The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


GLSA: nss_ldap


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Sun, 13 Oct 2002 14:43:50 +0200
From: Daniel Ahlberg <[email protected]>
To: [email protected]
Subject: GLSA: nss_ldap

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE ═ ═ ═ ═:nss_ldap
SUMMARY ═ ═ ═ ═:Buffer overflow
DATE ═ ═ ═ ═ ═ :2002-10-13 12:45 UTC

- - --------------------------------------------------------------------

Buffer overflow in the DNS SRV code for nss_ldap before nss_ldap-198 
allows remote attackers to cause a denial of service and possibly 
execute arbitrary code.

DETAIL

When versions of nss_ldap prior to nss_ldap-198 are configured 
without a value for the "host" setting, nss_ldap will attempt to 
configure itself by using SRV records stored in DNS.  When parsing the 
results of the DNS query, nss_ldap does not check that the data 
returned by the server willfit into an internal buffer, leaving it 
vulnerable to a buffer overflow. The Common Vulnerabilities and 
Exposures project (cve.mitre.org) has assigned the name CAN-2002-0825 
to this issue.

When versions of nss_ldap prior to nss_ldap-199 are configured 
without a value for the "host" setting, nss_ldap will attempt to 
configure itself by using SRV records stored in DNS.  When parsing 
the results of the DNS query, nss_ldap does not check that the data 
returned has not been truncated by the resolver libraries to avoid a 
buffer overflow, and may attempt to parse more data than is actually 
available, leaving it vulnerable to a read buffer overflow.

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-libs/nss_ldap-174-r2 and earlier update their systems
as follows:

emerge rsync
emerge nss_ldap
emerge clean

- - --------------------------------------------------------------------
[email protected] - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9qWqGfT7nyhUpoZMRAl5/AJ9OguSgjT472Jc3wPhXSBZA8k8YcwCeMNDj
ZEvGURfhv4eJwk0ZYFUiCWo=
=7SpP
-----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру