Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[gentoo-announce] GLSA: nss_ldap
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
klieber
Administrator
Administrator


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Sun Oct 13, 2002 1:47 pm    Post subject: [gentoo-announce] GLSA: nss_ldap Reply with quote

Daniel Ahlberg wrote:
- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE :nss_ldap
SUMMARY :Buffer overflow
DATE :2002-10-13 12:45 UTC

- - --------------------------------------------------------------------

Buffer overflow in the DNS SRV code for nss_ldap before nss_ldap-198 allows remote attackers to cause a denial of service and possibly execute arbitrary code.

DETAIL

When versions of nss_ldap prior to nss_ldap-198 are configured without a value for the "host" setting, nss_ldap will attempt to configure itself by using SRV records stored in DNS. When parsing the results of the DNS query, nss_ldap does not check that the data returned by the server willfit into an internal buffer, leaving it vulnerable to a buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0825 to this issue.

When versions of nss_ldap prior to nss_ldap-199 are configured without a value for the "host" setting, nss_ldap will attempt to configure itself by using SRV records stored in DNS. When parsing the results of the DNS query, nss_ldap does not check that the data returned has not been truncated by the resolver libraries to avoid a buffer overflow, and may attempt to parse more data than is actually available, leaving it vulnerable to a read buffer overflow.

SOLUTION

It is recommended that all Gentoo Linux users who are running net-libs/nss_ldap-174-r2 and earlier update their systems as follows:

emerge rsync
emerge nss_ldap
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------

Mailing List Archive: http://lists.gentoo.org/pipermail/gentoo-announce/2002-October/000215.html

--kurt
_________________
The problem with political jokes is that they get elected
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum