5 - RHSA-2013:0508

Problem Description:

Updated sssd packages that fix two security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA.

A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219)

Multiple out-of-bounds memory read flaws were found in the way the autofs and SSH service responders parsed certain SSSD packets. An attacker could spend a specially-crafted packet that, when processed by the autofs or SSH service responders, would cause SSSD to crash. This issue only caused a temporary denial of service, as SSSD was automatically restarted by the monitor process after the crash. (CVE-2013-0220)

The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian Weimer of the Red Hat Product Security Team.

These updated sssd packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

All SSSD users are advised to upgrade to these updated packages, which upgrade SSSD to upstream version 1.9 to correct these issues, fix these bugs and add these enhancements.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

743505 - [RFE] Implement "AD friendly" schema mapping 761573 - [RFE] Integrate with SUDO utility 766000 - [RFE]Add support for central management of the SELinux user mappings 768165 - [RFE] Support range retrievals 768168 - [RFE] Allow Constructing uid from Active Directory objectSid 789470 - [RFE] Introduce the concept of a Primary Server in SSSD 789507 - [RFE] SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides 790105 - Filter out inappropriate IP addresses from IPA dynamic DNS update 790107 - Document sss_tools better 799009 - Warn to syslog when dereference requests fail 799928 - [RFE] Hash the hostname/port information in the known_hosts file. 801431 - [RFE] sudo: send username and uid while requesting default options 801719 - "Error looking up public keys" while ssh to replica using IP address. 802718 - Unable to lookup user aliases with proxy provider. 805920 - [RFE] Introduce concept of Ghost User instead of using Fake User 805921 - Document the expectations about ghost users showing in the lookups 808307 - No info in sssd manpages for "ldap_sasl_minssf" 811987 - autofs: maximum key name must be PATH_MAX 813327 - [RFE] support looking up autofs maps via SSSD 814249 - [RFE] for faster SSSD startup 822404 - sssd does not provide maps for automounter when custom schema is being used 824244 - sssd does not warn into sssd.log for broken configurations 827036 - Add support for terminating idle connections in sssd_nss 829740 - Init script reports complete before sssd is actually working 832103 - [RFE] Optimize memberOf search criteria with AD 832120 - [RFE] Add AD provider 845251 - sssd does not try another server when unable to resolve hostname 845253 - Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection 848547 - [TECH PREVIEW] Support DIR: credential caches for multiple TGT support 852948 - ldap_chpass_update_last_change is not included in the manual page 854619 - SSSD cannot cope with empty naming context coming from Novell eDirectory 854997 - Add details about TGT validation to sssd-krb5 man page 857047 - [abrt] sssd-1.8.4-13.fc16: __GI_exit: Process /usr/libexec/sssd/sssd_pam was killed by signal 6 (SIGABRT) 860667 - [man sssd-ldap] 'ldap_access_filter' description needs to be updated 861075 - SSSD_NSS failure to gracefully restart after sbus failure 861076 - Flip the default value of ldap_initgroups_use_matching_rule_in_chain 861079 - Collect Krb5 Trace on High Debug Levels 861082 - Manpage has ldap_autofs_search_base as experimental feature 861091 - pam_sss report System Error on wrong password 863131 - sssd_nss process hangs, stuck in loop; "self restart" does recover, but old process hangs around using 100% CPU 866542 - sssd_be crashes while looking up users 867932 - Selinuxusermap rule is not honoured 867933 - invalidating the memcache with sss_cache doesn't work if the sssd is not running 869013 - Sudo smart refresh doesn't occur on time 869071 - Password authentication for users from trusted domains does not work 869150 - ldap_child crashes on using invalid keytab during gssapi connection 869443 - The sssd_nss process grows the memory consumption over time 869678 - sssd not granting access for AD trusted user in HBAC rule 870039 - sss_cache says 'Wrong DB version' 870045 - always reread the master map from LDAP 870060 - SSH host keys are not being removed from the cache 870238 - IPA client cannot change AD Trusted User password 870278 - ipa client setup should configure host properly in a trust is in place 870280 - ipa reconfigure functionality needed for fixing clients to support trusts 870505 - sss_cache: Multiple domains not handled properly 871160 - sudo failing for ad trusted user in IPA environment 871576 - sssd does not resolve group names from AD 871843 - Nested groups are not retrieved appropriately from cache 872110 - User appears twice on looking up a nested group 872180 - subdomains: Invalid sub-domain request type. 872324 - pam: fd leak when writing the selinux login file in the pam responder 872683 - sssd_be segfaults with enumeration enabled and anonymous LDAP access disabled 873032 - Move sss_cache to the main subpackage 873988 - Man page issue to list 'force_timeout' as an option for the [sssd] section 874579 - sssd caching not working as expected for selinux usermap contexts 874616 - Silence the DEBUG messages when ID mapping code skips a built-in group 874618 - sss_cache: fqdn not accepted 874673 - user id lookup fails using proxy provider 875677 - password expiry warning message doesn't appear during auth 875738 - offline authentication failure always returns System Error 875740 - "defaults" entry ignored 875851 - sysdb upgrade failed converting db to 0.11 876531 - sss_cache does not work for automount maps 877126 - subdomains code does not save the proper user/group name 877130 - LDAP provider fails to save empty groups 877354 - ldap_connection_expire_timeout doesn't expire ldap connections 877972 - ldap_sasl_authid no longer accepts full principal 877974 - updating top-level group does not reflect ghost members correctly 878262 - ipa password auth failing for user principal name when shorter than IPA Realm name 878419 - sss_userdel doesn't remove entries from in-memory cache 878420 - SIGSEGV in IPA provider when ldap_sasl_authid is not set 878583 - IPA Trust does not show secondary groups for AD Users for commands like id and getent 880140 - sssd hangs at startup with broken configurations 880159 - delete operation is not implemented for ghost users 880176 - memberUid required for primary groups to match sudo rule 880546 - krb5_kpasswd failover doesn't work 880956 - Primary server status is not always reset after failover to backup server happened 881773 - mmap cache needs update after db changes 882076 - SSSD crashes when c-ares returns success but an empty hostent during the DNS update 882221 - Offline sudo denies access with expired entry_cache_timeout 882290 - arithmetic bug in the SSSD causes netgroup midpoint refresh to be always set to 10 seconds 882923 - Negative cache timeout is not working for proxy provider 883336 - sssd crashes during start if id_provider is not mentioned 883408 - Make it clear that ldap_sudo_include_regexp can only handle wildcards 884254 - CVE-2013-0219 sssd: TOCTOU race conditions by copying and removing directory trees 884480 - user is not removed from group membership during initgroups 884600 - ldap_chpass_uri failover fails on using same hostname 884601 - CVE-2013-0220 sssd: Out-of-bounds read flaws in autofs and ssh services responders 884666 - sudo: if first full refresh fails, schedule another first full refresh 885078 - sssd_nss crashes during enumeration if the enumeration is taking too long 885105 - sudo denies access with disabled ldap_sudo_use_host_filter 886038 - sssd components seem to mishandle sighup 886091 - Disallow root SSH public key authentication 886848 - user id lookup fails for case sensitive users using proxy provider 887961 - AD provider: getgrgid removes nested group memberships 888614 - Failure in memberof can lead to failed database update 888800 - MEmory leak in new memcache initgr cleanup function 889168 - krb5 ticket renewal does not read the renewable tickets from cache 889182 - crash in memory cache 890520 - Failover to krb5_backup_kpasswd doesn't work 891356 - Smart refresh doesn't notice "defaults" addition with OpenLDAP 892197 - Incorrect principal searched for in keytab 894302 - sssd fails to update to changes on autofs maps 894381 - memory cache is not updated after user is deleted from ldb cache 894428 - wrong filter for autofs maps in sss_cache 894738 - Failover to ldap_chpass_backup_uri doesn't work 894997 - sssd_be crashes looking up members with groups outside the nesting limit 895132 - Modifications using sss_usermod tool are not reflected in memory cache 895615 - ipa-client-automount: autofs failed in s390x and ppc64 platform 896476 - SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute. 902436 - possible segfault when backend callback is removed 902716 - Rule mismatch isn't noticed before smart refresh on ppc64 and s390x