File 0014-CVE-2014-0249-incorrect-expansion-of-group-membership.patch of Package sssd.openSUSE_Leap_42.1_Update
The following three commits address CVE-2014-0249: sssd: incorrect expansion of group membership when encountering a non-POSIX group
commit 4da27d52078497c5c095f4a4cd9975fe5c83c330
Author: Pavel Reichl <preichl@redhat.com>
Date: Thu Aug 21 19:03:08 2014 +0100
AD: process non-posix nested groups w/o tokenGroups
When initgr is performed for AD not supporting tokenGroups, do not
filter out groups without gid attribute or with gid equal to zero.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 981bf55532fbec91a106f82d7daf32094c76dfe0)
commit 0b6b4b7669b46d3d0b0ebefbc0e1621965444717
Author: Pavel Reichl <preichl@redhat.com>
Date: Wed Jul 16 13:52:43 2014 +0100
IPA: process non-posix nested groups
Do not expect objectClass to be posixGroup but rather more general
groupofnames.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit bc8c93ffe881271043492c938c626a9be948000e)
commit 191d7f7ce3de10d9e19eaa0a6ab3319bcd4ca95d
Author: Pavel Reichl <preichl@redhat.com>
Date: Fri Aug 22 13:56:32 2014 +0100
AD: process non-posix nested groups using tokenGroups
When initgr is performed for AD supporting tokenGroups, do not skip
non-posix groups.
Resolves:
https://fedorahosted.org/sssd/ticket/2343
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 4932db6258ccfb612a3a28eb6a618c2f042b9d58)
diff -rupN sssd-1.11.5.1/src/providers/ipa/ipa_opts.h sssd-1.11.5.1-patched/src/providers/ipa/ipa_opts.h
--- sssd-1.11.5.1/src/providers/ipa/ipa_opts.h 2016-10-10 15:25:54.241246043 +0200
+++ sssd-1.11.5.1-patched/src/providers/ipa/ipa_opts.h 2016-10-10 15:30:54.472443326 +0200
@@ -201,7 +201,7 @@ struct sdap_attr_map ipa_user_map[] = {
};
struct sdap_attr_map ipa_group_map[] = {
- { "ldap_group_object_class", "posixGroup", SYSDB_GROUP_CLASS, NULL },
+ { "ldap_group_object_class", "groupofnames", SYSDB_GROUP_CLASS, NULL },
{ "ldap_group_name", "cn", SYSDB_NAME, NULL },
{ "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
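Review bot: changing the default `ldap_group_object_class` from `posixGroup` to `groupofnames` is a user-visible configuration change for the IPA provider and should be reflected in the man page and release notes; deployments that already set `ldap_group_object_class = posixGroup` explicitly in sssd.conf will keep the old, broken behaviour and not receive this fix. Since the wider class now also matches entries that carry no `gidNumber` (the `ldap_group_gid_number` mapping three lines below), the code consuming these entries must treat a missing gid as a non-POSIX group rather than a parse error. Minor: the schema spells it `groupOfNames`; objectClass matching in LDAP is case-insensitive, so this works, but the canonical spelling reads better in a default.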
diff -rupN sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups_ad.c
--- sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c 2016-10-10 15:25:54.241246043 +0200
+++ sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups_ad.c 2016-10-10 15:29:12.799360592 +0200
@@ -1140,8 +1140,7 @@ sdap_ad_tokengroups_initgr_posix_tg_done
struct tevent_req *req = NULL;
struct sss_domain_info *domain = NULL;
struct ldb_message *msg = NULL;
- const char *attrs[] = {SYSDB_NAME, SYSDB_POSIX, NULL};
- const char *is_posix = NULL;
+ const char *attrs[] = {SYSDB_NAME, NULL};
const char *name = NULL;
char *sid = NULL;
char **sids = NULL;
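Review bot: dropping `SYSDB_POSIX` from `attrs` and deleting `is_posix` is only correct if no other statement in `sdap_ad_tokengroups_initgr_posix_tg_done` still reads the POSIX attribute from `msg`; the only visible use is removed in the hunk at line 1202 below, so the two hunks must land together and not be split across backports. A one-line comment on `attrs` noting that the POSIX flag is intentionally not requested (ticket 2343) would stop someone from reintroducing the filter later.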
@@ -1202,11 +1201,6 @@ sdap_ad_tokengroups_initgr_posix_tg_done
ret = sysdb_search_group_by_sid_str(tmp_ctx, domain->sysdb, domain,
sid, attrs, &msg);
if (ret == EOK) {
- is_posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
- if (is_posix != NULL && strcmp(is_posix, "FALSE") == 0) {
- /* skip non-posix group */
- continue;
- }
/* we will update membership of this group */
name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
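Review bot: with the `continue` gone, the `name` lookup on the last line now also runs for cached groups stored with `SYSDB_POSIX = "FALSE"`, which is exactly what the CVE fix needs (a user's membership in a non-POSIX group, and through it in nested POSIX groups, was previously dropped, so group-based access decisions were made on incomplete data). Please confirm there is a NULL check on `name` before it is used for the membership update, since `ldb_msg_find_attr_as_string` returns the supplied default when the attribute is absent, and consider a test that caches one non-POSIX group and asserts that its membership is still updated after this change.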
diff -rupN sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups.c sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups.c
--- sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups.c 2016-10-10 15:25:54.237246001 +0200
+++ sssd-1.11.5.1-patched/src/providers/ldap/sdap_async_initgroups.c 2016-10-10 15:29:46.775722552 +0200
@@ -1566,11 +1566,7 @@ static struct tevent_req *sdap_initgr_rf
"(%s=*))",
opts->group_map[SDAP_AT_GROUP_OBJECTSID].name);
} else {
- /* When not ID-mapping, make sure there is a non-NULL UID */
- state->base_filter = talloc_asprintf_append(state->base_filter,
- "(&(%s=*)(!(%s=0))))",
- opts->group_map[SDAP_AT_GROUP_GID].name,
- opts->group_map[SDAP_AT_GROUP_GID].name);
+ state->base_filter = talloc_asprintf_append(state->base_filter, ")");
}
if (!state->base_filter) {
talloc_zfree(req);
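Review bot: the removed filter was `(&(%s=*)(!(%s=0))))`, which both constrained `gidNumber` and supplied the closing parenthesis for the outer filter, so the replacement `")"` keeps the filter balanced; good. The non-ID-mapping search now returns groups with no `gidNumber` or with `gidNumber=0`, so the result handling must never assign gid 0 to a user and must treat an absent gid as a non-POSIX group that contributes only nesting, not a primary group. The old comment "When not ID-mapping, make sure there is a non-NULL UID" (which actually referred to the GID) is gone without a replacement; a short comment explaining that non-POSIX groups are deliberately included here (ticket 2343) would guard against the check being reinstated.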