| Summary: | <sys-auth/sssd-1.9.4: Multiple Denial of Service Vulnerabilities (CVE-2013-{0219,0220}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | andreis.vinogradovs, maksbotan, proxy-maint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/51928/ | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo
2013-01-24 12:46:31 UTC

Upstream released a new version, 1.9.4:

A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions when creating or removing home directories for users in local domain.

A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in autofs and ssh responder.

Proxy, please bump from 1.9.2 to 1.9.4 and remove all other 1.9.x ebuilds. Thanks.

Bumped, vulnerable versions cleaned.

Arches, please test and mark stable: =sys-auth/sssd-1.8.6
Target keywords: "amd64 x86"

amd64 stable

x86 stable

CVE-2013-0219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0219): System Security Services Daemon (SSSD) before 1.9.4, when (1) creating, (2) copying, or (3) removing a user home directory tree, allows local users to create, modify, or delete arbitrary files via a symlink attack on another user's files.

GLSA vote: no.

CVE-2013-0220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0220): The (1) sss_autofs_cmd_getautomntent and (2) sss_autofs_cmd_getautomntbyname function in responder/autofs/autofssrv_cmd.c and the (3) ssh_cmd_parse_request function in responder/ssh/sshsrv_cmd.c in System Security Services Daemon (SSSD) before 1.9.4 allow remote attackers to cause a denial of service (out-of-bounds read, crash, and restart) via a crafted SSSD packet.

GLSA vote: no, closing noglsa.
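The CVE-2013-0219 entry describes the classic symlink race when a privileged daemon removes a user's home directory tree: if the removal code resolves paths by name and follows links, a local user can plant a symlink inside their home pointing at another user's files and have the daemon delete those instead. The C program below is an added illustration of the mitigation pattern, written for this page; it is not SSSD's code and makes no claim about how SSSD fixed the bug. It removes a tree using only descriptor-relative calls (`openat` with `O_NOFOLLOW|O_DIRECTORY`, `unlinkat`), so the kernel rejects symlinks at the point of opening and there is no stat-then-open window. The fixture it builds under `/tmp` (a `home` tree containing `link -> ../victim`) is constructed for the demonstration; `remove_home_dir` and `demo_symlink_safe_removal` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete every entry below directory 'fd' (ownership of fd is taken).
   Symlinks are unlinked as links and never followed, so an entry such as
   home/link -> ../victim cannot redirect the deletion into another tree. */
static int remove_tree_fd(int fd)
{
    DIR *d = fdopendir(fd);
    if (d == NULL) { close(fd); return -1; }
    int dfd = dirfd(d);
    int rc = 0;
    struct dirent *ent;
    while (rc == 0 && (ent = readdir(d)) != NULL) {
        const char *name = ent->d_name;
        if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) continue;
        /* Open relative to dfd with O_NOFOLLOW|O_DIRECTORY: the kernel itself
           rejects symlinks (ELOOP) and non-directories (ENOTDIR), so there is
           no stat-then-open window in which the entry could be swapped. */
        int sub = openat(dfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (sub >= 0) {
            if (remove_tree_fd(sub) < 0 || unlinkat(dfd, name, AT_REMOVEDIR) < 0) rc = -1;
        } else if (errno == ENOTDIR || errno == ELOOP) {
            /* Plain file or symlink: remove the directory entry itself, never its target. */
            if (unlinkat(dfd, name, 0) < 0) rc = -1;
        } else {
            rc = -1;
        }
    }
    closedir(d);
    return rc;
}

/* Remove a home directory tree (hypothetical helper). Refuses to operate if
   'path' itself is a symlink. Returns 0 on success, -1 on error. */
int remove_home_dir(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (remove_tree_fd(fd) < 0) return -1;
    return rmdir(path);
}

static int touch_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    (void)write(fd, "x\n", 2);
    return close(fd);
}

/* Constructed fixture (not from SSSD): a home tree containing a symlink to a
   sibling "victim" directory. Returns 1 if the home tree is gone and the
   victim's file survived, 0 on any failure. */
int demo_symlink_safe_removal(void)
{
    char base[] = "/tmp/homedir-demo-XXXXXX";
    if (mkdtemp(base) == NULL) return 0;
    char victim[512], secret[512], home[512], cfg[512], p[512];
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(secret, sizeof secret, "%s/secret.txt", victim);
    snprintf(home, sizeof home, "%s/home", base);
    snprintf(cfg, sizeof cfg, "%s/.config", home);
    if (mkdir(victim, 0700) || mkdir(home, 0700) || mkdir(cfg, 0700)) return 0;
    snprintf(p, sizeof p, "%s/rc", cfg);
    if (touch_file(secret) || touch_file(p)) return 0;
    snprintf(p, sizeof p, "%s/link", home);
    if (symlink("../victim", p)) return 0;

    int ok = remove_home_dir(home) == 0
          && access(secret, F_OK) == 0     /* victim untouched */
          && access(home, F_OK) != 0;      /* home tree fully removed */
    unlink(secret); rmdir(victim); rmdir(base);   /* clean up the fixture */
    return ok;
}

int main(void)
{
    printf("%s\n", demo_symlink_safe_removal() ? "ok" : "FAILED");
    return 0;
}
```

A naive implementation that builds `"<home>/<entry>"` strings and calls `stat` followed by `rmdir`/`unlink` on them would either follow `link` into `victim` or leave a window between the check and the removal; the descriptor-relative version closes both. On Linux the `fs.protected_symlinks` sysctl reduces exposure to this class for world-writable sticky directories, but it does not cover a user's own home directory, so privileged code still needs to avoid following links itself.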