Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id 
<a894a0233c2d264936953d7a69507573c4a5742a.ca...@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #947747,
regarding stretch-pu: package sssd/1.15.0-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
947747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi

Attached is the proposed debdiff for an sssd upload for stretch
(originally it was planned to release a DSA for it, but in meanwhile
it has passed enough time that it does not make much sense to release
it via a DSA). It addresses the CVE-2017-12173 (#877885).

The upload was not tested in a production environment though, but only
by explicitly checking the testsuite for the sysdb-tests case (it
needed additional local build-depends to actually enable the
tests). The upload done contains the testcase as well (even though it
will not be run during the build).

Regards,
Salvatore
diff -u sssd-1.15.0/debian/changelog sssd-1.15.0/debian/changelog
--- sssd-1.15.0/debian/changelog
+++ sssd-1.15.0/debian/changelog
@@ -1,3 +1,10 @@
+sssd (1.15.0-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * sysdb: sanitize search filter input (CVE-2017-12173) (Closes: #877885)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 29 Dec 2019 14:12:24 +0100
+
 sssd (1.15.0-3) unstable; urgency=medium
 
   * rules, install: Remove responder service and socket files for now, the
diff -u sssd-1.15.0/debian/patches/series sssd-1.15.0/debian/patches/series
--- sssd-1.15.0/debian/patches/series
+++ sssd-1.15.0/debian/patches/series
@@ -1 +1 @@
-#placeholder
+sysdb-sanitize-search-filter-input.patch
only in patch2:
unchanged:
--- sssd-1.15.0.orig/debian/patches/sysdb-sanitize-search-filter-input.patch
+++ sssd-1.15.0/debian/patches/sysdb-sanitize-search-filter-input.patch
@@ -0,0 +1,138 @@
+From: Sumit Bose <sb...@redhat.com>
+Date: Thu, 5 Oct 2017 11:07:38 +0200
+Subject: sysdb: sanitize search filter input
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12173
+Bug-Debian: https://bugs.debian.org/877885
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1498173
+
+This patch sanitizes the input for sysdb searches by UPN/email, SID and
+UUID.
+
+This security issue was assigned CVE-2017-12173
+
+Reviewed-by: Lukáš Slebodník <lsleb...@redhat.com>
+Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
+[Salvatore Bonaccorso: Backport to 1.15.0: Adjsust for context changes, adapt
+changes in sysdb_search_object_by_cert as support for multiple results for
+searches by certificates only added in 1.15.2. Changes to search the whole DB
+or only the given domain introduced in 1.15.1 only, adjust testcase]
+---
+ src/db/sysdb_ops.c      | 43 +++++++++++++++++++++++++++++++++--------
+ src/tests/sysdb-tests.c |  7 +++++++
+ 2 files changed, 42 insertions(+), 8 deletions(-)
+
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -547,6 +547,7 @@ int sysdb_search_user_by_upn_res(TALLOC_
+     int ret;
+     const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,
+                                 SYSDB_USER_EMAIL, NULL };
++    char *sanitized;
+ 
+     tmp_ctx = talloc_new(NULL);
+     if (tmp_ctx == NULL) {
+@@ -554,6 +555,12 @@ int sysdb_search_user_by_upn_res(TALLOC_
+         goto done;
+     }
+ 
++    ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++        goto done;
++    }
++
+     base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx);
+     if (base_dn == NULL) {
+         ret = ENOMEM;
+@@ -562,7 +569,7 @@ int sysdb_search_user_by_upn_res(TALLOC_
+ 
+     ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
+                      base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs,
+-                     SYSDB_PWUPN_FILTER, upn, upn, upn);
++                     SYSDB_PWUPN_FILTER, sanitized, sanitized, sanitized);
+     if (ret != EOK) {
+         ret = sysdb_error_to_errno(ret);
+         goto done;
+@@ -4550,16 +4557,30 @@ static errno_t sysdb_search_object_by_st
+                                                const char **attrs,
+                                                struct ldb_result **_res)
+ {
+-    char *filter;
++    char *filter = NULL;
+     errno_t ret;
++    char *sanitized = NULL;
++
++    if (str == NULL) {
++        return EINVAL;
++    }
++
++    ret = sss_filter_sanitize(NULL, str, &sanitized);
++    if (ret != EOK || sanitized == NULL) {
++        DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++        goto done;
++    }
+ 
+-    filter = talloc_asprintf(NULL, filter_tmpl, str);
++    filter = talloc_asprintf(NULL, filter_tmpl, sanitized);
+     if (filter == NULL) {
+-        return ENOMEM;
++        ret = ENOMEM;
++        goto done;
+     }
+ 
+     ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, _res);
+ 
++done:
++    talloc_free(sanitized);
+     talloc_free(filter);
+     return ret;
+ }
+@@ -4648,7 +4669,8 @@ errno_t sysdb_search_object_by_cert(TALL
+                                     struct ldb_result **res)
+ {
+     int ret;
+-    char *user_filter;
++    char *user_filter = NULL;
++    char *filter = NULL;
+ 
+     ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT,
+                                          &user_filter);
+@@ -4657,10 +4679,15 @@ errno_t sysdb_search_object_by_cert(TALL
+         return ret;
+     }
+ 
+-    ret = sysdb_search_object_by_str_attr(mem_ctx, domain,
+-                                          SYSDB_USER_CERT_FILTER,
+-                                          user_filter, attrs, res);
++    filter = talloc_asprintf(NULL, SYSDB_USER_CERT_FILTER, user_filter);
+     talloc_free(user_filter);
++    if (filter == NULL) {
++        return ENOMEM;
++    }
++
++    ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, res);
++
++    talloc_free(filter);
+ 
+     return ret;
+ }
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -6272,6 +6272,13 @@ START_TEST(test_upn_basic)
+     fail_unless(strcmp(str, UPN_PRINC) == 0,
+                 "Expected [%s], got [%s].", UPN_PRINC, str);
+ 
++    /* check if input is sanitized */
++    ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain,
++                                   
"a...@def.ghi)(name="UPN_USER_NAME")(abc=xyz",
++                                   NULL, &msg);
++    fail_unless(ret == ENOENT,
++                "sysdb_search_user_by_upn failed with un-sanitized input.");
++
+     talloc_free(test_ctx);
+ }
+ END_TEST
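Review bot: In sysdb_search_object_by_str_attr the new guard `if (ret != EOK || sanitized == NULL)` jumps to `done` with `ret` still EOK when sss_filter_sanitize reports success but leaves `sanitized` NULL, so the caller would see EOK while `*_res` is never written. Whether that combination is reachable cannot be told from the hunk, but the defensive half of the condition only makes sense if it is, so the branch should force an error code before the jump, e.g. `if (ret == EOK) { ret = ENOMEM; }` placed after the DEBUG call; the function's signature line lies before the hunk. In sysdb_search_object_by_cert the rewritten body formats SYSDB_USER_CERT_FILTER directly and no longer passes `user_filter` through the sanitizing helper, which is the one search path in this change that does not call sss_filter_sanitize; a one-line comment such as `/* user_filter comes from sss_cert_derb64_to_ldap_filter and is not run through sss_filter_sanitize — confirm it is already filter-safe */` would spare the next reader the same question. The sysdb-tests addition exercises only the UPN path, so the SID/UUID paths covered by sysdb_search_object_by_str_attr rely on the code review alone.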

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's
oldstable point release.

Regards,

Adam

--- End Message ---
