[Pkg-sssd-devel] s-pu upload to fix no-dsa security issue in sssd

Guilhem Moulin guilhem at debian.org
Sun Feb 9 13:11:50 GMT 2025


Hi there,

While working on an upload for Bullseye LTS I noticed the version of
src:sssd currently found in Bookworm is vulnerable to CVE-2023-3758
(marked no-dsa by the security team) [0].  The issue is already fixed in
trixie, and is now fixed in bullseye-security so it makes sense to fix
it in Bookworm as well.

The upstream patches trivially apply to 2.8.2-4 (using the patch from
upstream's sssd-2-8-branch).  I attach a tested debdiff; individual
commits and tag can be found on the LTS team fork [1].

(I observed that 2.8.2-4 doesn't run the test suite, and didn't change
that in 2.8.2-4+deb12u1.  sss_certmap_test fails on both versions for
reasons unrelated to that change.  ad_gpo_tests passes on both versions
though.)

Unless you object I'll file a bookworm-pu bug with these changes.

Cheers,
-- 
Guilhem.

[0] https://security-tracker.debian.org/tracker/source-package/sssd
[1] https://salsa.debian.org/lts-team/packages/sssd/-/tree/debian/bookworm
-------------- next part --------------
diffstat for sssd-2.8.2 sssd-2.8.2

 .gitlab-ci.yml              |    8 +
 changelog                   |   11 ++
 patches/CVE-2023-3758.patch |  214 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 4 files changed, 234 insertions(+)

diff -Nru sssd-2.8.2/debian/changelog sssd-2.8.2/debian/changelog
--- sssd-2.8.2/debian/changelog	2023-04-11 14:19:36.000000000 +0200
+++ sssd-2.8.2/debian/changelog	2025-02-09 11:45:11.000000000 +0100
@@ -1,3 +1,14 @@
+sssd (2.8.2-4+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2023-3758: Due to a race condition flaw the GPO policy is not
+    consistently applied for authenticated users. (Closes: #1070369)
+  * Add d/.gitlab-ci.yml for Salsa CI.
+  * Add d/.gitignore file to exclude d/p/*.patch from upstream gitignore(5)'d
+    rules.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Sun, 09 Feb 2025 11:45:11 +0100
+
 sssd (2.8.2-4) unstable; urgency=medium
 
   [ Sam Morris ]
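Review bot: the third changelog bullet ("Add d/.gitignore file to exclude d/p/*.patch ...") describes a file that does not appear anywhere in this debdiff: the diffstat lists only .gitlab-ci.yml, changelog, patches/CVE-2023-3758.patch and patches/series. This is most likely because dpkg-source's default ignore pattern drops .gitignore from the source package, so the entry only describes the packaging git repository and not the uploaded source. Either confirm that is intended (and perhaps word the entry accordingly) or drop the bullet, so the changelog matches what actually ships in the .dsc.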
diff -Nru sssd-2.8.2/debian/.gitlab-ci.yml sssd-2.8.2/debian/.gitlab-ci.yml
--- sssd-2.8.2/debian/.gitlab-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ sssd-2.8.2/debian/.gitlab-ci.yml	2025-02-09 11:45:11.000000000 +0100
@@ -0,0 +1,8 @@
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bookworm'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
+  SALSA_CI_DISABLE_PIUPARTS: 1
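Review bot: disabling piuparts here means the pipeline no longer exercises the install/upgrade/purge path from 2.8.2-4 to 2.8.2-4+deb12u1, which is the one transition a stable update should prove. Lintian and reprotest are reasonable to skip for a targeted security fix, but consider leaving piuparts enabled (or noting in the changelog why it is off) since RELEASE is already pinned to bookworm and the job would run against the right suite.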
diff -Nru sssd-2.8.2/debian/patches/CVE-2023-3758.patch sssd-2.8.2/debian/patches/CVE-2023-3758.patch
--- sssd-2.8.2/debian/patches/CVE-2023-3758.patch	1970-01-01 01:00:00.000000000 +0100
+++ sssd-2.8.2/debian/patches/CVE-2023-3758.patch	2025-02-09 11:45:11.000000000 +0100
@@ -0,0 +1,214 @@
+From: Sumit Bose <sbose at redhat.com>
+Date: Wed, 8 Nov 2023 14:50:24 +0100
+Subject: ad-gpo: use hash to store intermediate results
+
+Currently after the evaluation of a single GPO file the intermediate
+results are stored in the cache and this cache entry is updated until
+all applicable GPO files are evaluated. Finally the data in the cache is
+used to make the decision of access is granted or rejected.
+
+If there are two or more access-control request running in parallel one
+request might overwrite the cache object with intermediate data while
+another request reads the cached data for the access decision and as a
+result will do this decision based on intermediate data.
+
+To avoid this the intermediate results are not stored in the cache
+anymore but in hash tables which are specific to the request. Only the
+final result is written to the cache to have it available for offline
+authentication.
+
+Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
+Reviewed-by: Tomáš Halman <thalman at redhat.com>
+Origin: https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726
+Bug: https://github.com/SSSD/sssd/pull/7302
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-3758
+Bug-Debian: https://bugs.debian.org/1070369
+---
+ src/providers/ad/ad_gpo.c | 116 ++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 102 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 4b7bbf1..904aa1e 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -1316,6 +1316,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+     return ret;
+ }
+ 
++static errno_t
++add_result_to_hash(hash_table_t *hash, const char *key, char *value)
++{
++    int hret;
++    hash_key_t k;
++    hash_value_t v;
++
++    if (hash == NULL || key == NULL || value == NULL) {
++        return EINVAL;
++    }
++
++    k.type = HASH_KEY_CONST_STRING;
++    k.c_str = key;
++
++    v.type = HASH_VALUE_PTR;
++    v.ptr = value;
++
++    hret = hash_enter(hash, &k, &v);
++    if (hret != HASH_SUCCESS) {
++        DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
++                                 key, value, hash_error_string(hret));
++        return EIO;
++    }
++
++    return EOK;
++}
++
+ /*
+  * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
+  * and stores the allow_key and deny_key of all of the gpo_map_types present
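Review bot: add_result_to_hash has last-writer-wins semantics that deserve a comment. hash_enter replaces the value when the key already exists, so when several applicable GPOs set the same allow/deny key the one evaluated last supersedes the earlier ones; that preserves the previous behaviour of repeatedly updating the cache entry, but it is now implicit, and the replaced value string is simply abandoned until the table's talloc context goes away. A one-line comment above `hret = hash_enter(hash, &k, &v);` stating that an existing key is overwritten by design would save the next reader from wondering whether a duplicate should be an error.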
+@@ -1323,6 +1350,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+  */
+ static errno_t
+ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
++                             hash_table_t *allow_maps, hash_table_t *deny_maps,
+                              const char *filename)
+ {
+     struct ini_cfgfile *file_ctx = NULL;
+@@ -1456,14 +1484,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                 goto done;
+             } else if (ret != ENOENT) {
+                 const char *value = allow_value ? allow_value : empty_val;
+-                ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                         allow_key,
+-                                                         value);
++                ret = add_result_to_hash(allow_maps, allow_key,
++                                         talloc_strdup(allow_maps, value));
+                 if (ret != EOK) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE,
+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                          "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
+-                          ret, sss_strerror(ret));
++                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++                                               "value: [%s] to allow maps "
++                                               "[%d][%s].\n",
++                                               allow_key, value, ret,
++                                               sss_strerror(ret));
+                     goto done;
+                 }
+             }
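Review bot: the talloc_strdup result is passed straight into add_result_to_hash without a NULL check, so an allocation failure surfaces as EINVAL ("Failed to add key ... to allow maps") rather than ENOMEM, which hides the real cause in the log. Suggest assigning the copy first, e.g. `char *dup = talloc_strdup(allow_maps, value); if (dup == NULL) { ret = ENOMEM; goto done; }` and then calling add_result_to_hash with dup. The same applies to the deny-maps branch in the next hunk.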
+@@ -1483,14 +1511,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                 goto done;
+             } else if (ret != ENOENT) {
+                 const char *value = deny_value ? deny_value : empty_val;
+-                ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                         deny_key,
+-                                                         value);
++                ret = add_result_to_hash(deny_maps, deny_key,
++                                         talloc_strdup(deny_maps, value));
+                 if (ret != EOK) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE,
+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                          "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
+-                          ret, sss_strerror(ret));
++                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++                                               "value: [%s] to deny maps "
++                                               "[%d][%s].\n",
++                                               deny_key, value, ret,
++                                               sss_strerror(ret));
+                     goto done;
+                 }
+             }
+@@ -1783,6 +1811,8 @@ struct ad_gpo_access_state {
+     int num_cse_filtered_gpos;
+     int cse_gpo_index;
+     const char *ad_domain;
++    hash_table_t *allow_maps;
++    hash_table_t *deny_maps;
+ };
+ 
+ static void ad_gpo_connect_done(struct tevent_req *subreq);
+@@ -1905,6 +1935,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
++    ret = sss_hash_create(state, 0, &state->allow_maps);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
++              "hash table [%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
++
++    ret = sss_hash_create(state, 0, &state->deny_maps);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
++              "hash table [%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
+ 
+     subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+     if (subreq == NULL) {
+@@ -2724,6 +2767,43 @@ ad_gpo_cse_step(struct tevent_req *req)
+     return EAGAIN;
+ }
+ 
++static errno_t
++store_hash_maps_in_cache(struct sss_domain_info *domain,
++                         hash_table_t *allow_maps, hash_table_t *deny_maps)
++{
++    int ret;
++    struct hash_iter_context_t *iter;
++    hash_entry_t *entry;
++    size_t c;
++    hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
++
++
++    for (c = 0; hash_list[c] != NULL; c++) {
++        iter = new_hash_iter_context(hash_list[c]);
++        if (iter == NULL) {
++            DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
++            return EINVAL;
++        }
++
++        while ((entry = iter->next(iter)) != NULL) {
++            ret = sysdb_gpo_store_gpo_result_setting(domain,
++                                                     entry->key.c_str,
++                                                     entry->value.ptr);
++            if (ret != EOK) {
++                free(iter);
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "sysdb_gpo_store_gpo_result_setting failed for key:"
++                      "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
++                      (char *) entry->value.ptr, ret, sss_strerror(ret));
++                return ret;
++            }
++        }
++        talloc_free(iter);
++    }
++
++    return EOK;
++}
++
+ /*
+  * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
+  * cse_gpo_index until the policy settings for all applicable GPOs have been
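Review bot: store_hash_maps_in_cache frees the iterator two different ways: `free(iter)` on the error path and `talloc_free(iter)` on the success path. The table comes from sss_hash_create, which sets up talloc-based allocators, so new_hash_iter_context hands back a talloc allocation and the error path should use `talloc_free(iter)` as well; mixing the two is at best inconsistent and at worst corrupts the talloc context. Also `int ret` is used where the function returns errno_t; declaring it as `errno_t ret` matches the rest of the file.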
+@@ -2765,6 +2845,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+      * (as part of the GPO Result object in the sysdb cache).
+      */
+     ret = ad_gpo_store_policy_settings(state->host_domain,
++                                       state->allow_maps, state->deny_maps,
+                                        cse_filtered_gpo->policy_filename);
+     if (ret != EOK && ret != ENOENT) {
+         DEBUG(SSSDBG_OP_FAILURE,
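Review bot: the comment just above this call, "(as part of the GPO Result object in the sysdb cache)", is now stale: ad_gpo_store_policy_settings no longer writes to sysdb but fills the per-request allow_maps/deny_maps hash tables, and the cache write happens later in store_hash_maps_in_cache. Update the comment so it describes the new two-step flow, otherwise it reintroduces in prose the very shared-state assumption this patch removes.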
+@@ -2778,6 +2859,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+ 
+     if (ret == EOK) {
+         /* ret is EOK only after all GPO policy files have been downloaded */
++        ret = store_hash_maps_in_cache(state->host_domain,
++                                       state->allow_maps, state->deny_maps);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
++                                     "[%d][%s].\n", ret, sss_strerror(ret));
++            goto done;
++        }
+         ret = ad_gpo_perform_hbac_processing(state,
+                                              state->gpo_mode,
+                                              state->gpo_map_type,
diff -Nru sssd-2.8.2/debian/patches/series sssd-2.8.2/debian/patches/series
--- sssd-2.8.2/debian/patches/series	2023-03-24 09:10:33.000000000 +0100
+++ sssd-2.8.2/debian/patches/series	2025-02-09 11:45:11.000000000 +0100
@@ -2,3 +2,4 @@
 default-to-socket-activated-services.diff
 fix-shebang-on-sss_analyze.patch
 0004-Makefile-Install-dbus-policy-in-usr-not-etc.patch
+CVE-2023-3758.patch