Debian Security Advisory

DSA-1517-1 ldapscripts -- programming error

Date Reported:
15 Mar 2008
Affected Packages:
ldapscripts
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 445582.
In Mitre's CVE dictionary: CVE-2007-5373.
More information:

Don Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, passes the LDAP bind password as a command-line argument when calling the OpenLDAP client programs (ldapadd, ldapmodify and friends). Command-line arguments are visible to every local user through the process listing (ps, /proc/<pid>/cmdline), so a local attacker may read this password while the scripts run.
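
The following POSIX shell is an added example, not part of the advisory or of the ldapscripts package. It shows the vulnerable pattern the advisory describes (the bind password placed in argv via -w), a hardened replacement that hands the password to the OpenLDAP tools through a mode 0600 file with the -y option, and a check that scans command lines for the vulnerable form. The function names, the LDAPMODIFY override variable, the DN and the sample command lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not ldapscripts code): bind-password exposure through argv
# and how to avoid it with the OpenLDAP client tools.

# Tool to invoke; overridable so the functions can be exercised without a
# directory server (assumption for this example).
LDAPMODIFY=${LDAPMODIFY:-ldapmodify}

# Return 0 if a command line passes a simple-bind password inline as
# "-w <password>" (or "-w<password>") to an OpenLDAP client tool.
# "-W" (prompt) and "-y FILE" do not match.
cmdline_uses_inline_password() {
    printf '%s\n' "$1" | grep -Eq \
        '(^|[[:space:]/])ldap(add|modify|search|delete|passwd|compare|modrdn|whoami)[[:space:]].*[[:space:]]-w[[:space:]]*[^[:space:]]'
}

# Scan the local process table for the vulnerable invocation.
# Prints every offending command line; output is empty when none is found.
audit_process_table() {
    ps -eo pid=,args= | while IFS= read -r line; do
        if cmdline_uses_inline_password "$line"; then
            printf 'inline LDAP password in argv: %s\n' "$line"
        fi
    done
}

# Write the bind password to a fresh 0600 temporary file and print its path.
# OpenLDAP's -y uses the *complete* file contents as the password, so the
# password is written with printf (no trailing newline), never with echo.
make_bind_pw_file() {
    pwfile=$(umask 077 && mktemp) || return 1
    printf '%s' "$1" > "$pwfile" || { rm -f "$pwfile"; return 1; }
    printf '%s\n' "$pwfile"
}

# Vulnerable pattern (what the advisory describes): the password becomes
# part of the child's argv and is readable by any local user via ps.
# $1 = bind DN, $2 = password; LDIF is read from stdin.
ldap_modify_insecure() {
    "$LDAPMODIFY" -x -D "$1" -w "$2"
}

# Hardened pattern: the password travels through a 0600 file, so argv only
# shows the file name. Body runs in a subshell so its variables stay local.
ldap_modify_secure() (
    pwfile=$(make_bind_pw_file "$2") || return 1
    "$LDAPMODIFY" -x -D "$1" -y "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return "$rc"
)

# Usage when run directly: report any live offenders on this host.
if [ "${0##*/}" = "ldap_argv_check.sh" ]; then
    audit_process_table
fi
```

The -y file approach still has a window during which the password sits on disk, so the file is created under umask 077 and removed immediately after the tool exits; a long-lived equivalent is a root-owned, mode 0600 password file referenced from the script's configuration. An interactive -W prompt avoids the file entirely but does not suit unattended scripts.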

The old stable distribution (sarge) does not contain an ldapscripts package.

For the stable distribution (etch), this problem has been fixed in version 1.4-2etch1.

For the unstable distribution (sid), this problem has been fixed in version 1.7.1-2.

We recommend that you upgrade your ldapscripts package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/l/ldapscripts/ldapscripts_1.4.orig.tar.gz
http://security.debian.org/pool/updates/main/l/ldapscripts/ldapscripts_1.4-2etch1.diff.gz
http://security.debian.org/pool/updates/main/l/ldapscripts/ldapscripts_1.4-2etch1.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/l/ldapscripts/ldapscripts_1.4-2etch1_all.deb

MD5 checksums of the listed files are available in the original advisory.