[Pkg-sssd-devel] [Git][sssd-team/sssd][ubuntu-xenial] Import Xenial (1.13.4-1ubuntu1.10)
Victor Tapia
gitlab at salsa.debian.org
Thu May 17 17:06:26 BST 2018
Victor Tapia pushed to branch ubuntu-xenial at Debian SSSD packaging / sssd
Commits:
95074c2c by Victor Tapia at 2018-05-17T18:06:05+02:00
Import Xenial (1.13.4-1ubuntu1.10)
- - - - -
7 changed files:
- debian/changelog
- + debian/patches/CVE-2017-12173.patch
- + debian/patches/attempt_ptr_update_on_nonzero_return.diff
- + debian/patches/bad-initgroups-results-3045.patch
- debian/patches/series
- debian/rules
- debian/sssd-common.install
Changes:
=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,36 @@
+sssd (1.13.4-1ubuntu1.10) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: unsanitized input
+ - debian/patches/CVE-2017-12173.patch: sanitizes the input
+ for sysdb searches by UPN/email, SID and UUID in src/db/sysdb_ops.c
+ and add test src/tests/sysdb-tests.c.
+ - CVE-2017-12173
+
+ -- Leonidas S. Barbosa <leo.barbosa at canonical.com> Mon, 08 Jan 2018 13:56:02 -0300
+
+sssd (1.13.4-1ubuntu1.9) xenial; urgency=medium
+
+ * debian/patches/bad-initgroups-results-3045.patch: sdap: Fix
+ ldap_rfc_2307_fallback_to_local_users. Thanks to Michal Židek
+ <mzidek at redhat.com>. Closes LP: #1684295.
+
+ -- Andreas Hasenack <andreas at canonical.com> Mon, 06 Nov 2017 12:15:20 -0200
+
+sssd (1.13.4-1ubuntu1.8) xenial; urgency=medium
+
+ * d/p/attempt_ptr_update_on_nonzero_return.diff: Continue to send the PTR
+ record update in situations where the nsupdate child forward zone updates
+ are successful but nsupdate returns non-zero. (LP: #1706284)
+
+ -- Keith Ward <keith at darkspace.me> Tue, 25 Jul 2017 11:16:18 +0100
+
+sssd (1.13.4-1ubuntu1.7) xenial; urgency=medium
+
+ * d/rules, d/sssd-common.install: Fix sssd_krb5_locator_plugin install path.
+ (LP: #1664566)
+
+ -- Andreas Hasenack <andreas at canonical.com> Fri, 21 Jul 2017 14:17:56 -0300
+
sssd (1.13.4-1ubuntu1.6) xenial; urgency=medium
* Fix regression where SSSD doesn't start on boot if autofs is not
=====================================
debian/patches/CVE-2017-12173.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2017-12173.patch
@@ -0,0 +1,121 @@
+Backport of:
+
+From 1f2662c8f97c9c0fa250055d4b6750abfc6d0835 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Oct 11 2017 15:28:53 +0000
+Subject: sysdb: sanitize search filter input
+
+
+This patch sanitizes the input for sysdb searches by UPN/email, SID and
+UUID.
+
+This security issue was assigned CVE-2017-12173
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 843251b..6e720e6 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -486,6 +486,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+ int ret;
+ const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,
+ NULL };
++ char *sanitized;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+@@ -493,6 +494,12 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
++ ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++ goto done;
++ }
++
+ base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx);
+ if (base_dn == NULL) {
+ ret = ENOMEM;
+@@ -501,7 +508,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
+ base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs,
+- SYSDB_PWUPN_FILTER, upn, upn);
++ SYSDB_PWUPN_FILTER, sanitized, sanitized);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+@@ -3663,6 +3670,17 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
+ struct ldb_dn *basedn;
+ int ret;
+ struct ldb_result *res = NULL;
++ char *sanitized = NULL;
++
++ if (str == NULL) {
++ return EINVAL;
++ }
++
++ ret = sss_filter_sanitize(NULL, str, &sanitized);
++ if (ret != EOK || sanitized == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++ goto done;
++ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+@@ -3706,6 +3724,7 @@ done:
+ DEBUG(SSSDBG_OP_FAILURE, "Error: %d (%s)\n", ret, strerror(ret));
+ }
+
++ talloc_free(sanitized);
+ talloc_zfree(tmp_ctx);
+ return ret;
+ }
+@@ -3737,7 +3756,8 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ struct ldb_result **res)
+ {
+ int ret;
+- char *user_filter;
++ char *user_filter = NULL;
++ char *filter = NULL;
+
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT,
+ &user_filter);
+@@ -3746,11 +3766,13 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ return ret;
+ }
+
+- ret = sysdb_search_object_by_str_attr(mem_ctx, domain,
+- SYSDB_USER_CERT_FILTER,
+- user_filter, attrs, res);
++ filter = talloc_asprintf(NULL, SYSDB_USER_CERT_FILTER, user_filter);
+ talloc_free(user_filter);
++ if (filter == NULL) {
++ return ENOMEM;
++ }
+
++ talloc_free(filter);
+ return ret;
+ }
+
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 3c3e30a..a07923f 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -5960,6 +5960,13 @@ START_TEST(test_upn_basic_case)
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
++ /* check if input is sanitized */
++ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
++ "abc at def.ghi)(name="UPN_USER_NAME")(abc=xyz",
++ NULL, &msg);
++ fail_unless(ret == ENOENT,
++ "sysdb_search_user_by_upn failed with un-sanitized input.");
++
+ talloc_free(test_ctx);
+ }
+ END_TEST
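Review bot: In the backported `sysdb_search_object_by_cert` hunks the call to `sysdb_search_object_by_str_attr` is removed and nothing replaces it. `filter` is built with `talloc_asprintf`, freed again, and the function returns the `ret` left over from `sss_cert_derb64_to_ldap_filter`, so on the new side no search runs and `*res` is never assigned. The patch also adds `sanitized` to `sysdb_search_object_by_str_attr` and frees it at `done:`, but no hunk changes the search call in that function, so the SID and UUID lookups named in the description still appear to pass the raw `str` into the filter. Only `sysdb_search_user_by_upn_res` visibly uses the escaped value (`SYSDB_PWUPN_FILTER, sanitized, sanitized`), and the added test covers only that path. The search in `sysdb_search_object_by_str_attr` should take `sanitized` in place of `str`, and the certificate lookup needs a search that accepts the prebuilt `filter` without escaping it a second time; the function bodies are only partly visible in the inner hunks, so confirm against the full file.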
=====================================
debian/patches/attempt_ptr_update_on_nonzero_return.diff
=====================================
--- /dev/null
+++ b/debian/patches/attempt_ptr_update_on_nonzero_return.diff
@@ -0,0 +1,14 @@
+Index: sssd-1.13.4/src/providers/ldap/sdap_dyndns.c
+===================================================================
+--- sssd-1.13.4.orig/src/providers/ldap/sdap_dyndns.c
++++ sssd-1.13.4/src/providers/ldap/sdap_dyndns.c
+@@ -379,9 +379,6 @@ sdap_dyndns_update_done(struct tevent_re
+ return;
+ }
+ }
+-
+- tevent_req_error(req, ret);
+- return;
+ }
+
+ if (state->update_ptr == false) {
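Review bot: With `tevent_req_error(req, ret); return;` removed, a non-zero result from the forward-zone update that is not caught by the earlier `return` now falls through to the PTR step, and the failure status in `ret` is dropped without a log line. The changelog limits this to the case where the forward updates succeeded but nsupdate still returned non-zero, yet nothing in the hunk distinguishes that case from a real failure. A message before continuing, e.g. `DEBUG(SSSDBG_OP_FAILURE, "nsupdate returned %d, attempting PTR update anyway\n", ret);`, would keep the failure visible to operators. `sdap_dyndns_update_done` starts and ends outside the hunk, so how the final request status is set cannot be confirmed from here.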
=====================================
debian/patches/bad-initgroups-results-3045.patch
=====================================
--- /dev/null
+++ b/debian/patches/bad-initgroups-results-3045.patch
@@ -0,0 +1,23 @@
+Description: sdap: Fix ldap_rfc_2307_fallback_to_local_users
+ We wrongly tried to store empty user attributes instead of the local user
+ attributes with ldap_rfc_2307_fallback_to_local_users set to true. This gave us
+ bad initgroups results and caused segfaults.
+Origin: backport, https://pagure.io/SSSD/sssd/c/5a0fb268e836e600d864ded7de5d935946ae6c61
+Author: Michal Židek <mzidek at redhat.com>
+Bug: https://pagure.io/SSSD/sssd/issue/3045
+Bug-Ubuntu: https://launchpad.net/bugs/1684295
+Last-Update: 2017-11-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/providers/ldap/sdap_async_initgroups.c
++++ b/src/providers/ldap/sdap_async_initgroups.c
+@@ -2860,6 +2860,9 @@
+ SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS) == true)) {
+ ret = sdap_fallback_local_user(state, state->opts,
+ state->name, -1, &usr_attrs);
++ if (ret == EOK) {
++ state->orig_user = usr_attrs[0];
++ }
+ } else {
+ ret = ENOENT;
+ }
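Review bot: `state->orig_user = usr_attrs[0];` assumes that `sdap_fallback_local_user` always fills at least one element when it returns EOK, a contract that is not visible in this hunk. Since the bug being fixed already surfaced as segfaults, either guard the assignment with `if (ret == EOK && usr_attrs != NULL && usr_attrs[0] != NULL)` or add a comment above it stating that the helper guarantees a non-empty array on success. The enclosing function starts and ends outside the hunk, so the initial value and lifetime of `usr_attrs` could not be checked.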
=====================================
debian/patches/series
=====================================
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,6 @@ gpo-add-unity-to-ad-gpo-map-interactive.diff
restart_providers_on_timeshift.patch
pidfile-creation.diff
sanitize_newline.diff
+attempt_ptr_update_on_nonzero_return.diff
+bad-initgroups-results-3045.patch
+CVE-2017-12173.patch
=====================================
debian/rules
=====================================
--- a/debian/rules
+++ b/debian/rules
@@ -31,7 +31,7 @@ override_dh_auto_configure:
dh_auto_configure -- --enable-krb5-locator-plugin \
--datadir=/usr/share/ \
--with-ldb-lib-dir=/usr/lib/$(DEB_HOST_MULTIARCH)/ldb/modules/ldb \
- --with-krb5-plugin-path=/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/plugins/krb5 \
+ --with-krb5-plugin-path=/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/plugins/libkrb5 \
--enable-nsslibdir=/lib/$(DEB_HOST_MULTIARCH) \
--enable-pammoddir=/lib/$(DEB_HOST_MULTIARCH)/security \
--disable-static \
=====================================
debian/sssd-common.install
=====================================
--- a/debian/sssd-common.install
+++ b/debian/sssd-common.install
@@ -3,7 +3,7 @@ usr/bin/sss_ssh_authorizedkeys
usr/bin/sss_ssh_knownhostsproxy
usr/lib/*/cifs-utils/cifs_idmap_sss.so
usr/lib/*/krb5/plugins/authdata/sssd_pac_plugin.so
-usr/lib/*/krb5/plugins/krb5/sssd_krb5_locator_plugin.so
+usr/lib/*/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
usr/lib/*/ldb/modules/ldb/memberof.so
usr/lib/*/libnfsidmap/sss.so
usr/lib/*/sssd/libsss_cert.so
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/commit/95074c2c122700d48914862bde0f8933bbadb94e