File 0004-sysdb-sanitize-search-filter-input.patch of Package sssd.6481
From cd974fe3c3d1296327d70c15d7f5cde7b6abca65 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 5 Oct 2017 11:07:38 +0200
Subject: [PATCH 4/7] sysdb: sanitize search filter input
This patch sanitizes the input for sysdb searches by UPN/email, SID and
UUID.
This security issue was assigned CVE-2017-12173.
---
src/db/sysdb_ops.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 843251b3e..853f70a13 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -487,12 +487,20 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,
NULL };
+ char *sanitized;
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
ret = ENOMEM;
goto done;
}
+ ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
+ goto done;
+ }
+
base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx);
if (base_dn == NULL) {
ret = ENOMEM;
@@ -501,7 +509,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs,
- SYSDB_PWUPN_FILTER, upn, upn);
+ SYSDB_PWUPN_FILTER, sanitized, sanitized);
if (ret != EOK) {
ret = sysdb_error_to_errno(ret);
goto done;
@@ -3677,6 +3685,13 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
goto done;
}
+ char *sanitized = NULL;
+ ret = sss_filter_sanitize(NULL, str, &sanitized);
+ if (ret != EOK || sanitized == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
+ goto done;
+ }
+
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
basedn, LDB_SCOPE_SUBTREE, attrs?attrs:def_attrs,
filter_tmpl, str);
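Review bot: The `ldb_search` call at the end of this hunk still passes the raw `str` to `filter_tmpl`, so the buffer produced by `sss_filter_sanitize` is never used and the SID/UUID lookups in `sysdb_search_object_by_str_attr` stay unsanitized, contrary to the commit message. The last argument line should read `filter_tmpl, sanitized);`, as the `sysdb_search_user_by_upn_res` hunk does for `SYSDB_PWUPN_FILTER`. Allocating on `tmp_ctx` rather than `NULL` (`sss_filter_sanitize(tmp_ctx, str, &sanitized)`) would match that hunk and let the existing `talloc_zfree(tmp_ctx)` own the buffer. If the `sanitized == NULL` branch can be reached with `ret == EOK`, `ret` is left as success on the way to `done`, so it is worth setting an error code there. The function body starts and ends outside the hunk.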
@@ -3705,7 +3720,7 @@ done:
} else if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Error: %d (%s)\n", ret, strerror(ret));
}
-
+ talloc_free(sanitized);
talloc_zfree(tmp_ctx);
return ret;
}
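Review bot: `talloc_free(sanitized)` runs on every exit path, but `sanitized` is declared and initialised mid-function in the previous hunk, after a `goto done` that is visible just above the declaration. A jump from that earlier error path skips the `= NULL` initialiser, so this line would hand an indeterminate pointer to `talloc_free`. Either declare `char *sanitized = NULL;` with the other locals at the top of `sysdb_search_object_by_str_attr`, or allocate the buffer on `tmp_ctx` and drop this `talloc_free` line. The start of the function is outside the hunk, so the full set of earlier `goto done` sites cannot be confirmed from here.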
--
2.15.1