Bug#610034: CVE-2011-0002: libuser creates LDAP users with a default password
The attached file is an updated debdiff between the current version in sid and my NMU. diff -u libuser-0.56.9.dfsg.1/debian/rules libuser-0.56.9.dfsg.1/debian/rules --- libuser-0.56.9.dfsg.1/debian/rules +++ libuser-0.56.9.dfsg.1/debian/rules @@ -59,6 +59,22 @@ # install for pythonX.Y $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp + chrpath -d $(CURDIR)/debian/tmp/usr/bin/lchfn \ + $(CURDIR)/debian/tmp/usr/bin/lchsh \ + $(CURDIR)/debian/tmp/usr/sbin/lchage \ + $(CURDIR)/debian/tmp/usr/sbin/lgroupadd \ + $(CURDIR)/debian/tmp/usr/sbin/lgroupdel \ + $(CURDIR)/debian/tmp/usr/sbin/lgroupmod \ + $(CURDIR)/debian/tmp/usr/sbin/lid \ + $(CURDIR)/debian/tmp/usr/sbin/lnewusers \ + $(CURDIR)/debian/tmp/usr/sbin/lpasswd \ + $(CURDIR)/debian/tmp/usr/sbin/luseradd \ + $(CURDIR)/debian/tmp/usr/sbin/luserdel \ + $(CURDIR)/debian/tmp/usr/sbin/lusermod \ + $(CURDIR)/debian/tmp/usr/lib/libuser.so.1.2.0 \ + $(CURDIR)/debian/tmp/usr/lib/libuser/libuser_files.so \ + $(CURDIR)/debian/tmp/usr/lib/libuser/libuser_shadow.so \ + $(CURDIR)/debian/tmp/usr/lib/python$*/site-packages/libusermodule.so mkdir -p $(CURDIR)/debian/python-libuser/usr/lib/python$*/site-packages cp $(CURDIR)/debian/tmp/usr/lib/python$*/site-packages/libusermodule.so \ $(CURDIR)/debian/python-libuser/usr/lib/python$*/site-packages/libuser.so diff -u libuser-0.56.9.dfsg.1/debian/control libuser-0.56.9.dfsg.1/debian/control --- libuser-0.56.9.dfsg.1/debian/control +++ libuser-0.56.9.dfsg.1/debian/control 
@@ -4,8 +4,9 @@ Maintainer: Ghe Rivero Build-Depends: debhelper (>= 4.0.0), python-all-dev, pkg-config, libglib2.0-dev, linuxdoc-tools, groff, libpam0g-dev, libpopt-dev, - dpatch, autotools-dev, python-support (>= 0.4) + dpatch, autotools-dev, python-support (>= 0.4), chrpath Standards-Version: 3.7.3 +Homepage: https://fedorahosted.org/libuser/ Package: libuser Architecture: any diff -u libuser-0.56.9.dfsg.1/debian/changelog libuser-0.56.9.dfsg.1/debian/changelog --- libuser-0.56.9.dfsg.1/debian/changelog +++ libuser-0.56.9.dfsg.1/debian/changelog @@ -1,3 +1,15 @@ +libuser (1:0.56.9.dfsg.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix CVE-2011-0002 +Mark the LDAP default password value as encrypted +Patch taken from libuser-0.56.18-3.fc14.src.rpm +Add 02libuser-0.56.18-default-pw.dpatch +Closes: 610034 + * Fix binary-or-shlib-defines-rpath + + -- Anibal Monsalve Salazar Wed, 09 Feb 2011 11:22:30 +1100 + libuser (1:0.56.9.dfsg.1-1) unstable; urgency=low * New upstream release diff -u libuser-0.56.9.dfsg.1/debian/patches/00list libuser-0.56.9.dfsg.1/debian/patches/00list --- libuser-0.56.9.dfsg.1/debian/patches/00list +++ libuser-0.56.9.dfsg.1/debian/patches/00list @@ -1,0 +2 @@ +02libuser-0.56.18-default-pw.dpatch only in patch2: unchanged: --- libuser-0.56.9.dfsg.1.orig/debian/patches/02libuser-0.56.18-default-pw.dpatch +++ libuser-0.56.9.dfsg.1/debian/patches/02libuser-0.56.18-default-pw.dpatch 
@@ -0,0 +1,373 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02libuser-0.56.18-default-pw.dpatch by Miloslav Trmac +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Correctly mark the LDAP default password value as encrypted (CVE-2011-0002) + +@DPATCH@ +--- a/Makefile.am 2008-04-10 07:14:41.0 +1000 b/Makefile.am 2011-02-08 12:21:36.0 +1100 +@@ -16,7 +16,7 @@ PYTHON_CPPFLAGS = -I/usr/include/python$ + SUBDIRS = po docs + TESTS = tests/config_test.sh tests/files_test tests/pwhash_test tests/utils_test + if LDAP +-TESTS += tests/ldap_test ++TESTS += tests/default_pw_test tests/ldap_test + endif + + EXTRA_DIST = \ +@@ -27,6 +27,7 @@ EXTRA_DIST = \ + tests/config_import.conf.in tests/config_import2.conf.in \ + tests/config_login.defs tests/config_login2.defs \ + tests/config_override.conf.in tests/config_test.sh \ ++ tests/default_pw_test \ + tests/files.conf.in tests/files_test tests/files_test.py \ + tests/ldap.conf.in tests/ldaprc tests/ldap_skel.ldif tests/ldap_test \ + tests/ldap_test.py \ +--- a/modules/ldap.c 2008-04-10 07:14:41.0 +1000 b/modules/ldap.c 2011-02-08 12:31:59.0 +1100 +@@ -981,6 +981,7 @@ get_ent_adds(const char *dn, struct lu_e + mod_count = 0; + for (a = attrs; a != NULL; a = a->next) { + const char *attribute; ++ gboolean is_userpassword; + + attribute = a->data; + if (strcasecmp(attribute, DISTINGUISHED_NAME) == 0) +@@ -999,9 +1000,26 @@ get_ent_adds(const char *dn, struct lu_e + mod->mod_values + = g_malloc0((vals->n_values + 1) + * sizeof(*mod->mod_values))
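Review bot: The `chrpath -d` call in the debian/rules hunk is a hand-maintained list of every installed binary and module, and it omits any LDAP module even though the CVE being fixed lives in modules/ldap.c; if the Debian build produces a libuser_ldap.so (the dpatch's `if LDAP` block shows the module is conditional), that file keeps its rpath and binary-or-shlib-defines-rpath comes back. A `find`-based loop over debian/tmp, or dropping the rpath at the libtool/configure level, would cover new files automatically instead of needing this list updated on every upstream change.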
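Review bot: The Homepage field added in the debian/control hunk is unrelated to CVE-2011-0002 and to the rpath fix, and the changelog entry does not mention it; for a security NMU keep the change set to what the changelog documents, or at least record the Homepage addition there so the maintainer sees it when merging the NMU. The chrpath Build-Depends addition is correct and matches the new `chrpath -d` call in debian/rules.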
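Review bot: urgency=low in the debian/changelog hunk means this security fix waits the full migration delay before reaching testing; security NMUs conventionally use urgency=high. The continuation lines under `* Fix CVE-2011-0002` (from `Mark the LDAP default password value as encrypted` through `Closes: 610034`) appear at column 0 here; if that is how they are in the file rather than an artifact of how the diff was pasted, dpkg-parsechangelog will reject the entry, so indent them under the bullet. Recording the Fedora source of the patch (libuser-0.56.18-3.fc14.src.rpm) is good practice.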
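Review bot: tests/default_pw_test is added to TESTS only inside the `if LDAP` block in the Makefile.am hunk, so the regression test for this CVE runs only when the LDAP module is configured in. Given the open question in this thread about whether the Debian build is affected at all, confirm from the build log that debian/rules runs the test suite and that tests/default_pw_test actually executes; otherwise the NMU ships the fix untested. The test script itself is not visible in this truncated diff, so whether it exercises the LU_COMMON_DEFAULT_PASSWORD / `!!` / `x` substitution cannot be checked here.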
Bug#610034: CVE-2011-0002: libuser creates LDAP users with a default password
package libuser tag 610034 + patch stop The attached file is the debdiff between the current version in sid and my NMU. diff -u libuser-0.56.9.dfsg.1/debian/changelog libuser-0.56.9.dfsg.1/debian/changelog --- libuser-0.56.9.dfsg.1/debian/changelog +++ libuser-0.56.9.dfsg.1/debian/changelog @@ -1,3 +1,14 @@ +libuser (1:0.56.9.dfsg.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix CVE-2011-0002 +Mark the LDAP default password value as encrypted +Patch taken from libuser-0.56.18-3.fc14.src.rpm +Add 02libuser-0.56.18-default-pw.dpatch +Closes: 610034 + + -- Anibal Monsalve Salazar Tue, 08 Feb 2011 13:15:34 +1100 + libuser (1:0.56.9.dfsg.1-1) unstable; urgency=low * New upstream release diff -u libuser-0.56.9.dfsg.1/debian/patches/00list libuser-0.56.9.dfsg.1/debian/patches/00list --- libuser-0.56.9.dfsg.1/debian/patches/00list +++ libuser-0.56.9.dfsg.1/debian/patches/00list @@ -1,0 +2 @@ +02libuser-0.56.18-default-pw.dpatch only in patch2: unchanged: --- libuser-0.56.9.dfsg.1.orig/debian/patches/02libuser-0.56.18-default-pw.dpatch +++ libuser-0.56.9.dfsg.1/debian/patches/02libuser-0.56.18-default-pw.dpatch 
@@ -0,0 +1,373 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02libuser-0.56.18-default-pw.dpatch by Miloslav Trmac +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Correctly mark the LDAP default password value as encrypted (CVE-2011-0002) + +@DPATCH@ +--- a/Makefile.am 2008-04-10 07:14:41.0 +1000 b/Makefile.am 2011-02-08 12:21:36.0 +1100 +@@ -16,7 +16,7 @@ PYTHON_CPPFLAGS = -I/usr/include/python$ + SUBDIRS = po docs + TESTS = tests/config_test.sh tests/files_test tests/pwhash_test tests/utils_test + if LDAP +-TESTS += tests/ldap_test ++TESTS += tests/default_pw_test tests/ldap_test + endif + + EXTRA_DIST = \ +@@ -27,6 +27,7 @@ EXTRA_DIST = \ + tests/config_import.conf.in tests/config_import2.conf.in \ + tests/config_login.defs tests/config_login2.defs \ + tests/config_override.conf.in tests/config_test.sh \ ++ tests/default_pw_test \ + tests/files.conf.in tests/files_test tests/files_test.py \ + tests/ldap.conf.in tests/ldaprc tests/ldap_skel.ldif tests/ldap_test \ + tests/ldap_test.py \ +--- a/modules/ldap.c 2008-04-10 07:14:41.0 +1000 b/modules/ldap.c 2011-02-08 12:31:59.0 +1100 +@@ -981,6 +981,7 @@ get_ent_adds(const char *dn, struct lu_e + mod_count = 0; + for (a = attrs; a != NULL; a = a->next) { + const char *attribute; ++ gboolean is_userpassword; + + attribute = a->data; + if (strcasecmp(attribute, DISTINGUISHED_NAME) == 0) +@@ -999,9 +1000,26 @@ get_ent_adds(const char *dn, struct lu_e + mod->mod_values + = g_malloc0((vals->n_values + 1) + * sizeof(*mod->mod_values)); ++ /* Ugly hack: Detect userPassword values set by ++ default (by this module and others), and replace them ++ by LU_CRYPTED "!!" - the default values would be ++ interpreted as plaintext passwords. 
*/ ++ is_userpassword ++ = (g_ascii_strcasecmp(attribute, "userPassword") ++ == 0); + for (i = 0; i < vals->n_values; i++) { + value = g_value_array_get_nth(vals, i); + mod->mod_values[i] = lu_value_strdup(value); ++ if (is_userpassword ++ && (strcmp(mod->mod_values[i], ++ LU_COMMON_DEFAULT_PASSWORD) == 0 ++ || strcmp(mod->mod_values[i], "!!") == 0 ++ || strcmp(mod->mod_values[i], "x") ++ == 0)) { ++ g_free(mod->mod_values[i]); ++ mod->mod_values[i] ++ = g_strdup(LU_CRYPTED "!!"); ++ } + } + mods[mod_count++] = mod; + } +@@ -2185,6 +2203,10 @@ lu_ldap_user_default(struct lu_module *m +const char *user, gboolean is_system, +struct lu_ent *ent, struct lu_error **error) + { ++ /* Note that this will set LU_USERPASSWORD to ++ LU_COMMON_DEFAULT_PASSWORD, which is a valid plaintext password in ++ LDAP. get_ent_adds () makes sure this value is replaced by an ++ invalid encrypted hash. */ + return lu_common_user_default(module, user, is_system, ent, error) && + lu_common_suser_default(module, user, is_syst
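Review bot: The substitution in the get_ent_adds hunk of modules/ldap.c is an exact-match list of three strings (LU_COMMON_DEFAULT_PASSWORD, `!!` and `x`), as the comment itself admits with "Ugly hack"; any other placeholder a module writes into userPassword still reaches the directory and, as the comment notes, is interpreted there as a plaintext password. Two things to verify in the rest of the 373-line dpatch, which is cut off in this message: that the same replacement (or better, a refusal to store a known placeholder at all) is applied on the modify path as well as this add path, and that the attribute-name comparison with g_ascii_strcasecmp covers the spelling the other modules actually use. Within the hunk, the g_free/g_strdup swap is correct and `LU_CRYPTED "!!"` is a value no crypt(3) hash can match, so the replacement is a safe lock marker.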
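Review bot: The comment added in the lu_ldap_user_default hunk documents that LU_USERPASSWORD is deliberately left as LU_COMMON_DEFAULT_PASSWORD and relies on get_ent_adds to rewrite it later. That is the fragile direction for the fix: the entry carries a plaintext-looking password between the default function and the add path, and any code path that sends the entry to the server without passing through get_ent_adds reintroduces the bug. Overriding LU_USERPASSWORD with `LU_CRYPTED "!!"` here, after lu_common_user_default returns, would make the entry safe at the source and leave the get_ent_adds filter as defence in depth. The hunk is truncated at `is_syst` in this message, so the remainder of the change cannot be reviewed here.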
Bug#610034: CVE-2011-0002: libuser creates LDAP users with a default password
On Sat, Jan 15, 2011 at 12:37:29AM +0100, Moritz Muehlenhoff wrote:
> Package: libuser
> Severity: grave
> Tags: security
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0002 for
> a description and patch. I'm not really sure if Debian is affected?

Ghe,

Are you still maintaining this package? There has been no upload since 2008, popcon is marginal and there's no followup from your side to any of its bugs. If not, we should rather remove it from Squeeze.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Processed: Re: Bug#610034: CVE-2011-0002: libuser creates LDAP users with a default password
Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was a...@adam-barratt.org.uk).
> tag 610034 + squeeze-ignore
Bug #610034 [libuser] CVE-2011-0002: libuser creates LDAP users with a default password
Added tag(s) squeeze-ignore.
> usertag 610034 + squeeze-can-defer
Bug#610034: CVE-2011-0002: libuser creates LDAP users with a default password
There were no usertags set.
Usertags are now: squeeze-can-defer.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
610034: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610034
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#610034: CVE-2011-0002: libuser creates LDAP users with a default password
user release.debian@packages.debian.org
tag 610034 + squeeze-ignore
usertag 610034 + squeeze-can-defer
thanks

On Sat, 2011-01-15 at 00:37 +0100, Moritz Muehlenhoff wrote:
> Package: libuser
> Severity: grave
> Tags: security
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0002 for
> a description and patch. I'm not really sure if Debian is affected?

Can be fixed via stable-security after release if required; marking as not a blocker for Squeeze.

Regards,

Adam
Bug#610034: CVE-2011-0002: libuser creates LDAP users with a default password
Package: libuser
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0002 for
a description and patch. I'm not really sure if Debian is affected?

Cheers,
Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash