Debian Bug report logs -
#877885
sssd: CVE-2017-12173: unsanitized input when searching in local cache database
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 6 Oct 2017 16:57:05 UTC
Severity: important
Tags: security, upstream
Found in versions sssd/1.15.0-1, sssd/1.15.0-3
Fixed in version sssd/1.15.3-2
Done: Timo Aaltonen <tjaalton@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org>:
Bug#877885; Package src:sssd.
(Fri, 06 Oct 2017 16:57:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org>.
(Fri, 06 Oct 2017 16:57:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: sssd
Severity: important
Tags: upstream security
Hi,
the following vulnerability was published for sssd.
CVE-2017-12173[0]:
unsanitized input when searching in local cache database
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12173
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1498173
Please adjust the affected versions in the BTS as needed, and
unfortuantely at time of writing, I have not found any furhter
information on the issue than what is written in [1].
Any ideas? Is there an upstream issue to track?
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org>:
Bug#877885; Package src:sssd.
(Wed, 11 Oct 2017 18:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org>.
(Wed, 11 Oct 2017 18:57:04 GMT) (full text, mbox, link).
Message #10 received at 877885@bugs.debian.org (full text, mbox, reply):
Hi
On Fri, Oct 06, 2017 at 06:54:34PM +0200, Salvatore Bonaccorso wrote:
> Source: sssd
> Severity: important
> Tags: upstream security
>
> Hi,
>
> the following vulnerability was published for sssd.
>
> CVE-2017-12173[0]:
> unsanitized input when searching in local cache database
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-12173
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12173
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1498173
>
> Please adjust the affected versions in the BTS as needed, and
> unfortuantely at time of writing, I have not found any furhter
> information on the issue than what is written in [1].
>
> Any ideas? Is there an upstream issue to track?
There is now more information available, and a fix commited as https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835
Regards,
Salvatore
Marked as found in versions sssd/1.15.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 11 Oct 2017 18:57:06 GMT) (full text, mbox, link).
Reply sent
to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility.
(Thu, 12 Oct 2017 06:51:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 12 Oct 2017 06:51:06 GMT) (full text, mbox, link).
Message #17 received at 877885-close@bugs.debian.org (full text, mbox, reply):
Source: sssd
Source-Version: 1.15.3-2
We believe that the bug you reported is fixed in the latest version of
sssd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 877885@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated sssd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 12 Oct 2017 08:24:51 +0300
Source: sssd
Binary: sssd sssd-common sssd-ad sssd-ad-common sssd-dbus sssd-ipa sssd-kcm sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools libnss-sss libpam-sss libipa-hbac0 libipa-hbac-dev libsss-certmap0 libsss-certmap-dev libsss-idmap0 libsss-idmap-dev libsss-nss-idmap0 libsss-nss-idmap-dev libsss-sudo libsss-simpleifp0 libsss-simpleifp-dev libwbclient-sssd libwbclient-sssd-dev python-libipa-hbac python-libsss-nss-idmap python-sss python3-libipa-hbac python3-libsss-nss-idmap python3-sss
Architecture: source
Version: 1.15.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
libipa-hbac-dev - FreeIPA HBAC Evaluator library -- development files
libipa-hbac0 - FreeIPA HBAC Evaluator library
libnss-sss - Nss library for the System Security Services Daemon
libpam-sss - Pam module for the System Security Services Daemon
libsss-certmap-dev - Certificate mapping library for SSSD -- development files
libsss-certmap0 - Certificate mapping library for SSSD
libsss-idmap-dev - ID mapping library for SSSD -- development files
libsss-idmap0 - ID mapping library for SSSD
libsss-nss-idmap-dev - SID based lookups library for SSSD -- development files
libsss-nss-idmap0 - SID based lookups library for SSSD
libsss-simpleifp-dev - SSSD D-Bus responder helper library -- development files
libsss-simpleifp0 - SSSD D-Bus responder helper library
libsss-sudo - Communicator library for sudo
libwbclient-sssd - SSSD libwbclient implementation
libwbclient-sssd-dev - SSSD libwbclient implementation -- development files
python-libipa-hbac - Python bindings for the FreeIPA HBAC Evaluator library
python-libsss-nss-idmap - Python bindings for the SID lookups library
python-sss - Python module for the System Security Services Daemon
python3-libipa-hbac - Python3 bindings for the FreeIPA HBAC Evaluator library
python3-libsss-nss-idmap - Python3 bindings for the SID lookups library
python3-sss - Python3 module for the System Security Services Daemon
sssd - System Security Services Daemon -- metapackage
sssd-ad - System Security Services Daemon -- Active Directory back end
sssd-ad-common - System Security Services Daemon -- PAC responder
sssd-common - System Security Services Daemon -- common files
sssd-dbus - System Security Services Daemon -- D-Bus responder
sssd-ipa - System Security Services Daemon -- IPA back end
sssd-kcm - System Security Services Daemon -- Kerberos KCM server implementa
sssd-krb5 - System Security Services Daemon -- Kerberos back end
sssd-krb5-common - System Security Services Daemon -- Kerberos helpers
sssd-ldap - System Security Services Daemon -- LDAP back end
sssd-proxy - System Security Services Daemon -- proxy back end
sssd-tools - System Security Services Daemon -- tools
Closes: 872787 877885
Changes:
sssd (1.15.3-2) unstable; urgency=medium
.
* control: Fix libipa-hbac-dev short description.
* generate-config: Update the config template. (Closes: #872787)
* sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173.
(Closes: #877885)
Checksums-Sha1:
9b45a787b815eac87e456efcc5f4a8896bb04a7f 4605 sssd_1.15.3-2.dsc
a6d7d69f7f9f63310ba18128badef45e4965b810 39403 sssd_1.15.3-2.diff.gz
Checksums-Sha256:
d6f6dd4597f28987115404ce84b4277f0a7876bce7c91ac676d052b0a544a4d9 4605 sssd_1.15.3-2.dsc
214686f109616ca04ea25d85479aab1fd86e94e8f19e02ec7b4eb294dca82cc8 39403 sssd_1.15.3-2.diff.gz
Files:
d77e48622fd4bc1c7eb3e16581cdebe2 4605 utils extra sssd_1.15.3-2.dsc
f012c1df55ebe7bd0f517614f9460cc0 39403 utils extra sssd_1.15.3-2.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJZ3wyCAAoJEMtwMWWoiYTczmwQAInMC6ysZIy3PcJTKYSAu21L
uTYkM8HYAWb/rqAwBWzLVdCuN1jeZx1RnVxJuG03xrOZncRshFYl0Mp2Y3oqqxIX
goHdnCE07ziTtC8ipSS9mH6FDqQLk/ZeaffIOs+PoRbY1NR/CPx8FPixWIFjwpQ/
YUAjcSexq+V4SfWwafYqtkYXnM91ZH/gGojyC4UjAhDoyFCn3bsg4JwEEgqnWvUL
eJomk1UiqHv6op0xtIJNcELN89pLMODWkZ36hFfIBAJvgVX2cKs6KjLJZ0U1x7Pc
fzZsgH3OwSJpVlrDLVmUB/s+kp1jmZV2UvkKTk9/wr5o2d/gKg2vRnIYdB/tukdz
iPZhHLLhbWOTdGg/UufkL1GqISHzuzgaAEgRUxn/iXbwkZNtFsutShfw6S9rMZuw
kRdnLWpV3z/0aMf/ketLzlo0hFarWbvlHFXE8FWyW4VzwYZkutaYHKhTKivYLTgV
RfFYcVjIYU8qK0/wZDlc66FTVpQD0DltyDyA8ZlrMPw76fXwK9dbgOvNJlhNrlre
2G/om69P53ke+yvzdwQibSFVgEAE6LLmWESfTRn4ehE2HZ8CkNZBZXVF/SEdCFU8
4MiP1q1wB0PLxrhXRsh4GFEM1rkNQKFR/rQEFwmg7Vq9oaj7ooTgelN3rDJH6xF8
I5RufWYuu5/H711Wx88W
=0PKo
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 01 Dec 2017 07:31:35 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 26 May 2018 12:06:10 GMT) (full text, mbox, link).
Marked as found in versions sssd/1.15.0-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 26 May 2018 12:06:11 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2018 07:29:56 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 25 Jul 2018 21:15:07 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 23 Aug 2018 07:28:46 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:54:35 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon