author | 2019-03-08 18:09:20 +0300 | |
committer | 2019-03-08 18:10:17 +0300 | |
commit | f85b90959ccdba7479d1fa455031e3bb0b839c14 (patch) | |
tree | 92ea22a5420f34f2baab261ef356fa93f787643b /sys-auth/sssd/files | |
parent | media-libs/liblo: Bump to version 0.30 (diff) | |
sys-auth/sssd: fix CVE-2019-3811
Bug: https://bugs.gentoo.org/679538
Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Diffstat (limited to 'sys-auth/sssd/files')
-rw-r--r-- | sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch
new file mode 100644
index 000000000000..87db45fd24bb
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch
@@ -0,0 +1,96 @@
+From 28792523a01a7d21bcc8931794164f253e691a68 Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Mon, 3 Dec 2018 14:11:31 +0100
+Subject: [PATCH] nss: sssd returns '/' for emtpy home directories
+
+For empty home directory in passwd file sssd returns "/". Sssd
+should respect system behaviour and return the same as nsswitch
+"files" module - return empty string.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3901
+
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49)
+---
+ src/confdb/confdb.c | 9 +++++++++
+ src/man/include/ad_modified_defaults.xml | 19 +++++++++++++++++++
+ src/responder/nss/nss_protocol_pwent.c | 2 +-
+ src/tests/intg/test_files_provider.py | 2 +-
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index a3eb9c66d9..17bb4f8274 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1301,6 +1301,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+ ret = ENOMEM;
+ goto done;
+ }
++ } else {
++ if (strcasecmp(domain->provider, "ad") == 0) {
++ /* ad provider default */
++ domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u");
++ if (!domain->fallback_homedir) {
++ ret = ENOMEM;
++ goto done;
++ }
++ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
+index 818a2bf787..425b7e8ee0 100644
+--- a/src/man/include/ad_modified_defaults.xml
++++ b/src/man/include/ad_modified_defaults.xml
+@@ -76,4 +76,23 @@
+ </listitem>
+ </itemizedlist>
+ </refsect2>
++ <refsect2 id='nss_modifications'>
++ <title>NSS configuration</title>
++ <itemizedlist>
++ <listitem>
++ <para>
++ fallback_homedir = /home/%d/%u
++ </para>
++ <para>
++ The AD provider automatically sets
++ "fallback_homedir = /home/%d/%u" to provide personal
++ home directories for users without the homeDirectory
++ attribute. If your AD Domain is properly
++ populated with Posix attributes, and you want to avoid
++ this fallback behavior, you can explicitly
++ set "fallback_homedir = %o".
++ </para>
++ </listitem>
++ </itemizedlist>
++ </refsect2>
+ </refsect1>
+diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
+index af9e74fc86..86fa4ec465 100644
+--- a/src/responder/nss/nss_protocol_pwent.c
++++ b/src/responder/nss/nss_protocol_pwent.c
+@@ -118,7 +118,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
+
+ homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, &hd_ctx);
+ if (homedir == NULL) {
+- return "/";
++ return "";
+ }
+
+ return homedir;
+diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
+index ead1cc4c34..4761f1bd15 100644
+--- a/src/tests/intg/test_files_provider.py
++++ b/src/tests/intg/test_files_provider.py
+@@ -678,7 +678,7 @@ def test_user_no_dir(setup_pw_with_canary, files_domain_only):
+ Test that resolving a user without a homedir defined works and returns
+ a fallback value
+ """
+- check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/'))
++ check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', ''))
+
+
+ def test_user_no_gecos(setup_pw_with_canary, files_domain_only): |
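Review bot: The patch file names CVE-2019-3811 only in its filename; the upstream header (Subject, body, Resolves) describes the nss_protocol_pwent.c change purely as matching the nsswitch "files" module and never says why a fallback home directory of "/" is a security problem, so a maintainer reading files/ later has only this commit's bug link to connect the two. Since the file is a verbatim upstream cherry-pick, that link belongs in the ebuild rather than in the patch, e.g. `# CVE-2019-3811, bug #679538: users with no home directory must resolve to "" rather than "/"` next to the PATCHES entry. The ebuild change itself is outside this view (the diffstat is limited to 'sys-auth/sssd/files'), so whether the patch is actually applied cannot be confirmed here. Note also that the confdb.c hunk bundles a second, configuration-visible change, defaulting fallback_homedir to /home/%d/%u for the AD provider, which goes beyond the "/" to "" fix and is worth calling out to users in the package's elog or release notes.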