Potential Buffer Overflow in nss_ldap DNS SRV support
There is a potential buffer overflow in the DNS SRV code in nss_ldap.
PADL do not believe this to be exploitable to elevate privilege in the default configuration of nss_ldap. When DNS is used for locating LDAP servers, the local DNS domain is implicitly trusted. A simpler mechanism to elevate privilege would thus be to configure DNS to point to a malicious LDAP server.
An exception is when a deployment explicitly does not trust DNS, uses DNS SRV records for server location, and uses another mechanism such as Kerberos or SSL to verify the integrity of the server. In this case, privilege elevation may be possible by creating a large number of SRV records, or SRV records with long target hosts.
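To make the two vectors above concrete from the defender's side, here is an added illustration (not nss_ldap's code, and not the fix shipped in nss_ldap-198) of bounds-checked handling of SRV targets for a fixed-size server list: the buffer size, the record cap and the sample record are all constructed for this example.

```c
/* Added illustration, not nss_ldap's code: bounds-checked handling of DNS SRV
 * targets for a fixed-size LDAP server list. Limits and samples are constructed. */
#include <stdint.h>
#include <string.h>

#define MAX_HOST    32  /* hypothetical fixed per-target buffer */
#define MAX_SERVERS 4   /* hypothetical cap on SRV records kept */

typedef struct { char host[MAX_HOST]; uint16_t port; } srv_target;
srv_target servers[MAX_SERVERS];

/* Decode an uncompressed RFC 1035 name into dotted text; -1 if malformed or too long. */
int decode_name(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    while (i < len) {
        uint8_t l = p[i++];
        if (l == 0) { out[o] = '\0'; return (int)i; }  /* o < outlen is guaranteed */
        if ((l & 0xC0) || l > len - i) return -1;      /* compression pointer or truncated */
        if (o + l + (o ? 1 : 0) >= outlen) return -1;  /* keep room for '.' and NUL */
        if (o) out[o++] = '.';
        memcpy(out + o, p + i, l);
        o += l; i += l;
    }
    return -1;  /* missing root label */
}

/* Parse one SRV rdata (priority, weight, port, target) into the next slot.
 * Refuses when the list is full or the target will not fit, instead of
 * writing past either buffer. Returns the new count, or -1. */
int add_server(srv_target *list, size_t count, const uint8_t *rd, size_t len)
{
    if (count >= MAX_SERVERS || len < 6) return -1;
    list[count].port = (uint16_t)((rd[4] << 8) | rd[5]);
    if (decode_name(rd + 6, len - 6, list[count].host, MAX_HOST) < 0) return -1;
    return (int)count + 1;
}

/* Constructed rdata: priority 0, weight 0, port 389, target ldap.example.com */
const uint8_t SAMPLE_SRV[] = { 0,0, 0,0, 0x01,0x85,
    4,'l','d','a','p', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
/* Constructed check: a single 63-byte label (the DNS maximum) exceeds MAX_HOST
 * and must be rejected. Returns 1 when it is. */
int rejects_long_target(void)
{
    uint8_t rd[6 + 1 + 63 + 1] = {0};
    rd[6] = 63; memset(rd + 7, 'a', 63);
    return add_server(servers, 0, rd, sizeof rd) == -1;
}
```

The two refusals in add_server correspond to the two vectors named above: a full list stops a flood of SRV records, and the length check in decode_name stops an over-long target host.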
The DNS SRV support allows nss_ldap to be self-configuring from information stored in the Domain Name System. Because similar support is not yet available in pam_ldap, we expect that most nss_ldap installations use the static configuration file, /etc/ldap.conf. This file is installed by default, and DNS will only be consulted if this file cannot be parsed.
More information on vulnerabilities and exposures in PADL open source software is available here. This vulnerability has been assigned CVE number CAN-2002-0825.
This issue has been corrected in nss_ldap-198; see bug #108. The current version of nss_ldap is available by FTP or HTTP.