Bug 1656618 (CVE-2019-3811) - CVE-2019-3811 sssd: fallback_homedir returns '/' for empty home directories in passwd file
Status: CLOSED ERRATA
Alias: CVE-2019-3811
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1652719 1656619 1659843 1660693
Blocks: 1652985
Reported: 2018-12-05 21:17 UTC by Laura Pardo
Modified: 2019-09-29 15:04 UTC (History)
Doc Text:
A vulnerability was found in sssd where, if a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot().
Last Closed: 2019-08-06 13:20:52 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2019:2177 | 0 | None | None | None | 2019-08-06 12:24:23 UTC

Description Laura Pardo 2018-12-05 21:17:54 UTC
An issue was found in SSSD. The default option for fallback_homedir returns '/' for empty home directories in the passwd file.


References:
https://github.com/SSSD/sssd/pull/703

Upstream Patch:
https://github.com/SSSD/sssd/pull/703/commits/fa0a6400ebd2f4056a057914355ec2ddefc14fe6
https://github.com/SSSD/sssd/pull/703/commits/fe11bd0d5b7dea9f1723c5a59ba0c47641802797

Comment 1 Laura Pardo 2018-12-05 21:18:24 UTC
Created sssd tracking bugs for this issue:

Affects: fedora-all [bug 1656619]

Comment 2 Doran Moppert 2018-12-14 06:06:09 UTC
Introduced in:

https://github.com/SSSD/sssd/commit/704cc1c7

Comment 4 Doran Moppert 2018-12-17 02:14:00 UTC
Further upstream patch:

https://github.com/SSSD/sssd/commit/90f32399b4

This addresses another part of the flaw that was introduced prior to the part linked on comment 2.  SSSD versions back to at least 1.14.3 are most probably affected.

Comment 5 Doran Moppert 2018-12-17 02:20:14 UTC
This flaw could impact services that restrict the user's filesystem access to within their home directory.  An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).
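
A check that a home-confined service could apply to the passwd home directory before calling chroot(), given as an added example that is not part of this bug report or of SSSD's code. The function names are hypothetical, the sample paths are constructed, and the check is lexical only (symlinks are not resolved).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when `dir` lexically collapses to "/": "/", "//", "/.", "/home/..".
 * Symlinks are not resolved here; a service should also compare the
 * realpath() of the directory against "/" before calling chroot(). */
static bool path_is_root(const char *dir)
{
    size_t depth = 0;                       /* components below "/" */
    const char *p = dir;
    while (*p) {
        while (*p == '/') p++;              /* skip separators */
        const char *start = p;
        while (*p && *p != '/') p++;        /* end of this component */
        size_t len = (size_t)(p - start);
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                       /* trailing slash or "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth > 0) depth--;         /* ".." cannot climb above "/" */
        } else {
            depth++;
        }
    }
    return depth == 0;
}

/* Hypothetical helper: given the pw_dir string from getpwnam(), return the
 * directory to confine the user to, or NULL if the account must be refused. */
const char *confinable_home(const char *pw_dir)
{
    if (pw_dir == NULL || pw_dir[0] != '/')
        return NULL;                        /* unset, empty or relative */
    if (path_is_root(pw_dir))
        return NULL;                        /* "/" would confine nothing */
    return pw_dir;
}

int main(void)
{
    /* Constructed sample values, not taken from a real system. */
    const char *samples[] = { "", "/", "//", "/./", "/home/..", "/home/alice" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
               confinable_home(samples[i]) ? "chroot allowed" : "refuse");
    return 0;
}
```

Refusing both the empty string and any root-equivalent path keeps the service's behaviour the same whether the name service reports the empty field as '' or as '/'.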

Comment 6 Jakub Hrozek 2018-12-17 07:56:59 UTC
(In reply to Doran Moppert from comment #4)
> Further upstream patch:
> 
> https://github.com/SSSD/sssd/commit/90f32399b4
> 
> This addresses another part of the flaw that was introduced prior to the
> part linked on comment 2.  

"Another part" ? I would hope that commit addresses it all.

> SSSD versions back to at least 1.14.3 are most
> probably affected.

The way I read the original patch, back to 0.2.0 (so, all versions, ever)

Comment 7 Doran Moppert 2018-12-19 01:33:14 UTC
In reply to comment #6:
> (In reply to Doran Moppert from comment #4)
> > Further upstream patch:
> > 
> > https://github.com/SSSD/sssd/commit/90f32399b4
> > 
> > This addresses another part of the flaw that was introduced prior to the
> > part linked on comment 2.  
> 
> "Another part" ? I would hope that commit addresses it all.

Indeed!  It looks like this is actually the squashed version of the commits linked from comment#0; my apologies.

> > SSSD versions back to at least 1.14.3 are most
> > probably affected.
> 
> The way I read the original patch, back to 0.2.0 (so, all versions, ever)

Thanks

Comment 10 Doran Moppert 2018-12-19 02:06:21 UTC
Upstream ticket:

https://pagure.io/SSSD/sssd/issue/3901

Comment 13 Andreas Schneider 2019-01-23 10:14:53 UTC
You don't do any CVE descriptions for sssd, do you?

Example: https://www.samba.org/samba/security/CVE-2018-16857.html

Comment 14 Jakub Hrozek 2019-01-23 11:14:15 UTC
(In reply to Andreas Schneider from comment #13)
> You don't do any CVE descriptions for sssd, do you?
> 
> Example: https://www.samba.org/samba/security/CVE-2018-16857.html

We normally do, I 'just' forgot to do this for this CI..

e.g. https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/IKWCIYZ3E6ATZECU2SIWCJ22POSDTI2V/

Comment 16 errata-xmlrpc 2019-08-06 12:24:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2177 https://access.redhat.com/errata/RHSA-2019:2177

Comment 17 Product Security DevOps Team 2019-08-06 13:20:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3811

