[Pkg-sssd-devel] sssd: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Thu Oct 12 06:33:12 UTC 2017
debian/changelog | 8 -
debian/patches/series | 2
debian/patches/sysdb-sanitize-search-filter-input.diff | 133 +++++++++++++++++
3 files changed, 139 insertions(+), 4 deletions(-)
New commits:
commit 3d222fec9730e492f5e48615fd099b2dd9bccd07
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Oct 12 09:32:29 2017 +0300
releasing package sssd version 1.15.3-2
diff --git a/debian/changelog b/debian/changelog
index 58b8800..e46b0bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
-sssd (1.15.3-2) UNRELEASED; urgency=medium
+sssd (1.15.3-2) unstable; urgency=medium
* control: Fix libipa-hbac-dev short description.
* generate-config: Update the config template. (Closes: #872787)
* sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173.
(Closes: #877885)
- -- Timo Aaltonen <tjaalton at debian.org> Sat, 29 Jul 2017 12:16:36 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Thu, 12 Oct 2017 08:24:51 +0300
sssd (1.15.3-1) unstable; urgency=medium
commit 3be0afe419fb7aa257dc678cb69e911102f5c3a0
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Oct 11 08:03:08 2017 +0300
close a bug
diff --git a/debian/changelog b/debian/changelog
index 8937fd4..58b8800 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
sssd (1.15.3-2) UNRELEASED; urgency=medium
* control: Fix libipa-hbac-dev short description.
- * generate-config: Update the config template.
+ * generate-config: Update the config template. (Closes: #872787)
* sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173.
(Closes: #877885)
commit 516ed67a7d56d366b0e5f4f0eade5f7a69b06bf1
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Oct 11 08:00:38 2017 +0300
sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173. (Closes: #877885)
diff --git a/debian/changelog b/debian/changelog
index 817adc4..8937fd4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ sssd (1.15.3-2) UNRELEASED; urgency=medium
* control: Fix libipa-hbac-dev short description.
* generate-config: Update the config template.
+ * sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173.
+ (Closes: #877885)
-- Timo Aaltonen <tjaalton at debian.org> Sat, 29 Jul 2017 12:16:36 +0300
diff --git a/debian/patches/series b/debian/patches/series
index a82d1b4..8763183 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1 @@
-#placeholder
+sysdb-sanitize-search-filter-input.diff
diff --git a/debian/patches/sysdb-sanitize-search-filter-input.diff b/debian/patches/sysdb-sanitize-search-filter-input.diff
new file mode 100644
index 0000000..a9e994e
--- /dev/null
+++ b/debian/patches/sysdb-sanitize-search-filter-input.diff
@@ -0,0 +1,133 @@
+From d71be41ed6c44602781b7174a760d5a55a7c53ec Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Thu, 5 Oct 2017 11:07:38 +0200
+Subject: [PATCH] sysdb: sanitize search filter input
+
+This patch sanitizes the input for sysdb seaches by UPN/email, SID and
+UUID.
+
+This security issue was assigned CVE-2017-12173
+---
+ src/db/sysdb_ops.c | 43 +++++++++++++++++++++++++++++++++++--------
+ src/tests/sysdb-tests.c | 7 +++++++
+ 2 files changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 4cfef68239a5f145967c942b1fb6647c5542f019..0e39a629a5823ff49ed02ec4c08a21b66119f06f 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -601,6 +601,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+ int ret;
+ const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,
+ SYSDB_USER_EMAIL, NULL };
++ char *sanitized;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+@@ -608,6 +609,12 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
++ ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++ goto done;
++ }
++
+ if (domain_scope == true) {
+ base_dn = sysdb_user_base_dn(tmp_ctx, domain);
+ } else {
+@@ -620,7 +627,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
+ base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs,
+- SYSDB_PWUPN_FILTER, upn, upn, upn);
++ SYSDB_PWUPN_FILTER, sanitized, sanitized, sanitized);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+@@ -4823,17 +4830,31 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
+ bool expect_only_one_result,
+ struct ldb_result **_res)
+ {
+- char *filter;
++ char *filter = NULL;
+ errno_t ret;
++ char *sanitized = NULL;
+
+- filter = talloc_asprintf(NULL, filter_tmpl, str);
++ if (str == NULL) {
++ return EINVAL;
++ }
++
++ ret = sss_filter_sanitize(NULL, str, &sanitized);
++ if (ret != EOK || sanitized == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++ goto done;
++ }
++
++ filter = talloc_asprintf(NULL, filter_tmpl, sanitized);
+ if (filter == NULL) {
+- return ENOMEM;
++ ret = ENOMEM;
++ goto done;
+ }
+
+ ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs,
+ expect_only_one_result, _res);
+
++done:
++ talloc_free(sanitized);
+ talloc_free(filter);
+ return ret;
+ }
+@@ -4922,7 +4943,8 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ struct ldb_result **res)
+ {
+ int ret;
+- char *user_filter;
++ char *user_filter = NULL;
++ char *filter = NULL;
+
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT,
+ NULL, NULL, &user_filter);
+@@ -4931,10 +4953,15 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ return ret;
+ }
+
+- ret = sysdb_search_object_by_str_attr(mem_ctx, domain,
+- SYSDB_USER_CERT_FILTER,
+- user_filter, attrs, false, res);
++ filter = talloc_asprintf(NULL, SYSDB_USER_CERT_FILTER, user_filter);
+ talloc_free(user_filter);
++ if (filter == NULL) {
++ return ENOMEM;
++ }
++
++ ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, false, res);
++
++ talloc_free(filter);
+
+ return ret;
+ }
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 63572e067b11a7149b872b3a3eae38776e2bcf21..4652661087238c18f7fabb398d054db99f77d6cf 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -6513,6 +6513,13 @@ START_TEST(test_upn_basic)
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
++ /* check if input is sanitized */
++ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
++ "abc at def.ghi)(name="UPN_USER_NAME")(abc=xyz",
++ NULL, &msg);
++ fail_unless(ret == ENOENT,
++ "sysdb_search_user_by_upn failed with un-sanitized input.");
++
+ talloc_free(test_ctx);
+ }
+ END_TEST
+--
+2.9.3
+
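Review bot: In `sysdb_search_object_by_str_attr`, the guard `if (ret != EOK || sanitized == NULL)` jumps to `done` with `ret` still EOK when `sss_filter_sanitize` returns EOK but leaves `sanitized` NULL, so the caller would see success with `*_res` never set; add `if (ret == EOK) { ret = EINVAL; }` before that `goto done` (or drop the NULL half of the test if the helper guarantees an output on EOK, which I cannot confirm from this hunk). Separately, `sysdb_search_object_by_cert` now formats `SYSDB_USER_CERT_FILTER` itself and calls `sysdb_search_object_attr` directly rather than the sanitizing helper, presumably because `sss_cert_derb64_to_ldap_filter` already returns an escaped filter fragment that must not be escaped a second time, but nothing in the code says so and a later cleanup could route it back through `sysdb_search_object_by_str_attr`. A comment on the `talloc_asprintf` line such as `/* user_filter is already an LDAP filter fragment; do not sanitize it again */` would pin the reason. The enclosing functions, including `sysdb_search_user_by_upn_res`, start and end outside their respective hunks.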