製品・ソフトウェアに関する情報

JVN脆弱性詳細

nss-pam-ldapd におけるサービス運用妨害 (アプリケーションクラッシュ) の脆弱性

Title	nss-pam-ldapd におけるサービス運用妨害 (アプリケーションクラッシュ) の脆弱性
Summary	nss-pam-ldapd には、サービス運用妨害 (アプリケーションクラッシュ) 状態となる、および任意のコードを実行される脆弱性が存在します。
Possible impacts	攻撃者により、多数のオープンファイル記述子を伴うアプリケーションで名前の検索 (name lookup) を実行され、FD_SET マクロの不正な使用に関連したスタックベースのバッファオーバーフローを誘発されることにより、サービス運用妨害 (アプリケーションクラッシュ) 状態にされる、および任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 18, 2013, midnight
Registration Date	March 7, 2013, 7:05 p.m.
Last Update	March 28, 2014, 4:33 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

arthurdejong

nss-pam-ldapd 0.7.18 未満

nss-pam-ldapd 0.8.11 未満の 0.8.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
arthurdejong
1	CVE-2013-0288	http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
Common Vulnerabilities and Exposures (CVE)
2	CVE-2013-0288	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0288
National Vulnerability Database (NVD)
3	CVE-2013-0288	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0288

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
arthurdejong
1	check if the file descriptor can be stored in the select() file descriptor set	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81
2	check if the file descriptor can be stored in the select() file descriptor set (r1781 from 0.8)	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=abf03bc54032beeff95b1b8634cc005137e11f32
3	use poll() instead of select() for checking file descriptor activity to also correctly work if more than FD_SETSIZE files are already open	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b
Debian Bug report logs
4	#690319	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690319
Debian Security Advisory
5	DSA-2628	http://www.debian.org/security/2013/dsa-2628
Fedora Update Notification
6	FEDORA-2013-2754	http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099438.html
opensuse-updates
7	openSUSE-SU-2013:0522	http://lists.opensuse.org/opensuse-updates/2013-03/msg00087.html
8	openSUSE-SU-2013:0524	http://lists.opensuse.org/opensuse-updates/2013-03/msg00091.html
Red Hat Bugzilla
9	Bug 909119	https://bugzilla.redhat.com/show_bug.cgi?id=909119
Red Hat Security Advisory
10	RHSA-2013:0590	http://rhn.redhat.com/errata/RHSA-2013-0590.html

その他

No	Name	URL
関連文書
1	MGASA-2013-0071	https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0071

Change Log

No	Changed Details	Date of change
0	[2013年03月07日] 掲載 [2013年05月17日] ベンダ情報：openSUSE (openSUSE-SU-2013:0524) を追加ベンダ情報：openSUSE (openSUSE-SU-2013:0522) を追加 [2014年03月28日] 参考情報：関連文書 (MGASA-2013-0071) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-0288

Summary	nss-pam-ldapd before 0.7.18 and 0.8.x before 0.8.11 allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code by performing a name lookup on an application with a large number of open file descriptors, which triggers a stack-based buffer overflow related to incorrect use of the FD_SET macro.
Publication Date	March 6, 2013, 6:38 a.m.
Registration Date	Jan. 26, 2021, 3:33 p.m.
Last Update	Nov. 21, 2024, 10:47 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.9:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.7:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.0:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.10:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.6:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.8:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.2.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.10:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.10:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.7:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.15:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.8:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.7.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.8:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.0:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.4.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.12:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.12:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.7.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.16:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.9:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.14:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.11:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd::::::::		0.7.17
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.9:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.11:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.7:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.0:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.6:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.13:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.6:::::::*

Related information, measures and tools

No	URL	タグ
1	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81
2	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81
3	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=abf03bc54032beeff95b1b8634cc005137e11f32
4	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=abf03bc54032beeff95b1b8634cc005137e11f32
5	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b
6	http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b
7	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690319
8	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690319
9	http://lists.arthurdejong.org/nss-pam-ldapd-announce/2013/msg00001.html
10	http://lists.arthurdejong.org/nss-pam-ldapd-announce/2013/msg00001.html
11	http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099438.html
12	http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099438.html
13	http://lists.opensuse.org/opensuse-updates/2013-03/msg00087.html
14	http://lists.opensuse.org/opensuse-updates/2013-03/msg00087.html
15	http://lists.opensuse.org/opensuse-updates/2013-03/msg00091.html
16	http://lists.opensuse.org/opensuse-updates/2013-03/msg00091.html
17	http://rhn.redhat.com/errata/RHSA-2013-0590.html
18	http://rhn.redhat.com/errata/RHSA-2013-0590.html
19	http://secunia.com/advisories/52212
20	http://secunia.com/advisories/52212
21	http://secunia.com/advisories/52242	Vendor Advisory
22	http://secunia.com/advisories/52242	Vendor Advisory
23	http://www.debian.org/security/2012/dsa-2628
24	http://www.debian.org/security/2012/dsa-2628
25	http://www.mandriva.com/security/advisories?name=MDVSA-2013:106
26	http://www.mandriva.com/security/advisories?name=MDVSA-2013:106
27	http://www.openwall.com/lists/oss-security/2013/02/18/2
28	http://www.openwall.com/lists/oss-security/2013/02/18/2
29	http://www.securityfocus.com/bid/58007
30	http://www.securityfocus.com/bid/58007
31	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0288
32	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0288
33	https://exchange.xforce.ibmcloud.com/vulnerabilities/82175
34	https://exchange.xforce.ibmcloud.com/vulnerabilities/82175
35	https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0071
36	https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0071

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.9:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.7:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.0:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.10:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.6:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.8.8:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.2.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.10:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.10:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.7:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.15:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.8:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.7.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.8:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.0:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.4.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.12:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.12:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.7.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.16:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.9:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.4:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.5:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.14:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.11:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.2:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd::::::::		0.7.17
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.9:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.11:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.7:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.0:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.6:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.3:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.13:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.6.1:::::::*
cpe:2.3:a:arthurdejong:nss-pam-ldapd:0.7.6:::::::*