
Bug 511670 (CVE-2014-0249)

Summary: <sys-auth/sssd-1.12.1: incorrect expansion of group membership when encountering a non-POSIX group (CVE-2014-0249)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hwoarang
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1101751
See Also: https://bugs.gentoo.org/show_bug.cgi?id=516764
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-05-28 08:24:40 UTC
From ${URL} :

It was reported [1] that SSSD improperly expanded group membership when it encountered a non-POSIX group in the group membership chain.  For instance:

  user -> posix_group1 -> non_posix_group -> posix_group2

With the group memberships noted above, SSSD should include the user as a member of both posix_group1 and posix_group2; however, due to the position of the non-POSIX group, SSSD halts processing at it and never reaches posix_group2, leaving the user as a member of posix_group1 and not posix_group2.

SSSD has the capability to set a 'deny' ACL for both users and groups, so in a situation like that illustrated above, if posix_group2 was present in a 'deny' ACL, the user would be granted access because they are not shown as having membership in the denied group.  This could grant unintended access to certain users in an environment where non-POSIX groups are used in addition to POSIX groups.

There is currently no patch to correct this issue.


[1] https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019495.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
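The following is an added illustration of the failure mode described in the report; it is not SSSD code and not part of the bug report. It models nested-group expansion over a constructed directory containing the chain user -> posix_group1 -> non_posix_group -> posix_group2, once with the defective behaviour (the walk stops at the first non-POSIX group) and once with a walk that passes through non-POSIX groups, then evaluates a 'deny' ACL on posix_group2 under both. The group names, the user "alice" and the function names are all hypothetical.

```python
from collections import deque

# Constructed directory for the chain in the report:
#   user -> posix_group1 -> non_posix_group -> posix_group2
# Each group records whether it carries a POSIX gid and which groups it is
# itself a member of (its parents in the chain). Hypothetical data, not taken
# from any real directory.
GROUPS = {
    "posix_group1":    {"posix": True,  "member_of": {"non_posix_group"}},
    "non_posix_group": {"posix": False, "member_of": {"posix_group2"}},
    "posix_group2":    {"posix": True,  "member_of": set()},
}
DIRECT_MEMBERSHIP = {"alice": {"posix_group1"}}


def expand_posix_groups(user, groups=GROUPS, direct=DIRECT_MEMBERSHIP,
                        halt_at_non_posix=False):
    """Return the set of POSIX groups reachable from the user's direct groups.

    Walks the membership chain breadth-first, remembering visited groups so a
    cyclic directory cannot loop forever. With halt_at_non_posix=True the walk
    reproduces the defect described in the report: a non-POSIX group is treated
    as the end of the chain and its own parents are never visited.
    """
    queue = deque(direct.get(user, ()))
    seen = set()
    result = set()
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        entry = groups.get(name)
        if entry is None:
            continue  # dangling reference: ignore it rather than fail
        if entry["posix"]:
            result.add(name)
        elif halt_at_non_posix:
            continue  # defect: chain ends here, so posix_group2 is never reached
        queue.extend(entry["member_of"])
    return result


def access_allowed(user, deny_groups, halt_at_non_posix=False, **kw):
    """Deny-ACL check: access is refused if the user resolves to any denied group."""
    member_of = expand_posix_groups(user, halt_at_non_posix=halt_at_non_posix, **kw)
    return not (member_of & set(deny_groups))


def compare_behaviour(user="alice", deny_groups=("posix_group2",)):
    """Evaluate the same deny ACL under the defective and the corrected expansion."""
    return {
        "buggy_groups": sorted(expand_posix_groups(user, halt_at_non_posix=True)),
        "fixed_groups": sorted(expand_posix_groups(user, halt_at_non_posix=False)),
        "buggy_allowed": access_allowed(user, deny_groups, halt_at_non_posix=True),
        "fixed_allowed": access_allowed(user, deny_groups, halt_at_non_posix=False),
    }


if __name__ == "__main__":
    for key, value in compare_behaviour().items():
        print(f"{key}: {value}")
```

Under the defective walk the user resolves only to posix_group1, so a deny rule on posix_group2 never matches and access is granted; once the walk continues through the non-POSIX group, posix_group2 is resolved and the deny rule takes effect. The visited-set in the walk is the edge case worth keeping in any real resolver: directories with membership cycles would otherwise hang the expansion.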
Comment 1 Lukas Slebodnik 2014-09-21 19:08:37 UTC
Upstream ticket is already fixed https://fedorahosted.org/sssd/ticket/2343
Patches are included in releases sssd-1.12.1 and sssd-1.11.7
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-09-22 04:22:39 UTC
CVE-2014-0249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0249):
  The System Security Services Daemon (SSSD) 1.11.6 does not properly identify
  group membership when a non-POSIX group is in a group membership chain,
  which allows local users to bypass access restrictions via unspecified
  vectors.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-22 04:40:14 UTC
*sssd-1.12.1 (14 Sep 2014)
14 Sep 2014; Markos Chandras <hwoarang@gentoo.org>
+sssd-1.12.1.ebuild,
metadata.xml:
Version bump

Maintainer(s): please let us know when the ebuild is ready for stabilization.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2014-10-04 11:34:50 UTC
I have been using it in production for a while. Seems ok. Feel free to go ahead with the stabilization (note there might be quite a few reverse deps to stabilize, so the process may not be very smooth).
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 13:28:08 UTC
Arches, please test and mark stable:

=sys-auth/sssd-1.12.1

Target Keywords : "amd64 x86"

Thank you!
Comment 6 Agostino Sarubbo gentoo-dev 2014-10-06 19:01:19 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-06 19:02:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-10-06 19:04:47 UTC
(In reply to Agostino Sarubbo from comment #7)
> x86 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

GLSA Vote: No
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2014-11-15 11:27:18 UTC
(In reply to Agostino Sarubbo from comment #7)
> x86 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

This may be a problem. New sssd lacks some functionality because samba4 is masked. Some people still use 1.8 or 1.9 because of that. I am going to leave these ebuilds around for a while and clean up later on.
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-11-18 07:58:17 UTC
GLSA vote: no.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-03-16 13:59:26 UTC
(In reply to Markos Chandras from comment #9)
> (In reply to Agostino Sarubbo from comment #7)
> > x86 stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please vote.
> 
> This may going to be a problem. New sssd lacks some functionality because
> samba4 is masked. Some people still use 1.8 or 1.9 because of that. I am
> going to leave these ebuilds around for a while and clean up later on.

Markos, just a gentle nudge to see if anything changed.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-19 07:45:27 UTC
@Markos, any changes on this?  Can you purge the vulnerable ebuilds yet?  Thanks.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-11 10:41:27 UTC
@Maintainer, please purge the old packages or let us know if you need more time.