Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi

Attached is the proposed debdiff for an sssd upload for stretch (originally it was planned to release a DSA for it, but in the meantime enough time has passed that it does not make much sense to release it via a DSA). It addresses CVE-2017-12173 (#877885).

The upload was not tested in a production environment though, but only by explicitly checking the testsuite for the sysdb-tests case (it needed additional build-depends locally to actually enable the tests). The upload as done also contains the testcase (even though it will not be tested during build).

Regards,
Salvatore
diff -u sssd-1.15.0/debian/changelog sssd-1.15.0/debian/changelog --- sssd-1.15.0/debian/changelog +++ sssd-1.15.0/debian/changelog @@ -1,3 +1,10 @@ +sssd (1.15.0-3+deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * sysdb: sanitize search filter input (CVE-2017-12173) (Closes: #877885) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 29 Dec 2019 14:12:24 +0100 + sssd (1.15.0-3) unstable; urgency=medium * rules, install: Remove responder service and socket files for now, the diff -u sssd-1.15.0/debian/patches/series sssd-1.15.0/debian/patches/series --- sssd-1.15.0/debian/patches/series +++ sssd-1.15.0/debian/patches/series @@ -1 +1 @@ -#placeholder +sysdb-sanitize-search-filter-input.patch only in patch2: unchanged: --- sssd-1.15.0.orig/debian/patches/sysdb-sanitize-search-filter-input.patch +++ sssd-1.15.0/debian/patches/sysdb-sanitize-search-filter-input.patch 
@@ -0,0 +1,138 @@ +From: Sumit Bose <sb...@redhat.com> +Date: Thu, 5 Oct 2017 11:07:38 +0200 +Subject: sysdb: sanitize search filter input +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12173 +Bug-Debian: https://bugs.debian.org/877885 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1498173 + +This patch sanitizes the input for sysdb searches by UPN/email, SID and +UUID. + +This security issue was assigned CVE-2017-12173 + +Reviewed-by: Lukáš Slebodník <lsleb...@redhat.com> +Reviewed-by: Jakub Hrozek <jhro...@redhat.com> +[Salvatore Bonaccorso: Backport to 1.15.0: Adjsust for context changes, adapt +changes in sysdb_search_object_by_cert as support for multiple results for +searches by certificates only added in 1.15.2. Changes to search the whole DB +or only the given domain introduced in 1.15.1 only, adjust testcase] +--- + src/db/sysdb_ops.c | 43 +++++++++++++++++++++++++++++++++-------- + src/tests/sysdb-tests.c | 7 +++++++ + 2 files changed, 42 insertions(+), 8 deletions(-) + +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -547,6 +547,7 @@ int sysdb_search_user_by_upn_res(TALLOC_ + int ret; + const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN, + SYSDB_USER_EMAIL, NULL }; ++ char *sanitized; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { +@@ -554,6 +555,12 @@ int sysdb_search_user_by_upn_res(TALLOC_ + goto done; + } + ++ ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n"); ++ goto done; ++ } ++ + base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx); + if (base_dn == NULL) { + ret = ENOMEM; +@@ -562,7 +569,7 @@ int sysdb_search_user_by_upn_res(TALLOC_ + + ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, + base_dn, LDB_SCOPE_SUBTREE, attrs 
? attrs : def_attrs, +- SYSDB_PWUPN_FILTER, upn, upn, upn); ++ SYSDB_PWUPN_FILTER, sanitized, sanitized, sanitized); + if (ret != EOK) { + ret = sysdb_error_to_errno(ret); + goto done; +@@ -4550,16 +4557,30 @@ static errno_t sysdb_search_object_by_st + const char **attrs, + struct ldb_result **_res) + { +- char *filter; ++ char *filter = NULL; + errno_t ret; ++ char *sanitized = NULL; ++ ++ if (str == NULL) { ++ return EINVAL; ++ } ++ ++ ret = sss_filter_sanitize(NULL, str, &sanitized); ++ if (ret != EOK || sanitized == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n"); ++ goto done; ++ } + +- filter = talloc_asprintf(NULL, filter_tmpl, str); ++ filter = talloc_asprintf(NULL, filter_tmpl, sanitized); + if (filter == NULL) { +- return ENOMEM; ++ ret = ENOMEM; ++ goto done; + } + + ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, _res); + ++done: ++ talloc_free(sanitized); + talloc_free(filter); + return ret; + } +@@ -4648,7 +4669,8 @@ errno_t sysdb_search_object_by_cert(TALL + struct ldb_result **res) + { + int ret; +- char *user_filter; ++ char *user_filter = NULL; ++ char *filter = NULL; + + ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT, + &user_filter); +@@ -4657,10 +4679,15 @@ errno_t sysdb_search_object_by_cert(TALL + return ret; + } + +- ret = sysdb_search_object_by_str_attr(mem_ctx, domain, +- SYSDB_USER_CERT_FILTER, +- user_filter, attrs, res); ++ filter = talloc_asprintf(NULL, SYSDB_USER_CERT_FILTER, user_filter); + talloc_free(user_filter); ++ if (filter == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, res); ++ ++ talloc_free(filter); + + return ret; + } +--- a/src/tests/sysdb-tests.c ++++ b/src/tests/sysdb-tests.c +@@ -6272,6 +6272,13 @@ START_TEST(test_upn_basic) + fail_unless(strcmp(str, UPN_PRINC) == 0, + "Expected [%s], got [%s].", UPN_PRINC, str); + ++ /* check if input is sanitized */ ++ ret = sysdb_search_user_by_upn(test_ctx, 
test_ctx->domain, ++ "a...@def.ghi)(name="UPN_USER_NAME")(abc=xyz", ++ NULL, &msg); ++ fail_unless(ret == ENOENT, ++ "sysdb_search_user_by_upn failed with un-sanitized input."); ++ + talloc_free(test_ctx); + } + END_TEST
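Review bot: in the sysdb_search_user_by_upn_res hunk, upn is passed to sss_filter_sanitize without a NULL check, while the sysdb_search_object_by_str_attr hunk of the same patch adds `if (str == NULL) { return EINVAL; }` before sanitizing. Either add the same guard here (setting ret = EINVAL and going to done, since tmp_ctx is already allocated at that point) or add a comment stating that callers guarantee a non-NULL upn, so the two sanitized entry points behave consistently.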
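Review bot: in the sysdb_search_object_by_str_attr hunk, the branch `if (ret != EOK || sanitized == NULL)` jumps to done without touching ret, so if sss_filter_sanitize returns EOK but leaves sanitized NULL the function returns EOK and _res is never filled. Set ret to an error (for example ENOMEM) inside that branch when ret is still EOK, so the caller cannot read an unset result on a reported success.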
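Review bot: in the sysdb_search_object_by_cert hunk, the call no longer goes through sysdb_search_object_by_str_attr, so user_filter is formatted into SYSDB_USER_CERT_FILTER without passing sss_filter_sanitize, and nothing in the code says why this path is exempt. If the intent is that the output of sss_cert_derb64_to_ldap_filter is already a filter-safe fragment, please state that in a comment above the talloc_asprintf call, so a later reader neither assumes the sanitizing was forgotten nor adds a second escaping pass.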
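Review bot: the case added to test_upn_basic exercises only sysdb_search_user_by_upn, while the patch description says searches by SID and UUID are sanitized as well, and the sysdb_search_object_by_str_attr change has no test of its own. Add an equivalent case with filter metacharacters in the input for the by-SID and by-UUID lookups, and for the new `str == NULL` path returning EINVAL, so each changed function has at least one regression check.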