Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 96767 - sys-auth/{pam_ldap|nss_ldap} not using tls for referred connections
Summary: sys-auth/{pam_ldap|nss_ldap} not using tls for referred connections
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2005-06-22 03:11 UTC by rob holland (RETIRED)
Modified: 2005-07-14 03:21 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

tls patch for referrals for nss_ldap (nss_ldap.patch,1022 bytes, patch)
2005-07-03 15:42 UTC, rob holland (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description rob holland (RETIRED) gentoo-dev 2005-06-22 03:11:43 UTC
pam_ldap will send credentials in plaintext if a slave ldap server refers it to a master server during a password change operation. The ldap.conf "ssl start_tls" setting is not enforced on referrals (and openldap doesn't currently allow it due to a bug).

Worst case is that server admins are not enforcing tls server-side, in which case passwd will appear to work fine, but will be sending stuff over the wire in plaintext.

Two patches are needed to fix this, one for pam_ldap to request tls on referrals, and one for openldap to accept the request.
Comment 1 rob holland (RETIRED) gentoo-dev 2005-06-22 03:13:53 UTC
setting upstream as fixes have been filed in the relevant bug systems.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-22 03:35:51 UTC
Cleaning up :)
Comment 3 rob holland (RETIRED) gentoo-dev 2005-06-28 03:37:21 UTC
Can we please being carrying this patch in the ebuilds? Upstream aren't
responding and this is a serious issue.
Comment 4 rob holland (RETIRED) gentoo-dev 2005-06-28 03:54:45 UTC
s/being/begin/ :)

adding robbat2 as this needs openldap lovin as well.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-06-29 13:25:13 UTC
Candidate: CAN-2005-2069
Reference: MISC:
Reference: MISC:

pam_ldap and OpenLDAP, when connecting to a slave using TLS, does not
use TLS for the subsequent connection if the client is referred to a
master, which causes a password to be sent in cleartext and allows
remote attackers to sniff the password.

Robin: please patch (or comment)
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-07-03 11:55:47 UTC
could security please check the code in nss_ldap as well, as it shares code 
with pam_ldap last I checked, and thus may be vulnerable to the same problem.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-07-03 12:10:56 UTC
pam_ldap is patched now.
both 176-r1 and 178-r1 have the patch.
Could arches please test 178-r1, and if it works, stable it. If it doesn't 
work, try 176-r1 instead.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-07-03 12:16:08 UTC
openldap is patched now.
2.1.30-r5 and 2.2.27-r1 have the patch.
2.1.30-r5 is the ebuild that should go stable. 
2.2.27-r1 (and the 2.2 series in general) will be considered for stable in 30 
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-07-03 12:16:29 UTC
Updating the package name :) 
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-03 15:12:38 UTC
Dear arches, please test sys-auth/pam_ldap-178-r1 and mark stable if possible
(if it fails, try 176-r1).
Please also try to mark openldap-2.1.30-r5 stable, thanks.
Comment 11 rob holland (RETIRED) gentoo-dev 2005-07-03 15:41:10 UTC
good call wrt nss_ldap. untested patch follows. if there are problems I'll try
to fix first thing tomorrow.
Comment 12 rob holland (RETIRED) gentoo-dev 2005-07-03 15:42:11 UTC
Created attachment 62564 [details, diff]
tls patch for referrals for nss_ldap
Comment 13 rob holland (RETIRED) gentoo-dev 2005-07-04 02:09:02 UTC
pam_ldap/nss_ldap ebuilds which have the tls problem fixed must DEPEND on
openldap ebuilds with the revelent library fix, otherwise they won't function.
Comment 14 Andrea Barisani (RETIRED) gentoo-dev 2005-07-04 03:41:37 UTC
Well nss_ldap doesn't performs updates, so I don't think it's affected by this issue.
Comment 15 Andrea Barisani (RETIRED) gentoo-dev 2005-07-04 03:45:46 UTC
Ok as rob pointed out referrals are used not only for updates but for subtrees as ignore me ;)
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 06:15:14 UTC
lcars: any reason to clear our precious status whiteboard ?
Comment 17 Andrea Barisani (RETIRED) gentoo-dev 2005-07-04 06:17:17 UTC
Sorry :/ blame /usr/bin/links. I'll be more careful in the future (but honestly it
was impossible to spot without a post-commit review). links--
Comment 18 Jason Wever (RETIRED) gentoo-dev 2005-07-04 15:40:02 UTC
pam_ldap-178-r1 and and openldap-2.1.30-r5 stable on sparc.
Comment 19 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-07-06 13:08:18 UTC
Stable on ppc.
Comment 20 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-07-06 16:47:29 UTC
ok, nss_ldap is patched as well now. Hopefully there is nothing else affected by
this bug. sorry about the delay.

please test nss_ldap-239-r1 first, but if that doesn't work, test 226-r1 instead.

sparc/ppc: sorry to bring you back, but ^^^^
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2005-07-07 03:37:04 UTC
openldap-2.1.30-r5: stable on ppc64
pam_ldap-178-r1: was never marked ppc64 in any way -> added ~ppc64
nss_ldap-239-r1: versions after 226 didn't compile, this one works again ->
added ~ppc64

I'll mark those packages with ~ppc64 stable in 30 days, if no errors occur.
Comment 22 Jason Wever (RETIRED) gentoo-dev 2005-07-09 05:48:19 UTC
Stable on SPARC
Comment 23 Simon Stelling (RETIRED) gentoo-dev 2005-07-11 05:03:44 UTC
amd64 stable
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-07-13 07:16:24 UTC
GLSA is ready to go...

hppa,x86: please test and mark stable pam_ldap-178-r1 and nss_ldap-239-r1 (or

ppc: please test and mark stable nss_ldap-239-r1 (or 226-r1)

ppc64 : we'll need it for the GLSA before the 30 days period, as current stable
version is affected and the GLSA must go out. So please test and mark stable
nss_ldap-239-r1 if you can.
Comment 25 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-07-13 07:42:56 UTC
Stable on hppa and ppc.
Comment 26 rob holland (RETIRED) gentoo-dev 2005-07-13 08:42:26 UTC
stable on x86
Comment 27 Markus Rothe (RETIRED) gentoo-dev 2005-07-13 13:24:28 UTC
oh.. I didn't thought about that. nss_ldap-239-r1 is stable now on ppc64. sorry
for the delay...
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-07-13 13:35:20 UTC
Should be ready for GLSA
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-07-14 03:21:24 UTC
GLSA 200507-13
(Removed misc arches tat did not have those packages keyworded anyway)