File 0014-CVE-2014-0249-incorrect-expansion-of-group-membership.patch of Package sssd.openSUSE_Leap_42.1_Update

The following three commits address CVE-2014-0249: sssd: incorrect expansion of group membership when encountering a non-POSIX group

commit 4da27d52078497c5c095f4a4cd9975fe5c83c330
Author: Pavel Reichl <preichl@redhat.com>
Date:   Thu Aug 21 19:03:08 2014 +0100

    AD: process non-posix nested groups w/o tokenGroups

    When initgr is performed for AD not supporting tokenGroups, do not
    filter out groups without gid attribute or with gid equal to zero.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2343

    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit 981bf55532fbec91a106f82d7daf32094c76dfe0)


commit 0b6b4b7669b46d3d0b0ebefbc0e1621965444717
Author: Pavel Reichl <preichl@redhat.com>
Date:   Wed Jul 16 13:52:43 2014 +0100

    IPA: process non-posix nested groups

    Do not expect objectClass to be posixGroup but rather the more general
    groupofnames.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2343

    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit bc8c93ffe881271043492c938c626a9be948000e)


commit 191d7f7ce3de10d9e19eaa0a6ab3319bcd4ca95d
Author: Pavel Reichl <preichl@redhat.com>
Date:   Fri Aug 22 13:56:32 2014 +0100

    AD: process non-posix nested groups using tokenGroups

    When initgr is performed for AD supporting tokenGroups, do not skip
    non-posix groups.

    Resolves:
    https://fedorahosted.org/sssd/ticket/2343

    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit 4932db6258ccfb612a3a28eb6a618c2f042b9d58)

diff -rupN sssd-1.11.5.1/src/providers/ipa/ipa_opts.h sssd-1.11.5.1-patched/src/providers/ipa/ipa_opts.h
--- sssd-1.11.5.1/src/providers/ipa/ipa_opts.h	2016-10-10 15:25:54.241246043 +0200
+++ sssd-1.11.5.1-patched/src/providers/ipa/ipa_opts.h	2016-10-10 15:30:54.472443326 +0200
@@ -201,7 +201,7 @@ struct sdap_attr_map ipa_user_map[] = {
 };
 
 struct sdap_attr_map ipa_group_map[] = {
-    { "ldap_group_object_class", "posixGroup", SYSDB_GROUP_CLASS, NULL },
+    { "ldap_group_object_class", "groupofnames", SYSDB_GROUP_CLASS, NULL },
     { "ldap_group_name", "cn", SYSDB_NAME, NULL },
     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
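Review bot: The new default `groupofnames` on the changed line has no comment explaining why the narrower `posixGroup` was dropped, while the same map still declares `ldap_group_gid_number` three lines later, so a reader will assume every matched entry carries a gidNumber. Suggest a comment above the entry: `/* groupofnames rather than posixGroup: non-POSIX nested groups must be matched too (ticket #2343), so gidNumber may be absent on a matched entry */`. Whether the code consuming this map tolerates a missing gidNumber is not visible in this hunk and should be confirmed against the initgroups paths.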
diff -rupN sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups_ad.c
--- sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c	2016-10-10 15:25:54.241246043 +0200
+++ sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups_ad.c	2016-10-10 15:29:12.799360592 +0200
@@ -1140,8 +1140,7 @@ sdap_ad_tokengroups_initgr_posix_tg_done
     struct tevent_req *req = NULL;
     struct sss_domain_info *domain = NULL;
     struct ldb_message *msg = NULL;
-    const char *attrs[] = {SYSDB_NAME, SYSDB_POSIX, NULL};
-    const char *is_posix = NULL;
+    const char *attrs[] = {SYSDB_NAME, NULL};
     const char *name = NULL;
     char *sid = NULL;
     char **sids = NULL;
@@ -1202,11 +1201,6 @@ sdap_ad_tokengroups_initgr_posix_tg_done
         ret = sysdb_search_group_by_sid_str(tmp_ctx, domain->sysdb, domain,
                                             sid, attrs, &msg);
         if (ret == EOK) {
-            is_posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
-            if (is_posix != NULL && strcmp(is_posix, "FALSE") == 0) {
-                /* skip non-posix group */
-                continue;
-            }
 
             /* we will update membership of this group */
             name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
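Review bot: After the deletion a stray blank line is left directly after `if (ret == EOK) {`, and nothing in the body now says that non-POSIX groups are deliberately processed even though the function is still named `sdap_ad_tokengroups_initgr_posix_tg_done`; either drop the blank line or use it for a comment such as `/* non-POSIX groups are intentionally kept: their membership must be expanded too (CVE-2014-0249, ticket #2343) */`. The same lack of a note applies to the preceding hunk, where `SYSDB_POSIX` was removed from `attrs` and the `is_posix` local deleted. The enclosing function starts before and ends after both hunks.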
diff -rupN sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups.c sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups.c
--- sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups.c	2016-10-10 15:25:54.237246001 +0200
+++ sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups.c	2016-10-10 15:29:46.775722552 +0200
@@ -1566,11 +1566,7 @@ static struct tevent_req *sdap_initgr_rf
                                         "(%s=*))",
                                         opts->group_map[SDAP_AT_GROUP_OBJECTSID].name);
     } else {
-        /* When not ID-mapping, make sure there is a non-NULL UID */
-        state->base_filter = talloc_asprintf_append(state->base_filter,
-                                        "(&(%s=*)(!(%s=0))))",
-                                        opts->group_map[SDAP_AT_GROUP_GID].name,
-                                        opts->group_map[SDAP_AT_GROUP_GID].name);
+        state->base_filter = talloc_asprintf_append(state->base_filter, ")");
     }
     if (!state->base_filter) {
         talloc_zfree(req);
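Review bot: The replaced branch lost the comment that explained the filter, and the new `talloc_asprintf_append(state->base_filter, ")")` now reads as an unexplained closing parenthesis with nothing stating that entries without a gidNumber, or with gidNumber 0, are intentionally matched. Suggest restoring a comment, e.g. `/* When not ID-mapping, do not require a gidNumber: non-POSIX nested groups must be expanded as well (ticket #2343) */`; since the appended text is a constant, `talloc_strdup_append` would also express the intent more plainly than a format call. Because the filter no longer excludes gidNumber=0, the code that stores these results must treat a missing or zero GID as a valid non-POSIX group rather than an error; that consumer is not visible here and should be confirmed. The enclosing function starts before and ends after this hunk.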