
sssd / CVE-2018-10852



Attached is my proposed patch produced by debdiff to fix this
vulnerability.

Unfortunately I am not in a position to test this feature, I wasn't even
aware of this sudo/sssd feature until I looked into this CVE.

However the active part of the patch is a very simple one line change. I
had to modify it slightly from upstream because there are two extra -1
parameters to the sss_process_init function that don't appear to be in
this version.
-- 
Brian May <bam@debian.org>
diff -u sssd-1.11.7/debian/changelog sssd-1.11.7/debian/changelog
--- sssd-1.11.7/debian/changelog
+++ sssd-1.11.7/debian/changelog
@@ -1,3 +1,10 @@
+sssd (1.11.7-3+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2018-10852: Use private socket for pipe to read available sudo rules.
+
+ -- Brian May <bam@debian.org>  Fri, 06 Jul 2018 17:16:21 +1000
+
 sssd (1.11.7-3) unstable; urgency=medium
 
   * libsss-sudo.postrm: Delete sudoers line from nsswitch.conf, if only
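Review bot: the CVE line in this changelog entry does not record that the backport is not the verbatim upstream commit, even though the cover mail says the sss_process_init call had to be adjusted (the two -1 arguments present upstream were dropped). Suggest extending it to something like `* CVE-2018-10852: Use private socket for pipe to read available sudo rules. Backport of upstream commit b0614512bee0, adjusted for the older sss_process_init signature in 1.11.7.` so the next uploader knows where the divergence from upstream is.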
diff -u sssd-1.11.7/debian/patches/series sssd-1.11.7/debian/patches/series
--- sssd-1.11.7/debian/patches/series
+++ sssd-1.11.7/debian/patches/series
@@ -3,0 +4 @@
+CVE-2018-10852.patch
only in patch2:
unchanged:
--- sssd-1.11.7.orig/debian/patches/CVE-2018-10852.patch
+++ sssd-1.11.7/debian/patches/CVE-2018-10852.patch
@@ -0,0 +1,32 @@
+From b0614512bee0b07ab1ab9c314220402c7c4680ac Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Jun 25 2018 07:23:05 +0000
+Subject: SUDO: Create the socket with stricter permissions
+
+
+This patch switches the sudo responder from being created as a public
+responder where the permissions are open and not checked by the sssd
+deaamon to a private socket. In this case, sssd creates the pipes with
+strict permissions (see the umask in the call to create_pipe_fd() in
+set_unix_socket()) and additionaly checks the permissions with every read
+via the tevent integrations (see accept_fd_handler()).
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3766 (CVE-2018-10852)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+
+---
+
+--- a/src/responder/sudo/sudosrv.c
++++ b/src/responder/sudo/sudosrv.c
+@@ -93,7 +93,7 @@
+     sudo_cmds = get_sudo_cmds();
+     ret = sss_process_init(mem_ctx, ev, cdb,
+                            sudo_cmds,
+-                           SSS_SUDO_SOCKET_NAME, NULL,
++                           NULL, SSS_SUDO_SOCKET_NAME,
+                            CONFDB_SUDO_CONF_ENTRY,
+                            SSS_SUDO_SBUS_SERVICE_NAME,
+                            SSS_SUDO_SBUS_SERVICE_VERSION,
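Review bot: the new patch file reuses the upstream commit header unchanged, so nothing in it says the hunk was adapted for 1.11.7 (the -1 pipe-fd arguments mentioned in the mail are absent here); add a DEP-3 style header above the description, e.g. `Origin: backport, https://pagure.io/SSSD/sssd/issue/3766 (upstream commit b0614512bee0)` plus a one-line note that the sss_process_init call was reduced to the older argument list, so the adaptation is reviewable without the mailing-list thread. The change itself looks correct for this signature: SSS_SUDO_SOCKET_NAME moves from the public-socket argument to the private-socket argument, so the socket path is unchanged and only the creation umask and the per-accept permission check described in the header apply to it. Since the submitter could not test, the minimal verification before upload is to install the package, confirm the sudo socket named by SSS_SUDO_SOCKET_NAME is now created root-owned with the restricted mode instead of world-accessible, and confirm that `sudo -l` for a user whose rules come from sssd still returns them.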
