Gentoo Logo

OpenLDAP, Gauche: RUNPATH issues

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200512-07 / OpenLDAP Gauche
Release Date December 15, 2005
Latest Revision December 30, 2007: 03
Impact low
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
net-nds/openldap < 2.2.28-r3 >= 2.2.28-r3, revision >= 2.1.30-r6 All supported architectures
dev-scheme/gauche < 0.8.6-r1 >= 0.8.6-r1 All supported architectures

Related bugreports: #105380, #112577

Synopsis

OpenLDAP and Gauche suffer from RUNPATH issues that may allow users in the "portage" group to escalate privileges.

2.  Impact Information

Background

OpenLDAP is a suite of LDAP-related application and development tools. Gauche is an R5RS Scheme interpreter.

Description

Gentoo packaging for OpenLDAP and Gauche may introduce insecure paths into the list of directories that are searched for libraries at runtime.

Impact

A local attacker, who is a member of the "portage" group, could create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent binary, potentially resulting in privilege escalation.

3.  Resolution Information

Workaround

Only grant "portage" group rights to trusted users.

Resolution

All OpenLDAP users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose net-nds/openldap

All Gauche users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-scheme/gauche-0.8.6-r1"

4.  References

Print

Page updated December 15, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.