Fix for CVE-2013-0288 in precise package

Bug #1347614 reported by Nicola Heald on 2014-07-23
Affects: nss-pam-ldapd (Ubuntu)
Importance: Undecided
Assigned to: Nicola Heald

Bug Description

We run a busy server that uses nss-pam-ldapd on precise, and it falls over regularly due to CVE-2013-0288.

Attached is a debdiff with the backported fix for this issue.

The attachment "Backported from http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Daniel Holbach (dholbach) wrote :

Subscribing the sponsors team.

Package seems to build fine on precise. Backported patch does not match the upstream fix 100%, needs review.

Daniel Holbach (dholbach) wrote :

Err, sorry, I meant the security sponsors team.

information type: Public → Public Security
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff! I have a few comments:
 * debian/changelog does not use 'precise-security'
 * debian/changelog is too terse. Per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging, it should be something like:
   * SECURITY UPDATE: use poll() instead of select() for checking file
     descriptor activity to also correctly work if more than FD_SETSIZE files
     are already open
     - http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
     - <link to upstream patch #1>
     - <link to upstream patch #2>
     - ...
     - CVE-2013-0288
     - LP: #1347614

Importantly, as Daniel said, the patch does not match upstream. Upstream http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288 has a minimal patch that would be more appropriate for a security update:
- http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81

That said, we could incorporate the larger patchset:
- http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b

if it could be shown to be correct and free of regressions.

Please do one of:
- update the patch for the changelog changes, use the minimal patch and document it in debian/changelog
- update the patch for the changelog changes, use the bigger patchset, document the patch URLs in debian/changelog. Please also detail the testing performed

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after attaching a new debdiff. Thanks again.

Changed in nss-pam-ldapd (Ubuntu):
status: New → In Progress
assignee: nobody → Mike Heald (jedimike)
Nicola Heald (notnownikki) wrote :

Thanks for your guidance on this.

I've attached a new debdiff with the minimal patch. I would have liked to incorporate the poll() changes, but it makes sense to do the minimum to fix this bug for now.

Patch was applied from http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81; it did not apply completely, as it patches tio_skipall, which had not been introduced in the version currently in precise.

Nicola Heald (notnownikki) wrote :

Resubscribing the security sponsors team.

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff, the package is building now and will be released today.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.8.4ubuntu0.3

---------------
nss-pam-ldapd (0.8.4ubuntu0.3) precise-security; urgency=low

  * SECURITY UPDATE: denial of service related to incorrect use
    of the FD_SET macro.
    - http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
    - common/tio.c added checks to make sure the file descriptor
      can be stored in the file descriptor set, from upstream patch
      http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81
    - CVE-2013-0288
    - LP: #1347614
 -- Mike Heald <email address hidden> Tue, 29 Jul 2014 12:27:23 +0100

Changed in nss-pam-ldapd (Ubuntu):
status: In Progress → Fix Released
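The released changelog above describes the fix as "checks to make sure the file descriptor can be stored in the file descriptor set", and the earlier review thread mentions the larger upstream change that moved from select() to poll(). The following is an added example, not code from nss-pam-ldapd or from the upstream patches: it shows the shape of such a range check around FD_SET, a select()-based readiness check that uses it, and the poll() alternative that has no FD_SETSIZE limit. Function names (safe_fd_set, wait_readable_select, wait_readable_poll, fd_set_roundtrip, demo) and the pipe-based self-check are constructed for illustration.

```c
/* Added example: guarding FD_SET against out-of-range descriptors, plus the
 * poll() alternative. Not part of nss-pam-ldapd; names are illustrative. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Add fd to set only if it fits. FD_SET with fd >= FD_SETSIZE (or fd < 0)
 * indexes outside the fd_set bitmap, which is undefined behaviour; a process
 * that has more than FD_SETSIZE descriptors open can hit this on an ordinary
 * accept() or open(). Returns 0 on success, -1 with errno = EINVAL otherwise. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* select()-based readiness check with the range check applied first.
 * Returns 1 if fd is readable, 0 on timeout, -1 on error (including an fd
 * that cannot be represented in an fd_set). */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    FD_ZERO(&rfds);
    if (safe_fd_set(fd, &rfds) < 0)
        return -1;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    return select(fd + 1, &rfds, NULL, NULL, &tv);
}

/* poll()-based readiness check: pollfd carries the descriptor number itself,
 * so there is no FD_SETSIZE ceiling. Same return convention as above. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&p, 1, timeout_ms);
    if (rc > 0 && (p.revents & (POLLERR | POLLNVAL)))
        return -1;
    return rc;
}

/* Helper for checking the guard: 1 if fd was accepted and is now set,
 * 0 if it was rejected. */
int fd_set_roundtrip(int fd)
{
    fd_set s;
    FD_ZERO(&s);
    if (safe_fd_set(fd, &s) < 0)
        return 0;
    return FD_ISSET(fd, &s) ? 1 : 0;
}

/* Self-check on a constructed pipe: one byte is written, so both readiness
 * checks must report the read end as readable. Returns 0 on success. */
int demo(void)
{
    int fds[2];
    char c = 'x';
    int a, b;
    if (pipe(fds) < 0)
        return -1;
    if (write(fds[1], &c, 1) != 1)
        return -1;
    a = wait_readable_select(fds[0], 100);
    b = wait_readable_poll(fds[0], 100);
    close(fds[0]);
    close(fds[1]);
    return (a == 1 && b == 1) ? 0 : -1;
}

int main(void)
{
    printf("FD_SETSIZE = %d\n", FD_SETSIZE);
    printf("fd 3 accepted: %d\n", fd_set_roundtrip(3));
    printf("fd FD_SETSIZE accepted: %d\n", fd_set_roundtrip(FD_SETSIZE));
    printf("pipe demo: %s\n", demo() == 0 ? "ok" : "failed");
    return 0;
}
```

The guard turns a silent out-of-bounds write into a reported error the caller can handle (log and close the connection), which is the denial-of-service-only outcome the changelog describes; switching the readiness check to poll() removes the limit altogether, at the cost of a larger change than a security update normally carries.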

There is a serious bug here that is not introduced in this change but on upgrade nonetheless causes /etc/nslcd.conf to get mangled, creating a situation where one is no longer able to access their server. :(

