Date:      Sat, 13 Oct 2007 12:49:52 GMT
From:      Ganael Laplanche <ganael.laplanche@martymac.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/117152: [Maintainer update] net/ldapscripts -> v1.7.1
Message-ID:  <200710131249.l9DCnqQ8010056@www.freebsd.org>
Resent-Message-ID: <200710131250.l9DCo0O0083556@freefall.freebsd.org>


>Number:         117152
>Category:       ports
>Synopsis:       [Maintainer update] net/ldapscripts -> v1.7.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 13 12:50:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Ganael Laplanche
>Release:        6.2-STABLE
>Organization:
http://contribs.martymac.com
>Environment:
FreeBSD camembert.sis.pasteur.fr 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Oct  5 16:13:13 CEST 2007     root@camembert.sis.pasteur.fr:/usr/src/sys/amd64/compile/MYKERNEL  amd64
>Description:
Fixes several security flaws (CVE-2007-5373) that may reveal the bind password and/or a user password to someone monitoring processes with `ps` while the scripts are being used.

See : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373

Changelog :

2007/10/13 : ldapscripts 1.7.1
  - Fixes for CVE-2007-5373
    see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373
    and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445582

    1) Up to now, each ldap* command was called with the -w parameter, which allows the
      bind password to be specified on the command line. Unfortunately, this could make the
      password visible to anybody running `ps` during the call. This is now avoided
      by using the -y parameter and a password file.

      -> A new BINDPWDFILE option has been added : it specifies the path to the bind
      password file. This file can be created by something like :
      'echo -n 'password' > $BINDPWDFILE' and you can now safely remove (or comment) the
      BINDPWD parameter from your configuration file.

    2) Changing a user password could also reveal the new password on the command line,
      because of the use of ldappasswd's -s option. This has been fixed by using a temporary
      file containing the new password (and ldappasswd's -T option).

      -> [internals] New mktempf() and reltempf() functions have been added

    [For older versions of OpenLDAP, the -y and -T parameters may not be available. It is still
    possible to use the old BINDPWD parameter. Just uncomment it in the configuration file
    and comment out the BINDPWDFILE parameter (which takes precedence over BINDPWD). The
    ldapscripts will then behave as previously and use the inline -w and -s parameters, warning
    you that this is not a secure way of running them.]

    3) A similar problem related to sed expressions has been found: it may also reveal a
      user's password to `ps` users. This is now fixed by using temporary files
      containing the sed expressions (and sed's -f option).

    4) A new test has been added to check whether 'echo' and '[' are built-in or not. If not,
      you'll be warned that the ldapscripts may not be safe to use (because these commands
      manipulate passwords when creating the temporary files).

      -> [internals] New is_builtin() function

    Note that these flaws depend largely on your kernel configuration : hardened kernels
    should not be impacted (e.g. if you use security.bsd.see_other_[u|g]ids sysctls on
    FreeBSD). It may also depend on the version of OpenLDAP client commands you run.

    Thanks a lot to Don and Madcoder for their help !

  - A few fixes to avoid using the non-standard 'if ! command' form...
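The four changelog items above describe one defensive pattern: never let a secret travel through the argument vector of an external process. The following POSIX sh script is an added illustration of that pattern and is not code from ldapscripts or from this PR; the function names is_builtin, mktempf and reltempf mirror the changelog, but their bodies, the check_builtins helper, the ldif_with_password helper and the constructed sample DN and passwords are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of ldapscripts or this PR: the defensive patterns
# behind the 1.7.1 changes as standalone POSIX sh functions. The helper
# bodies are an assumption of how such helpers can be written.

# is_builtin NAME: succeed if NAME is a shell builtin. A builtin runs inside
# the shell process, so its arguments never land in a separate process's
# argv where `ps` could display them; an external /bin/echo would expose them.
is_builtin() {
    case "$(type "$1" 2>/dev/null)" in
        *'shell builtin'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_builtins: fail (with a warning) if any command that will handle a
# secret is external. Mirrors the changelog's new test for 'echo' and '['.
check_builtins() {
    for cmd in echo printf '['; do
        if ! is_builtin "$cmd"; then
            echo "warning: '$cmd' is not a builtin; secrets given to it would be visible to ps" >&2
            return 1
        fi
    done
    return 0
}

# mktempf SECRET: write SECRET to a fresh 0600 temporary file and print the
# path. The secret reaches the file through a builtin plus a redirection,
# so it is never part of any external command line.
mktempf() {
    _secret=$1
    # umask in a subshell so the restrictive mask does not leak to the caller
    _f=$(umask 077 && mktemp "${TMPDIR:-/tmp}/ldapsecret.XXXXXX") || return 1
    printf '%s' "$_secret" > "$_f" || { rm -f "$_f"; return 1; }
    printf '%s\n' "$_f"
}

# reltempf PATH: release the temporary secret file as soon as the command
# that read it has returned, so the secret does not linger in /tmp.
reltempf() {
    rm -f "$1"
}

# ldif_with_password DN PASSWORD: emit an LDIF modify entry for DN with the
# new password substituted into a template. The sed expression carrying the
# password is read with `sed -f` from a 0600 temp file (fix 3 above) instead
# of being passed as a `sed -e` argument that `ps` could show.
# Assumption of this example: PASSWORD contains no '|', '&', '\' or newline.
ldif_with_password() {
    _dn=$1; _pw=$2
    _expr=$(mktempf "s|@PASSWORD@|$_pw|") || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: @PASSWORD@\n' "$_dn" \
        | sed -f "$_expr"
    _rc=$?
    reltempf "$_expr"
    return $_rc
}

# Stand-alone demonstration with constructed values.
if check_builtins; then
    f=$(mktempf 'constructed-bind-password')
    echo "bind password file: $f ($(ls -l "$f" | cut -c1-10))"
    # A real caller would now run e.g.: ldapsearch -x -D "$BINDDN" -y "$f" ...
    reltempf "$f"
fi
ldif_with_password 'uid=alice,ou=People,dc=example,dc=com' 'constructed-new-password'
```

The file-based handoff only helps if the file itself is unreadable to others, which is why mktempf sets umask 077 before mktemp rather than chmod-ing afterwards: there is no window during which the file exists with a wider mode. The same reasoning applies to the BINDPWDFILE the port installs with mode 0440.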

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -aurN ldapscripts.orig/Makefile ldapscripts/Makefile
--- ldapscripts.orig/Makefile	2007-09-05 17:47:54.000000000 +0200
+++ ldapscripts/Makefile	2007-10-13 14:28:24.000000000 +0200
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	ldapscripts
-PORTVERSION=	1.7
+PORTVERSION=	1.7.1
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE} \
 		http://contribs.martymac.com/ldapscripts/
@@ -46,6 +46,7 @@
 	${REINPLACE_CMD} -E -e "s|^_RUNTIMEFILE=.*|_RUNTIMEFILE=\"${ETCDIR}/runtime\"|g" ${WRKSRC}/bin/*
 	${REINPLACE_CMD} -E -e "s|^_CONFIGFILE=.*|_CONFIGFILE=\"${ETCDIR}/ldapscripts.conf\"|g" ${WRKSRC}/etc/runtime
 
+	${REINPLACE_CMD} -E -e "s|^BINDPWDFILE=.*|BINDPWDFILE=\"${ETCDIR}/ldapscripts.passwd\"|g" ${WRKSRC}/etc/ldapscripts.conf
 	${REINPLACE_CMD} -E -e "s|^LDAPSEARCHBIN=.*|LDAPSEARCHBIN=\"${PREFIX}/bin/ldapsearch\"|g" ${WRKSRC}/etc/ldapscripts.conf
 	${REINPLACE_CMD} -E -e "s|^LDAPADDBIN=.*|LDAPADDBIN=\"${PREFIX}/bin/ldapadd\"|g" ${WRKSRC}/etc/ldapscripts.conf
 	${REINPLACE_CMD} -E -e "s|^LDAPDELETEBIN=.*|LDAPDELETEBIN=\"${PREFIX}/bin/ldapdelete\"|g" ${WRKSRC}/etc/ldapscripts.conf
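Review bot: the added REINPLACE line only rewrites a line that already begins with `BINDPWDFILE=` in the shipped ldapscripts.conf; the changelog says BINDPWD and BINDPWDFILE are switched by commenting one and uncommenting the other, so if upstream ships `#BINDPWDFILE=...` the anchored `^BINDPWDFILE=` pattern matches nothing, the packaged default silently stays and the build does not fail. Worth confirming that the 1.7.1 conf has an active `BINDPWDFILE=` line, or anchoring the pattern as `^#?BINDPWDFILE=` so the ${ETCDIR} path is substituted either way.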
@@ -77,9 +78,15 @@
 
 	${MKDIR} ${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/etc/ldapscripts.conf ${ETCDIR}/ldapscripts.conf.sample
+	${CHMOD} 0440 ${ETCDIR}/ldapscripts.conf.sample
 	if [ ! -f ${ETCDIR}/ldapscripts.conf ]; then \
 		${CP} -p ${ETCDIR}/ldapscripts.conf.sample ${ETCDIR}/ldapscripts.conf; \
 	fi
+	${INSTALL_DATA} ${WRKSRC}/etc/ldapscripts.passwd ${ETCDIR}/ldapscripts.passwd.sample
+	${CHMOD} 0440 ${ETCDIR}/ldapscripts.passwd.sample
+	if [ ! -f ${ETCDIR}/ldapscripts.passwd ]; then \
+		${CP} -p ${ETCDIR}/ldapscripts.passwd.sample ${ETCDIR}/ldapscripts.passwd; \
+	fi
 	${INSTALL_DATA} ${WRKSRC}/etc/runtime ${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/etc/ldapaddgroup.template.sample ${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/etc/ldapadduser.template.sample ${ETCDIR}
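Review bot: `${INSTALL_DATA}` installs both sample files with its default (world-readable) mode and only the following `${CHMOD} 0440` narrows them, so ldapscripts.passwd.sample is briefly readable by everyone; passing the mode at install time (`${INSTALL} ... -m 0440` in place of `${INSTALL_DATA}` for these two lines) removes that window. Also note that `${CP} -p` carries the 0440 mode to the live ldapscripts.passwd but ownership remains the installer's (root:wheel), so the scripts cannot read the file as any other user until the chgrp from pkg-message is done; consistent with the message, just worth stating in the PR description.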
@@ -97,4 +104,7 @@
 	${INSTALL_MAN} ${WRKSRC}/man/man1/* ${MAN1PREFIX}/man/man1
 	${INSTALL_MAN} ${WRKSRC}/man/man5/* ${MAN5PREFIX}/man/man5
 
+post-install:
+	@${CAT} ${PKGMESSAGE}
+
 .include <bsd.port.mk>
diff -aurN ldapscripts.orig/distinfo ldapscripts/distinfo
--- ldapscripts.orig/distinfo	2007-09-05 17:47:54.000000000 +0200
+++ ldapscripts/distinfo	2007-10-13 13:52:04.000000000 +0200
@@ -1,3 +1,3 @@
-MD5 (ldapscripts-1.7.tgz) = 6d2322170707e8dd28897aa5b20d061d
-SHA256 (ldapscripts-1.7.tgz) = 6dade33e3660c456bd4fbf1cdba465401d1c9f7b0862c1ed8b1d04cffb51d16f
-SIZE (ldapscripts-1.7.tgz) = 24470
+MD5 (ldapscripts-1.7.1.tgz) = 33cc2ef99cc70d9dc9a89a1955aa765c
+SHA256 (ldapscripts-1.7.1.tgz) = 73c4154f80ca61ea133811cdff8097643690422879a27ae62b1df35b42cbc7a9
+SIZE (ldapscripts-1.7.1.tgz) = 26149
diff -aurN ldapscripts.orig/pkg-message ldapscripts/pkg-message
--- ldapscripts.orig/pkg-message	1970-01-01 01:00:00.000000000 +0100
+++ ldapscripts/pkg-message	2007-10-13 14:24:43.000000000 +0200
@@ -0,0 +1,19 @@
+
+===============================================================
+
+ Security warning :
+
+ For security reasons, ldapscripts.conf and ldapscripts.passwd
+ files are now set read-only for user and group owners. Do not
+ forget to fine-tune ownership of these two files before using
+ the scripts (and to make them read-only if they are not).
+
+ e.g. : chmod 0440 ${ETCDIR}/ldapscripts.conf
+        chgrp ldapadmins ${ETCDIR}/ldapscripts.conf
+        chmod 0440 ${ETCDIR}/ldapscripts.passwd
+        chgrp ldapadmins ${ETCDIR}/ldapscripts.passwd
+
+ The ldapscripts are now installed, enjoy !
+
+===============================================================
+
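Review bot: `${ETCDIR}` in the example commands will be shown literally to users, since a static pkg-message is displayed as-is; it is only substituted when the file is listed in `SUB_FILES`, and the substitution syntax there is `%%ETCDIR%%`, not `${ETCDIR}`. Either spell the real path out in the message, or add `SUB_FILES= pkg-message` (with ETCDIR in SUB_LIST if it is not already, and `PKGMESSAGE= ${WRKDIR}/pkg-message`) and write `%%ETCDIR%%/ldapscripts.conf` and `%%ETCDIR%%/ldapscripts.passwd` in the four example lines.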
diff -aurN ldapscripts.orig/pkg-plist ldapscripts/pkg-plist
--- ldapscripts.orig/pkg-plist	2007-09-05 17:47:54.000000000 +0200
+++ ldapscripts/pkg-plist	2007-10-13 14:31:37.000000000 +0200
@@ -1,6 +1,9 @@
 @unexec if cmp -s %D/%%ETCDIR%%/ldapscripts.conf.sample %D/%%ETCDIR%%/ldapscripts.conf; then rm -f %D/%%ETCDIR%%/ldapscripts.conf; fi
 %%ETCDIR%%/ldapscripts.conf.sample
 @exec if [ ! -f %D/%%ETCDIR%%/ldapscripts.conf ] ; then cp -p %D/%F %B/ldapscripts.conf; fi
+@unexec if cmp -s %D/%%ETCDIR%%/ldapscripts.passwd.sample %D/%%ETCDIR%%/ldapscripts.passwd; then rm -f %D/%%ETCDIR%%/ldapscripts.passwd; fi
+%%ETCDIR%%/ldapscripts.passwd.sample
+@exec if [ ! -f %D/%%ETCDIR%%/ldapscripts.passwd ] ; then cp -p %D/%F %B/ldapscripts.passwd; fi
 %%ETCDIR%%/runtime
 %%ETCDIR%%/ldapaddgroup.template.sample
 %%ETCDIR%%/ldapadduser.template.sample
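Review bot: the `@unexec` line removes the live ldapscripts.passwd only while it still matches the sample, so once an administrator has stored the real bind password in it, deinstalling the port leaves that secret behind in %%ETCDIR%%. That is the same policy the plist already applies to ldapscripts.conf (which can hold BINDPWD), so it is consistent, but since the new file exists solely to hold a password it is worth a sentence in pkg-message telling users that a modified ldapscripts.passwd is kept on deinstall and should be removed by hand.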


>Release-Note:
>Audit-Trail:
>Unformatted:
