merged thanks On 9/10/21 1:39 AM, kai wrote: > From: Kai Kang <[email protected]> > > SSSD 2.5.2 Highlights > * General information > - originalADgidNumber attribute in the SSSD cache is now indexed > > * New features > - Debug messages in data provider include a unique request ID that can > be used to track the request from its start to its end (requires > libtevent >= 0.11.0) > > * Important fixes > - Update large files in the files provider in batches to avoid timeouts > > * Configuration changes > - Add new config option fallback_to_nss > > Full release notes: > * https://sssd.io/release-notes/sssd-2.5.2.html > > And backport patch to fix CVE-2021-3621. > > CVE: CVE-2021-3621 > > Signed-off-by: Kai Kang <[email protected]> > --- > .../sssd/files/CVE-2021-3621.patch | 288 ++++++++++++++++++ > .../sssd/{sssd_2.5.1.bb => sssd_2.5.2.bb} | 3 +- > 2 files changed, 290 insertions(+), 1 deletion(-) > create mode 100644 recipes-security/sssd/files/CVE-2021-3621.patch > rename recipes-security/sssd/{sssd_2.5.1.bb => sssd_2.5.2.bb} (97%) > > diff --git a/recipes-security/sssd/files/CVE-2021-3621.patch > b/recipes-security/sssd/files/CVE-2021-3621.patch > new file mode 100644 > index 0000000..7a59df9 > --- /dev/null > +++ b/recipes-security/sssd/files/CVE-2021-3621.patch > @@ -0,0 +1,288 @@ > +Backport patch to fix CVE-2021-3621. > + > +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9] > +CVE: CVE-2021-3621 > + > +Signed-off-by: Kai Kang <[email protected]> > + > +From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001 > +From: Alexey Tikhonov <[email protected]> > +Date: Fri, 18 Jun 2021 13:17:19 +0200 > +Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of > + user supplied command > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +:relnote: A flaw was found in SSSD, where the sssctl command was > +vulnerable to shell command injection via the logs-fetch and > +cache-expire subcommands. This flaw allows an attacker to trick > +the root user into running a specially crafted sssctl command, > +such as via sudo, to gain root access. The highest threat from this > +vulnerability is to confidentiality, integrity, as well as system > +availability. > +This patch fixes a flaw by replacing system() with execvp(). > + > +:fixes: CVE-2021-3621 > + > +Reviewed-by: Pavel Březina <[email protected]> > +--- > + src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- > + src/tools/sssctl/sssctl.h | 2 +- > + src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- > + src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- > + 4 files changed, 73 insertions(+), 57 deletions(-) > + > +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c > +index 2997dbf968..8adaf30910 100644 > +--- a/src/tools/sssctl/sssctl.c > ++++ b/src/tools/sssctl/sssctl.c > +@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, > + return SSSCTL_PROMPT_ERROR; > + } > + > +-errno_t sssctl_run_command(const char *command) > ++errno_t sssctl_run_command(const char *const argv[]) > + { > + int ret; > ++ int wstatus; > + > +- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); > ++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); > + > +- ret = system(command); > ++ ret = fork(); > + if (ret == -1) { > +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); > + ERROR("Error while executing external command\n"); > + return EFAULT; > +- } else if (WEXITSTATUS(ret) != 0) { > +- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", > +- command, WEXITSTATUS(ret)); > ++ } > ++ > ++ if (ret == 0) { > ++ /* cast is safe - see > ++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html > ++ "The statement about argv[] and envp[] being constants ... " > ++ */ > ++ execvp(argv[0], discard_const_p(char * const, argv)); > + ERROR("Error while executing external command\n"); > +- return EIO; > ++ _exit(1); > ++ } else { > ++ if (waitpid(ret, &wstatus, 0) == -1) { > ++ ERROR("Error while executing external command '%s'\n", argv[0]); > ++ return EFAULT; > ++ } else if (WEXITSTATUS(wstatus) != 0) { > ++ ERROR("Command '%s' failed with [%d]\n", > ++ argv[0], WEXITSTATUS(wstatus)); > ++ return EIO; > ++ } > + } > + > + return EOK; > +@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum > sssctl_svc_action action) > + #elif defined(HAVE_SERVICE) > + switch (action) { > + case SSSCTL_SVC_START: > +- return sssctl_run_command(SERVICE_PATH" sssd start"); > ++ return sssctl_run_command( > ++ (const char *[]){SERVICE_PATH, "sssd", "start", > NULL}); > + case SSSCTL_SVC_STOP: > +- return sssctl_run_command(SERVICE_PATH" sssd stop"); > ++ return sssctl_run_command( > ++ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); > + case SSSCTL_SVC_RESTART: > +- return sssctl_run_command(SERVICE_PATH" sssd restart"); > ++ return sssctl_run_command( > ++ (const char *[]){SERVICE_PATH, "sssd", "restart", > NULL}); > + } > + #endif > + > +diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h > +index 0115b2457c..599ef65196 100644 > +--- a/src/tools/sssctl/sssctl.h > ++++ b/src/tools/sssctl/sssctl.h > +@@ -47,7 +47,7 @@ enum sssctl_prompt_result > + sssctl_prompt(const char *message, > + enum sssctl_prompt_result defval); > + > +-errno_t sssctl_run_command(const char *command); > ++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command > */ > + bool sssctl_start_sssd(bool force); > + bool sssctl_stop_sssd(bool force); > + bool sssctl_restart_sssd(bool force); > +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c > +index 8d79b977fd..bf22913416 100644 > +--- a/src/tools/sssctl/sssctl_data.c > ++++ b/src/tools/sssctl/sssctl_data.c > +@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) > + } > + } > + > +- ret = sssctl_run_command("sss_override user-export " > +- SSS_BACKUP_USER_OVERRIDES); > ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", > ++ SSS_BACKUP_USER_OVERRIDES, > NULL}); > + if (ret != EOK) { > + ERROR("Unable to export user overrides\n"); > + return ret; > + } > + > +- ret = sssctl_run_command("sss_override group-export " > +- SSS_BACKUP_GROUP_OVERRIDES); > ++ ret = sssctl_run_command((const char *[]){"sss_override", > "group-export", > ++ SSS_BACKUP_GROUP_OVERRIDES, > NULL}); > + if (ret != EOK) { > + ERROR("Unable to export group overrides\n"); > + return ret; > +@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool > force_restart) > + } > + > + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { > +- ret = sssctl_run_command("sss_override user-import " > +- SSS_BACKUP_USER_OVERRIDES); > ++ ret = sssctl_run_command((const char *[]){"sss_override", > "user-import", > ++ > SSS_BACKUP_USER_OVERRIDES, NULL}); > + if (ret != EOK) { > + ERROR("Unable to import user overrides\n"); > + return ret; > +@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool > force_restart) > + } > + > + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { > +- ret = sssctl_run_command("sss_override group-import " > +- SSS_BACKUP_GROUP_OVERRIDES); > ++ ret = sssctl_run_command((const char *[]){"sss_override", > "group-import", > ++ > SSS_BACKUP_GROUP_OVERRIDES, NULL}); > + if (ret != EOK) { > + ERROR("Unable to import group overrides\n"); > + return ret; > +@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline > *cmdline, > + void *pvt) > + { > + errno_t ret; > +- char *cmd_args = NULL; > +- const char *cachecmd = SSS_CACHE; > +- char *cmd = NULL; > +- int i; > +- > +- if (cmdline->argc == 0) { > +- ret = sssctl_run_command(cachecmd); > +- goto done; > +- } > + > +- cmd_args = talloc_strdup(tool_ctx, ""); > +- if (cmd_args == NULL) { > +- ret = ENOMEM; > +- goto done; > ++ const char **args = talloc_array_size(tool_ctx, > ++ sizeof(char *), > ++ cmdline->argc + 2); > ++ if (!args) { > ++ return ENOMEM; > + } > ++ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); > ++ args[0] = SSS_CACHE; > ++ args[cmdline->argc + 1] = NULL; > + > +- for (i = 0; i < cmdline->argc; i++) { > +- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); > +- if (i != cmdline->argc - 1) { > +- cmd_args = talloc_strdup_append(cmd_args, " "); > +- } > +- } > +- > +- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); > +- if (cmd == NULL) { > +- ret = ENOMEM; > +- goto done; > +- } > +- > +- ret = sssctl_run_command(cmd); > +- > +-done: > +- talloc_free(cmd_args); > +- talloc_free(cmd); > ++ ret = sssctl_run_command(args); > + > ++ talloc_free(args); > + return ret; > + } > +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c > +index 9ff2be05b6..ebb2c4571c 100644 > +--- a/src/tools/sssctl/sssctl_logs.c > ++++ b/src/tools/sssctl/sssctl_logs.c > +@@ -31,6 +31,7 @@ > + #include <ldb.h> > + #include <popt.h> > + #include <stdio.h> > ++#include <glob.h> > + > + #include "util/util.h" > + #include "tools/common/sss_process.h" > +@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, > + { > + struct sssctl_logs_opts opts = {0}; > + errno_t ret; > ++ glob_t globbuf; > + > + /* Parse command line. */ > + struct poptOption options[] = { > +@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, > + > + sss_signal(SIGHUP); > + } else { > ++ globbuf.gl_offs = 4; > ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); > ++ if (ret != 0) { > ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); > ++ return ret; > ++ } > ++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); > ++ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); > ++ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); > ++ globbuf.gl_pathv[3] = discard_const_p(char, "0"); > ++ > + PRINT("Truncating log files...\n"); > +- ret = sssctl_run_command("truncate --no-create --size 0 " > LOG_FILES); > ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); > ++ globfree(&globbuf); > + if (ret != EOK) { > + ERROR("Unable to truncate log files\n"); > + return ret; > +@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, > + void *pvt) > + { > + const char *file; > +- const char *cmd; > + errno_t ret; > ++ glob_t globbuf; > + > + /* Parse command line. */ > + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, > +@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, > + return ret; > + } > + > +- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); > +- if (cmd == NULL) { > +- ERROR("Out of memory!"); > ++ globbuf.gl_offs = 3; > ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); > ++ if (ret != 0) { > ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); > ++ return ret; > + } > ++ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); > ++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); > ++ globbuf.gl_pathv[2] = discard_const_p(char, file); > + > + PRINT("Archiving log files into %s...\n", file); > +- ret = sssctl_run_command(cmd); > ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); > ++ globfree(&globbuf); > + if (ret != EOK) { > + ERROR("Unable to archive log files\n"); > + return ret; > diff --git a/recipes-security/sssd/sssd_2.5.1.bb > b/recipes-security/sssd/sssd_2.5.2.bb > similarity index 97% > rename from recipes-security/sssd/sssd_2.5.1.bb > rename to recipes-security/sssd/sssd_2.5.2.bb > index 1c77480..76d6e03 100644 > --- a/recipes-security/sssd/sssd_2.5.1.bb > +++ b/recipes-security/sssd/sssd_2.5.2.bb > @@ -23,9 +23,10 @@ SRC_URI = > "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g > file://drop_ntpdate_chk.patch \ > file://fix-ldblibdir.patch \ > file://musl_fixup.patch \ > + file://CVE-2021-3621.patch \ > " > > -SRC_URI[sha256sum] = > "ce2f5d84a3f1750093318afd27f4fd75b1e3e75f7d80fc42d21a40cc54b58ea4" > +SRC_URI[sha256sum] = > "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f" > > inherit autotools pkgconfig gettext python3-dir features_check systemd > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#54727): https://lists.yoctoproject.org/g/yocto/message/54727 Mute This Topic: https://lists.yoctoproject.org/mt/85504983/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
