Gentoo Logo

nss_ldap: Information disclosure

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200711-33 / nss_ldap
Release Date November 25, 2007
Latest Revision November 25, 2007: 01
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
sys-auth/nss_ldap < 258 >= 258 All supported architectures

Related bugreports: #198390

Synopsis

A race condition might lead to theft of user credentials or information disclosure in services using nss_ldap.

2.  Impact Information

Background

nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP.

Description

Josh Burley reported that nss_ldap does not properly handle the LDAP connections due to a race condition that can be triggered by multi-threaded applications using nss_ldap, which might lead to requested data being returned to a wrong process.

Impact

Remote attackers could exploit this race condition by sending queries to a vulnerable server using nss_ldap, possibly leading to theft of user credentials or information disclosure (e.g. Dovecot returning wrong mailbox contents).

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All nss_ldap users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/nss_ldap-258"

4.  References



Print

Page updated November 25, 2007

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.