Debian Bug report logs - #690319
lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)

version graph

Package: nss-pam-ldapd; Maintainer for nss-pam-ldapd is Arthur de Jong <adejong@debian.org>;

Reported by: Adrien Urban <adrien.urban@nbs-system.com>

Date: Fri, 12 Oct 2012 14:12:01 UTC

Severity: critical

Tags: security

Found in version 0.7.15+squeeze2

Fixed in versions 0.7.15+squeeze3, nss-pam-ldapd/0.8.10-3

Done: Arthur de Jong <adejong@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, adrien.urban@nbs-system.com, Arthur de Jong <adejong@debian.org>:
Bug#690319; Package nss-pam-ldapd. (Fri, 12 Oct 2012 14:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Adrien Urban <adrien.urban@nbs-system.com>:
New Bug report received and forwarded. Copy sent to adrien.urban@nbs-system.com, Arthur de Jong <adejong@debian.org>. (Fri, 12 Oct 2012 14:12:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Adrien Urban <adrien.urban@nbs-system.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
Date: Fri, 12 Oct 2012 16:04:28 +0200
[Message part 1 (text/plain, inline)]
Package: nss-pam-ldapd
Version: 0.7.15+squeeze2
Severity: critical


When trying to get the identity, after establishing the connection
(connect /var/run/nslcd/socket), it uses select to wait on it. If the
filedescriptor is over 1024, it still uses FD_SET to write outside of
the fd_set, and calls select with a max at 1024.

The select won't have any fd to check, and will timeout.

The FD_SET writes outside of the space, and might corrupts memory, and
provide crash.

Exemple provided with binary id. First noticed it after tracing nginx
having *alot* of log files, and crashing less than a minute after
starting.

Attached files :

bug.c - example of sources used to show the bug
cli.txt - example usage, and results from previous prog
trace.log - strace showing the select
dpkg.txt - list of packages on a box where the trace was generated


Regards,
Adrien
[bug.c (text/x-c, attachment)]
[cli.txt (text/plain, attachment)]
[dpkg.txt (text/plain, attachment)]
[bug.c (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#690319; Package nss-pam-ldapd. (Fri, 12 Oct 2012 17:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to 690319@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Fri, 12 Oct 2012 17:09:03 GMT) Full text and rfc822 format available.

Message #10 received at 690319@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Adrien Urban <adrien.urban@nbs-system.com>, 690319@bugs.debian.org
Subject: Re: Bug#690319: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
Date: Fri, 12 Oct 2012 19:06:13 +0200
[Message part 1 (text/plain, inline)]
On Fri, 2012-10-12 at 16:04 +0200, Adrien Urban wrote:
> When trying to get the identity, after establishing the connection
> (connect /var/run/nslcd/socket), it uses select to wait on it. If the
> filedescriptor is over 1024, it still uses FD_SET to write outside of
> the fd_set, and calls select with a max at 1024.
> 
> The select won't have any fd to check, and will timeout.

Thanks for reporting this and providing the detailed test. I guess the
proper solution is to switch to poll() instead of select(). A smaller
change would be to implement a check to see the FD would fit in the set.

> Exemple provided with binary id. First noticed it after tracing nginx
> having *alot* of log files, and crashing less than a minute after
> starting.
> 
> Attached files :
> 
> bug.c - example of sources used to show the bug
> cli.txt - example usage, and results from previous prog
> trace.log - strace showing the select
> dpkg.txt - list of packages on a box where the trace was generated

trace.log is missing but with bug.c I can reproduce the problem easily.
Thanks.

Btw, I first couldn't reproduce the problem because I had nscd running
(which also may be a good idea in your configuration) so that is at
least a workaround in some cases.

The patch with minimal changes for the 0.7 and 0.8 branches are here:
  http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1782&view=revision
  http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1781&view=revision

With this patch the id command will still fail but it will do so quickly
and memory shouldn't be corrupted. I will work on switching to poll()
instead.

Thanks,

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Sat, 13 Oct 2012 15:27:08 GMT) Full text and rfc822 format available.

Reply sent to Arthur de Jong <adejong@debian.org>:
You have taken responsibility. (Sun, 14 Oct 2012 21:24:13 GMT) Full text and rfc822 format available.

Notification sent to Adrien Urban <adrien.urban@nbs-system.com>:
Bug acknowledged by developer. (Sun, 14 Oct 2012 21:24:13 GMT) Full text and rfc822 format available.

Message #17 received at 690319-close@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: 690319-close@bugs.debian.org
Subject: Bug#690319: fixed in nss-pam-ldapd 0.8.10-3
Date: Sun, 14 Oct 2012 21:21:44 +0000
Source: nss-pam-ldapd
Source-Version: 0.8.10-3

We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 690319@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adejong@debian.org> (supplier of updated nss-pam-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 14 Oct 2012 23:00:00 +0200
Source: nss-pam-ldapd
Binary: nslcd libnss-ldapd libpam-ldapd
Architecture: source i386
Version: 0.8.10-3
Distribution: unstable
Urgency: low
Maintainer: Arthur de Jong <adejong@debian.org>
Changed-By: Arthur de Jong <adejong@debian.org>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
 libpam-ldapd - PAM module for using LDAP as an authentication service
 nslcd      - Daemon for NSS and PAM lookups using LDAP
Closes: 689296 690319
Changes: 
 nss-pam-ldapd (0.8.10-3) unstable; urgency=low
 .
   * fix a problem in sed logic for commenting out disabled options
     (closes: #689296)
   * support "EXTERNAL" SASL mechanism in debconf configuration (LP: #1063923)
     (the debconf template has been postponed to avoid having to update all
     translations for a relatively minor change)
   * 01-use-poll-instead-of-select.patch: use poll() instead of select()
     for checking file descriptor activity to also correctly work if more
     than FD_SETSIZE files are already open (closes: #690319)
Checksums-Sha1: 
 7a4d9d7b9aa36cc6db9adeecfc7406c67eb4f82b 1517 nss-pam-ldapd_0.8.10-3.dsc
 0c3a652ea10dfb68f6eb0abb8ada4ff4fc98d4eb 92997 nss-pam-ldapd_0.8.10-3.debian.tar.gz
 13ca7bafb66088ecf6de8ef24707b14f290d950c 169224 nslcd_0.8.10-3_i386.deb
 9dd93c0364572efce3b731be51b4a8e9e966b4e4 63568 libnss-ldapd_0.8.10-3_i386.deb
 a28e03d6a15b6692a4a9f2b13378131a39b2becf 49776 libpam-ldapd_0.8.10-3_i386.deb
Checksums-Sha256: 
 52fc3116ccbf9520f59e9e4cf37c14ff6b6a0c50d29670c053159a8325315766 1517 nss-pam-ldapd_0.8.10-3.dsc
 f115e0b1b3cc688244fe0c0c4301daf6b64636e14d31e958a40f8c18d847702e 92997 nss-pam-ldapd_0.8.10-3.debian.tar.gz
 7732294b5e8d3c9635dfd605c3b4fe2afcd607472c3e697bcae643d1208e1853 169224 nslcd_0.8.10-3_i386.deb
 7d5d64c80f0187966bf19290522f2b262375b798d965348d5b581d6b95c16f84 63568 libnss-ldapd_0.8.10-3_i386.deb
 cad6f0c6023b96fdeb5ac911663414a2f4cd4cd3588952127cabccd07f77f132 49776 libpam-ldapd_0.8.10-3_i386.deb
Files: 
 3fac857f09f40976e97a6ca2f6c6dacb 1517 admin extra nss-pam-ldapd_0.8.10-3.dsc
 da3d56b755abf0126bd1b1abbe7138b0 92997 admin extra nss-pam-ldapd_0.8.10-3.debian.tar.gz
 11f6b214953316ee9a6de87e7fa00038 169224 admin extra nslcd_0.8.10-3_i386.deb
 20b5cb750b98cd8e20cee4dbfbe5d1de 63568 admin extra libnss-ldapd_0.8.10-3_i386.deb
 e27f1d070c1bc129ee93b19180be37e3 49776 admin extra libpam-ldapd_0.8.10-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlB7KYMACgkQVYan35+NCKcO/ACdHi4nSOyXF5wJEL+u401yDam0
/dcAn0Hlmlex8YLhRO4UNNzBWnmI9wIA
=j5Ja
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#690319; Package nss-pam-ldapd. (Mon, 18 Feb 2013 17:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. (Mon, 18 Feb 2013 17:09:03 GMT) Full text and rfc822 format available.

Message #22 received at 690319@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: 690319@bugs.debian.org
Subject: Re: Bug#690319: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
Date: Mon, 18 Feb 2013 18:06:25 +0100
[Message part 1 (text/plain, inline)]
Control: tags -1 + security

It has been determined that this bug has security implications and
CVE-2013-0288 has been assigned to this issue. For more details see the
upstream advisory:

http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288

A Debian security advisory for this issue will be issued shortly and a
0.7.15+squeeze3 release will be made available.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Arthur de Jong <adejong@debian.org> to 690319-submit@bugs.debian.org. (Mon, 18 Feb 2013 17:09:03 GMT) Full text and rfc822 format available.

Marked as fixed in versions 0.7.15+squeeze3. Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2013 20:39:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#690319; Package nss-pam-ldapd. (Wed, 01 May 2013 22:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Wed, 01 May 2013 22:09:04 GMT) Full text and rfc822 format available.

Message #31 received at 690319@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 690319@bugs.debian.org, team@security.debian.org
Cc: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Subject: Re: Bug#690319: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
Date: Wed, 01 May 2013 23:05:15 +0100
[Message part 1 (text/plain, inline)]
Hi,

I noticed (by chance) there is a problem with the squeeze-security patch
for #690319;  it introduces a regression on kfreebsd and has not built.
 I'm not sure where to find build logs of this, or if they are public,
but I think it is due to using a non-standard EBADFD errno ("file
descriptor in bad state").

Perhaps EBADF ("is not a valid file descriptor" / "bad file number")
would be suitable instead and is more portable;  please consider
attached bug690319-amend-1.diff

Alternatively we could #define EBADFD EBADF on platforms that don't have
it;  please see bug690319-amend-2.diff if that is preferred.

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
[bug690319-amend-1.diff (text/x-patch, attachment)]
[bug690319-amend-2.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#690319; Package nss-pam-ldapd. (Thu, 02 May 2013 21:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to 690319@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Thu, 02 May 2013 21:57:04 GMT) Full text and rfc822 format available.

Message #36 received at 690319@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Steven Chamberlain <steven@pyro.eu.org>, 690319@bugs.debian.org
Cc: team@security.debian.org, "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Subject: Re: Bug#690319: lookup fail to contact nslcd when first 1024 filedescriptor are already used (select)
Date: Thu, 02 May 2013 23:55:22 +0200
[Message part 1 (text/plain, inline)]
On Wed, 2013-05-01 at 23:05 +0100, Steven Chamberlain wrote:
> I noticed (by chance) there is a problem with the squeeze-security
> patch for #690319;  it introduces a regression on kfreebsd and has not
> built. I'm not sure where to find build logs of this, or if they are
> public, but I think it is due to using a non-standard EBADFD errno
> ("file descriptor in bad state").

I don't think the security build logs are public (even after the
advisory is released) and I hadn't noticed the buil failure before.

> Perhaps EBADF ("is not a valid file descriptor" / "bad file number")
> would be suitable instead and is more portable;  please consider
> attached bug690319-amend-1.diff

This looks like the right approach. The exact value of errno doesn't
make that much of a difference in this case.

I've applied this change upstream and am willing to prepare a
0.7.15+squeeze4 package. I think it's up to the security team to decide
whether this should go to stable or stable-security.

One thing to consider is that I'd also like to fix RC bug #700971 (the
bug report contains the patch that would be applied). People run into
this bug when installing a security update for nss-pam-ldapd.

Thanks for pointing this out,

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#690319; Package nss-pam-ldapd. (Tue, 07 May 2013 19:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Tue, 07 May 2013 19:03:06 GMT) Full text and rfc822 format available.

Message #41 received at 690319@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 690319@bugs.debian.org
Cc: Steven Chamberlain <steven@pyro.eu.org>, team@security.debian.org, debian-bsd@lists.debian.org, jmm@debian.org
Subject: Fix regression for kfreebsd-{i386,amd64} builds (#690319/CVE-2013-0288)
Date: Tue, 7 May 2013 21:00:54 +0200
Hi Steven, hi Arthur

On Thu, May 02, 2013 at 11:55:22PM +0200, Arthur de Jong wrote:
> On Wed, 2013-05-01 at 23:05 +0100, Steven Chamberlain wrote:
> > I noticed (by chance) there is a problem with the squeeze-security
> > patch for #690319;  it introduces a regression on kfreebsd and has not
> > built. I'm not sure where to find build logs of this, or if they are
> > public, but I think it is due to using a non-standard EBADFD errno
> > ("file descriptor in bad state").
> 
> I don't think the security build logs are public (even after the
> advisory is released) and I hadn't noticed the buil failure before.
> 
> > Perhaps EBADF ("is not a valid file descriptor" / "bad file number")
> > would be suitable instead and is more portable;  please consider
> > attached bug690319-amend-1.diff
> 
> This looks like the right approach. The exact value of errno doesn't
> make that much of a difference in this case.
> 
> I've applied this change upstream and am willing to prepare a
> 0.7.15+squeeze4 package. I think it's up to the security team to decide
> whether this should go to stable or stable-security.
> 
> One thing to consider is that I'd also like to fix RC bug #700971 (the
> bug report contains the patch that would be applied). People run into
> this bug when installing a security update for nss-pam-ldapd.

Thanks for notifying. Yes, indeed nss-pam-ldapd did not build for
kfreebsd-amd64 and kfreebsd-i386. As the FTBFS is a regression for the
kfreebsd builds when appliying the initial fix for CVE-2013-0288 I
think we should release an updated version targetting squeeze-security
to include the fix for it and send an updated DSA.

But I'm cc'ing also Moritz explicitly, who released this DSA, to get
an opinion from him.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#690319; Package nss-pam-ldapd. (Sat, 11 May 2013 18:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. (Sat, 11 May 2013 18:48:04 GMT) Full text and rfc822 format available.

Message #46 received at 690319@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 690319@bugs.debian.org
Cc: Steven Chamberlain <steven@pyro.eu.org>, team@security.debian.org, debian-bsd@lists.debian.org, jmm@debian.org
Subject: Re: Bug#690319: Fix regression for kfreebsd-{i386,amd64} builds (#690319/CVE-2013-0288)
Date: Sat, 11 May 2013 20:45:50 +0200
[Message part 1 (text/plain, inline)]
On Tue, 2013-05-07 at 21:00 +0200, Salvatore Bonaccorso wrote:
> Thanks for notifying. Yes, indeed nss-pam-ldapd did not build for
> kfreebsd-amd64 and kfreebsd-i386. As the FTBFS is a regression for the
> kfreebsd builds when appliying the initial fix for CVE-2013-0288 I
> think we should release an updated version targetting squeeze-security
> to include the fix for it and send an updated DSA.

Thanks. Attached is a debdiff with the version I'd like to upload.

As indicated before it also provides a fix for RC bug #700971 which
happens on package upgrades in some environments.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[nss-pam-ldapd-squeeze3-squeeze4.debdiff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Jun 2013 07:29:41 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 08:07:53 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.