*** This bug is a security vulnerability ***

Public security bug reported:
======================== A security bug in SSSD ===============
=
= Subject:          TOCTOU race conditions when creating or removing home
=                   directories for users in local domain
=
= CVE ID#:          CVE-2013-0219
=
= Summary:          A TOCTOU (time-of-check, time-of-use) race condition was found
=                   in the way SSSD performed copying and removal of home
=                   directory trees.
=
= Impact:           low
=
= Acknowledgements: The bug was found by Florian Weimer of the Red Hat
=                   Product Security Team
=
= Affects default
=  configuration:   no
=
= Introduced with:  0.7.0
=
===============================================================

==== DESCRIPTION ====

SSSD versions 0.7.0 through 1.9.3 (inclusive) are vulnerable to a security bug.

The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree. When removing a home directory, if another process is modifying that directory at the same time, it becomes possible for the SSSD to unlink files that are outside the directory tree.

When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree using hard links.

The fix will be delivered as part of the upcoming 1.9.4 release. There won't be a separate 1.9 security release as the 1.9.4 version will be released later this week. The flaw will be fixed in a separate release for the 1.8 and 1.5 LTM release branches as well.

The bug is being tracked in the following Red Hat Bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=884254

==== WORKAROUND ====

These vulnerabilities are present only while creating or removing home directories, so until patched packages are available, you can simply refrain from performing these actions.
==== PATCH AVAILABILITY ====

The patches are available at:
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=94cbf1cfb0f88c967f1fb0a4cf23723148868e4a
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=020bf88fd1c5bdac8fc671b37c7118f5378c7047

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: sssd (Ubuntu Precise)
     Importance: Medium
         Status: In Progress

** Affects: sssd (Ubuntu Quantal)
     Importance: Medium
     Assignee: Timo Aaltonen (tjaalton)
         Status: In Progress

** Information type changed from Public to Public Security

** Also affects: sssd (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: sssd (Ubuntu Quantal)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1105893

Title:
  CVE-2013-219 - race conditions when creating or removing home directories for users in local domain
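
The removal half of the race described in the advisory, as an added example that is not SSSD's patch or code from the original report: a recursive delete that addresses every entry relative to an open directory descriptor (`openat`, `fstatat`, `unlinkat`) and refuses to follow symlinks, so a concurrently modified tree cannot steer an unlink outside it. The function names, the same-device check and the trusted-parent assumption are choices made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DIR_FLAGS (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)

/* Empty the directory open on dfd (ownership of dfd passes to this function).
 * Entries are addressed relative to dfd, never through a re-resolved path. */
static int remove_children(int dfd, dev_t root_dev)
{
    DIR *d = fdopendir(dfd);
    struct dirent *e;
    int ret = 0;
    if (d == NULL) { close(dfd); return -1; }
    while (ret == 0 && (e = readdir(d)) != NULL) {
        struct stat st, sst;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) { ret = -1; break; }
        if (!S_ISDIR(st.st_mode)) {
            ret = unlinkat(dfd, e->d_name, 0); /* drops a symlink, not its target */
            continue;
        }
        /* O_NOFOLLOW fails if the entry became a symlink after the fstatat() */
        int sub = openat(dfd, e->d_name, DIR_FLAGS);
        if (sub < 0) { ret = -1; break; }
        /* The fd must be the directory we inspected, on the starting device */
        if (fstat(sub, &sst) != 0 || sst.st_ino != st.st_ino || sst.st_dev != root_dev) {
            close(sub); ret = -1; break;
        }
        ret = remove_children(sub, root_dev);
        if (ret == 0) ret = unlinkat(dfd, e->d_name, AT_REMOVEDIR);
    }
    closedir(d); /* also closes dfd */
    return ret;
}

/* Assumption: the parent of path is writable only by the caller (e.g. /home). */
int remove_tree_safely(const char *path)
{
    struct stat st;
    int dfd = open(path, DIR_FLAGS);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) != 0) { close(dfd); return -1; }
    if (remove_children(dfd, st.st_dev) != 0) return -1;
    return rmdir(path); /* fails unless path is still an empty real directory */
}
```

Any unexpected change in the tree makes the function stop and return -1 rather than continue on a path it can no longer trust.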
