Fix for CVE-2013-0288 in precise package

Bug #1347614 reported by Nicola Heald
This bug affects 1 person
Affects: nss-pam-ldapd (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Nicola Heald

Bug Description

We run a busy server that uses nss-pam-ldapd on precise, and it falls over regularly due to CVE-2013-0288.

Attached is a debdiff with the backported fix for this issue.

Tags: patch

CVE References

Nicola Heald (notnownikki) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Backported from http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Daniel Holbach (dholbach) wrote :

Subscribing the sponsors team.

Package seems to build fine on precise. Backported patch does not match the upstream fix 100%, needs review.

Daniel Holbach (dholbach) wrote :

Err, sorry, I meant the security sponsors team.

information type: Public → Public Security
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff! I have a few comments:
 * debian/changelog does not use 'precise-security'
 * debian/changelog is too terse. Per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging, it should be something like:
   * SECURITY UPDATE: use poll() instead of select() for checking file
     descriptor activity to also correctly work if more than FD_SETSIZE files
     are already open
     - http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
     - <link to upstream patch #1>
     - <link to upstream patch #2>
     - ...
     - CVE-2013-0288
     - LP: #1347614

Importantly, as Daniel said, the patch does not match upstream. Upstream http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288 has a minimal patch that would be more appropriate for a security update:
- http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81

That said, we could incorporate the larger patchset:
- http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=f266f05f20afe73e89c3946a7bd60bd7c5948e1b

if it could be shown to be correct and free of regressions.

Please do one of:
- update the patch for the changelog changes, use the minimal patch and document it in debian/changelog
- update the patch for the changelog changes, use the bigger patchset, document the patch URLs in debian/changelog. Please also detail the testing performed

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe after attaching a new debdiff. Thanks again.

Changed in nss-pam-ldapd (Ubuntu):
status: New → In Progress
assignee: nobody → Mike Heald (jedimike)
Nicola Heald (notnownikki) wrote :

Thanks for your guidance on this.

I've attached a new debdiff with the minimal patch. I would have liked to incorporate the poll() changes, but it makes sense to do the minimum to fix this bug for now.

Patch was applied from http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81; it did not apply completely as it patches tio_skipall, which had not been introduced in the version currently in precise.

Nicola Heald (notnownikki) wrote :

Resubscribing the security sponsors team.

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff, the package is building now and will be released today.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss-pam-ldapd - 0.8.4ubuntu0.3

---------------
nss-pam-ldapd (0.8.4ubuntu0.3) precise-security; urgency=low

  * SECURITY UPDATE: denial of service related to incorrect use
    of the FD_SET macro.
    - http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
    - common/tio.c added checks to make sure the file descriptor
      can be stored in the file descriptor set, from upstream patch
      http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81
    - CVE-2013-0288
    - LP: #1347614
 -- Mike Heald <email address hidden> Tue, 29 Jul 2014 12:27:23 +0100

Changed in nss-pam-ldapd (Ubuntu):
status: In Progress → Fix Released
Cody A.W. Somerville (cody-somerville) wrote :

There is a serious bug here that is not introduced in this change but on upgrade nonetheless causes /etc/nslcd.conf to get mangled, creating a situation where one is no longer able to access their server. :(

Nicola Heald (notnownikki) wrote :