[Pkg-openldap-devel] Bug#253838: Security risk in libldap
jmm at inutil.org
Thu Nov 6 21:59:47 UTC 2008
On Mon, Oct 13, 2008 at 10:18:19PM +0200, Torsten Landschoff wrote:
> On Monday 13 October 2008 21:03:36 you wrote:
> > From: Rafal Kupka <kupson at kupson.fdns.net>
> > To: Debian Bug Tracking System <submit at bugs.debian.org>
> > Subject: libldap2 reads from ~/.ldaprc and $PWD/ldaprc while running
> > privileged programs
> > Date: Fri, 11 Jun 2004 14:21:48 +0200
> > Package: libldap2
> > Version: 2.1.30-1
> > Severity: normal
> > Tags: security
> > This bug is visible in systems with libnss-ldap and libpam-ldap.
> > Even privileged programs (like su) read configuration file from users
> > home and current directory (follows symlinks too).
> Ouch, I can't understand that I let this slip back then. I just checked the
> sources to OpenLDAP 2.4.11-1 and basically this report still applies.
> That is, libldap will gladly read $HOME/.ldaprc. The ldaprc in the current
> directory is not read for quite some time now, that misfeature was removed in
> Now, a ldaprc can be defined using the "LDAPRC" environment variable instead,
> which is not that much better. LDAPCONF will work as well.
> The RedHat fix can be found here, BTW:
> This completely disables the .ldaprc file, but LDAPRC and LDAPCONF environment
> variables would still work.
> I would like to apply a patch to disable LDAPRC, LDAPCONF and .ldaprc when the
> effective uid does not match the real uid.
Sounds like a good plan. What's the status of this fix for Lenny?
More information about the Pkg-openldap-devel