RHBA-2011:0239 - Bug Fix Advisory

Topic

An updated nss_ldap package that fixes various bugs is now available.

Description

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap
module is a plug-in which allows applications to retrieve information about
users and groups from a directory server. The pam_ldap module allows a directory
server to be used by PAM-aware applications to verify user passwords.

This updated nss_ldap package includes fixes for the following bugs:

• When the "gethostbyname2()" function requested an Internet Protocol version 6

(IPv6) address, the returned address was presented as the Internet Protocol
version 4 (IPv4) address. With this update, nss_ldap correctly fails to return
an IPv6 address. (BZ#205243)

• If hostname resolution was configured to use 'ldap' only, it was impossible to

resolve a hostname of the target Lightweight Directory Access Protocol (LDAP)
server to its address without contacting it. This caused a recursion in the
underlying nss_ldap module until a segmentation fault occurred and the calling
application crashed. The updated nss_ldap package ensures that no segmentation
fault occurs. (BZ#448884)

• The nss_ldap module is built with a static copy of the libldap library.

Applications which called the getpwuid() or getpwuid_r() functions could have
triggered an assertion failure in libldap, thus causing the nss_ldap module to
terminate abnormally. This fix updates the static copy of libldap built into
nss_ldap, and potential assertion failures are no longer triggered. (BZ#525576)

• If the nss_initgroups_ignoreusers option in the nss_ldap configuration file

exceeded the allowed length, errors while parsing the configuration file could
have occurred. This could have resulted in an "Assertion failed" error when
executing any nss_ldap-related commands. With this update, the length of the
'nss_initgroups_ignoreusers' option is not restricted. (BZ#557927)

• Under certain circumstances, nss_ldap may have leaked file descriptors. As a

result, the number of open sockets could have reached the maximum limit of 1024.
With this update, this error is fixed and nss_ldap no longer causes applications
to leak file descriptors. (BZ#563362)

• Previously, enabling the "nss_connect_policy oneshot" option in the

/etc/ldap.conf configuration file may have caused an application crash.
With this update, enabling "nss_connect_policy oneshot" works as expected.
(BZ#566632)

• In certain cases, nss_ldap failed to get a response from the Lightweight

Directory Access Protocol (LDAP) server and the client became temporarily unable
to query the server. With this update the issue is fixed and the server responds
as expected. (BZ#574306)

• The "endpwent" function called ldap query with the NULL handle and the parent

process crashed. With this update, the handle is used only if it is valid.
(BZ#604945)

• The nss_ldap module could have failed to return a result if an entry was too

large. With this update, the ERANGE error is returned as expected. (BZ#613555)

• The shell wrote to a socket that was not connected to an LDAP server. This

resulted in an EPIPE error and no shell commands were resolved when logged in as
an LDAP user. The SIGPIPE signal is now unblocked when the connection in a child
element is closed and shell commands work as expected. (BZ#621586)

All users of nss_ldap are advised to upgrade to this updated package, which
resolves these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 205243 - gethostbyname2 queried with AF_INET6 (IPv6) return ok with IPv4 address
• BZ - 448884 - getent -s 'ldap' passwd -- Segmentation fault
• BZ - 525576 - Rebuild nss_ldap with latest openldap
• BZ - 563362 - nscd with nss_ldap leaks file descriptors
• BZ - 566632 - nss_ldap bug causes nscd to crash with `ldap_result: Assertion `ld != ((void *)0)' failed.'
• BZ - 574306 - nss_ldap client does not seem to get a response from ldap server
• BZ - 604945 - sendmail local delivery assertion failure when using MatchGECOS=True and nss lookups on ldap
• BZ - 613555 - id returns failure when nss_ldap uses TLS and oneshot nss_connect_policy
• BZ - 621586 - nss_ldap EPIPE when forking process
• BZ - 651364 - gethostbyname2 returns 0.0.0.0 IPv4 address for hosts from LDAP on s390x

CVEs

(none)

References

(none)