Re: [meta-security][PATCH] sssd: 2.5.1 -> 2.5.2

Home Messages Hashtags Subgroups

#54727

Re: [meta-security][PATCH] sssd: 2.5.1 -> 2.5.2

Armin Kuster #54727 merged thanks toggle quoted message Show quoted text On 9/10/21 1:39 AM, kai wrote: From: Kai Kang <kai.kang@...> SSSD 2.5.2 Highlights * General information - originalADgidNumber attribute in the SSSD cache is now indexed * New features - Debug messages in data provider include a unique request ID that can be used to track the request from its start to its end (requires libtevent >= 0.11.0) * Important fixes - Update large files in the files provider in batches to avoid timeouts * Configuration changes - Add new config option fallback_to_nss Full release notes: * https://sssd.io/release-notes/sssd-2.5.2.html And backport patch to fix CVE-2021-3621. CVE: CVE-2021-3621 Signed-off-by: Kai Kang <kai.kang@...> --- .../sssd/files/CVE-2021-3621.patch \| 288 ++++++++++++++++++ .../sssd/{sssd_2.5.1.bb => sssd_2.5.2.bb} \| 3 +- 2 files changed, 290 insertions(+), 1 deletion(-) create mode 100644 recipes-security/sssd/files/CVE-2021-3621.patch rename recipes-security/sssd/{sssd_2.5.1.bb => sssd_2.5.2.bb} (97%) diff --git a/recipes-security/sssd/files/CVE-2021-3621.patch b/recipes-security/sssd/files/CVE-2021-3621.patch new file mode 100644 index 0000000..7a59df9 --- /dev/null +++ b/recipes-security/sssd/files/CVE-2021-3621.patch @@ -0,0 +1,288 @@ +Backport patch to fix CVE-2021-3621. + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9] +CVE: CVE-2021-3621 + +Signed-off-by: Kai Kang <kai.kang@...> + +From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <atikhono@...> +Date: Fri, 18 Jun 2021 13:17:19 +0200 +Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of + user supplied command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +:relnote: A flaw was found in SSSD, where the sssctl command was +vulnerable to shell command injection via the logs-fetch and +cache-expire subcommands. This flaw allows an attacker to trick +the root user into running a specially crafted sssctl command, +such as via sudo, to gain root access. The highest threat from this +vulnerability is to confidentiality, integrity, as well as system +availability. +This patch fixes a flaw by replacing system() with execvp(). + +:fixes: CVE-2021-3621 + +Reviewed-by: Pavel Březina <pbrezina@...> +--- + src/tools/sssctl/sssctl.c \| 39 ++++++++++++++++------- + src/tools/sssctl/sssctl.h \| 2 +- + src/tools/sssctl/sssctl_data.c \| 57 +++++++++++----------------------- + src/tools/sssctl/sssctl_logs.c \| 32 +++++++++++++++---- + 4 files changed, 73 insertions(+), 57 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 2997dbf968..8adaf30910 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -97,22 +97,36 @@ sssctl_prompt(const char message, + return SSSCTL_PROMPT_ERROR; + } + +-errno_t sssctl_run_command(const char command) ++errno_t sssctl_run_command(const char const argv[]) + { + int ret; ++ int wstatus; + +- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); ++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); + +- ret = system(command); ++ ret = fork(); + if (ret == -1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); + ERROR("Error while executing external command\n"); + return EFAULT; +- } else if (WEXITSTATUS(ret) != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", +- command, WEXITSTATUS(ret)); ++ } ++ ++ if (ret == 0) { ++ / cast is safe - see ++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html ++ "The statement about argv[] and envp[] being constants ... " ++ / ++ execvp(argv[0], discard_const_p(char const, argv)); + ERROR("Error while executing external command\n"); +- return EIO; ++ _exit(1); ++ } else { ++ if (waitpid(ret, &wstatus, 0) == -1) { ++ ERROR("Error while executing external command '%s'\n", argv[0]); ++ return EFAULT; ++ } else if (WEXITSTATUS(wstatus) != 0) { ++ ERROR("Command '%s' failed with [%d]\n", ++ argv[0], WEXITSTATUS(wstatus)); ++ return EIO; ++ } + } + + return EOK; +@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) + #elif defined(HAVE_SERVICE) + switch (action) { + case SSSCTL_SVC_START: +- return sssctl_run_command(SERVICE_PATH" sssd start"); ++ return sssctl_run_command( ++ (const char []){SERVICE_PATH, "sssd", "start", NULL}); + case SSSCTL_SVC_STOP: +- return sssctl_run_command(SERVICE_PATH" sssd stop"); ++ return sssctl_run_command( ++ (const char []){SERVICE_PATH, "sssd", "stop", NULL}); + case SSSCTL_SVC_RESTART: +- return sssctl_run_command(SERVICE_PATH" sssd restart"); ++ return sssctl_run_command( ++ (const char []){SERVICE_PATH, "sssd", "restart", NULL}); + } + #endif + +diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h +index 0115b2457c..599ef65196 100644 +--- a/src/tools/sssctl/sssctl.h ++++ b/src/tools/sssctl/sssctl.h +@@ -47,7 +47,7 @@ enum sssctl_prompt_result + sssctl_prompt(const char message, + enum sssctl_prompt_result defval); + +-errno_t sssctl_run_command(const char command); ++errno_t sssctl_run_command(const char const argv[]); /* argv[0] - command / + bool sssctl_start_sssd(bool force); + bool sssctl_stop_sssd(bool force); + bool sssctl_restart_sssd(bool force); +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index 8d79b977fd..bf22913416 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ b/src/tools/sssctl/sssctl_data.c +@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) + } + } + +- ret = sssctl_run_command("sss_override user-export " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char []){"sss_override", "user-export", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export user overrides\n"); + return ret; + } + +- ret = sssctl_run_command("sss_override group-export " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char []){"sss_override", "group-export", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export group overrides\n"); + return ret; +@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override user-import " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char []){"sss_override", "user-import", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import user overrides\n"); + return ret; +@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override group-import " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char []){"sss_override", "group-import", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import group overrides\n"); + return ret; +@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline cmdline, + void pvt) + { + errno_t ret; +- char cmd_args = NULL; +- const char cachecmd = SSS_CACHE; +- char cmd = NULL; +- int i; +- +- if (cmdline->argc == 0) { +- ret = sssctl_run_command(cachecmd); +- goto done; +- } + +- cmd_args = talloc_strdup(tool_ctx, ""); +- if (cmd_args == NULL) { +- ret = ENOMEM; +- goto done; ++ const char *args = talloc_array_size(tool_ctx, ++ sizeof(char ), ++ cmdline->argc + 2); ++ if (!args) { ++ return ENOMEM; + } ++ memcpy(&args[1], cmdline->argv, sizeof(char ) cmdline->argc); ++ args[0] = SSS_CACHE; ++ args[cmdline->argc + 1] = NULL; + +- for (i = 0; i < cmdline->argc; i++) { +- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); +- if (i != cmdline->argc - 1) { +- cmd_args = talloc_strdup_append(cmd_args, " "); +- } +- } +- +- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); +- if (cmd == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = sssctl_run_command(cmd); +- +-done: +- talloc_free(cmd_args); +- talloc_free(cmd); ++ ret = sssctl_run_command(args); + ++ talloc_free(args); + return ret; + } +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c +index 9ff2be05b6..ebb2c4571c 100644 +--- a/src/tools/sssctl/sssctl_logs.c ++++ b/src/tools/sssctl/sssctl_logs.c +@@ -31,6 +31,7 @@ + #include <ldb.h> + #include <popt.h> + #include <stdio.h> ++#include <glob.h> + + #include "util/util.h" + #include "tools/common/sss_process.h" +@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline cmdline, + { + struct sssctl_logs_opts opts = {0}; + errno_t ret; ++ glob_t globbuf; + + / Parse command line. / + struct poptOption options[] = { +@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline cmdline, + + sss_signal(SIGHUP); + } else { ++ globbuf.gl_offs = 4; ++ ret = glob(LOG_PATH"/.log", GLOB_ERR\|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; ++ } ++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); ++ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); ++ globbuf.gl_pathv[3] = discard_const_p(char, "0"); ++ + PRINT("Truncating log files...\n"); +- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES); ++ ret = sssctl_run_command((const char const)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to truncate log files\n"); + return ret; +@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline cmdline, + void pvt) + { + const char file; +- const char cmd; + errno_t ret; ++ glob_t globbuf; + + / Parse command line. / + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, +@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline cmdline, + return ret; + } + +- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); +- if (cmd == NULL) { +- ERROR("Out of memory!"); ++ globbuf.gl_offs = 3; ++ ret = glob(LOG_PATH"/.log", GLOB_ERR\|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; + } ++ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); ++ globbuf.gl_pathv[2] = discard_const_p(char, file); + + PRINT("Archiving log files into %s...\n", file); +- ret = sssctl_run_command(cmd); ++ ret = sssctl_run_command((const char const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to archive log files\n"); + return ret; diff --git a/recipes-security/sssd/sssd_2.5.1.bb b/recipes-security/sssd/sssd_2.5.2.bb similarity index 97% rename from recipes-security/sssd/sssd_2.5.1.bb rename to recipes-security/sssd/sssd_2.5.2.bb index 1c77480..76d6e03 100644 --- a/recipes-security/sssd/sssd_2.5.1.bb +++ b/recipes-security/sssd/sssd_2.5.2.bb @@ -23,9 +23,10 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g file://drop_ntpdate_chk.patch \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ + file://CVE-2021-3621.patch \ " -SRC_URI[sha256sum] = "ce2f5d84a3f1750093318afd27f4fd75b1e3e75f7d80fc42d21a40cc54b58ea4" +SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f" inherit autotools pkgconfig gettext python3-dir features_check systemd
More All Messages By This Member

View All 2 Messages In Topic

#54727

Join {yocto@lists.yoctoproject.org to automatically receive all group messages.

Home Hashtags Subgroups Terms