| Summary: | <sys-auth/sssd-1.16.3-r2: access validation error | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Joakim Tjernlund <joakim.tjernlund> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | alexxy, zlogene |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_1_0.html | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Joakim Tjernlund
2019-03-05 18:27:48 UTC
CVE-2019-3811: SSSD used to return “/” in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user’s filesystem access to within their home directory. An empty home directory field would indicate “no filesystem access”, where sssd reporting it as “/” would grant full access (though still confined by unix permissions, SELinux etc). The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f85b90959ccdba7479d1fa455031e3bb0b839c14 commit f85b90959ccdba7479d1fa455031e3bb0b839c14 Author: Mikle Kolyada <zlogene@gentoo.org> AuthorDate: 2019-03-08 15:09:20 +0000 Commit: Mikle Kolyada <zlogene@gentoo.org> CommitDate: 2019-03-08 15:10:17 +0000 sys-auth/sssd: fix CVE-2019-3811 Bug: https://bugs.gentoo.org/679538 Signed-off-by: Mikle Kolyada <zlogene@gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11 sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch | 96 +++++++++ sys-auth/sssd/sssd-1.16.3-r2.ebuild | 239 +++++++++++++++++++++++ 2 files changed, 335 insertions(+) |
