nss_ldap: Information disclosure

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200711-33 / nss_ldap
Release Date: November 25, 2007
Latest Revision: November 25, 2007: 01
Impact: low
Exploitable: remote

Package: sys-auth/nss_ldap
Vulnerable versions: < 258
Unaffected versions: >= 258
Architecture(s): All supported architectures

Related bugreports: #198390

Synopsis

A race condition might lead to theft of user credentials or information disclosure in services using nss_ldap.

2.  Impact Information

Background

nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP.

Description

Josh Burley reported that nss_ldap does not properly handle its LDAP connections: a race condition, which can be triggered by multi-threaded applications using nss_ldap, might lead to requested data being returned to the wrong process.

Impact

Remote attackers could exploit this race condition by sending queries to a vulnerable server using nss_ldap, possibly leading to theft of user credentials or information disclosure (e.g. Dovecot returning wrong mailbox contents).

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All nss_ldap users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/nss_ldap-258"
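
To confirm which hosts still fall in the vulnerable range before or after the upgrade, the following is an added example and not part of the advisory. The function names nss_ldap_status and audit_vdb are hypothetical, and it assumes installed packages appear as <category>/<name>-<version> directories under the Portage VDB (default /var/db/pkg); versions with a trailing letter are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit installed nss_ldap versions
# against the GLSA 200711-33 range (vulnerable: < 258, unaffected: >= 258).
# Assumption: installed packages are recorded as directories named
# <category>/<name>-<version> under the Portage VDB (default /var/db/pkg).

FIXED=258   # first unaffected version, from the advisory

# nss_ldap_status VERSION -> vulnerable | unaffected | unknown
nss_ldap_status() {
    ver=${1%-r[0-9]*}            # drop the Gentoo revision (-r1, -r2, ...)
    base=${ver%%_*}              # version without an _rc/_pre/_p suffix
    major=${base%%.*}            # the threshold is a bare integer, so the
                                 # first numeric component decides
    case $major in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ "$major" -lt "$FIXED" ]; then
        echo vulnerable; return 1
    fi
    # Pre-release suffixes sort *before* the plain version in Gentoo, so
    # 258_rc1 is older than 258 and still inside the vulnerable range.
    if [ "$base" = "$FIXED" ]; then
        case $ver in
            *_alpha*|*_beta*|*_pre*|*_rc*) echo vulnerable; return 1 ;;
        esac
    fi
    echo unaffected
}

# audit_vdb [VDB_ROOT] -> one "<version> <status>" line per installed copy;
# exit status is non-zero if any copy is vulnerable or unparsable.
audit_vdb() {
    root=${1:-/var/db/pkg}
    rc=0
    for dir in "$root"/sys-auth/nss_ldap-[0-9]*; do
        [ -d "$dir" ] || continue          # glob did not match: not installed
        v=${dir##*/nss_ldap-}
        status=$(nss_ldap_status "$v") || rc=1
        echo "$v $status"
    done
    return $rc
}
```

Calling audit_vdb with no argument checks the local host; services that loaded the old module need a restart after the upgrade before they use the fixed library.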

4.  References



Updated November 25, 2007

Summary: This is a Gentoo Linux Security Advisory

Security Team