commit:     f85b90959ccdba7479d1fa455031e3bb0b839c14
Author:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Fri Mar  8 15:09:20 2019 +0000
Commit:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Fri Mar  8 15:10:17 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f85b9095

sys-auth/sssd: fix CVE-2019-3811

Bug: https://bugs.gentoo.org/679538
Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

 sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch |  96 +++++++++
 sys-auth/sssd/sssd-1.16.3-r2.ebuild              | 239 +++++++++++++++++++++++
 2 files changed, 335 insertions(+)

diff --git a/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch 
b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch
new file mode 100644
index 00000000000..87db45fd24b
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch
@@ -0,0 +1,96 @@
+From 28792523a01a7d21bcc8931794164f253e691a68 Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thal...@redhat.com>
+Date: Mon, 3 Dec 2018 14:11:31 +0100
+Subject: [PATCH] nss: sssd returns '/' for emtpy home directories
+
+For empty home directory in passwd file sssd returns "/". Sssd
+should respect system behaviour and return the same as nsswitch
+"files" module - return empty string.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3901
+
+Reviewed-by: Simo Sorce <s...@redhat.com>
+Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
+(cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49)
+---
+ src/confdb/confdb.c                      |  9 +++++++++
+ src/man/include/ad_modified_defaults.xml | 19 +++++++++++++++++++
+ src/responder/nss/nss_protocol_pwent.c   |  2 +-
+ src/tests/intg/test_files_provider.py    |  2 +-
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index a3eb9c66d9..17bb4f8274 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1301,6 +1301,15 @@ static int confdb_get_domain_internal(struct confdb_ctx 
*cdb,
+             ret = ENOMEM;
+             goto done;
+         }
++    } else {
++        if (strcasecmp(domain->provider, "ad") == 0) {
++            /* ad provider default */
++            domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u");
++            if (!domain->fallback_homedir) {
++                ret = ENOMEM;
++                goto done;
++            }
++        }
+     }
+ 
+     tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+diff --git a/src/man/include/ad_modified_defaults.xml 
b/src/man/include/ad_modified_defaults.xml
+index 818a2bf787..425b7e8ee0 100644
+--- a/src/man/include/ad_modified_defaults.xml
++++ b/src/man/include/ad_modified_defaults.xml
+@@ -76,4 +76,23 @@
+             </listitem>
+         </itemizedlist>
+     </refsect2>
++    <refsect2 id='nss_modifications'>
++        <title>NSS configuration</title>
++        <itemizedlist>
++            <listitem>
++                <para>
++                    fallback_homedir = /home/%d/%u
++                </para>
++                <para>
++                    The AD provider automatically sets
++                    "fallback_homedir = /home/%d/%u" to provide personal
++                    home directories for users without the homeDirectory
++                    attribute. If your AD Domain is properly
++                    populated with Posix attributes, and you want to avoid
++                    this fallback behavior, you can explicitly
++                    set "fallback_homedir = %o".
++                </para>
++            </listitem>
++        </itemizedlist>
++    </refsect2>
+ </refsect1>
+diff --git a/src/responder/nss/nss_protocol_pwent.c 
b/src/responder/nss/nss_protocol_pwent.c
+index af9e74fc86..86fa4ec465 100644
+--- a/src/responder/nss/nss_protocol_pwent.c
++++ b/src/responder/nss/nss_protocol_pwent.c
+@@ -118,7 +118,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
+ 
+     homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, 
&hd_ctx);
+     if (homedir == NULL) {
+-        return "/";
++        return "";
+     }
+ 
+     return homedir;
+diff --git a/src/tests/intg/test_files_provider.py 
b/src/tests/intg/test_files_provider.py
+index ead1cc4c34..4761f1bd15 100644
+--- a/src/tests/intg/test_files_provider.py
++++ b/src/tests/intg/test_files_provider.py
+@@ -678,7 +678,7 @@ def test_user_no_dir(setup_pw_with_canary, 
files_domain_only):
+     Test that resolving a user without a homedir defined works and returns
+     a fallback value
+     """
+-    check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/'))
++    check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', ''))
+ 
+ 
+ def test_user_no_gecos(setup_pw_with_canary, files_domain_only):
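Review bot: The backported patch changes two user-visible behaviours while the commit record names only CVE-2019-3811: nss_get_homedir now returns `""` instead of `"/"` for a user without a home directory (nss_protocol_pwent.c hunk), and confdb_get_domain_internal now sets `fallback_homedir = /home/%d/%u` as the AD provider default (confdb.c hunk). The second is a configuration-default change that AD administrators should be told about, for example with an elog line in pkg_postinst or a sentence in the commit description pointing at the bundled ad_modified_defaults.xml text and the `fallback_homedir = %o` opt-out it documents. Both enclosing C functions start and end outside their hunks, and the patch itself is an upstream cherry-pick whose header records the origin commit, so it should stay verbatim rather than be edited locally.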

diff --git a/sys-auth/sssd/sssd-1.16.3-r2.ebuild 
b/sys-auth/sssd/sssd-1.16.3-r2.ebuild
new file mode 100644
index 00000000000..a52daabfc41
--- /dev/null
+++ b/sys-auth/sssd/sssd-1.16.3-r2.ebuild
@@ -0,0 +1,239 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python{2_7,3_3,3_4,3_5,3_6,3_7} )
+
+inherit autotools flag-o-matic linux-info multilib-minimal pam python-r1 
systemd toolchain-funcs
+
+DESCRIPTION="System Security Services Daemon provides access to identity and 
authentication"
+HOMEPAGE="https://pagure.io/SSSD/sssd";
+SRC_URI="http://releases.pagure.org/SSSD/${PN}/${P}.tar.gz";
+KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh 
~sparc x86"
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="acl autofs +locator +netlink nfsv4 nls +manpages python samba selinux 
sudo ssh test"
+
+COMMON_DEP="
+       >=virtual/pam-0-r1[${MULTILIB_USEDEP}]
+       >=dev-libs/popt-1.16
+       dev-libs/glib:2
+       >=dev-libs/ding-libs-0.2
+       >=sys-libs/talloc-2.0.7
+       >=sys-libs/tdb-1.2.9
+       >=sys-libs/tevent-0.9.16
+       >=sys-libs/ldb-1.1.17-r1:=
+       >=net-nds/openldap-2.4.30[sasl]
+       net-libs/http-parser
+       >=dev-libs/libpcre-8.30
+       >=app-crypt/mit-krb5-1.10.3
+       dev-libs/jansson
+       net-misc/curl
+       locator? (
+               >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}]
+               >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}]
+       )
+       >=sys-apps/keyutils-1.5
+       >=net-dns/c-ares-1.7.4
+       >=dev-libs/nss-3.12.9
+       selinux? (
+               >=sys-libs/libselinux-2.1.9
+               >=sys-libs/libsemanage-2.1
+       )
+       >=net-dns/bind-tools-9.9[gssapi]
+       >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+       >=sys-apps/dbus-1.6
+       acl? ( net-fs/cifs-utils[acl] )
+       nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) )
+       nls? ( >=sys-devel/gettext-0.18 )
+       virtual/libintl
+       netlink? ( dev-libs/libnl:3 )
+       samba? ( >=net-fs/samba-4.5 )
+       "
+
+RDEPEND="${COMMON_DEP}
+       >=sys-libs/glibc-2.17[nscd]
+       selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )
+       "
+DEPEND="${COMMON_DEP}
+       test? ( dev-libs/check )
+       manpages? (
+               >=dev-libs/libxslt-1.1.26
+               app-text/docbook-xml-dtd:4.4
+               )"
+
+CONFIG_CHECK="~KEYS"
+
+MULTILIB_WRAPPED_HEADERS=(
+       /usr/include/ipa_hbac.h
+       /usr/include/sss_idmap.h
+       /usr/include/sss_nss_idmap.h
+       /usr/include/wbclient_sssd.h
+       # --with-ifp
+       /usr/include/sss_sifp.h
+       /usr/include/sss_sifp_dbus.h
+       # from 1.15.3
+       /usr/include/sss_certmap.h
+)
+
+pkg_setup(){
+       linux-info_pkg_setup
+}
+
+src_prepare() {
+       sed -i 's:#!/sbin/runscript:#!/sbin/openrc-run:' \
+               "${S}"/src/sysv/gentoo/sssd.in || die "sed sssd.in"
+
+       eapply "${FILESDIR}"/${PN}-curl-macros.patch
+       eapply "${FILESDIR}"/${PN}-fix-CVE-2019-3811.patch
+
+       default
+       eautoreconf
+       multilib_copy_sources
+}
+
+src_configure() {
+       local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1)
+
+       multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+       # set initscript to sysv because the systemd option needs systemd to
+       # be installed. We provide our own systemd file anyway.
+       local myconf=()
+       if [[ "${PYTHON_TARGETS}" == *python2* ]]; then
+               myconf+=($(multilib_native_use_with python python2-bindings))
+       fi
+       if [[ "${PYTHON_TARGETS}" == *python3* ]]; then
+               myconf+=($(multilib_native_use_with python python3-bindings))
+       fi
+       #Work around linker dependency problem.
+       append-ldflags "-Wl,--allow-shlib-undefined"
+
+       myconf+=(
+               --localstatedir="${EPREFIX}"/var
+               --enable-nsslibdir="${EPREFIX}"/$(get_libdir)
+               --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+               --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
+               --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+               --with-os=gentoo
+               --with-nscd
+               --with-unicode-lib="glib2"
+               --disable-rpath
+               --disable-silent-rules
+               --sbindir=/usr/sbin
+               --without-kcm
+               $(use_with samba libwbclient)
+               --with-secrets
+               $(multilib_native_use_with samba)
+               $(multilib_native_use_enable acl cifs-idmap-plugin)
+               $(multilib_native_use_with selinux)
+               $(multilib_native_use_with selinux semanage)
+               $(use_enable locator krb5-locator-plugin)
+               $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+               $(use_enable nls )
+               $(multilib_native_use_with netlink libnl)
+               $(multilib_native_use_with manpages)
+               $(multilib_native_use_with sudo)
+               $(multilib_native_use_with autofs)
+               $(multilib_native_use_with ssh)
+               --with-crypto="nss"
+               --with-initscript="sysv"
+
+               KRB5_CONFIG=/usr/bin/${CHOST}-krb5-config
+       )
+
+       if ! multilib_is_native_abi; then
+               # work-around all the libraries that are used for CLI and server
+               myconf+=(
+                       {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+                       # ldb headers are fine since native needs it
+                       # ldb lib fails... but it does not seem to bother
+                       
{DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1}}_{CFLAGS,LIBS}=' '
+                       
{PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO}_{CFLAGS,LIBS}=' '
+
+                       # use native include path for dbus (needed for build)
+                       DBUS_CFLAGS="${native_dbus_cflags}"
+
+                       # non-pkgconfig checks
+                       ac_cv_lib_ldap_ldap_search=yes
+                       --without-secrets
+                       --without-libwbclient
+                       --without-kcm
+                       --with-crypto=""
+               )
+
+               use locator || myconf+=(
+                               KRB5_CONFIG=/bin/true
+               )
+       fi
+
+       econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+       if multilib_is_native_abi; then
+               default
+       else
+               emake libnss_sss.la pam_sss.la
+               use locator && emake sssd_krb5_locator_plugin.la
+       fi
+}
+
+multilib_src_install() {
+       if multilib_is_native_abi; then
+               emake -j1 DESTDIR="${D}" "${_at_args[@]}" install
+       else
+               # easier than playing with automake...
+               dopammod .libs/pam_sss.so
+
+               into /
+               dolib .libs/libnss_sss.so*
+
+               if use locator; then
+                       exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+                       doexe .libs/sssd_krb5_locator_plugin.so
+               fi
+       fi
+}
+
+multilib_src_install_all() {
+       einstalldocs
+       find "${ED}" -type f -name '*.la' -delete || die
+
+       insinto /etc/sssd
+       insopts -m600
+       doins "${S}"/src/examples/sssd-example.conf
+
+       insinto /etc/logrotate.d
+       insopts -m644
+       newins "${S}"/src/examples/logrotate sssd
+
+       newconfd "${FILESDIR}"/sssd.conf sssd
+       newinitd "${FILESDIR}"/sssd sssd
+
+       keepdir /var/lib/sss/db
+       keepdir /var/lib/sss/deskprofile
+       keepdir /var/lib/sss/gpo_cache
+       keepdir /var/lib/sss/keytabs
+       keepdir /var/lib/sss/mc
+       keepdir /var/lib/sss/pipes/private
+       keepdir /var/lib/sss/pubconf/krb5.include.d
+       keepdir /var/lib/sss/secrets
+       keepdir /var/log/sssd
+
+       systemd_dounit "${FILESDIR}/${PN}.service"
+}
+
+multilib_src_test() {
+       default
+}
+
+pkg_postinst(){
+       elog "You must set up sssd.conf (default installed into /etc/sssd)"
+       elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+       elog "features. Please see howto in     
https://docs.pagure.org/SSSD.sssd/design_pages/index.html#implemented-in-1-16-x";
+}
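Review bot: `"${_at_args[@]}"` on the `emake -j1 DESTDIR="${D}" "${_at_args[@]}" install` line of multilib_src_install names an array that is assigned nowhere in this file, so it expands to nothing and reads as a leftover; either drop it, `emake -j1 DESTDIR="${D}" install`, or define it beside its only use. The ebuild inherits python-r1 and sets PYTHON_COMPAT but declares no `REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"` and no `python? ( ${PYTHON_DEPS} )` in its dependency strings, and multilib_src_configure keys the bindings on `${PYTHON_TARGETS}` directly; if that is deliberate for this package a comment saying so would help, otherwise it should follow the eclass contract. The keepdir list in multilib_src_install_all creates `/var/lib/sss/db`, `secrets`, `keytabs` and `pipes/private` with keepdir's default mode when they do not already exist, so the restrictive modes the daemon needs presumably come from the upstream install target run just before; a one-line comment naming that ordering dependency would spare the next maintainer from reordering the two.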
