Not sure about the security implications of this: (ITS#4587) PRIVATE: selfwrite access is broken Von: hyc@openldap.org An: openldap-its@openldap.org Datum: Di Jun 13 2006 03:17:01 +0200 Full_Name: Howard Chu Version: 2.3/HEAD OS: URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (24.126.120.178) Submitted by: hyc An ACL of the form access to dn.subtree="ou=groups,dc=example,dc=com" attr=member by * selfwrite is intended to only allow users to add/delete their own DN to the target attribute. Currently it allows any DNs to be modified.
Public now http://secunia.com/advisories/21721/ "Description: Howard Chu has reported a security issue in OpenLDAP, which can be exploited by malicious users to bypass certain security restrictions. The security issue is caused due to an error within the Access Control List processing. If a user has "selfwrite" access to an attribute, this can be exploited to modify arbitrary values of the attribute. Solution: Update to version 2.3.25." Note for the GLSA : according to secunia, only the 2.3.x branch is vulnerable, don't forget to add the other series as "unaffected".
.27 is in the tree now, I'd recommend just updating to that.
Arches please test and mark stable. Target keywords are: openldap-2.3.27.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
1) emerges fine so far QA Notice: pre-stripped files found: /var/tmp/portage/openldap-2.3.27/image/usr/bin/ldapdelete /var/tmp/portage/openldap-2.3.27/image/usr/bin/ldapmodify /var/tmp/portage/openldap-2.3.27/image/usr/bin/ldapmodrdn /var/tmp/portage/openldap-2.3.27/image/usr/bin/ldappasswd /var/tmp/portage/openldap-2.3.27/image/usr/bin/ldapsearch /var/tmp/portage/openldap-2.3.27/image/usr/bin/ldapwhoami /var/tmp/portage/openldap-2.3.27/image/usr/bin/ldapcompare /var/tmp/portage/openldap-2.3.27/image/usr/lib/openldap/slapd /var/tmp/portage/openldap-2.3.27/image/usr/lib/openldap/slurpd 2) passes collision test 3) passes test suite 4) starts up Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686) ================================================================= System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.12.5 Last Sync: Mon, 18 Sep 2006 20:20:01 +0000 app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.2.11-r1 dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Folks, For ppc64, with USE="sasl slp kerberos crypt odbc samba" I get the following failure: * Building contributed smbk5pwd ../../../libtool --mode=compile gcc -O2 -pipe -mtune=power5 -mcpu=power5 -DDO_SAMBA -DDO_KRB5 -I../../../include -I../../../servers/slapd -c smbk5pwd.c mkdir .libs gcc -O2 -pipe -mtune=power5 -mcpu=power5 -DDO_SAMBA -DDO_KRB5 -I../../../include -I../../../servers/slapd -c smbk5pwd.c -fPIC -DPIC -o .libs/smbk5pwd.o smbk5pwd.c:45:25: kadm5/admin.h: No such file or directory smbk5pwd.c:46:17: hdb.h: No such file or directory smbk5pwd.c:56: error: syntax error before "conf" smbk5pwd.c:56: warning: data definition has no type or storage class smbk5pwd.c:57: error: syntax error before '*' token smbk5pwd.c:57: warning: data definition has no type or storage class smbk5pwd.c: In function `k5key_chk': smbk5pwd.c:275: error: `krb5_salt' undeclared (first use in this function) smbk5pwd.c:275: error: (Each undeclared identifier is reported only once smbk5pwd.c:275: error: for each function it appears in.) smbk5pwd.c:275: error: syntax error before "salt" smbk5pwd.c:276: error: `hdb_entry' undeclared (first use in this function) smbk5pwd.c:291: error: `Key' undeclared (first use in this function) smbk5pwd.c:291: error: syntax error before "ekey" smbk5pwd.c:296: error: `ent' undeclared (first use in this function) smbk5pwd.c:299: error: `salt' undeclared (first use in this function) smbk5pwd.c:306: error: `ekey' undeclared (first use in this function) smbk5pwd.c:308: error: `l' undeclared (first use in this function) smbk5pwd.c:309: error: request for member `master_key_set' in something not a structure or union smbk5pwd.c:317: error: structure has no member named `keyvalue' smbk5pwd.c:318: error: structure has no member named `keyvalue' smbk5pwd.c: At top level: smbk5pwd.c:323: error: syntax error before "while" smbk5pwd.c:324: error: syntax error before numeric constant smbk5pwd.c:324: warning: data definition has no type or storage class smbk5pwd.c: In function `smbk5pwd_exop_passwd': smbk5pwd.c:363: error: `hdb_entry' undeclared (first use in this function) smbk5pwd.c:363: error: syntax error before "ent" smbk5pwd.c:375: error: `ent' undeclared (first use in this function) smbk5pwd.c:405: error: `Key' undeclared (first use in this function) smbk5pwd.c: In function `smbk5pwd_modules_init': smbk5pwd.c:789: error: syntax error before '*' token smbk5pwd.c:829: error: `KADM5_ADMIN_SERVICE' undeclared (first use in this function) smbk5pwd.c:835: warning: assignment makes pointer from integer without a cast smbk5pwd.c:294: confused by earlier errors, bailing out make: *** [smbk5pwd.lo] Error 1 The above USE flags on a relatively clean system brings in app-crypt/mit-krb5 as a dependancy. If I remove mit-krb5 and emerge app-crypt/heimdal manually, then openldap builds fine. Can anyone else, specifically amd64, confirm this behavior? If so, should be dep heimdal rather than mit-krb5 or do we need to look into what's causing this?
The build problem mentioned in comment #5 was also a problem in the last security bug for openldap (bug #134010).
(In reply to comment #5) > For ppc64, with USE="sasl slp kerberos crypt odbc samba" I get the following > failure: x86 does not suffer from that combination (as expected).
(In reply to comment #7) > (In reply to comment #5) > > For ppc64, with USE="sasl slp kerberos crypt odbc samba" I get the following > > failure: > > x86 does not suffer from that combination (as expected). Damn, sent off that comment too early: x86 does suffer!
Unfortunately the krb problem is part of a larger thing and requires more time / access to setups that we don't have right now to fix. I'll see if i can devote some time to it shortly, but as I don't use krb stuff no promises. As mentioned it has been a problem for a while.
Hm, that's quite a drag. I had to migrate from heimdal to mit-krb5 quite some time ago because samba refused to build against it, and now it looks like I'll have to go back again? Definitely something that gives me the creeps. I need to be able to connect from my servers to the M$ world. This is a production environment I wouldn't want to touch lightly. Benjamin, any bug numbers or other info on the Kerberos problem so I can acquaint myself to it?
(In reply to comment #10) > Benjamin, any bug numbers or > other info on the Kerberos problem so I can acquaint myself to it? try: http://bugs.gentoo.org/show_bug.cgi?id=135238
Arches can you mark this one stable or should the issue be fixed first?
hmm.. the kerberos compile issue is a regression? if so, then I would definetly wait for it being fixed. if current stable version has the same behaviour then I would wait. can someone clarify?
As comment #6 mentions, this appears to be no regression. Otherwise I would have reverted back to ebuild status. I was just wondering why no arches marked stable in a week.
(In reply to comment #14) > As comment #6 mentions, this appears to be no regression. Otherwise I would > have reverted back to ebuild status. I was just wondering why no arches marked > stable in a week. > because ldap sucks? ^.^;; I think mostly we were all looking to see what was going/possibly happen with the build errors (at least I was on x86, as it was a not affected opps! we are situation. Will get to it tonight as I've already compiled it.
This appears to be a regression on SPARC from the currently stable version of OpenLDAP as it builds fine against both mit-krb5 and heimdal.
x86 is marked stable as I said I would do it.
Ok, since it is a regression on SPARC we'll go back to ebuild for a fix.
Added a useflag to make sure it has correct dependencies in case one wants to use the contributed smb/krb5 password setting overlay.
got the green light from jokey... arches please test openldap-2.3.27-r2 and mark stable if possible target KEYWORDS="alpha amd64 arm hppa mips ppc ppc64 sparc x86"
RED LIGHT! x86 is out for not stopping in time :( ^.^;;
ppc64 stable
ppc stable
SPARC stable.
- emerges fine on amd64 - passes collision-test - passes multilib-strict - works Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.18-ck1 x86_64) ================================================================= System uname: 2.6.18-ck1 x86_64 AMD Athlon(tm) 64 Processor 3000+ Gentoo Base System version 1.12.5 Last Sync: Sun, 08 Oct 2006 14:30:07 +0000 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ " LANG="en_US" LC_ALL="en_US" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/overlay" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="amd64 X a52 aac acpi alsa amr berkdb bitmap-fonts branding bzip2 cairo cdinstall cdparanoia cdr cli crypt cups dbus divx dlloader dri dvd dvdr dvdread elibc_glibc emboss encode expat fam ffmpeg firefox fortran gdbm gif glut gnutls gpm gstreamer gtk gtk2 hal imagemagick input_devices_evdev input_devices_keyboard isdnlog jpeg kernel_linux lcms ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection reiserfs rtc sdl session socks5 spl ssl svg symlink tcpd test tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU userlocales v4l v4l2 video_cards_fglrx vim-with-x vorbis wmp xfs xine xinerama xml xorg xv xvid zlib zvbi" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
amd64 is happy again
Stable on hppa.
alpha still missing
alpha stable.
security, pls vote
i vote no
arm stable
Hm, I somehow feels this one is just a little beyond the scope of the Gentoo Security Project. No++
agreed -> closing without GLSA after three votes against mips, pls don't forget to mark stable