Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:sssd
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Fix no-dsa vulnerability CVE-2023-3758: Due to a race condition flaw the GPO
policy is not consistently applied for authenticated users.

[ Impact ]
Bookworm users will remain vulnerable. Also the issues were fixed in Bullseye
LTS, so users upgrading to Bookworm will regress if it isn't fixed in that
suite too.

[ Tests ]
The upstream test suite doesn't run at build time, but I manually ran it and
verified that the patch doesn't cause any regression.

[ Risks ]
The fixes are trivial; 2.8.x is officially supported upstream and the upstream
patch was cherry-picked to 2.8.2 without conflict.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Fix CVE-2023-3758: Due to a race condition flaw the GPO policy is not
  consistently applied for authenticated users. (Closes: #1070369)
* Add d/.gitlab-ci.yml for Salsa CI.
* Add d/.gitignore file to exclude d/p/*.patch from upstream gitignore(5)'d
  rules.

-- Guilhem.
diffstat for sssd-2.8.2 sssd-2.8.2 .gitlab-ci.yml | 8 + changelog | 11 ++ patches/CVE-2023-3758.patch | 214 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 234 insertions(+) diff -Nru sssd-2.8.2/debian/changelog sssd-2.8.2/debian/changelog --- sssd-2.8.2/debian/changelog 2023-04-11 14:19:36.000000000 +0200 +++ sssd-2.8.2/debian/changelog 2025-02-09 11:45:11.000000000 +0100 @@ -1,3 +1,14 @@ +sssd (2.8.2-4+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2023-3758: Due to a race condition flaw the GPO policy is not + consistently applied for authenticated users. (Closes: #1070369) + * Add d/.gitlab-ci.yml for Salsa CI. + * Add d/.gitignore file to exclude d/p/*.patch from upstream gitignore(5)'d + rules. + + -- Guilhem Moulin <guil...@debian.org> Sun, 09 Feb 2025 11:45:11 +0100 + sssd (2.8.2-4) unstable; urgency=medium [ Sam Morris ] diff -Nru sssd-2.8.2/debian/.gitlab-ci.yml sssd-2.8.2/debian/.gitlab-ci.yml --- sssd-2.8.2/debian/.gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ sssd-2.8.2/debian/.gitlab-ci.yml 2025-02-09 11:45:11.000000000 +0100 @@ -0,0 +1,8 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'bookworm' + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_LINTIAN: 1 + SALSA_CI_DISABLE_PIUPARTS: 1 diff -Nru sssd-2.8.2/debian/patches/CVE-2023-3758.patch sssd-2.8.2/debian/patches/CVE-2023-3758.patch --- sssd-2.8.2/debian/patches/CVE-2023-3758.patch 1970-01-01 01:00:00.000000000 +0100 +++ sssd-2.8.2/debian/patches/CVE-2023-3758.patch 2025-02-09 11:45:11.000000000 +0100 
@@ -0,0 +1,214 @@ +From: Sumit Bose <sb...@redhat.com> +Date: Wed, 8 Nov 2023 14:50:24 +0100 +Subject: ad-gpo: use hash to store intermediate results + +Currently after the evaluation of a single GPO file the intermediate +results are stored in the cache and this cache entry is updated until +all applicable GPO files are evaluated. Finally the data in the cache is +used to make the decision of access is granted or rejected. + +If there are two or more access-control request running in parallel one +request might overwrite the cache object with intermediate data while +another request reads the cached data for the access decision and as a +result will do this decision based on intermediate data. + +To avoid this the intermediate results are not stored in the cache +anymore but in hash tables which are specific to the request. Only the +final result is written to the cache to have it available for offline +authentication. + +Reviewed-by: Alexey Tikhonov <atikh...@redhat.com> +Reviewed-by: Tomáš Halman <thal...@redhat.com> +Origin: https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 +Bug: https://github.com/SSSD/sssd/pull/7302 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-3758 +Bug-Debian: https://bugs.debian.org/1070369 +--- + src/providers/ad/ad_gpo.c | 116 ++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 102 insertions(+), 14 deletions(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 4b7bbf1..904aa1e 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -1316,6 +1316,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, + return ret; + } + ++static errno_t ++add_result_to_hash(hash_table_t *hash, const char *key, char *value) ++{ ++ int hret; ++ hash_key_t k; ++ hash_value_t v; ++ ++ if (hash == NULL || key == NULL || value == NULL) { ++ return EINVAL; ++ } ++ ++ k.type = HASH_KEY_CONST_STRING; ++ k.c_str = key; ++ ++ v.type = HASH_VALUE_PTR; ++ 
v.ptr = value; ++ ++ hret = hash_enter(hash, &k, &v); ++ if (hret != HASH_SUCCESS) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n", ++ key, value, hash_error_string(hret)); ++ return EIO; ++ } ++ ++ return EOK; ++} ++ + /* + * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, + * and stores the allow_key and deny_key of all of the gpo_map_types present +@@ -1323,6 +1350,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, + */ + static errno_t + ad_gpo_store_policy_settings(struct sss_domain_info *domain, ++ hash_table_t *allow_maps, hash_table_t *deny_maps, + const char *filename) + { + struct ini_cfgfile *file_ctx = NULL; +@@ -1456,14 +1484,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, + goto done; + } else if (ret != ENOENT) { + const char *value = allow_value ? allow_value : empty_val; +- ret = sysdb_gpo_store_gpo_result_setting(domain, +- allow_key, +- value); ++ ret = add_result_to_hash(allow_maps, allow_key, ++ talloc_strdup(allow_maps, value)); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_gpo_store_gpo_result_setting failed for key:" +- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value, +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " ++ "value: [%s] to allow maps " ++ "[%d][%s].\n", ++ allow_key, value, ret, ++ sss_strerror(ret)); + goto done; + } + } +@@ -1483,14 +1511,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, + goto done; + } else if (ret != ENOENT) { + const char *value = deny_value ? 
deny_value : empty_val; +- ret = sysdb_gpo_store_gpo_result_setting(domain, +- deny_key, +- value); ++ ret = add_result_to_hash(deny_maps, deny_key, ++ talloc_strdup(deny_maps, value)); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_gpo_store_gpo_result_setting failed for key:" +- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value, +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " ++ "value: [%s] to deny maps " ++ "[%d][%s].\n", ++ deny_key, value, ret, ++ sss_strerror(ret)); + goto done; + } + } +@@ -1783,6 +1811,8 @@ struct ad_gpo_access_state { + int num_cse_filtered_gpos; + int cse_gpo_index; + const char *ad_domain; ++ hash_table_t *allow_maps; ++ hash_table_t *deny_maps; + }; + + static void ad_gpo_connect_done(struct tevent_req *subreq); +@@ -1905,6 +1935,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, + goto immediately; + } + ++ ret = sss_hash_create(state, 0, &state->allow_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps " ++ "hash table [%d]: %s\n", ret, sss_strerror(ret)); ++ goto immediately; ++ } ++ ++ ret = sss_hash_create(state, 0, &state->deny_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps " ++ "hash table [%d]: %s\n", ret, sss_strerror(ret)); ++ goto immediately; ++ } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { +@@ -2724,6 +2767,43 @@ ad_gpo_cse_step(struct tevent_req *req) + return EAGAIN; + } + ++static errno_t ++store_hash_maps_in_cache(struct sss_domain_info *domain, ++ hash_table_t *allow_maps, hash_table_t *deny_maps) ++{ ++ int ret; ++ struct hash_iter_context_t *iter; ++ hash_entry_t *entry; ++ size_t c; ++ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL}; ++ ++ ++ for (c = 0; hash_list[c] != NULL; c++) { ++ iter = new_hash_iter_context(hash_list[c]); ++ if (iter == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n"); ++ return EINVAL; ++ } 
++ ++ while ((entry = iter->next(iter)) != NULL) { ++ ret = sysdb_gpo_store_gpo_result_setting(domain, ++ entry->key.c_str, ++ entry->value.ptr); ++ if (ret != EOK) { ++ free(iter); ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_gpo_store_gpo_result_setting failed for key:" ++ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str, ++ (char *) entry->value.ptr, ret, sss_strerror(ret)); ++ return ret; ++ } ++ } ++ talloc_free(iter); ++ } ++ ++ return EOK; ++} ++ + /* + * This cse-specific function (GP_EXT_GUID_SECURITY) increments the + * cse_gpo_index until the policy settings for all applicable GPOs have been +@@ -2765,6 +2845,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) + * (as part of the GPO Result object in the sysdb cache). + */ + ret = ad_gpo_store_policy_settings(state->host_domain, ++ state->allow_maps, state->deny_maps, + cse_filtered_gpo->policy_filename); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -2778,6 +2859,13 @@ ad_gpo_cse_done(struct tevent_req *subreq) + + if (ret == EOK) { + /* ret is EOK only after all GPO policy files have been downloaded */ ++ ret = store_hash_maps_in_cache(state->host_domain, ++ state->allow_maps, state->deny_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps " ++ "[%d][%s].\n", ret, sss_strerror(ret)); ++ goto done; ++ } + ret = ad_gpo_perform_hbac_processing(state, + state->gpo_mode, + state->gpo_map_type, diff -Nru sssd-2.8.2/debian/patches/series sssd-2.8.2/debian/patches/series --- sssd-2.8.2/debian/patches/series 2023-03-24 09:10:33.000000000 +0100 +++ sssd-2.8.2/debian/patches/series 2025-02-09 11:45:11.000000000 +0100 @@ -2,3 +2,4 @@ default-to-socket-activated-services.diff fix-shebang-on-sss_analyze.patch 0004-Makefile-Install-dbus-policy-in-usr-not-etc.patch +CVE-2023-3758.patch
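Review bot: in the two ad_gpo_store_policy_settings hunks (@@ -1456,14 +1484,14 @@ and @@ -1483,14 +1511,14 @@) the value handed to add_result_to_hash is `talloc_strdup(allow_maps, value)` / `talloc_strdup(deny_maps, value)` with no NULL check, so an allocation failure is reported as the generic EINVAL that add_result_to_hash returns for a NULL value, and the caller's DEBUG line then logs an invalid-argument error for what was really out-of-memory. Suggest duplicating into a local first, returning ENOMEM when it is NULL, and only then calling add_result_to_hash. If hash_enter replaces the value of a key that is already present (the same key seen again for a later GPO), the earlier duplicated string stays allocated on the table until the request state is freed; that is bounded by the request lifetime, but a one-line comment in add_result_to_hash saying so would save the next reader from chasing it.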
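Review bot: the @@ -1323,6 +1350,7 @@ hunk adds allow_maps and deny_maps to the ad_gpo_store_policy_settings signature, while the two hunks after it remove the only `sysdb_gpo_store_gpo_result_setting(domain, ...)` calls shown in that function. If `domain` has no remaining use inside the function after this change, drop the parameter (or say in the function comment why it stays); otherwise the new signature carries a dead argument that suggests the function still touches sysdb.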
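Review bot: in store_hash_maps_in_cache (@@ -2724,6 +2767,43 @@) the iterator is released with `free(iter)` on the error path but `talloc_free(iter)` on the success path; both cannot be right for the same allocation. Since the tables are created with `sss_hash_create(state, 0, ...)` in ad_gpo_access_send, talloc_free looks like the one to keep, but either way the two paths must use the same deallocator. Also, returning on the first failed sysdb_gpo_store_gpo_result_setting leaves the GPO Result object partially updated; that mirrors what a mid-loop failure did before the patch, but it deserves a comment now that this function is the single place the cache is written. Minor: there is a doubled blank line after the hash_list declaration, and `ret` is declared `int` in a function returning errno_t.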
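Review bot: the context line above the ad_gpo_store_policy_settings call in the @@ -2765,6 +2845,7 @@ hunk still reads "(as part of the GPO Result object in the sysdb cache)", which no longer describes that call: it now fills state->allow_maps / state->deny_maps, and the sysdb write moves to the store_hash_maps_in_cache call added in the following hunk. Update the comment to say the settings accumulate in the per-request tables and are written to the cache once, after the last GPO file has been processed.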
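To make the race the patch closes concrete, here is an added example in C; it is not sssd code and models only the shape of the problem: every GPO in the chain sets the value of one allow map (later GPOs override earlier ones), the access decision checks whether the user is listed in the final value, and two requests for the same host run interleaved. The names `shared_cache_allow` (standing in for the sysdb GPO Result object), `own_allow` (standing in for `state->allow_maps`), the GPO chain and the user names are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not sssd code: a chain of GPOs each sets the allow
 * value of one map, the last one wins, and access is granted when the user
 * is listed in the final value. */

#define VALUE_MAX 64

/* Process-wide cache entry: stands in for the sysdb GPO Result object. */
static char shared_cache_allow[VALUE_MAX];

struct request {
    const char *gpo_values[4];  /* allow value contributed by each GPO, NULL-terminated */
    int next;                   /* index of the next GPO to evaluate */
    char own_allow[VALUE_MAX];  /* per-request result: stands in for state->allow_maps */
};

/* Membership test on a comma-separated list of names. */
static bool user_in_list(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list;

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);

        if (len == ulen && strncmp(p, user, ulen) == 0) {
            return true;
        }
        if (end == NULL) {
            break;
        }
        p = end + 1;
    }
    return false;
}

static void copy_value(char *dst, const char *src)
{
    snprintf(dst, VALUE_MAX, "%s", src);
}

/* Evaluate one GPO of the request. 'fixed' selects where the intermediate
 * result goes: straight into the shared cache (pre-patch) or into the
 * request's own table (post-patch). Returns false when no GPO is left. */
static bool evaluate_one_gpo(struct request *r, bool fixed)
{
    const char *v = r->gpo_values[r->next];

    if (v == NULL) {
        return false;
    }
    copy_value(fixed ? r->own_allow : shared_cache_allow, v);
    r->next++;
    return true;
}

/* Final step of a request. Post-patch the request writes its completed
 * result to the cache (for offline use) and decides from its own table;
 * pre-patch it decides from whatever the shared cache holds right now. */
static bool decide_access(struct request *r, const char *user, bool fixed)
{
    if (fixed) {
        copy_value(shared_cache_allow, r->own_allow);
        return user_in_list(r->own_allow, user);
    }
    return user_in_list(shared_cache_allow, user);
}

/* Interleaving that triggers the race: request A evaluates both GPOs,
 * request B evaluates only its first GPO, then A takes its decision. */
bool bob_allowed_under_interleaving(bool fixed)
{
    static const char *chain[] = { "alice,bob", "alice", NULL };  /* constructed chain */
    struct request a = { { chain[0], chain[1], NULL }, 0, "" };
    struct request b = { { chain[0], chain[1], NULL }, 0, "" };

    shared_cache_allow[0] = '\0';
    evaluate_one_gpo(&a, fixed);   /* A: GPO1 -> "alice,bob" */
    evaluate_one_gpo(&a, fixed);   /* A: GPO2 -> "alice" (A's final answer) */
    evaluate_one_gpo(&b, fixed);   /* B: GPO1 -> "alice,bob" (intermediate) */
    return decide_access(&a, "bob", fixed);
}

int main(void)
{
    printf("pre-patch:  bob allowed = %s\n",
           bob_allowed_under_interleaving(false) ? "yes" : "no");
    printf("post-patch: bob allowed = %s\n",
           bob_allowed_under_interleaving(true) ? "yes" : "no");
    return 0;
}
```

With the shared cache as the working area, request A's decision for bob reads request B's half-finished state and grants access that A's own completed evaluation would have denied; with a per-request table that is only written to the cache at the end, the decision depends solely on the request's own complete result, which is the property the patch's hash tables provide.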