Bug 25234 - sssd new security issue CVE-2018-16838
Summary: sssd new security issue CVE-2018-16838
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-06 21:42 CEST by David Walser
Modified: 2019-11-11 12:06 CET

See Also:
Source RPM: sssd-1.16.3-3.mga7.src.rpm
CVE: CVE-2018-16838
Status comment:


Attachments
testconfig file for sssd (201 bytes, text/plain)
2019-11-11 12:06 CET, Herman Viaene

Description David Walser 2019-08-06 21:42:07 CEST
Red Hat has issued an advisory today (August 6):
https://access.redhat.com/errata/RHSA-2019:2177

The fix for 1.16.x is here:
https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-06 21:42:13 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-11 17:38:08 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two submitters.

CC: (none) => geiger.david68210, marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-11-08 14:35:01 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access. (CVE-2018-16838)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16838
https://access.redhat.com/errata/RHSA-2019:2177
========================

Updated packages in core/updates_testing:
========================
sssd-1.16.3-3.1.mga7
sssd-common-1.16.3-3.1.mga7
sssd-client-1.16.3-3.1.mga7
libsss_sudo-1.16.3-3.1.mga7
libsss_autofs-1.16.3-3.1.mga7
sssd-tools-1.16.3-3.1.mga7
python2-sssdconfig-1.16.3-3.1.mga7
python3-sssdconfig-1.16.3-3.1.mga7
python2-sss-1.16.3-3.1.mga7
python3-sss-1.16.3-3.1.mga7
python2-sss-murmur-1.16.3-3.1.mga7
python3-sss-murmur-1.16.3-3.1.mga7
sssd-ldap-1.16.3-3.1.mga7
sssd-krb5-common-1.16.3-3.1.mga7
sssd-krb5-1.16.3-3.1.mga7
sssd-common-pac-1.16.3-3.1.mga7
sssd-ipa-1.16.3-3.1.mga7
sssd-ad-1.16.3-3.1.mga7
sssd-proxy-1.16.3-3.1.mga7
libsss_idmap-1.16.3-3.1.mga7
libsss_idmap-devel-1.16.3-3.1.mga7
libipa_hbac-1.16.3-3.1.mga7
libipa_hbac-devel-1.16.3-3.1.mga7
python2-libipa_hbac-1.16.3-3.1.mga7
python3-libipa_hbac-1.16.3-3.1.mga7
libsss_nss_idmap-1.16.3-3.1.mga7
libsss_nss_idmap-devel-1.16.3-3.1.mga7
python2-libsss_nss_idmap-1.16.3-3.1.mga7
python3-libsss_nss_idmap-1.16.3-3.1.mga7
sssd-dbus-1.16.3-3.1.mga7
libsss_simpleifp-1.16.3-3.1.mga7
libsss_simpleifp-devel-1.16.3-3.1.mga7
sssd-libwbclient-1.16.3-3.1.mga7
sssd-libwbclient-devel-1.16.3-3.1.mga7
sssd-winbind-idmap-1.16.3-3.1.mga7
sssd-nfs-idmap-1.16.3-3.1.mga7
libsss_certmap-1.16.3-3.1.mga7
libsss_certmap-devel-1.16.3-3.1.mga7
sssd-kcm-1.16.3-3.1.mga7

from SRPMS:
sssd-1.16.3-3.1.mga7.src.rpm

Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2018-16838
Status: NEW => ASSIGNED
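
Added illustration (not SSSD's code and not part of this bug report): a simplified model of the fail-open decision the advisory describes, with the GPO and the SIDs constructed here. The `ignore_unreadable` parameter stands for the pre-fix behaviour of skipping a GPO the daemon cannot read; the hardened path fails closed, and upstream exposes the same switch as the `ad_gpo_ignore_unreadable` sssd.conf option (default false), which this page does not mention.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Added illustration of the failure mode behind CVE-2018-16838; a simplified
 * model, not SSSD's own code. A host's logon policy is the union of several
 * Group Policy Objects (GPOs); any of them may be unreadable to the daemon. */
#define MAX_SIDS 4

typedef struct {
    bool readable;                /* could the GPO be fetched and parsed? */
    const char *deny[MAX_SIDS];   /* "deny log on" SIDs, NULL-terminated */
    const char *allow[MAX_SIDS];  /* "allow log on" SIDs, NULL-terminated */
} gpo_t;

static bool sid_listed(const char *sid, const char *const *list) {
    for (size_t i = 0; i < MAX_SIDS && list[i] != NULL; i++)
        if (strcmp(sid, list[i]) == 0) return true;
    return false;
}

/* Decide logon for one user SID over the applicable GPOs. With
 * ignore_unreadable set, an unreadable GPO is skipped as if it carried no
 * settings (the pre-fix behaviour); otherwise the decision fails closed. */
bool gpo_logon_allowed(const char *sid, const gpo_t *gpos, size_t n,
                       bool ignore_unreadable) {
    bool any_policy = false, allowed = false;
    for (size_t i = 0; i < n; i++) {
        if (!gpos[i].readable) {
            if (ignore_unreadable) continue;  /* BUG: policy silently dropped */
            return false;                     /* fail closed */
        }
        any_policy = true;
        if (sid_listed(sid, gpos[i].deny)) return false;  /* deny wins */
        if (sid_listed(sid, gpos[i].allow)) allowed = true;
    }
    /* With no readable policy left, the pre-fix path granted access to
     * every authenticated user, which is what the advisory describes. */
    return any_policy ? allowed : true;
}

/* Constructed sample: the only GPO allows ...1001 and denies ...1002, but
 * a too-strict ACL on the server makes it unreadable to the daemon. */
bool sample_decision(const char *sid, bool ignore_unreadable) {
    static const gpo_t only_gpo = {
        false, { "S-1-5-21-1-1-1-1002", NULL }, { "S-1-5-21-1-1-1-1001", NULL }
    };
    return gpo_logon_allowed(sid, &only_gpo, 1, ignore_unreadable);
}
```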

Comment 3 Herman Viaene 2019-11-11 12:02:26 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed my own procedure as per bug 23381 Comment 10 (which I used in bug 24513 as well).
Added sssd.conf file as described (will attach it here)
and then
# systemctl start sssd
# systemctl -l status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-11-11 11:25:33 CET; 26min ago
 Main PID: 935 (sssd)
   Memory: 36.9M
   CGroup: /system.slice/sssd.service
           ├─ 935 /usr/sbin/sssd -i --logger=files
           ├─1285 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
           └─1322 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

nov 11 11:25:27 mach5.hviaene.thuis systemd[1]: Starting System Security Services Daemon...
nov 11 11:25:31 mach5.hviaene.thuis sssd[935]: Starting up
nov 11 11:25:32 mach5.hviaene.thuis sssd[be[implicit_files]][1285]: Starting up
nov 11 11:25:33 mach5.hviaene.thuis sssd[nss][1322]: Starting up
nov 11 11:25:33 mach5.hviaene.thuis systemd[1]: Started System Security Services Daemon.

But then
# sss_useradd prutser
Fout bij de initialisatie van de tools - geen lokaal domein
(Error at initialisation - no local domain)

Googled a bit on this error, but found no explanation straight away.

Just as a note: I can't remember any such service which hasn't a default conf file after installation - annoying.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2019-11-11 12:06:50 CET
Created attachment 11351 [details]
testconfig file for sssd
