Re: libnss-ldap/libpam-ldap security issue

Steve Langasek wrote:
> I think your memory is probably better than mine here, I didn't remember
> half of the details until I read them again in your message. :)
>
> So do we have some sort of reproducible parser crash in libldap here, then?
> Is there a bug report open about this (with Debian or upstream)?

Crash yes, I suspect not a parser bug though. Suspect it might be related to using the wrong certificates used in $HOME/.ldaprc for the server.

As it involves a number of packages, and in stable too, I wasn't sure where to file a bug report, or even if it is appropriate to file a bug report.

My main concern wasn't the crash though, it was the fact that I could override the certificates used for checking the remote LDAP server used for checking sudo passwords in the untrusted user's home directory.

Brian May

