diff --git a/backport-CVE-2023-3758.patch b/backport-CVE-2023-3758.patch deleted file mode 100644 index 577cedd785fe18c9f05a76f09b046d89e30d4f8d..0000000000000000000000000000000000000000 --- a/backport-CVE-2023-3758.patch +++ /dev/null 
@@ -1,218 +0,0 @@ -From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 8 Nov 2023 14:50:24 +0100 -Subject: [PATCH] ad-gpo: use hash to store intermediate results -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently after the evaluation of a single GPO file the intermediate -results are stored in the cache and this cache entry is updated until -all applicable GPO files are evaluated. Finally the data in the cache is -used to make the decision of access is granted or rejected. - -If there are two or more access-control request running in parallel one -request might overwrite the cache object with intermediate data while -another request reads the cached data for the access decision and as a -result will do this decision based on intermediate data. - -To avoid this the intermediate results are not stored in the cache -anymore but in hash tables which are specific to the request. Only the -final result is written to the cache to have it available for offline -authentication. 
- -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman -(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a) - -Reference:https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 -Conflict: NA ---- - src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++----- - 1 file changed, 102 insertions(+), 14 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 3d1ad39c72..b879b0a080 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - return ret; - } - -+static errno_t -+add_result_to_hash(hash_table_t *hash, const char *key, char *value) -+{ -+ int hret; -+ hash_key_t k; -+ hash_value_t v; -+ -+ if (hash == NULL || key == NULL || value == NULL) { -+ return EINVAL; -+ } -+ -+ k.type = HASH_KEY_CONST_STRING; -+ k.c_str = key; -+ -+ v.type = HASH_VALUE_PTR; -+ v.ptr = value; -+ -+ hret = hash_enter(hash, &k, &v); -+ if (hret != HASH_SUCCESS) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n", -+ key, value, hash_error_string(hret)); -+ return EIO; -+ } -+ -+ return EOK; -+} -+ - /* - * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, - * and stores the allow_key and deny_key of all of the gpo_map_types present -@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - */ - static errno_t - ad_gpo_store_policy_settings(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps, - const char *filename) - { - struct ini_cfgfile *file_ctx = NULL; -@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = allow_value ? 
allow_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- allow_key, -- value); -+ ret = add_result_to_hash(allow_maps, allow_key, -+ talloc_strdup(allow_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to allow maps " -+ "[%d][%s].\n", -+ allow_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = deny_value ? deny_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- deny_key, -- value); -+ ret = add_result_to_hash(deny_maps, deny_key, -+ talloc_strdup(deny_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to deny maps " -+ "[%d][%s].\n", -+ deny_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state { - int num_cse_filtered_gpos; - int cse_gpo_index; - const char *ad_domain; -+ hash_table_t *allow_maps; -+ hash_table_t *deny_maps; - }; - - static void ad_gpo_connect_done(struct tevent_req *subreq); -@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, - goto immediately; - } - -+ ret = sss_hash_create(state, 0, &state->allow_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps " -+ "hash table [%d]: %s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } -+ -+ ret = sss_hash_create(state, 0, &state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps " -+ "hash table [%d]: 
%s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } - - subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); - if (subreq == NULL) { -@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req) - return EAGAIN; - } - -+static errno_t -+store_hash_maps_in_cache(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps) -+{ -+ int ret; -+ struct hash_iter_context_t *iter; -+ hash_entry_t *entry; -+ size_t c; -+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL}; -+ -+ -+ for (c = 0; hash_list[c] != NULL; c++) { -+ iter = new_hash_iter_context(hash_list[c]); -+ if (iter == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n"); -+ return EINVAL; -+ } -+ -+ while ((entry = iter->next(iter)) != NULL) { -+ ret = sysdb_gpo_store_gpo_result_setting(domain, -+ entry->key.c_str, -+ entry->value.ptr); -+ if (ret != EOK) { -+ free(iter); -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_gpo_store_gpo_result_setting failed for key:" -+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str, -+ (char *) entry->value.ptr, ret, sss_strerror(ret)); -+ return ret; -+ } -+ } -+ talloc_free(iter); -+ } -+ -+ return EOK; -+} -+ - /* - * This cse-specific function (GP_EXT_GUID_SECURITY) increments the - * cse_gpo_index until the policy settings for all applicable GPOs have been -@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) - * (as part of the GPO Result object in the sysdb cache). 
- */ - ret = ad_gpo_store_policy_settings(state->host_domain, -+ state->allow_maps, state->deny_maps, - cse_filtered_gpo->policy_filename); - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq) - - if (ret == EOK) { - /* ret is EOK only after all GPO policy files have been downloaded */ -+ ret = store_hash_maps_in_cache(state->host_domain, -+ state->allow_maps, state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps " -+ "[%d][%s].\n", ret, sss_strerror(ret)); -+ goto done; -+ } - ret = ad_gpo_perform_hbac_processing(state, - state->gpo_mode, - state->gpo_map_type, diff --git a/backport-RESPONDER-use-proper-context-for-getDomains.patch b/backport-RESPONDER-use-proper-context-for-getDomains.patch deleted file mode 100644 index 65af21ff308a235c177d45c5b269023f23ab6da9..0000000000000000000000000000000000000000 --- a/backport-RESPONDER-use-proper-context-for-getDomains.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 18f378921ed95dfd6a5e373c87712f7935247d71 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 26 Apr 2024 14:04:50 +0200 -Subject: [PATCH] RESPONDER: use proper context for getDomains() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Request was created on a long term responder context, but a callback -for this request tries to access memory that is allocated on a short -term client context. So if client disconnects before request is -completed, then callback dereferences already freed memory. - -Resolves: https://github.com/SSSD/sssd/issues/7319 - -Reviewed-by: Alejandro López -Reviewed-by: Pavel Březina - -Reference:https://github.com/SSSD/sssd/commit/dc637c9730d0ba04a0d8aa2645ee537224cd4b19 -Conflict:NA - ---- - src/responder/pac/pacsrv_cmd.c | 2 +- - src/responder/pam/pamsrv_cmd.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c -index e3aab88..29d5574 100644 ---- a/src/responder/pac/pacsrv_cmd.c -+++ b/src/responder/pac/pacsrv_cmd.c -@@ -146,7 +146,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx) - ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str, - &pr_ctx->dom); - if (ret == EAGAIN || ret == ENOENT) { -- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, -+ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, - pr_ctx->domain_name); - if (req == NULL) { - ret = ENOMEM; -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 20c332b..1570304 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1918,7 +1918,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) - - ret = pam_forwarder_parse_data(cctx, pd); - if (ret == EAGAIN) { -- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain); -+ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, pd->domain); - if (req 
== NULL) { - ret = ENOMEM; - } else { --- -2.33.0 - diff --git a/backport-UTILS-inotify-avoid-potential-NULL-deref.patch b/backport-UTILS-inotify-avoid-potential-NULL-deref.patch deleted file mode 100644 index 86b1cafa7ba1244b273dfc4ae095f0a8986d52e9..0000000000000000000000000000000000000000 --- a/backport-UTILS-inotify-avoid-potential-NULL-deref.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From d24073823fa7d82726f631628923e9a5378d529d Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 18 Mar 2024 12:15:21 +0100 -Subject: [PATCH] UTILS: inotify: avoid potential NULL deref -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes following error: -``` -Error: STRING_NULL (CWE-170): -sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.] -sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string. -sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string. -sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string. 
- # 325| - # 326| if (snctx->wctx->dir_wd == in_event->wd) { - # 327|-> ret = process_dir_event(snctx, in_event); - # 328| } else if (snctx->wctx->file_wd == in_event->wd) { - # 329| ret = process_file_event(snctx, in_event); -``` - -- it might be unsafe to dereference `in_event->name` -if `in_event->len == 0` - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose - -Reference:https://github.com/SSSD/sssd/commit/4085ee07926303aa26e46dfcc6dec87776432c62 -Conflict:NA - ---- - src/util/inotify.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/util/inotify.c b/src/util/inotify.c -index a3c33ed..8192cfd 100644 ---- a/src/util/inotify.c -+++ b/src/util/inotify.c -@@ -233,9 +233,13 @@ static errno_t process_dir_event(struct snotify_ctx *snctx, - { - errno_t ret; - -+ if (in_event->len == 0) { -+ DEBUG(SSSDBG_TRACE_FUNC, "Not interested in nameless event\n"); -+ return EOK; -+ } -+ - DEBUG(SSSDBG_TRACE_ALL, "inotify name: %s\n", in_event->name); -- if (in_event->len == 0 \ -- || strcmp(in_event->name, snctx->base_name) != 0) { -+ if (strcmp(in_event->name, snctx->base_name) != 0) { - DEBUG(SSSDBG_TRACE_FUNC, "Not interested in %s\n", in_event->name); - return EOK; - } --- -2.33.0 - diff --git a/backport-ad-refresh-root-domain-when-read-directly.patch b/backport-ad-refresh-root-domain-when-read-directly.patch deleted file mode 100644 index 47bcb96e71bde9df18585fe20efd27da91b3b045..0000000000000000000000000000000000000000 --- a/backport-ad-refresh-root-domain-when-read-directly.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 4d841bf2060717171fecad628480c8f2bc03760d Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 1 Mar 2024 10:50:07 +0100 -Subject: [PATCH] ad: refresh root domain when read directly -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the domain object of the forest root domain cannot be found in the -LDAP tree of the local AD domain SSSD tries to read the request data -from an LDAP server of the forest root domain directly. After reading -this data the information is stored in the cache but currently the -information about the domain store in memory is not updated with the -additional data. As a result e.g. the domain SID is missing in this data -and only becomes available after a restart where it is read from the -cache. - -With this patch an unconditional refresh is triggered at the end of the -fallback code path. - -Resolves: https://github.com/SSSD/sssd/issues/7250 - -Reviewed-by: Dan Lavu -Reviewed-by: Tomáš Halman - -Reference:https://github.com/SSSD/sssd/commit/0de6c33047ac7a2b5316ec5ec936d6b675671c53 -Conflict:NA - ---- - src/providers/ad/ad_subdomains.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index 5bddf9b..e6745ce 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state { - static void ad_get_root_domain_done(struct tevent_req *subreq); - static void ad_check_root_domain_done(struct tevent_req *subreq); - static errno_t --ad_get_root_domain_refresh(struct ad_get_root_domain_state *state); -+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh); - - struct tevent_req * - ad_check_domain_send(TALLOC_CTX *mem_ctx, -@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) - return; - } - -- ret = ad_get_root_domain_refresh(state); -+ ret = 
ad_get_root_domain_refresh(state, false); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); - } -@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq) - - state->reply_count = 1; - -- ret = ad_get_root_domain_refresh(state); -+ ret = ad_get_root_domain_refresh(state, true); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); - } -@@ -1697,7 +1697,7 @@ done: - } - - static errno_t --ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) -+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh) - { - struct sss_domain_info *root_domain; - bool has_changes; -@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) - goto done; - } - -- if (has_changes) { -+ if (has_changes || refresh) { - ret = ad_subdom_reinit(state->sd_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n"); --- -2.33.0 - diff --git a/sssd-2.9.4.tar.gz b/sssd-2.9.5.tar.gz similarity index 51% rename from sssd-2.9.4.tar.gz rename to sssd-2.9.5.tar.gz index 51a8a27f7c22c79bfe341460454f8ad1c606d675..f584fd8553e65ecb0e1051a45ed49f42dc3597d3 100644 Binary files a/sssd-2.9.4.tar.gz and b/sssd-2.9.5.tar.gz differ diff --git a/sssd.spec b/sssd.spec index 1d178bfc924b238d18123f1eae989904afc89122..9167713947c586b7dc4abfff9d2bfc430c8c1f8f 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -7,17 +7,13 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.9.4 -Release: 6 +Version: 2.9.5 +Release: 1 Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ -Source0: https://github.com/SSSD/sssd/releases/download/2.9.4/sssd-2.9.4.tar.gz +Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz -Patch0001: backport-CVE-2023-3758.patch -Patch0002: backport-UTILS-inotify-avoid-potential-NULL-deref.patch -Patch0003: backport-ad-refresh-root-domain-when-read-directly.patch -Patch0004: backport-RESPONDER-use-proper-context-for-getDomains.patch Requires: sssd-ad = %{version}-%{release} Requires: sssd-common = %{version}-%{release} @@ -917,6 +913,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Tue Sep 3 2024 dillon chen - 2.9.5-1 +- upgrade to 2.9.5 + * Tue Jun 18 2024 wangjiang - 2.9.4-6 - backport upstream patches
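Review bot: The first sssd.spec hunk removes `Patch0001: backport-CVE-2023-3758.patch` together with the three other backport lines, but nothing on the page shows that the 2.9.5 tarball carries those fixes, so the CVE-2023-3758 fix for intermediate GPO results being read by parallel access-control requests would silently regress if it is not in the release. Before merging, confirm that the upstream commits the deleted patches reference (f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726, 4085ee07926303aa26e46dfcc6dec87776432c62, 0de6c33047ac7a2b5316ec5ec936d6b675671c53, dc637c9730d0ba04a0d8aa2645ee537224cd4b19) are reachable from the 2.9.5 tag, and record that in the changelog hunk so the CVE trail stays auditable, e.g. after `- upgrade to 2.9.5` add `- drop backport patches merged upstream: CVE-2023-3758, UTILS inotify NULL deref, ad root domain refresh, RESPONDER getDomains context`. The `Source0` rewrite to `%{version}` is fine, but the `%prep` section that applied these patches lies outside the hunk, so also check that no `%patch` directive still references the removed numbers.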