RHBA-2011:0097 - Bug Fix Advisory

Topic

An updated nss_ldap package that fixes multiple bugs is now available for Red
Hat Enterprise Linux 5.

Description

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap
module is a plug-in which allows applications to retrieve information about
users and groups from a directory server. The pam_ldap module allows a directory
server to be used by PAM-aware applications to verify user passwords.

This update fixes the following bugs:

• When looking up host names and addresses, the 'gethostbyname_r' function did

not return a proper value for the 'errno_p' parameter when the length of the
name or the address was less than was required. This resulted in the host name
and the address being overlooked and not returned. With this update, the
aforementioned function has been fixed and works as expected. (BZ#468807)

• Under certain conditions, an application which spawned a new child process

would begin exhibiting undefined behavior. This was caused by the 'free()'
function being called in the 'fork()' function which resulted in a race and hung
the application. This update fixes the race issue and the application no longer
hangs. (BZ#474181)

• Prior to this update, some processes would trigger SELinux policy denials when

attempting to use a connection to a directory server which its parent process
had opened. This was caused by a leaked file descriptor. With this update, file
descriptors are no longer leaked, thus, SELinux policy denials are no longer
triggered. (BZ#500397)

• When using pluggable authentication modules (PAM), selected modules can be

loaded and unloaded upon each authentication attempt. However, unloading the
pam_ldap module could cause the memory that is allocated by libraries on which
it depends to be lost. Consequent to this, multiple authentication attempts may
have led to a significant memory loss. To prevent this, the pam_ldap module is
no longer unloaded. (BZ#511238)

• When authenticating users using a directory server which provides a password

aging policy, a user whose password will expire in less than a day would not be
warned of the impending expiration. With this update, a password expiry warning
is shown that reminds the user of the impending password expiration. (BZ#537358)

• When the "/etc/ldap.conf" configuration file contained an incomplete

configuration or a setting with too large a value, a process which attempted to
use nss_ldap could crash. With this update, a crash no longer occurs and an
appropriate error is returned. (BZ#538498)

• Adding a large amount of users (multiple kilobytes of usernames) to the

'nss_initgroups_ignoreusers' option in the "/etc/ldap.conf" configuration file
resulted in an "Assertion failed" error when executing any nss_ldap related
commands. With this update, adding multiple users to the
'nss_initgroups_ignoreusers' option works as expected. (BZ#584157)

• When an LDAP context has been established, obtaining the list of groups a user

belongs to could result in a memory leak. With this update, a patch has been
applied to address this issue, and such memory leaks no longer occur.
(BZ#654650)

• Under certain circumstances, the nss_ldap module may have been unable to

correctly process LDAP entries with a large number of group members. This was
due to an error number being accidentally overwritten before the control was
returned to the caller. When this happened, various utilities failed to produce
expected results. With this update, this error has been fixed, the error number
is no longer overwritten, and affected utilities now work properly. (BZ#661630)

All users of nss_ldap are advised to upgrade to this updated package, which
resolves these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 468807 - The function _nss_ldap_gethostbyname_r doen't set the proper return value and errno_p when the length of name is less than required
• BZ - 474181 - race in fork()
• BZ - 500397 - spamc denials
• BZ - 537358 - RHEL ldap clients are not showing password expiry warning
• BZ - 654650 - Memory leak in nss_ldap
• BZ - 661630 - id returns failure when nss_ldap uses TLS and oneshot nss_connect_policy

CVEs

(none)

References

(none)