Gentoo Logo

OpenLDAP, Gauche: RUNPATH issues


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200512-07 / OpenLDAP Gauche
Release Date December 15, 2005
Latest Revision December 30, 2007: 03
Impact low
Exploitable local
Package Vulnerable versions Unaffected versions Architecture(s)
net-nds/openldap < 2.2.28-r3 >= 2.2.28-r3, revision >= 2.1.30-r6 All supported architectures
dev-scheme/gauche < 0.8.6-r1 >= 0.8.6-r1 All supported architectures

Related bugreports: #105380, #112577


OpenLDAP and Gauche suffer from RUNPATH issues that may allow users in the "portage" group to escalate privileges.

2.  Impact Information


OpenLDAP is a suite of LDAP-related application and development tools. Gauche is an R5RS Scheme interpreter.


Gentoo packaging for OpenLDAP and Gauche may introduce insecure paths into the list of directories that are searched for libraries at runtime.


A local attacker, who is a member of the "portage" group, could create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent binary, potentially resulting in privilege escalation.

3.  Resolution Information


Only grant "portage" group rights to trusted users.


All OpenLDAP users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose net-nds/openldap

All Gauche users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-scheme/gauche-0.8.6-r1"

4.  References


Page updated December 15, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.