Bug 1656618 (CVE-2019-3811)

Summary: CVE-2019-3811 sssd: fallback_homedir returns '/' for empty home directories in passwd file
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, abokovoy, asn, dbaker, grajaiya, jhrozek, jokerman, lslebodn, mupadhye, mzidek, pbrezina, rharwood, sbose, ssorce, sssd-maint, sthangav, trankin, tscherf
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in sssd where, if a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot().
Last Closed: 2019-08-06 13:20:52 UTC
Bug Depends On: 1652719, 1656619, 1659843, 1660693
Bug Blocks: 1652985

Description Laura Pardo 2018-12-05 21:17:54 UTC
An issue was found in SSSD. The default option for fallback_homedir returns '/' for empty home directories in the passwd file.


References:
https://github.com/SSSD/sssd/pull/703

Upstream Patch:
https://github.com/SSSD/sssd/pull/703/commits/fa0a6400ebd2f4056a057914355ec2ddefc14fe6
https://github.com/SSSD/sssd/pull/703/commits/fe11bd0d5b7dea9f1723c5a59ba0c47641802797

Comment 1 Laura Pardo 2018-12-05 21:18:24 UTC
Created sssd tracking bugs for this issue:

Affects: fedora-all [bug 1656619]

Comment 2 Doran Moppert 2018-12-14 06:06:09 UTC
Introduced in:

https://github.com/SSSD/sssd/commit/704cc1c7

Comment 4 Doran Moppert 2018-12-17 02:14:00 UTC
Further upstream patch:

https://github.com/SSSD/sssd/commit/90f32399b4

This addresses another part of the flaw that was introduced prior to the part linked on comment 2.  SSSD versions back to at least 1.14.3 are most probably affected.

Comment 5 Doran Moppert 2018-12-17 02:20:14 UTC
This flaw could impact services that restrict the user's filesystem access to within their home directory.  An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).
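
Added example, not part of this bug thread or of the sssd code base: a check a service could run on the home directory NSS returns before using it as a chroot() target, refusing both an empty field and any spelling of "/". The names check_jail_dir and jail_status and the sample user are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum jail_status { JAIL_OK, JAIL_NO_HOME, JAIL_NOT_ABSOLUTE, JAIL_IS_ROOT };

/* Lexically classify the home directory NSS returned for a user.
 * Symlinks are not resolved; a real service would also realpath() the result. */
enum jail_status check_jail_dir(const struct passwd *pw)
{
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] == '\0')
        return JAIL_NO_HOME;            /* empty field: no filesystem access */
    if (pw->pw_dir[0] != '/')
        return JAIL_NOT_ABSOLUTE;

    int depth = 0;                      /* path components below "/" */
    const char *p = pw->pw_dir;
    while (*p != '\0') {
        while (*p == '/')
            p++;
        size_t len = strcspn(p, "/");
        if (len == 0)
            break;
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth > 0)
                depth--;                /* ".." never climbs above the root */
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;
        }
        p += len;
    }
    /* "/", "//", "/./" and "/home/.." all name the root directory. An affected
     * sssd reports "/" for an empty passwd field, so the two cases cannot be
     * told apart here and both are refused as a jail. */
    return depth == 0 ? JAIL_IS_ROOT : JAIL_OK;
}

/* Constructed sample entry, shaped as an affected sssd would return it. */
int main(void)
{
    struct passwd pw = { .pw_name = "sftpuser", .pw_dir = "/" };
    printf("%s: status %d\n", pw.pw_name, check_jail_dir(&pw));
    return 0;
}
```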

Comment 6 Jakub Hrozek 2018-12-17 07:56:59 UTC
(In reply to Doran Moppert from comment #4)
> Further upstream patch:
> 
> https://github.com/SSSD/sssd/commit/90f32399b4
> 
> This addresses another part of the flaw that was introduced prior to the
> part linked on comment 2.  

"Another part" ? I would hope that commit addresses it all.

> SSSD versions back to at least 1.14.3 are most
> probably affected.

The way I read the original patch, back to 0.2.0 (so, all versions, ever)

Comment 7 Doran Moppert 2018-12-19 01:33:14 UTC
In reply to comment #6:
> (In reply to Doran Moppert from comment #4)
> > Further upstream patch:
> > 
> > https://github.com/SSSD/sssd/commit/90f32399b4
> > 
> > This addresses another part of the flaw that was introduced prior to the
> > part linked on comment 2.  
> 
> "Another part" ? I would hope that commit addresses it all.

Indeed!  It looks like this is actually the squashed version of the commits linked from comment#0; my apologies.

> > SSSD versions back to at least 1.14.3 are most
> > probably affected.
> 
> The way I read the original patch, back to 0.2.0 (so, all versions, ever)

Thanks

Comment 10 Doran Moppert 2018-12-19 02:06:21 UTC
Upstream ticket:

https://pagure.io/SSSD/sssd/issue/3901

Comment 13 Andreas Schneider 2019-01-23 10:14:53 UTC
You don't do any CVE descriptions for sssd, do you?

Example: https://www.samba.org/samba/security/CVE-2018-16857.html

Comment 14 Jakub Hrozek 2019-01-23 11:14:15 UTC
(In reply to Andreas Schneider from comment #13)
> You don't do any CVE descriptions for sssd, do you?
> 
> Example: https://www.samba.org/samba/security/CVE-2018-16857.html

We normally do, I 'just' forgot to do this for this CI..

e.g. https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/IKWCIYZ3E6ATZECU2SIWCJ22POSDTI2V/

Comment 16 errata-xmlrpc 2019-08-06 12:24:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2177 https://access.redhat.com/errata/RHSA-2019:2177

Comment 17 Product Security DevOps Team 2019-08-06 13:20:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3811