Hello community,

here is the log from the commit of package nss-pam-ldapd.1442 for 
openSUSE:12.1:Update checked in at 2013-03-22 20:44:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/nss-pam-ldapd.1442 (Old)
 and      /work/SRC/openSUSE:12.1:Update/.nss-pam-ldapd.1442.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nss-pam-ldapd.1442", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null   2013-02-26 18:15:11.936010755 +0100
+++ 
/work/SRC/openSUSE:12.1:Update/.nss-pam-ldapd.1442.new/nss-pam-ldapd.changes    
    2013-03-22 20:44:09.000000000 +0100
@@ -0,0 +1,104 @@
+-------------------------------------------------------------------
+Wed Mar 13 14:51:16 UTC 2013 - [email protected]
+
+- bnc#804682.diff : CVE-2013-0288: nss-pam-ldapd: FD_SET array index
+  error, leading to stack-based buffer overflow
+
+-------------------------------------------------------------------
+Tue Aug  2 13:11:24 UTC 2011 - [email protected]
+
+- Create ghost /var/run/nslcd to fix build failure.
+
+-------------------------------------------------------------------
+Tue Jan  4 09:57:06 UTC 2011 - [email protected]
+
+- update to 0.7.13:
+  * fix handling of idle_timelimit option
+  * fix error code for problem while doing password modification
+- fix build for pre-11.3 systems
+
+-------------------------------------------------------------------
+Tue Nov 16 14:25:00 UTC 2010 - [email protected]
+
+- Renamed to nss-pam-ldapd to reflect upstream rename
+- Updated to 0.7.12:
+  * rename software to nss-pam-ldapd to indicate that PAM module
+    is now a standard part of the software
+  * the PAM module is now built by default
+  * the default configuration file name has been changed to
+    /etc/nslcd.conf
+
+-------------------------------------------------------------------
+Mon Feb  1 12:08:53 UTC 2010 - [email protected]
+
+- package baselibs.conf
+
+-------------------------------------------------------------------
+Wed Aug 26 12:53:54 CEST 2009 - [email protected]
+
+- make patch0 usage consistent
+
+-------------------------------------------------------------------
+Tue Jun 30 09:12:03 CEST 2009 - [email protected]
+
+- Updated to 0.6.10:
+   * implement searching through multiple search bases, based on a 
+     patch by Leigh Wedding
+   * fix a segmentation fault that could occur when using any of 
+     the tls_* options with a string parameter
+   * the code for reading and writing protocol entries between the
+     NSS module and the daemon was improved
+   * documentation updates
+   * removed SSL/TLS related warnings during startup
+   * produce more detailed logging in debug mode and allow 
+     multiple -d options to be specified to also include logging
+     from the LDAP library
+   * some LDAP configuration options are now initialized globally
+     instead of per connection which should fix problems with the
+     tls_reqcert option
+   * documentation improvements for the NSLCD protocol used between
+     the NSS module and the nslcd server
+   * fix a bug with writing alternate service names and add checks
+     for validity of passed buffer in NSS module
+- Fixed a possible off by one bug in nslcd (bnc#515559)
+
+-------------------------------------------------------------------
+Thu Jun 25 12:52:57 CEST 2009 - [email protected]
+
+- Supplement glibc-32bit/glibc-64bit in baselibs.conf (bnc#354164).
+
+-------------------------------------------------------------------
+Wed Mar 25 16:46:09 CET 2009 - [email protected]
+
+- Updated to 0.6.8:
+  * the nss-ldapd.conf was created world-readable which could cause
+    problems if the bindpw option is used. (bnc#487737, CVE-2009-1073)
+  * clean the environment and set LDAPNOINIT to disable parsing of LDAP
+    configuration files (.ldaprc, /etc/ldap/ldap.conf, etc)
+  * remove sslpath option because it wasn't used
+  * correctly set SSL/TLS options when using StartTLS
+  * rename the tls_checkpeer option to tls_reqcert, deprecating the old name
+    and supporting all values that OpenLDAP supports
+  * allow backslashes in user and group names execpt as first or last
+    character
+  * check user and group names against LOGIN_NAME_MAX if it is defined
+  * allow spaces in user and group names because it was causing problems in
+    some environments
+  * if ldap_set_option() fails log the option name instead of number
+  * retry connecting to LDAP server in more cases
+- Adjust config file permissions upon update, to fix world-readable
+  /etc/nss-ldapd.conf as created by older versions 
+  (bnc#487737, CVE-2009-1073)
+
+-------------------------------------------------------------------
+Fri Aug 15 09:18:57 CEST 2008 - [email protected]
+
+- Fixed "Required-Stop" Tag to include the same services as
+  "Required-Start"
+- removed "Should-Start" Tag
+
+-------------------------------------------------------------------
+Wed Aug  6 16:33:20 CEST 2008 - [email protected]
+
+- initial version for nss-ldapd-0.6.4 (Fate#303597) 
+
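Review bot: the patch name in the new 0.7.13 entry does not match the file actually shipped: the entry reads `bnc#804682.diff : CVE-2013-0288`, while the New: file list and the spec's `Patch1:` line both use `bnc#804682.dif`. Change the changes entry to `bnc#804682.dif` so the changelog can be grepped against the source list; a reader following the changelog would otherwise look for a file that is not in the package.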

New:
----
  baselibs.conf
  bnc#804682.dif
  nslcd-user-conf.dif
  nss-pam-ldapd-0.7.12-rpmlintrc
  nss-pam-ldapd-0.7.13.tar.bz2
  nss-pam-ldapd.changes
  nss-pam-ldapd.spec
  rc.nslcd

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nss-pam-ldapd.spec ++++++
#
# spec file for package nss-pam-ldapd
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           nss-pam-ldapd
BuildRequires:  krb5-devel
BuildRequires:  openldap2-devel
BuildRequires:  pam-devel
Version:        0.7.13
Release:        0
Summary:        NSS module and daemon for using LDAP as a naming service
License:        LGPL-2.1+
Group:          Productivity/Networking/LDAP/Clients
Url:            http://arthurdejong.org/nss-ldapd/
PreReq:         /bin/chmod
Conflicts:      nss_ldap pam_ldap
Obsoletes:      nss-ldapd < %{version}-%{release}
Provides:       nss-ldapd = %{version}-%{release}
Source:         nss-pam-ldapd-%{version}.tar.bz2
Source1:        rc.nslcd
Source2:        baselibs.conf
Source100:      nss-pam-ldapd-0.7.12-rpmlintrc
Patch0:         nslcd-user-conf.dif
Patch1:         bnc#804682.dif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
This package provides a Name Service Switch module that allows your
LDAP server to provide user account, group, host name, alias, netgroup,
and basically any other information that you would normally get from
/etc flat files or NIS. Nss-ldapd is a fork of the nss_ldap package by
PADL Software Pty Ltd., implementing some structural design changes
that were needed to fix some issues of the original design.



Authors:
--------
    Luke Howard <[email protected]>
    West Consulting <[email protected]>
    Arthur de Jong <[email protected]>

%prep
%setup -q
cp -v %{S:1} .
%patch0 -p1
%patch1 -p1

%build
%{?suse_update_config:%{suse_update_config -f}}
autoreconf
CFLAGS="$RPM_OPT_FLAGS" \
CPPFLAGS="-I/usr/include/sasl" \
./configure --prefix=/usr \
            --mandir=%{_mandir} \
            --libdir=/%{_lib} \
            --sysconfdir=/etc
make %{?jobs:-j%jobs}

%install
mkdir -p $RPM_BUILD_ROOT/etc/init.d/
mkdir -p $RPM_BUILD_ROOT/usr/sbin/
install -m 755 rc.nslcd $RPM_BUILD_ROOT/etc/init.d/nslcd
ln -sf ../../etc/init.d/nslcd $RPM_BUILD_ROOT/usr/sbin/rcnslcd
make DESTDIR=$RPM_BUILD_ROOT install
install -d $RPM_BUILD_ROOT/var/run/nslcd

%clean
rm -fr $RPM_BUILD_ROOT

%post
/sbin/ldconfig

%preun
%stop_on_removal nslcd

%postun
/sbin/ldconfig
%restart_on_update nslcd
%insserv_cleanup

%files
%defattr(-,root,root)
%doc AUTHORS COPYING ChangeLog NEWS README
/%{_lib}/libnss_ldap.so.2
/%{_lib}/security/pam_ldap.so
%doc %{_mandir}/man5/*
%doc %{_mandir}/man8/*
%config(noreplace) %attr(640,root,root) /etc/nslcd.conf
%config /etc/init.d/nslcd
/usr/sbin/rcnslcd
%dir %attr(0755, root, root) %ghost /var/run/nslcd
/usr/sbin/nslcd

%changelog
++++++ baselibs.conf ++++++
nss-pam-ldapd
  supplements "packageand(nss-pam-ldapd:glibc-<targettype>)"
++++++ bnc#804682.dif ++++++
diff -ur nss-pam-ldapd-0.7.13/common/tio.c 
nss-pam-ldapd-0.7.13-fixed/common/tio.c
--- nss-pam-ldapd-0.7.13/common/tio.c   2010-09-24 09:07:17.000000000 +0200
+++ nss-pam-ldapd-0.7.13-fixed/common/tio.c     2013-03-13 15:47:25.000000000 
+0100
@@ -2,7 +2,7 @@
    tio.c - timed io functions
    This file is part of the nss-pam-ldapd library.
 
-   Copyright (C) 2007, 2008 Arthur de Jong
+   Copyright (C) 2007, 2008, 2010, 2011, 2012 Arthur de Jong
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -34,6 +34,7 @@
 #include <string.h>
 #include <signal.h>
 #include <stdio.h>
+#include <limits.h>
 
 #include "tio.h"
 
@@ -183,6 +184,11 @@
   while (1)
   {
     /* prepare our filedescriptorset */
+    if (fp->fd>=FD_SETSIZE)
+    {
+      errno=EBADFD;
+      return -1;
+    }
     FD_ZERO(&fdset);
     FD_SET(fp->fd,&fdset);
     /* figure out the time we need to wait */
@@ -229,6 +235,7 @@
   int rv;
   uint8_t *tmp;
   size_t newsz;
+  size_t len;
   /* have a more convenient storage type for the buffer */
   uint8_t *ptr=(uint8_t *)buf;
   /* build a time by which we should be finished */
@@ -293,7 +300,12 @@
     if (tio_select(fp,1,&deadline))
       return -1;
     /* read the input in the buffer */
-    
rv=read(fp->fd,fp->readbuffer.buffer+fp->readbuffer.start,fp->readbuffer.size-fp->readbuffer.start);
+    len=fp->readbuffer.size-fp->readbuffer.start;
+#ifdef SSIZE_MAX
+    if (len>SSIZE_MAX)
+      len=SSIZE_MAX;
+#endif /* SSIZE_MAX */
+    rv=read(fp->fd,fp->readbuffer.buffer+fp->readbuffer.start,len);
     /* check for errors */
     if ((rv==0)||((rv<0)&&(errno!=EINTR)&&(errno!=EAGAIN)))
       return -1; /* something went wrong with the read */
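Review bot: clamping `len` to `SSIZE_MAX` is correct for the `read()` call, but the result is still stored in `rv`, which the previous hunk's context shows declared as `int rv;`. `read()` returns `ssize_t`, so on LP64 a count above `INT_MAX` would be truncated on assignment and the `rv<0` error test below could misfire. Suggest declaring `ssize_t rv;` (and the same for the other callers that store a `read()` result) so the clamp actually protects the error handling. The `#ifdef SSIZE_MAX` guard is consistent with the `<limits.h>` include added above.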
@@ -390,6 +402,11 @@
   fd_set fdset;
   int rv;
   /* prepare our filedescriptorset */
+  if (fp->fd>=FD_SETSIZE)
+  {
+    errno=EBADFD;
+    return -1;
+  }
   FD_ZERO(&fdset);
   FD_SET(fp->fd,&fdset);
   /* set the timeout to 0 to poll */
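Review bot: this block duplicates the `fp->fd>=FD_SETSIZE` / `errno=EBADFD` / `return -1` sequence added in the `tio_select` hunk above, and inherits the same gap: a negative descriptor is not rejected before `FD_SET(fp->fd,&fdset)`. Suggest factoring the check into one small `static` helper (for example `tio_fd_ok(int fd)` returning non-zero for `0<=fd<FD_SETSIZE`) and calling it at both sites, so a future fix to the bounds test only has to be made once.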
++++++ nslcd-user-conf.dif ++++++
Index: nss-pam-ldapd-0.7.12/nslcd.conf
===================================================================
--- nss-pam-ldapd-0.7.12.orig/nslcd.conf
+++ nss-pam-ldapd-0.7.12/nslcd.conf
@@ -5,8 +5,8 @@
 # See the manual page nslcd.conf(5) for more information.
 
 # The user and group nslcd should run as.
-uid nslcd
-gid nslcd
+#uid nslcd
+#gid nslcd
 
 # The uri pointing to the LDAP server to use for name lookups.
 # Multiple entries may be specified. The address that is used
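Review bot: commenting out `uid nslcd` and `gid nslcd` removes the daemon's privilege drop; the surrounding comment says these are "The user and group nslcd should run as", and with both lines disabled nslcd keeps the identity it was started with. In this package that identity is root: `rc.nslcd` launches `$NSLCD_BIN` via `/sbin/startproc` from the init script, and the spec has no `%pre` scriptlet that creates an `nslcd` account, which is presumably why the lines were disabled. The lower-risk fix is to add a `%pre` that creates the `nslcd` group and user (and declare the corresponding `Requires(pre)` on the user-management tools) and leave the two lines active, so a daemon that holds the LDAP `bindpw` from `/etc/nslcd.conf` does not also run as root. If the patch must stay, the reason (no account is created) belongs in a comment in the patched file or in the changes entry.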
++++++ nss-pam-ldapd-0.7.12-rpmlintrc ++++++
# Silence rpmlint's warning regarding the shared library policy as
# splitting of a library package for libnss_ldap.so.2 doesn't make much
# sense. The NSS Module doesn't do anything useful without the nslcd
# daemon
addFilter("shlib-policy-name-error .*")
++++++ rc.nslcd ++++++
#! /bin/sh
# Copyright (c) 2007 SUSE Linux Products GmbH, Nuernberg, Germany.
# All rights reserved.
#
# Author: Ralf Haferkamp <[email protected]>
#
# /etc/init.d/nslcd
#   and its symbolic link
# /usr/sbin/rcnslcd
#
### BEGIN INIT INFO
# Provides:       nslcd
# Required-Start: $network $syslog $remote_fs
# Required-Stop: $network $syslog $remote_fs
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Short-Description: NSS/PAM LDAP client daemon
# Description:       nslcd is an LDAP connection daemon that is
#       used to do LDAP queries for the NSS and PAM LDAP modules.
### END INIT INFO

NSLCD_BIN="/usr/sbin/nslcd"
test -x $NSLCD_BIN || exit 5

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num><num>
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting local LDAP Name Service Daemon"
        # /var/run might be a tmpfs
        test -d /var/run/nslcd || mkdir -m0755 /var/run/nslcd
        /sbin/startproc -p /var/run/nslcd/nslcd.pid $NSLCD_BIN
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down local LDAP Name Service Daemon"
        /sbin/killproc -p /var/run/nslcd/nslcd.pid $NSLCD_BIN
        rc_status -v
        ;;
    try-restart)
        ## Stop the service and if this succeeds (i.e. the 
        ## service was running before), start it again.
        ## Note: try-restart is not (yet) part of LSB (as of 0.7.5)
        $0 status >/dev/null &&  $0 restart

        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start
        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        $0 stop; sleep 3;  $0 start
        rc_status
        ;;
    reload)
        echo -n "Reload local LDAP Name Service Daemon"
        ## Otherwise if it does not support reload:
        rc_failed 3
        rc_status -v
        ;;
    status)
        echo -n "Checking for local LDAP Name Service Daemon" 
        checkproc -p /var/run/nslcd/nslcd.pid $NSLCD_BIN
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
        exit 1
esac
rc_exit