CVE-2013-219 - race conditions when creating or removing home directories for users in local domain

Bug #1105893 reported by Timo Aaltonen on 2013-01-26
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Undecided
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Timo Aaltonen

Bug Description

======================== A security bug in SSSD ===============
=
= Subject: TOCTOU race conditions when creating or removing home
= directories for users in local domain
=
= CVE ID#: CVE-2013-0219
=
= Summary: A TOCTOU (time-of-check, time-of-use) race condition was found
= in the way SSSD performed copying and removal of home
= directory trees.
=
=
= Impact: low
=
= Acknowledgements: The bug was found by Florian Weimer of the Red Hat
= Product Security Team
=
= Affects default
= configuration: no
=
= Introduced with: 0.7.0
=
===============================================================

==== DESCRIPTION ====

SSSD versions 0.7.0 through 1.9.3 (inclusive) are vulnerable to a security bug.

The removal of a home directory is sensitive to concurrent modification of the
directory tree being removed and can unlink files outside the directory tree.
When removing a home directory, if another process is modifying that directory
at the same time, it becomes possible for the SSSD to unlink files that are
outside the directory tree.

When creating a home directory, the destination tree can be modified in various
ways while it is being constructed because directory permissions are set before
populating the directory. This can lead to file creation and permission changes
outside the target directory tree using hard links.

The fix will be delivered as part of the upcoming 1.9.4 release. There
won't be a separate 1.9 security release as the 1.9.4 version will be
released later this week. The flaw will be fixed in a separate release
for the 1.8 and 1.5 LTM release branches as well.

The bug is being tracked in the following Red Hat Bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=884254

==== WORKAROUND ====

These vulnerabilities are present only while creating or removing home
directories, so until patched packages are available, you can simply
refrain from performing these actions.

==== PATCH AVAILABILITY ====

The patches are available at:
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=94cbf1cfb0f88c967f1fb0a4cf23723148868e4a
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=020bf88fd1c5bdac8fc671b37c7118f5378c7047

Timo Aaltonen (tjaalton) wrote :

fixed for raring in 1.9.3-0ubuntu2

information type: Public → Public Security
Changed in sssd (Ubuntu):
status: New → Fix Released
Changed in sssd (Ubuntu Precise):
importance: Undecided → Medium
status: New → In Progress
Changed in sssd (Ubuntu Quantal):
assignee: nobody → Timo Aaltonen (tjaalton)
importance: Undecided → Medium
status: New → In Progress
Timo Aaltonen (tjaalton) wrote :
Timo Aaltonen (tjaalton) wrote :

Hello Timo, or anyone else affected,

Accepted sssd into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sssd/1.8.6-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in sssd (Ubuntu Quantal):
status: In Progress → Fix Committed
Adam Conrad (adconrad) wrote :

Hello Timo, or anyone else affected,

Accepted sssd into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sssd/1.9.1-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Timo Aaltonen (tjaalton) on 2013-02-27
tags: added: verification-done
removed: verification-needed
Timo Aaltonen (tjaalton) on 2013-03-12
Changed in sssd (Ubuntu Quantal):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote :

This bug was fixed in the package sssd - 1.8.6-0ubuntu0.2

---------------
sssd (1.8.6-0ubuntu0.2) precise-proposed; urgency=low

  * rules: Really install the new pam-auth-update file for password
    changes. (LP: #1086272)
  * rules: Pass --datadir, so the path in autogenerated python files is
    correctly substituted. (LP: #1079938)

Changed in sssd (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers