Bug 117152

Summary: [Maintainer update] net/ldapscripts -> v1.7.1
Product: Ports & Packages Reporter: Ganael LAPLANCHE <ganael.laplanche>
Component: Individual Port(s)Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Description Flags
file.diff none

Description Ganael LAPLANCHE 2007-10-13 13:50:00 UTC
Fixes several security flaws (CVE-2007-5373) that may lead to reveal the bind password and/or a user password to someone monitoring processes with `ps` while the scripts are being used.

See : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373

Changelog :

2007/10/13 : ldapscripts 1.7.1
  - Fixes for CVE-2007-5373
    see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373
    and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445582

    1) Up to now, each ldap* command was called with the -w parameter, which allows to
      specify the bind password on the command line. Unfortunately, this could make the
      password appear to anybody performing a `ps` during the call. This is now avoided
      by using the -y parameter and a password file.

      -> A new BINDPWDFILE option has been added : it specifies the path to the bind
      password file. This file can be created by something like :
      'echo -n 'password' > $BINDPWDFILE' and you can now safely remove (or comment) the
      BINDPWD parameter from your configuration file.

    2) Changing a user password could also reveal the new password on the command line,
      because of the use of ldappasswd's -s option. This has been fixed by using a temporary
      file containing the new password (and ldappassword's -T option).

      -> [internals] New mktempf() and reltempf() functions have been added

    [For older versions of OpenLDAP, -y and -T parameters may not be available. It is still
    possible to use the old BINDPWD parameter. Just uncomment it from the configuration file
    and comment the BINDPWDFILE parameter (which takes precedence over BINDPWD). The
    ldapscripts will just behave as previously and use inline -w and -s parameters, warning
    you this is not secure way of running them.]

    3) A similar problem related to sed expressions has been found : it may also lead to
      reveal a user's password to `ps` users. This is now fixed by using temporary files
      containing sed expressions (and sed's -f option).

    4) A new test has been added to check if 'echo' and '[' are built-in or not. If not,
      you'll be warned that the ldapscripts may not be safe to use (because these commands
      manipulate passwords when creating temporary files).

      -> [internals] New is_builtin() function

    Note that these flaws depend largely on your kernel configuration : hardened kernels
    should not be impacted (e.g. if you use security.bsd.see_other_[u|g]ids sysctls on
    FreeBSD). It may also depend on the version of OpenLDAP client commands you run.

    Thanks a lot to Don and Madcoder for their help !

  - Few fixes to avoid using non-standard 'if ! command's...

Fix: Patch attached with submission follows:
Comment 1 dfilter service freebsd_committer 2007-10-13 15:57:34 UTC
rafan       2007-10-13 14:57:21 UTC

  FreeBSD ports repository

  Modified files:
    net/ldapscripts      Makefile distinfo pkg-plist 
  - Update to 1.7.1
  PR:             ports/117152
  Submitted by:   Ganael Laplanche <ganael.laplanche at martymac.com> (maintainer)
  Security:       CVE-2007-5373
  Revision  Changes    Path
  1.7       +11 -1     ports/net/ldapscripts/Makefile
  1.6       +3 -3      ports/net/ldapscripts/distinfo
  1.7       +3 -0      ports/net/ldapscripts/pkg-plist
cvs-all@freebsd.org mailing list
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 2 Rong-En Fan freebsd_committer 2007-10-13 15:59:12 UTC
State Changed
From-To: open->closed

Committed. Thanks!
Comment 3 dfilter service freebsd_committer 2007-10-23 14:44:12 UTC
miwi        2007-10-23 11:12:42 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  - Document ldapscripts -- Command Line User Credentials Disclosure
  PR:             117152
  Submitted by:   Ganael Laplanche <ganael.laplanche at martymac.com> (maintainer/author)
  Reviewed by:    simon@
  Revision  Changes    Path
  1.1450    +32 -1     ports/security/vuxml/vuln.xml
cvs-all@freebsd.org mailing list
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"