[Pkg-openldap-devel] Bug#253838: Security risk in libldap
Moritz Muehlenhoff
jmm at inutil.org
Thu Nov 6 21:59:47 UTC 2008
On Mon, Oct 13, 2008 at 10:18:19PM +0200, Torsten Landschoff wrote:
> On Monday 13 October 2008 21:03:36 you wrote:
> > From: Rafal Kupka <kupson at kupson.fdns.net>
> > To: Debian Bug Tracking System <submit at bugs.debian.org>
> > Subject: libldap2 reads from ~/.ldaprc and $PWD/ldaprc while running
> > privileged programs
> > Date: Fri, 11 Jun 2004 14:21:48 +0200
> > Package: libldap2
> > Version: 2.1.30-1
> > Severity: normal
> > Tags: security
> >
> > This bug is visible in systems with libnss-ldap and libpam-ldap.
> > Even privileged programs (like su) read the configuration file from the
> > user's home and current directory (following symlinks too).
>
> Ouch, I can't understand that I let this slip back then. I just checked the
> sources to OpenLDAP 2.4.11-1 and basically this report still applies.
>
> That is, libldap will gladly read $HOME/.ldaprc. The ldaprc in the current
> directory is not read for quite some time now, that misfeature was removed in
> 1998:
> http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/init.c.diff?r1=1.8&r2=1.9&hideattic=1&sortbydate=0&f=h
> Now, a ldaprc can be defined using the "LDAPRC" environment variable instead,
> which is not that much better. LDAPCONF will work as well.
>
> The RedHat fix can be found here, BTW:
> http://cvs.fedoraproject.org/viewvc/rpms/openldap/F-9/openldap-2.0.11-ldaprc.patch?revision=1.1&view=markup
>
> This completely disables the .ldaprc file, but LDAPRC and LDAPCONF environment
> variables would still work.
>
> I would like to apply a patch to disable LDAPRC, LDAPCONF and .ldaprc when the
> effective uid does not match the real uid.
Sounds like a good plan. What's the status of this fix for Lenny?
Cheers,
Moritz
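The check Torsten proposes (ignore LDAPRC, LDAPCONF and $HOME/.ldaprc whenever the effective uid differs from the real uid), as an added example written for this page and not OpenLDAP's own code. The function names, the treatment of LDAPCONF as a full path and LDAPRC as a file name under $HOME, and the extra refusal of names containing '/' are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Hypothetical helper, not OpenLDAP's own code: decide which
 * user-controlled configuration sources a libldap-style client may read.
 * Policy from the thread: when the effective uid (or gid) differs from the
 * real one, as in a setuid program such as su, ignore LDAPCONF, LDAPRC and
 * $HOME/.ldaprc entirely, since all three are chosen by the unprivileged
 * caller. Returns the number of paths written into out[] (0 when privileged).
 */
int ldap_user_config_candidates(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                                const char *home, const char *env_ldapconf,
                                const char *env_ldaprc,
                                char out[][256], int max)
{
    int n = 0;

    /* Privilege boundary: real and effective ids must match. */
    if (ruid != euid || rgid != egid)
        return 0;

    /* LDAPCONF (assumed here to be a full path to an alternative ldap.conf). */
    if (env_ldapconf && *env_ldapconf && n < max) {
        snprintf(out[n], 256, "%s", env_ldapconf);
        n++;
    }

    /* LDAPRC (assumed to name a file under $HOME; default .ldaprc). */
    const char *rc = (env_ldaprc && *env_ldaprc) ? env_ldaprc : ".ldaprc";
    /* Extra hardening added here: refuse names that could leave $HOME. */
    if (home && *home && n < max && strchr(rc, '/') == NULL) {
        snprintf(out[n], 256, "%s/%s", home, rc);
        n++;
    }
    return n;
}

/* Wrapper using the live process identity and environment. */
int ldap_user_config_for_self(char out[][256], int max)
{
    return ldap_user_config_candidates(getuid(), geteuid(), getgid(), getegid(),
                                       getenv("HOME"), getenv("LDAPCONF"),
                                       getenv("LDAPRC"), out, max);
}
```

Calling ldap_user_config_for_self() from a setuid binary yields no candidate files at all, which is the behaviour the proposed Debian patch is after.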