From ${URL} :

An array index error, leading to stack-based buffer overflow flaw was found in the way nss-pam-ldapd, a PAM and nsswitch module which uses directory servers, performed management of file descriptors when performing file descriptors activity wait. An attacker could use this flaw to cause processes with a large number of opened file descriptors, that performed name lookups to crash or, potentially, execute arbitrary code with the privileges of the user running the process.

Upstream advisory:
[1] http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
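The report above describes an out-of-bounds array index while waiting for descriptor activity in a process with many open files. The following is an added example, not code from nss-pam-ldapd or its patch; it assumes the wait is a select()-style wait on an fd_set, which the report does not spell out, and shows the range check that keeps FD_SET() in bounds next to a poll()-based wait that has no fixed-size bitmap. All function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* select()-based wait. FD_SET() indexes a fixed bitmap of FD_SETSIZE bits, so
 * the range check must come before it; without the check, a descriptor
 * >= FD_SETSIZE writes past the end of the stack-allocated fd_set. */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { .tv_sec = timeout_ms / 1000,
                          .tv_usec = (timeout_ms % 1000) * 1000 };

    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;              /* refuse instead of corrupting the stack */
        return -1;
    }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, &tv);
}

/* poll()-based wait: the descriptor is passed by value in a struct, so there
 * is no bitmap to overrun and descriptors above FD_SETSIZE work. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&p, 1, timeout_ms);

    if (rc > 0 && (p.revents & POLLNVAL)) {
        errno = EBADF;               /* descriptor is not open */
        return -1;
    }
    return rc;
}

/* Constructed scenario: duplicate a descriptor onto a number >= FD_SETSIZE,
 * as in a process with many open files. Returns the new descriptor, or -1
 * if the resource limit cannot be raised far enough. */
int dup_above_fd_setsize(int fd)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != rl.rlim_max) {
        rl.rlim_cur = rl.rlim_max;
        (void)setrlimit(RLIMIT_NOFILE, &rl);
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}
```

With the guard in place the select() variant fails cleanly for a high descriptor, while the poll() variant reports it readable.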
patch doesn't apply against 0.8.12, asking for one or for a .13 release (emailed dev).
On Mon, 2013-02-18 at 15:13 -0600, Matthew Thode wrote:
> I was wondering if you had a patch that could be applied to 0.8.12 or if
> 0.8.13 would be released any time soon because of the CVE. This doesn't
> apply against 0.8.12 unfortunately.
>
> http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81

Both 0.8.11 and 0.8.12 are not vulnerable to this issue. This issue was found and fixed a while back and only later it was discovered to have security implications.

Thanks,

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --

invalid for the packages in tree?
(In reply to comment #2)
> invalid for the packages in tree?

yes, is just to track the issue