Sebastian Krahmer discovered that it was possible to make sssd hang forever inside a loop in the pam_parse_in_data_v2() function of SSSD's PAM responder by using a carefully crafted packet to sssd. This could be exploited by a local attacker to crash sssd and prevent other legitimate users from logging into the system. Acknowledgements: Red Hat would like to thank Sebastian Krahmer for reporting this issue.
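As an added illustration (not SSSD's code, nor the attached patches), here is a bounds-checked walk over a length-prefixed (type, size, payload) stream of the general shape a PAM responder parses, written so that every loop iteration either makes progress or returns; the item layout, terminator value and function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not SSSD's code. Each iteration consumes at least
 * one 4-byte header or returns, so no packet can keep the loop spinning.
 * ITEM_END, the item layout and the field widths are assumed here. */
#define ITEM_END 0u
typedef struct { uint32_t type; uint32_t size; const uint8_t *data; } item_t;

/* Returns the number of items parsed, or -1 if the packet is malformed. */
int parse_items(const uint8_t *buf, size_t len, item_t *out, size_t max)
{
    size_t c = 0, n = 0;          /* invariant: c <= len */
    uint32_t type, size;
    for (;;) {
        if (len - c < 4) return -1;            /* truncated type field */
        memcpy(&type, buf + c, 4); c += 4;
        if (type == ITEM_END) return (int)n;   /* the only clean exit */
        if (len - c < 4) return -1;            /* truncated size field */
        memcpy(&size, buf + c, 4); c += 4;
        if (size > len - c) return -1;         /* payload overruns buffer */
        if (n == max) return -1;               /* caller's table is full */
        out[n].type = type; out[n].size = size; out[n].data = buf + c;
        n++; c += size;                        /* zero-size items still advance */
    }
}

static size_t put_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); return 4; }

/* Constructed sample packet: item(1,"abc"), item(2,empty), terminator. */
static size_t build_sample(uint8_t *b)
{
    size_t n = 0;
    n += put_u32(b + n, 1); n += put_u32(b + n, 3); memcpy(b + n, "abc", 3); n += 3;
    n += put_u32(b + n, 2); n += put_u32(b + n, 0);
    n += put_u32(b + n, ITEM_END);
    return n;
}
int demo_valid(void)     { uint8_t b[32]; item_t it[4]; return parse_items(b, build_sample(b), it, 4); }
int demo_truncated(void) { uint8_t b[32]; item_t it[4]; return parse_items(b, build_sample(b) - 4, it, 4); }
int demo_oversized(void) { uint8_t b[8]; item_t it[4]; put_u32(b, 1); put_u32(b + 4, 0xFFFFFFFFu);
                           return parse_items(b, 8, it, 4); }

int main(void)
{
    printf("valid=%d truncated=%d oversized=%d\n", demo_valid(), demo_truncated(), demo_oversized());
    return 0;
}
```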
Created attachment 469438 [details]
Patch for RHEL5 and RHEL6

This patch applies to the SSSD 1.2.x branch and will resolve the issue on RHEL 5 and RHEL 6.
Created attachment 469439 [details]
Patch for Fedora 13

This patch applies to the SSSD 1.3 branch and will resolve the issue on Fedora 13.
Created attachment 469440 [details]
Patch for Fedora 14

This patch applies to the SSSD 1.4.x branch and will resolve the issue on Fedora 14.
Thanks for the patches. I'm going to pass these on to other vendors and coordinate an unembargo date.
Created sssd tracking bugs for this issue Affects: fedora-all [bug 668888]
Statement: (none)
Verified with Sumit's reproducer script. The script hangs when run on RHEL 6.0 32-bit (sssd-1.2.1-28) and sssd_pam consumes 100% CPU. The script works fine when run on RHEL 6.1 32-bit (sssd-1.5.1-25).

Verified on version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 25.el6                        Build Date: Fri 08 Apr 2011 10:53:37 PM IST
Install Date: Tue 12 Apr 2011 11:01:14 AM IST      Build Host: x86-002.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-25.el6.src.rpm
Size        : 3582701                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2011:0560 https://rhn.redhat.com/errata/RHSA-2011-0560.html
This was corrected in upstream sssd version 1.5.1: https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.1
Why was this BZ reopened?
It was never closed, and it is still unresolved in Red Hat Enterprise Linux 5. SRT bugs shouldn't be in VERIFIED state, so I just flipped the state back to NEW where it is supposed to be.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 via RHSA-2011:0975 https://rhn.redhat.com/errata/RHSA-2011-0975.html