A memory leak was found in the sssd_pac_plugin (sssd_pac_plugin.so library), which is distributed with the sssd_client package.
Original report with additional details: https://fedorahosted.org/sssd/ticket/2803
Patch: https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch
Created sssd tracking bugs for this issue:
Affects: fedora-all [bug 1268807]
sssd-1.13.1-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.13.1-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.12.5-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Analysis: The issue is in the PAC responder that's provided with SSSD. When an application is configured to use Kerberos and authenticate against SSSD's PAC responder, the responder leaks a small amount of memory on every authentication attempt. This could allow an attacker to eventually exhaust all available memory on the system by sending numerous auth requests to a running application (daemon) configured as stated above. The vulnerable code is detailed in https://fedorahosted.org/sssd/ticket/2803
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2015:2019 https://rhn.redhat.com/errata/RHSA-2015-2019.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2355 https://rhn.redhat.com/errata/RHSA-2015-2355.html