commit nss-pam-ldapd.1442 for openSUSE:12.2:Update
Hello community, here is the log from the commit of package nss-pam-ldapd.1442 for openSUSE:12.2:Update checked in at 2013-03-22 20:44:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/nss-pam-ldapd.1442 (Old) and /work/SRC/openSUSE:12.2:Update/.nss-pam-ldapd.1442.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "nss-pam-ldapd.1442", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-26 18:15:11.936010755 +0100 +++ /work/SRC/openSUSE:12.2:Update/.nss-pam-ldapd.1442.new/nss-pam-ldapd.changes 2013-03-22 20:44:14.000000000 +0100 
@@ -0,0 +1,109 @@ +------------------------------------------------------------------- +Wed Mar 13 14:51:38 UTC 2013 - varkoly@suse.com + +- bnc#804682.diff: CVE-2013-0288: nss-pam-ldapd: FD_SET array index + error, leading to stack-based buffer overflow + +------------------------------------------------------------------- +Fri Dec 2 16:44:28 UTC 2011 - coolo@suse.com + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Tue Aug 2 13:11:24 UTC 2011 - aj@suse.de + +- Create ghost /var/run/nslcd to fix build failure. + +------------------------------------------------------------------- +Tue Jan 4 09:57:06 UTC 2011 - seife+obs@b1-systems.com + +- update to 0.7.13: + * fix handling of idle_timelimit option + * fix error code for problem while doing password modification +- fix build for pre-11.3 systems + +------------------------------------------------------------------- +Tue Nov 16 14:25:00 UTC 2010 - rhafer@novell.com + +- Renamed to nss-pam-ldapd to reflect upstream rename +- Updated to 0.7.12: + * rename software to nss-pam-ldapd to indicate that PAM module + is now a standard part of the software + * the PAM module is now built by default + * the default configuration file name has been changed to + /etc/nslcd.conf + +------------------------------------------------------------------- +Mon Feb 1 12:08:53 UTC 2010 - jengelh@medozas.de + +- package baselibs.conf + +------------------------------------------------------------------- +Wed Aug 26 12:53:54 CEST 2009 - mls@suse.de + +- make patch0 usage consistent + +------------------------------------------------------------------- +Tue Jun 30 09:12:03 CEST 2009 - rhafer@novell.com + +- Updated to 0.6.10: + * implement searching through multiple search bases, based on a + patch by Leigh Wedding + * fix a segmentation fault that could occur when using any of + the tls_* options with a string parameter + * the code for reading and 
writing protocol entries between the + NSS module and the daemon was improved + * documentation updates + * removed SSL/TLS related warnings during startup + * produce more detailed logging in debug mode and allow + multiple -d options to be specified to also include logging + from the LDAP library + * some LDAP configuration options are now initialized globally + instead of per connection which should fix problems with the + tls_reqcert option + * documentation improvements for the NSLCD protocol used between + the NSS module and the nslcd server + * fix a bug with writing alternate service names and add checks + for validity of passed buffer in NSS module +- Fixed a possible off by one bug in nslcd (bnc#515559) + +------------------------------------------------------------------- +Thu Jun 25 12:52:57 CEST 2009 - sbrabec@suse.cz + +- Supplement glibc-32bit/glibc-64bit in baselibs.conf (bnc#354164). + +------------------------------------------------------------------- +Wed Mar 25 16:46:09 CET 2009 - rhafer@suse.de + +- Updated to 0.6.8: + * the nss-ldapd.conf was created world-readable which could cause + problems if the bindpw option is used. 
(bnc#487737, CVE-2009-1073) + * clean the environment and set LDAPNOINIT to disable parsing of LDAP + configuration files (.ldaprc, /etc/ldap/ldap.conf, etc) + * remove sslpath option because it wasn't used + * correctly set SSL/TLS options when using StartTLS + * rename the tls_checkpeer option to tls_reqcert, deprecating the old name + and supporting all values that OpenLDAP supports + * allow backslashes in user and group names execpt as first or last + character + * check user and group names against LOGIN_NAME_MAX if it is defined + * allow spaces in user and group names because it was causing problems in + some environments + * if ldap_set_option() fails log the option name instead of number + * retry connecting to LDAP server in more cases +- Adjust config file permissions upon update, to fix world-readable + /etc/nss-ldapd.conf as created by older versions + (bnc#487737, CVE-2009-1073) + +------------------------------------------------------------------- +Fri Aug 15 09:18:57 CEST 2008 - rhafer@suse.de + +- Fixed "Required-Stop" Tag to include the same services as + "Required-Start" +- removed "Should-Start" Tag + +------------------------------------------------------------------- +Wed Aug 6 16:33:20 CEST 2008 - rhafer@suse.de + +- initial version for nss-ldapd-0.6.4 (Fate#303597) + New: ---- baselibs.conf bnc#804682.dif nslcd-user-conf.dif nss-pam-ldapd-0.7.12-rpmlintrc nss-pam-ldapd-0.7.13.tar.bz2 nss-pam-ldapd.changes nss-pam-ldapd.spec rc.nslcd ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nss-pam-ldapd.spec ++++++ # # spec file for package nss-pam-ldapd # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: nss-pam-ldapd BuildRequires: automake BuildRequires: krb5-devel BuildRequires: openldap2-devel BuildRequires: pam-devel Version: 0.7.13 Release: 0 Summary: NSS module and daemon for using LDAP as a naming service License: LGPL-2.1+ Group: Productivity/Networking/LDAP/Clients Url: http://arthurdejong.org/nss-ldapd/ PreReq: /bin/chmod Conflicts: nss_ldap pam_ldap Obsoletes: nss-ldapd < %{version}-%{release} Provides: nss-ldapd = %{version}-%{release} Source: nss-pam-ldapd-%{version}.tar.bz2 Source1: rc.nslcd Source2: baselibs.conf Source100: nss-pam-ldapd-0.7.12-rpmlintrc Patch0: nslcd-user-conf.dif Patch1: bnc#804682.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package provides a Name Service Switch module that allows your LDAP server to provide user account, group, host name, alias, netgroup, and basically any other information that you would normally get from /etc flat files or NIS. Nss-ldapd is a fork of the nss_ldap package by PADL Software Pty Ltd.. implementing some structural design changes that were needed to fix some issues of the original design. Authors: -------- Luke Howard <lukeh@padl.com> West Consulting <info@west.nl> Arthur de Jong <arthur@arthurdejong.org> %prep %setup -q cp -v %{S:1} . 
%patch0 -p1 %patch1 -p1 %build %{?suse_update_config:%{suse_update_config -f}} autoreconf CFLAGS="$RPM_OPT_FLAGS" \ CPPFLAGS="-I/usr/include/sasl" \ ./configure --prefix=/usr \ --mandir=%{_mandir} \ --libdir=/%{_lib} \ --sysconfdir=/etc make %{?jobs:-j%jobs} %install mkdir -p $RPM_BUILD_ROOT/etc/init.d/ mkdir -p $RPM_BUILD_ROOT/usr/sbin/ install -m 755 rc.nslcd $RPM_BUILD_ROOT/etc/init.d/nslcd ln -sf ../../etc/init.d/nslcd $RPM_BUILD_ROOT/usr/sbin/rcnslcd make DESTDIR=$RPM_BUILD_ROOT install install -d $RPM_BUILD_ROOT/var/run/nslcd %clean rm -fr $RPM_BUILD_ROOT %post /sbin/ldconfig %preun %stop_on_removal nslcd %postun /sbin/ldconfig %restart_on_update nslcd %insserv_cleanup %files %defattr(-,root,root) %doc AUTHORS COPYING ChangeLog NEWS README /%{_lib}/libnss_ldap.so.2 /%{_lib}/security/pam_ldap.so %doc %{_mandir}/man5/* %doc %{_mandir}/man8/* %config(noreplace) %attr(640,root,root) /etc/nslcd.conf %config /etc/init.d/nslcd /usr/sbin/rcnslcd %dir %attr(0755, root, root) %ghost /var/run/nslcd /usr/sbin/nslcd %changelog ++++++ baselibs.conf ++++++ nss-pam-ldapd supplements "packageand(nss-pam-ldapd:glibc-<targettype>)" ++++++ bnc#804682.dif ++++++ diff -ur nss-pam-ldapd-0.7.13/common/tio.c nss-pam-ldapd-0.7.13-fixed/common/tio.c --- nss-pam-ldapd-0.7.13/common/tio.c 2010-09-24 09:07:17.000000000 +0200 +++ nss-pam-ldapd-0.7.13-fixed/common/tio.c 2013-03-13 15:47:25.000000000 +0100 @@ -2,7 +2,7 @@ tio.c - timed io functions This file is part of the nss-pam-ldapd library. - Copyright (C) 2007, 2008 Arthur de Jong + Copyright (C) 2007, 2008, 2010, 2011, 2012 Arthur de Jong This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public @@ -34,6 +34,7 @@ #include <string.h> #include <signal.h> #include <stdio.h> +#include <limits.h> #include "tio.h" 
@@ -183,6 +184,11 @@ while (1) { /* prepare our filedescriptorset */ + if (fp->fd>=FD_SETSIZE) + { + errno=EBADFD; + return -1; + } FD_ZERO(&fdset); FD_SET(fp->fd,&fdset); /* figure out the time we need to wait */ @@ -229,6 +235,7 @@ int rv; uint8_t *tmp; size_t newsz; + size_t len; /* have a more convenient storage type for the buffer */ uint8_t *ptr=(uint8_t *)buf; /* build a time by which we should be finished */ @@ -293,7 +300,12 @@ if (tio_select(fp,1,&deadline)) return -1; /* read the input in the buffer */ - rv=read(fp->fd,fp->readbuffer.buffer+fp->readbuffer.start,fp->readbuffer.size-fp->readbuffer.start); + len=fp->readbuffer.size-fp->readbuffer.start; +#ifdef SSIZE_MAX + if (len>SSIZE_MAX) + len=SSIZE_MAX; +#endif /* SSIZE_MAX */ + rv=read(fp->fd,fp->readbuffer.buffer+fp->readbuffer.start,len); /* check for errors */ if ((rv==0)||((rv<0)&&(errno!=EINTR)&&(errno!=EAGAIN))) return -1; /* something went wrong with the read */ @@ -390,6 +402,11 @@ fd_set fdset; int rv; /* prepare our filedescriptorset */ + if (fp->fd>=FD_SETSIZE) + { + errno=EBADFD; + return -1; + } FD_ZERO(&fdset); FD_SET(fp->fd,&fdset); /* set the timeout to 0 to poll */ ++++++ nslcd-user-conf.dif ++++++ Index: nss-pam-ldapd-0.7.12/nslcd.conf =================================================================== --- nss-pam-ldapd-0.7.12.orig/nslcd.conf +++ nss-pam-ldapd-0.7.12/nslcd.conf 
@@ -5,8 +5,8 @@ # See the manual page nslcd.conf(5) for more information. # The user and group nslcd should run as. -uid nslcd -gid nslcd +#uid nslcd +#gid nslcd # The uri pointing to the LDAP server to use for name lookups. # Multiple entries may be specified. The address that is used ++++++ nss-pam-ldapd-0.7.12-rpmlintrc ++++++ # Silence rpmlint's warning regarding the shared library policy as # splitting of a library package for libnss_ldap.so.2 doesn't make much # sense. The NSS Module doesn't do anything useful with out the nslcd # daemon addFilter("shlib-policy-name-error .*") ++++++ rc.nslcd ++++++ #! /bin/sh # Copyright (c) 2007 SUSE Linux Products GmbH, Nuernberg, Germany. # All rights reserved. # # Author: Ralf Haferkamp <rhafer@suse.de> # # /etc/init.d/nslcd # and its symbolic link # /usr/sbin/rcnslcd # ### BEGIN INIT INFO # Provides: nslcd # Required-Start: $network $syslog $remote_fs # Required-Stop: $network $syslog $remote_fs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: NSS/PAM LDAP client daemon # Description: nslcd is a LDAP connection daemon that is # used to do LDAP queries for the NSS and PAM LDAP modules. ### END INIT INFO NSLCD_BIN="/usr/sbin/nslcd" test -x $NSLCD_BIN || exit 5 # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v ditto but be verbose in local rc status # rc_status -v -r ditto and clear the local rc status # rc_failed set local and overall rc status to failed # rc_failed <num> set local and overall rc status to <num><num> # rc_reset clear local rc status (overall remains) # rc_exit exit appropriate to overall rc status . 
/etc/rc.status # First reset status of this service rc_reset case "$1" in start) echo -n "Starting local LDAP Name Service Daemon" # /var/run might be a tmpfs test -d /var/run/nslcd || mkdir -m0755 /var/run/nslcd /sbin/startproc -p /var/run/nslcd/nslcd.pid $NSLCD_BIN rc_status -v ;; stop) echo -n "Shutting down local LDAP Name Service Daemon" /sbin/killproc -p /var/run/nslcd/nslcd.pid $NSLCD_BIN rc_status -v ;; try-restart) ## Stop the service and if this succeeds (i.e. the ## service was running before), start it again. ## Note: try-restart is not (yet) part of LSB (as of 0.7.5) $0 status >/dev/null && $0 restart # Remember status and be quiet rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) $0 stop; sleep 3; $0 start rc_status ;; reload) echo -n "Reload local LDAP Name Service Daemon" ## Otherwise if it does not support reload: rc_failed 3 rc_status -v ;; status) echo -n "Checking for local LDAP Name Service Daemon" checkproc -p /var/run/nslcd/nslcd.pid $NSLCD_BIN rc_status -v ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}" exit 1 esac rc_exit -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
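Review bot: The new top entry in nss-pam-ldapd.changes names the patch as "bnc#804682.diff", but the file added by this commit and referenced by Patch1 in the spec is "bnc#804682.dif". Use the real file name in the changelog entry so the CVE-2013-0288 fix can be matched to the source file when auditing the package.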
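Review bot: The new guard in the tio.c hunk at @@ -183,6 +184,11 @@ only rejects fp->fd>=FD_SETSIZE; a negative descriptor would still reach FD_SET(fp->fd,&fdset) and index before the start of the set. Suggest testing both bounds, for example (fp->fd<0)||(fp->fd>=FD_SETSIZE). Two smaller points: EBADFD is not a portable errno value, so EBADF would be the safer choice if this file is built on non-Linux targets, and since the descriptor does not change inside the while (1) loop the check could sit once before the loop.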
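Review bot: The SSIZE_MAX clamp on len in the tio.c hunk at @@ -293,7 +300,12 @@ is a separate hardening change from the FD_SET index fix, and the changelog entry for this update only mentions the FD_SET error. Add a line to the .changes entry for it, or a short comment above the clamp explaining that read() with a count above SSIZE_MAX has implementation-defined behaviour, so the reason for the change stays visible to later maintainers.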
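Review bot: The guard added in the tio.c hunk at @@ -390,6 +402,11 @@ is a verbatim copy of the one added at @@ -183,6 +184,11 @@, so any correction to one (such as also rejecting a negative fp->fd) has to be repeated by hand in the other. Consider a small static helper that validates fp->fd and sets errno, called from both places before FD_ZERO/FD_SET.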
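Review bot: Commenting out "uid nslcd" and "gid nslcd" in the nslcd.conf hunk of nslcd-user-conf.dif leaves the daemon without a configured account to switch to, so it keeps the privileges of the init script that starts it. That works against the memory-safety fix shipped in the same update, since a flaw in the daemon would then be exposed with those privileges. The spec shown has no %pre scriptlet creating an nslcd user or group; suggest adding one and keeping the uid/gid lines active, or at least documenting in the patch header why the default is disabled.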