Bug 117152 - [Maintainer update] net/ldapscripts -> v1.7.1
Summary: [Maintainer update] net/ldapscripts -> v1.7.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: FreeBSD Ports Bugs (Mailing List)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-13 13:50 UTC by ganael.laplanche
Modified: 2007-10-23 14:50 UTC

See Also:


Attachments
file.diff (4.29 KB, patch)
2007-10-13 13:50 UTC, ganael.laplanche

Description ganael.laplanche 2007-10-13 13:50:00 UTC
Fixes several security flaws (CVE-2007-5373) that may reveal the bind password and/or a user password to someone monitoring processes with `ps` while the scripts are being used.

See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373

Changelog:

2007/10/13 : ldapscripts 1.7.1
  - Fixes for CVE-2007-5373
    see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373
    and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445582

    1) Up to now, each ldap* command was called with the -w parameter, which allows one to
      specify the bind password on the command line. Unfortunately, this could make the
      password appear to anybody performing a `ps` during the call. This is now avoided
      by using the -y parameter and a password file.

      -> A new BINDPWDFILE option has been added: it specifies the path to the bind
      password file. This file can be created by something like
      `echo -n 'password' > $BINDPWDFILE`, and you can now safely remove (or comment) the
      BINDPWD parameter from your configuration file.

    2) Changing a user password could also reveal the new password on the command line,
      because of the use of ldappasswd's -s option. This has been fixed by using a temporary
      file containing the new password (and ldappasswd's -T option).

      -> [internals] New mktempf() and reltempf() functions have been added

    [For older versions of OpenLDAP, the -y and -T parameters may not be available. It is still
    possible to use the old BINDPWD parameter. Just uncomment it in the configuration file
    and comment the BINDPWDFILE parameter (which takes precedence over BINDPWD). The
    ldapscripts will just behave as previously and use inline -w and -s parameters, warning
    you that this is not a secure way of running them.]

    3) A similar problem related to sed expressions has been found: it may also reveal
      a user's password to `ps` users. This is now fixed by using temporary files
      containing sed expressions (and sed's -f option).

    4) A new test has been added to check if 'echo' and '[' are built-in or not. If not,
      you'll be warned that the ldapscripts may not be safe to use (because these commands
      manipulate passwords when creating temporary files).

      -> [internals] New is_builtin() function

    Note that these flaws depend largely on your kernel configuration: hardened kernels
    should not be impacted (e.g. if you use the security.bsd.see_other_[u|g]ids sysctls on
    FreeBSD). It may also depend on the version of the OpenLDAP client commands you run.

    Thanks a lot to Don and Madcoder for their help!

  - A few fixes to avoid using the non-standard `if ! command` construct...

Fix: Patch attached with submission follows:
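The four changes described in the changelog above, as an added example in portable sh (not ldapscripts' own code): the `is_builtin`, `mktempf` and `reltempf` names follow the changelog, while `bind_opts` and `safe_sed_replace` are illustrative names of my own; it assumes mktemp(1) is available and uses the shell's builtin printf rather than echo to write secrets.

```shell
#!/bin/sh
# Added example (not ldapscripts' own code): the changelog's fix patterns in
# portable sh. Assumes mktemp(1); no ldap* command is called, so it runs offline.

# 4) Is "$1" a shell builtin? An external echo/printf/[ would be spawned as a
#    process whose argument list (the secret) is visible to other users' ps.
is_builtin() {
    case "$(type "$1" 2>/dev/null)" in
        *"shell builtin"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 1)/2) Create a 0600 temp file holding "$1" and print its path. Only
#       builtins touch the secret, so it never becomes a command argument.
mktempf() {
    is_builtin printf || { echo "printf is not a builtin, refusing" >&2; return 1; }
    # umask 077 inside the substitution so the file is born unreadable to others
    _tmp=$(umask 077; mktemp "${TMPDIR:-/tmp}/ldapscripts.XXXXXX") || return 1
    printf '%s' "$1" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    printf '%s\n' "$_tmp"
}

reltempf() { rm -f "$1"; }

# Pick the bind option pair: BINDPWDFILE (-y) takes precedence over the
# legacy BINDPWD (-w), which puts the password in the argument list.
bind_opts() {
    if [ -n "$BINDPWDFILE" ] && [ -r "$BINDPWDFILE" ]; then
        printf '%s %s\n' -y "$BINDPWDFILE"
    elif [ -n "$BINDPWD" ]; then
        echo "warning: using -w, password visible to ps" >&2
        printf '%s %s\n' -w "$BINDPWD"
    else
        return 1
    fi
}

# 3) Run "s/$1/$2/" on stdin via sed -f, so a secret replacement string sits
#    in a 0600 file rather than in sed's argument list (no '/' in $1 or $2).
safe_sed_replace() {
    _script=$(mktempf "s/$1/$2/") || return 1
    sed -f "$_script"
    _rc=$?
    reltempf "$_script"
    return $_rc
}
```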
Comment 1 dfilter freebsd_committer 2007-10-13 15:57:34 UTC
rafan       2007-10-13 14:57:21 UTC

  FreeBSD ports repository

  Modified files:
    net/ldapscripts      Makefile distinfo pkg-plist 
  Log:
  - Update to 1.7.1
  
  PR:             ports/117152
  Submitted by:   Ganael Laplanche <ganael.laplanche at martymac.com> (maintainer)
  Security:       CVE-2007-5373
  
  Revision  Changes    Path
  1.7       +11 -1     ports/net/ldapscripts/Makefile
  1.6       +3 -3      ports/net/ldapscripts/distinfo
  1.7       +3 -0      ports/net/ldapscripts/pkg-plist
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 2 Rong-En Fan freebsd_committer 2007-10-13 15:59:12 UTC
State Changed
From-To: open->closed

Committed. Thanks!
Comment 3 dfilter freebsd_committer 2007-10-23 14:44:12 UTC
miwi        2007-10-23 11:12:42 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document ldapscripts -- Command Line User Credentials Disclosure
  
  PR:             117152
  Submitted by:   Ganael Laplanche <ganael.laplanche at martymac.com> (maintainer/author)
                  rafan@
  Reviewed by:    simon@
  
  Revision  Changes    Path
  1.1450    +32 -1     ports/security/vuxml/vuln.xml