[meta-security][PATCH] sssd: update to 2.7.1


Armin Kuster
 

drop CVE-2021-3621.patch
refresh a few patches

fixup configure-unsafe globally via sed in build.m4

=== test
RESULTS - sssd.SSSDTest.test_sssd_help: PASSED (1.70s)
RESULTS - sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk: PASSED (2.71s)
RESULTS - sssd.SSSDTest.test_sssd_sssctl_deamon: PASSED (2.07s)

Signed-off-by: Armin Kuster <akuster808@...>
---
.../sssd/files/CVE-2021-3621.patch | 288 ------------------
.../recipes-security/sssd/files/fix_gid.patch | 8 +-
.../recipes-security/sssd/files/no_gen.patch | 8 +-
.../sssd/{sssd_2.5.2.bb => sssd_2.7.1.bb} | 27 +-
4 files changed, 24 insertions(+), 307 deletions(-)
delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.5.2.bb => sssd_2.7.1.bb} (86%)

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
deleted file mode 100644
index 7a59df9..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-Backport patch to fix CVE-2021-3621.
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
-CVE: CVE-2021-3621
-
-Signed-off-by: Kai Kang <kai.kang@...>
-
-From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@...>
-Date: Fri, 18 Jun 2021 13:17:19 +0200
-Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
- user supplied command
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-:relnote: A flaw was found in SSSD, where the sssctl command was
-vulnerable to shell command injection via the logs-fetch and
-cache-expire subcommands. This flaw allows an attacker to trick
-the root user into running a specially crafted sssctl command,
-such as via sudo, to gain root access. The highest threat from this
-vulnerability is to confidentiality, integrity, as well as system
-availability.
-This patch fixes a flaw by replacing system() with execvp().
-
-:fixes: CVE-2021-3621
-
-Reviewed-by: Pavel Březina <pbrezina@...>
----
- src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
- src/tools/sssctl/sssctl.h | 2 +-
- src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
- src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
- 4 files changed, 73 insertions(+), 57 deletions(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 2997dbf968..8adaf30910 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
- return SSSCTL_PROMPT_ERROR;
- }
-
--errno_t sssctl_run_command(const char *command)
-+errno_t sssctl_run_command(const char *const argv[])
- {
- int ret;
-+ int wstatus;
-
-- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
-+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
-
-- ret = system(command);
-+ ret = fork();
- if (ret == -1) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
- ERROR("Error while executing external command\n");
- return EFAULT;
-- } else if (WEXITSTATUS(ret) != 0) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
-- command, WEXITSTATUS(ret));
-+ }
-+
-+ if (ret == 0) {
-+ /* cast is safe - see
-+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
-+ "The statement about argv[] and envp[] being constants ... "
-+ */
-+ execvp(argv[0], discard_const_p(char * const, argv));
- ERROR("Error while executing external command\n");
-- return EIO;
-+ _exit(1);
-+ } else {
-+ if (waitpid(ret, &wstatus, 0) == -1) {
-+ ERROR("Error while executing external command '%s'\n", argv[0]);
-+ return EFAULT;
-+ } else if (WEXITSTATUS(wstatus) != 0) {
-+ ERROR("Command '%s' failed with [%d]\n",
-+ argv[0], WEXITSTATUS(wstatus));
-+ return EIO;
-+ }
- }
-
- return EOK;
-@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
- #elif defined(HAVE_SERVICE)
- switch (action) {
- case SSSCTL_SVC_START:
-- return sssctl_run_command(SERVICE_PATH" sssd start");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
- case SSSCTL_SVC_STOP:
-- return sssctl_run_command(SERVICE_PATH" sssd stop");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
- case SSSCTL_SVC_RESTART:
-- return sssctl_run_command(SERVICE_PATH" sssd restart");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
- }
- #endif
-
-diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
-index 0115b2457c..599ef65196 100644
---- a/src/tools/sssctl/sssctl.h
-+++ b/src/tools/sssctl/sssctl.h
-@@ -47,7 +47,7 @@ enum sssctl_prompt_result
- sssctl_prompt(const char *message,
- enum sssctl_prompt_result defval);
-
--errno_t sssctl_run_command(const char *command);
-+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
- bool sssctl_start_sssd(bool force);
- bool sssctl_stop_sssd(bool force);
- bool sssctl_restart_sssd(bool force);
-diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
-index 8d79b977fd..bf22913416 100644
---- a/src/tools/sssctl/sssctl_data.c
-+++ b/src/tools/sssctl/sssctl_data.c
-@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
- }
- }
-
-- ret = sssctl_run_command("sss_override user-export "
-- SSS_BACKUP_USER_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
-+ SSS_BACKUP_USER_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to export user overrides\n");
- return ret;
- }
-
-- ret = sssctl_run_command("sss_override group-export "
-- SSS_BACKUP_GROUP_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
-+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to export group overrides\n");
- return ret;
-@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
- }
-
- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-- ret = sssctl_run_command("sss_override user-import "
-- SSS_BACKUP_USER_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
-+ SSS_BACKUP_USER_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to import user overrides\n");
- return ret;
-@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
- }
-
- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-- ret = sssctl_run_command("sss_override group-import "
-- SSS_BACKUP_GROUP_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
-+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to import group overrides\n");
- return ret;
-@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
- void *pvt)
- {
- errno_t ret;
-- char *cmd_args = NULL;
-- const char *cachecmd = SSS_CACHE;
-- char *cmd = NULL;
-- int i;
--
-- if (cmdline->argc == 0) {
-- ret = sssctl_run_command(cachecmd);
-- goto done;
-- }
-
-- cmd_args = talloc_strdup(tool_ctx, "");
-- if (cmd_args == NULL) {
-- ret = ENOMEM;
-- goto done;
-+ const char **args = talloc_array_size(tool_ctx,
-+ sizeof(char *),
-+ cmdline->argc + 2);
-+ if (!args) {
-+ return ENOMEM;
- }
-+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
-+ args[0] = SSS_CACHE;
-+ args[cmdline->argc + 1] = NULL;
-
-- for (i = 0; i < cmdline->argc; i++) {
-- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
-- if (i != cmdline->argc - 1) {
-- cmd_args = talloc_strdup_append(cmd_args, " ");
-- }
-- }
--
-- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
-- if (cmd == NULL) {
-- ret = ENOMEM;
-- goto done;
-- }
--
-- ret = sssctl_run_command(cmd);
--
--done:
-- talloc_free(cmd_args);
-- talloc_free(cmd);
-+ ret = sssctl_run_command(args);
-
-+ talloc_free(args);
- return ret;
- }
-diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
-index 9ff2be05b6..ebb2c4571c 100644
---- a/src/tools/sssctl/sssctl_logs.c
-+++ b/src/tools/sssctl/sssctl_logs.c
-@@ -31,6 +31,7 @@
- #include <ldb.h>
- #include <popt.h>
- #include <stdio.h>
-+#include <glob.h>
-
- #include "util/util.h"
- #include "tools/common/sss_process.h"
-@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- {
- struct sssctl_logs_opts opts = {0};
- errno_t ret;
-+ glob_t globbuf;
-
- /* Parse command line. */
- struct poptOption options[] = {
-@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
-
- sss_signal(SIGHUP);
- } else {
-+ globbuf.gl_offs = 4;
-+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+ return ret;
-+ }
-+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
-+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
-+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
-+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
-+
- PRINT("Truncating log files...\n");
-- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
-+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+ globfree(&globbuf);
- if (ret != EOK) {
- ERROR("Unable to truncate log files\n");
- return ret;
-@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
- void *pvt)
- {
- const char *file;
-- const char *cmd;
- errno_t ret;
-+ glob_t globbuf;
-
- /* Parse command line. */
- ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
-@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
- return ret;
- }
-
-- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
-- if (cmd == NULL) {
-- ERROR("Out of memory!");
-+ globbuf.gl_offs = 3;
-+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+ return ret;
- }
-+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
-+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
-+ globbuf.gl_pathv[2] = discard_const_p(char, file);
-
- PRINT("Archiving log files into %s...\n", file);
-- ret = sssctl_run_command(cmd);
-+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+ globfree(&globbuf);
- if (ret != EOK) {
- ERROR("Unable to archive log files\n");
- return ret;
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
index 9b481cc..419b83f 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -12,10 +12,10 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@...>

-Index: sssd-2.5.0/src/util/debug.h
+Index: sssd-2.7.1/src/util/debug.h
===================================================================
---- sssd-2.5.0.orig/src/util/debug.h
-+++ sssd-2.5.0/src/util/debug.h
+--- sssd-2.7.1.orig/src/util/debug.h
++++ sssd-2.7.1/src/util/debug.h
@@ -24,6 +24,8 @@
#include "config.h"

@@ -23,5 +23,5 @@ Index: sssd-2.5.0/src/util/debug.h
+#include <unistd.h>
+#include <sys/types.h>
#include <stdbool.h>
+ #include <sys/types.h>

- #include "util/util_errors.h"
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
index 5c83777..7d8e80b 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [OE Specific]

Signed-off-by: Armin Kuster <akuster808@...>

-Index: sssd-2.5.0/Makefile.am
+Index: sssd-2.7.1/Makefile.am
===================================================================
---- sssd-2.5.0.orig/Makefile.am
-+++ sssd-2.5.0/Makefile.am
-@@ -1033,8 +1033,6 @@ generate-sbus-code:
+--- sssd-2.7.1.orig/Makefile.am
++++ sssd-2.7.1/Makefile.am
+@@ -1023,8 +1023,6 @@ generate-sbus-code:

.PHONY: generate-sbus-code

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
similarity index 86%
rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
index 9f1d627..71f14a0 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
@@ -5,8 +5,9 @@ SECTION = "base"
LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"

-DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
+DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"

DEPENDS:append:libc-musl = " musl-nscd"

@@ -23,10 +24,9 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
- file://CVE-2021-3621.patch \
"

-SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
+SRC_URI[sha256sum] = "8eebd541a640aec95ed4b2da89713f0cbe8e4edf96895fbb972c0b9d570635c3"

inherit autotools pkgconfig gettext python3-dir features_check systemd

@@ -39,7 +39,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
"

-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG ?="nss autofs sudo infopipe"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"

@@ -49,8 +49,8 @@ PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
@@ -65,7 +65,6 @@ EXTRA_OECONF += " \
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--without-python2-bindings \
- --without-secrets \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
--with-pid-path=/run \
"
@@ -74,8 +73,8 @@ do_configure:prepend() {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/

- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+ # additional_libdir defaults to /usr/lib so replace with staging_libdir globally
+ sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
}

do_compile:prepend () {
@@ -84,7 +83,11 @@ do_compile:prepend () {
do_install () {
oe_runmake install DESTDIR="${D}"
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+
install -d ${D}/${sysconfdir}/${BPN}
+ install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+ mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR}
+
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}

# /var/log/sssd needs to be created in runtime. Use rmdir to catch if
@@ -106,6 +109,7 @@ do_install () {
# Remove /run as it is created on startup
rm -rf ${D}/run

+# rm -fr ${D}/sssd
rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
}

@@ -116,8 +120,6 @@ fi
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}

-FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
-
CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"

INITSCRIPT_NAME = "sssd"
@@ -141,10 +143,13 @@ PACKAGES =+ "libsss-sudo"
ALLOW_EMPTY:libsss-sudo = "1"

FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
+ ${nonarch_libdir}/tmpfiles.d \
${datadir}/dbus-1/system-services/*.service \
${libdir}/krb5/* \
${libdir}/ldb/* \
+ ${PYTHON_SITEPACKAGES_DIR}/sssd \
"
+
FILES:libsss-sudo = "${libdir}/libsss_sudo.so"

RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"
--
2.25.1