at 10:59:47PM +0100, Moritz Muehlenhoff wrote:
> On Mon, Oct 13, 2008 at 10:18:19PM +0200, Torsten Landschoff wrote:
> > On Monday 13 October 2008 21:03:36 you wrote:
> > > From: Rafal Kupka <kupson at kupson.fdns.net>
> > > To: Debian Bug Tracking System <submit at bugs.debian.org>
> > > Subject: libldap2 reads from ~/.ldaprc and $PWD/ldaprc while running
> > > privileged programs
> > > Date: Fri, 11 Jun 2004 14:21:48 +0200
> > > Package: libldap2
> > > Version: 2.1.30-1
> > > Severity: normal
> > > Tags: security
> > >
> > > This bug is visible in systems with libnss-ldap and libpam-ldap.
> > > Even privileged programs (like su) read configuration file from users
> > > home and current directory (follows symlinks too).
> >
> > Ouch, I can't understand that I let this slip back then. I just checked the
> > sources to OpenLDAP 2.4.11-1 and basically this report still applies.
> >
> > That is, libldap will gladly read $HOME/.ldaprc. The ldaprc in the current
> > directory is not read for quite some time now, that misfeature was removed in
> > 1998:
> > http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/init.c.diff?r1=1.8&r2=1.9&hideattic=1&sortbydate=0&f=h
> > Now, a ldaprc can be defined using the "LDAPRC" environment variable instead,
> > which is not that much better. LDAPCONF will work as well.
> >
> > The RedHat fix can be found here, BTW:
> > http://cvs.fedoraproject.org/viewvc/rpms/openldap/F-9/openldap-2.0.11-ldaprc.patch?revision=1.1&view=markup
> >
> > This completely disables the .ldaprc file, but LDAPRC and LDAPCONF environment
> > variables would still work.
> >
> > I would like to apply a patch to disable LDAPRC, LDAPCONF and .ldaprc when the
> > effective uid does not match the real uid.
>
> Sounds like a good plan. What's the status of this fix for Lenny?
*poke*
Cheers,
Moritz
More information about the Pkg-openldap-devel
mailing list