Bug 155187

Summary: CVE-2007-5794 nss_ldap randomly replying with wrong user's data [rhel-4.7]
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: nss_ldapAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: high    
Version: 4.0CC: bressers, cward, jplans, jskrabal, mjc, omoris, psvredhat, srevivo, wtogami
Target Milestone: rcKeywords: OtherQA, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,source=redhat,reported=20050409,public=20050409
Fixed In Version: RHSA-2008-0715 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-24 19:55:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 201333, 252337, 367461    

Description Josh Bressers 2005-04-17 21:00:45 UTC 
+++ This bug was initially created as a clone of Bug #154314 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6)
Gecko/20050225 Firefox/1.0.1

Description of problem:
Second time already when I hear nss_ldap is replying with wrong results and
causing peoples' mails to be shown to wrong people:

http://www.dovecot.org/list/dovecot/2005-March/006345.html
http://www.dovecot.org/list/dovecot/2005-April/006859.html

Something should really be done about this. At the very least I'm adding a check
to make sure getpwnam() returns the same user name that is being requested, and
if not put out some huge warnings about something being broken..

Version-Release number of selected component (if applicable):


How reproducible:
Sometimes

Steps to Reproduce:
Install Dovecot with nss_pam enabled. Try logging in enough times with different
users and see how at some point it shows you wrong user's mailbox.


Additional info:
Comment 1 Peter Svensson 2006-04-15 10:32:07 UTC 
Can this be related to nss_ldap sometimes not closing the filedescriptors across
forks as it is supposed to do? That can cause all sorts of strange errors in the
returned data used by forking daemons. Sendmail suffers quite a bit from this.
Comment 14 RHEL Program Management 2007-05-09 11:23:43 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 15 Jose Plans 2007-06-11 15:26:24 UTC 
*** Bug 243715 has been marked as a duplicate of this bug. ***
Comment 23 Tomas Janousek 2007-12-20 16:27:11 UTC 
Just realized I've never posted this link:

The last and most reliable reproducer I have for this:
http://people.redhat.com/tjanouse/dovecot/154314/ldaptest2.c
Comment 30 Chris Ward 2008-06-16 08:42:52 UTC 
~~~~~~~~~~~~~~
~ Attention: ~ Immediate attention required for this ***High Priority*** bug.
~~~~~~~~~~~~~~

A fix for this issue should be included in the latest packages contained in
**RHEL4.7-Snapshot2**, accessible now on http://partners.redhat.com.

After you (Red Hat Partner) have verified that this issue has been addressed,
submit a comment describing the results of your test in appropriate detail,    
 along with which snapshot and package version tested. The bugzilla will be
updated by Red Hat Quality Engineering for you when this information has been  
    received.

If this issue has not been properly fixed or you are unable to verify the issue
for any reason, please add a comment describing the most recent issues you are
experiencing, along with which snapshot and package version tested. If you are
sure the bug has not been fixed, change the status of the bug to ASSIGNED.

For IssueTracker users, submit verification results as usual; Bugzilla will be
updated by Red Hat Quality Engineering for you.

For additional information, contact your Partner Manager.

Thank you,
Red Hat QE Partner Management
Comment 34 RHEL Program Management 2008-06-16 09:21:15 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 36 RHEL Program Management 2008-06-18 15:49:41 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 38 errata-xmlrpc 2008-07-24 19:55:29 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0715.html
Comment 42 Chris Ward 2008-07-29 07:27:00 UTC 
Partners, I would like to thank you all for your participation in assuring the
quality of this RHEL 4.7 Update Release. My hat's off to you all. Thanks.