Date: Tue, 24 Mar 2009 20:19:52 -0600 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap * [2009-03-24 21:05:49 -0400] Steven M. Christey wrote: >> >2, libnss-ldapd / nss_ldap: LDAP service configuration file >> > shipped with world readable permissions >> > References: >> > https://bugzilla.redhat.com/show_bug.cgi?id=491623 >> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520476 >> >> On a side note, this is pretty specific to libnss-ldapd and not so much >> nss_ldap. > >So, the various bug reports and followups list: > > libnss-ldapd > nss_ldap > nss-ldapd > openldap > >Which package is actually affected and what versions might they be? nss-ldapd is the name of the upstream package. I suppose Debian and others may package it with a package name of libnss-ldapd. nss-ldapd is a fork of nss_ldap... I don't know enough to say how much it differs, but for nss_ldap at least, /etc/ldap.conf should be world-readable (or at least typically is, with no real exposure since using non-anonymous binds to LDAP would be unusual -- at least from everything I've seen and done with LDAP authentication). /etc/ldap.conf has nothing to do with openldap and while the filename, and probably file contents are the same, it sounds like libnss-ldap may require more protection and/or be meant to run with a protected configuration file. It also, and someone correct me if I'm wrong, be due to the debian package allowing someone to specify a bindpw at install and then not protecting the file contents if someone does specify a bindpw. With RHEL and Fedora, there are no mechanisms to ask a user for a bindpw (because it is not typical), so we would expect that an admin who puts a bindpw in there for a user that is meant to be protected (i.e. something other than an unprivileged user that suits the criteria for anonymous binds for the purpose of obtaining certain non-privileged user information), would also adequately protect the file when manually setting the password. And, if that is the case, then I would argue this is a debconf-specific issue for this package than a general nss-ldapd-specific issue. In fact, if you look here: http://ch.tudelft.nl/~arthur/nss-ldapd/news.html#20090322 you'll see that this is noted as a "security problem in ... the Debian package configuration". >Use CVE-2009-1073, to be filled in once I have some more detail. -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.