Re: libnss-ldap/libpam-ldap security issue

To: debian-devel@lists.debian.org
Subject: Re: libnss-ldap/libpam-ldap security issue
From: Brian May <brian@microcomaustralia.com.au>
Date: Sun, 22 Jun 2008 10:20:18 +1000
Message-id: <[🔎] 485D9AC2.2000000@microcomaustralia.com.au>
In-reply-to: <[🔎] 20080621233931.GA23767@dario.dodds.net>
References: <[🔎] 484E036C.9050601@snoopy.debian.net> <[🔎] 87fxrl7fj6.fsf@windlord.stanford.edu> <[🔎] 20080621233931.GA23767@dario.dodds.net>

Steve Langasek wrote:

I think your memory is probably better than mine here, I didn't remember
half of the details until I read them again in your message. :)

So do we have some sort of reproducible parser crash in libldap here, then?
Is there a bug report open about this (with Debian or upstream)?

Crash yes, I suspect not a parser bug though. Suspect it might berelated to using the wrong certificates used in $HOME/.ldaprc for theserver.

As it involves a number of packages and in stable too, I wasn't surewhere to file a bug report, or even if it is appropriate to file bug report.

My main concern wasn't the crash though, it was the fact that I couldoverride the certificates used for checking the remote LDAP server usedfor checking sudo passwords in the untrusted user's home directory.


Brian May

Reply to:

References:
- libnss-ldap/libpam-ldap security issue
  - From: Brian May <bam@snoopy.debian.net>
- Re: libnss-ldap/libpam-ldap security issue
  - From: Russ Allbery <rra@debian.org>
- Re: libnss-ldap/libpam-ldap security issue
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Re: libnss-ldap/libpam-ldap security issue
Next by Date: Re: divergence from upstream as a bug
Previous by thread: Re: libnss-ldap/libpam-ldap security issue
Next by thread: Mien phi lap dat ADSL va DTCD. Tang Modem va dien thoai
Index(es):
- Date
- Thread