Bug 1656618 (CVE-2019-3811) - CVE-2019-3811 sssd: fallback_homedir returns '/' for empty home directories in passwd file
Summary: CVE-2019-3811 sssd: fallback_homedir returns '/' for empty home directories i...
Status: NEW
Alias: CVE-2019-3811
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181204,repor...
Keywords: Security
Depends On: 1656619 1660693 1652719 1659843
Blocks: 1652985
TreeView+ depends on / blocked
 
Reported: 2018-12-05 21:17 UTC by Laura Pardo
Modified: 2019-06-14 09:14 UTC (History)
18 users (show)

(edit)
A vulnerability was found in sssd where, if a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot().
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Laura Pardo 2018-12-05 21:17:54 UTC
An issue was found in SSSD. The default option for fallback_homedir returns '/' for empty home directories in the passwd file.


References:
https://github.com/SSSD/sssd/pull/703

Upstream Patch:
https://github.com/SSSD/sssd/pull/703/commits/fa0a6400ebd2f4056a057914355ec2ddefc14fe6
https://github.com/SSSD/sssd/pull/703/commits/fe11bd0d5b7dea9f1723c5a59ba0c47641802797

Comment 1 Laura Pardo 2018-12-05 21:18:24 UTC
Created sssd tracking bugs for this issue:

Affects: fedora-all [bug 1656619]

Comment 2 Doran Moppert 2018-12-14 06:06:09 UTC
Introduced in:

https://github.com/SSSD/sssd/commit/704cc1c7

Comment 4 Doran Moppert 2018-12-17 02:14:00 UTC
Further upstream patch:

https://github.com/SSSD/sssd/commit/90f32399b4

This addresses another part of the flaw that was introduced prior to the part linked on comment 2.  SSSD versions back to at least 1.14.3 are most probably affected.

Comment 5 Doran Moppert 2018-12-17 02:20:14 UTC
This flaw could impact services that restrict the user's filesystem access to within their home directory.  An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).

Comment 6 Jakub Hrozek 2018-12-17 07:56:59 UTC
(In reply to Doran Moppert from comment #4)
> Further upstream patch:
> 
> https://github.com/SSSD/sssd/commit/90f32399b4
> 
> This addresses another part of the flaw that was introduced prior to the
> part linked on comment 2.  

"Another part" ? I would hope that commit addresses it all.

> SSSD versions back to at least 1.14.3 are most
> probably affected.

The way I read the original patch, back to 0.2.0 (so, all versions, ever)

Comment 7 Doran Moppert 2018-12-19 01:33:14 UTC
In reply to comment #6:
> (In reply to Doran Moppert from comment #4)
> > Further upstream patch:
> > 
> > https://github.com/SSSD/sssd/commit/90f32399b4
> > 
> > This addresses another part of the flaw that was introduced prior to the
> > part linked on comment 2.  
> 
> "Another part" ? I would hope that commit addresses it all.

Indeed!  It looks like this is actually the squashed version of the commits linked from comment#0; my apologies.

> > SSSD versions back to at least 1.14.3 are most
> > probably affected.
> 
> The way I read the original patch, back to 0.2.0 (so, all versions, ever)

Thanks

Comment 10 Doran Moppert 2018-12-19 02:06:21 UTC
Upstream ticket:

https://pagure.io/SSSD/sssd/issue/3901

Comment 13 Andreas Schneider 2019-01-23 10:14:53 UTC
You don't do any CVE descriptions for sssd, do you?

Example: https://www.samba.org/samba/security/CVE-2018-16857.html

Comment 14 Jakub Hrozek 2019-01-23 11:14:15 UTC
(In reply to Andreas Schneider from comment #13)
> You don't do any CVE descriptions for sssd, do you?
> 
> Example: https://www.samba.org/samba/security/CVE-2018-16857.html

We normally do, I 'just' forgot to do this for this CI..

e.g. https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/IKWCIYZ3E6ATZECU2SIWCJ22POSDTI2V/


Note You need to log in before you can comment on or make changes to this bug.