From nobody@FreeBSD.org  Wed Feb 20 13:39:16 2013
Message-Id: <201302201339.r1KDdGrK023457@red.freebsd.org>
Date: Wed, 20 Feb 2013 13:39:16 GMT
From: Sergey Kandaurov <pluknet@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch][security] net/nss-pam-ldapd: add vuxml entry for CVE-2013-0288
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         176293
>Category:       ports
>Synopsis:       [patch][security] net/nss-pam-ldapd: add vuxml entry for CVE-2013-0288
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    rm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 20 13:40:00 UTC 2013
>Closed-Date:    Wed Feb 20 14:02:57 UTC 2013
>Last-Modified:  Wed Feb 20 14:02:57 UTC 2013
>Originator:     Sergey Kandaurov
>Release:        FreeBSD 8.3-RELEASE amd64
>Organization:
RU-CENTER
>Environment:
>Description:

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml	(revision 312625)
+++ security/vuxml/vuln.xml	(working copy)
@@ -51,6 +51,35 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="58c15292-7b61-11e2-95da-001e8c1a8a0e">
+    <topic>nss-pam-ldapd -- file descriptor buffer overflow</topic>
+    <affects>
+      <package>
+	<name>nss-pam-ldapd</name>
+	<range><lt>0.8.12</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Garth Mollett reports:</p>
+	<blockquote cite="http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288">
+	  <p>A file descriptor overflow issue in the use of FD_SET()
+	    in nss-pam-ldapd can lead to a stack-based buffer overflow.
+	    An attacker could, under some circumstances, use this flaw
+	    to cause a process that has the NSS or PAM module loaded to
+	    crash or potentially execute arbitrary code.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-0288</cvename>
+    </references>
+    <dates>
+      <discovery>2013-02-18</discovery>
+      <entry>2013-02-20</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="1c8a039b-7b23-11e2-b17b-20cf30e32f6d">
     <topic>bugzilla -- multiple vulnerabilities</topic>
     <affects>
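
Review bot: The `<references>` block at the end of the new entry lists only `<cvename>CVE-2013-0288</cvename>`, so the upstream advisory appears solely as the `cite` attribute of the `<blockquote>`. Add `<url>http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288</url>` next to the CVE name, so that anything reading the references rather than the XHTML body still leads users to the advisory being quoted.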


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->rm 
Responsible-Changed-By: rm 
Responsible-Changed-When: Wed Feb 20 13:41:26 UTC 2013 
Responsible-Changed-Why:  
I will take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=176293 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/176293: commit references a PR
Date: Wed, 20 Feb 2013 13:58:32 +0000 (UTC)

 Author: rm
 Date: Wed Feb 20 13:58:19 2013
 New Revision: 312626
 URL: http://svnweb.freebsd.org/changeset/ports/312626
 
 Log:
   - add an entry for net/nss-pam-ldapd stack-based buffer overflow
   
   According to advisory, vulnerability exists in nss-pam-ldapd < 0.8.11,
   but since we never had this version in the ports tree, mark everything
   < 0.8.12 as vulnerable.
   
   PR:		176293
   Submitted by:	pluknet
 
 Modified:
   head/security/vuxml/vuln.xml
 
 Modified: head/security/vuxml/vuln.xml
 ==============================================================================
 --- head/security/vuxml/vuln.xml	Wed Feb 20 11:12:25 2013	(r312625)
 +++ head/security/vuxml/vuln.xml	Wed Feb 20 13:58:19 2013	(r312626)
 @@ -51,6 +51,35 @@ Note:  Please add new entries to the beg
  
  -->
  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 +  <vuln vid="58c15292-7b61-11e2-95da-001e8c1a8a0e">
 +    <topic>nss-pam-ldapd -- file descriptor buffer overflow</topic>
 +    <affects>
 +      <package>
 +	<name>nss-pam-ldapd</name>
 +	<range><lt>0.8.12</lt></range>
 +      </package>
 +    </affects>
 +    <description>
 +      <body xmlns="http://www.w3.org/1999/xhtml">
 +	<p>Garth Mollett reports:</p>
 +	<blockquote cite="http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288">
 +	  <p>A file descriptor overflow issue in the use of FD_SET()
 +	    in nss-pam-ldapd can lead to a stack-based buffer overflow.
 +	    An attacker could, under some circumstances, use this flaw
 +	    to cause a process that has the NSS or PAM module loaded to
 +	    crash or potentially execute arbitrary code.</p>
 +	</blockquote>
 +      </body>
 +    </description>
 +    <references>
 +      <cvename>CVE-2013-0288</cvename>
 +    </references>
 +    <dates>
 +      <discovery>2013-02-18</discovery>
 +      <entry>2013-02-20</entry>
 +    </dates>
 +  </vuln>
 +
    <vuln vid="1c8a039b-7b23-11e2-b17b-20cf30e32f6d">
      <topic>bugzilla -- multiple vulnerabilities</topic>
      <affects>
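
Review bot: The `<range><lt>0.8.12</lt></range>` bound is deliberately wider than the advisory's, but the reason is recorded only in the commit log ("vulnerability exists in nss-pam-ldapd < 0.8.11 ... mark everything < 0.8.12 as vulnerable"). Someone later comparing the entry with the advisory will see a mismatch with no explanation in vuln.xml itself; a short XML comment beside the `<range>` line stating that 0.8.11 was never in the ports tree would keep that rationale with the data. Separately, the `<topic>` says "file descriptor buffer overflow" while both the log and the quoted text call it a stack-based buffer overflow in the use of FD_SET(); aligning the topic with that wording would make the entry easier to find.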
 
State-Changed-From-To: open->closed 
State-Changed-By: rm 
State-Changed-When: Wed Feb 20 14:02:56 UTC 2013 
State-Changed-Why:  
Committed, thank you! 

>Unformatted:
