From 813653acf7a9b3a3240ff43bad0a268b06f5480d Mon Sep 17 00:00:00 2001
From: Xu Raoqing
Date: Mon, 20 Oct 2025 11:54:26 +0800
Subject: [PATCH] fix CVE-2025-11561

Signed-off-by: Xu Raoqing
---
 backport-fix-CVE-2025-11561.patch | 48 +++++++++++++++++++++++++++++++
 sssd.spec | 6 +++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-CVE-2025-11561.patch

diff --git a/backport-fix-CVE-2025-11561.patch b/backport-fix-CVE-2025-11561.patch
new file mode 100644
index 0000000..941237a
--- /dev/null
+++ b/backport-fix-CVE-2025-11561.patch
@@ -0,0 +1,48 @@
+From 9939c39d1949fad48af2f0b43c788bad0809e310 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Pavel Březina
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index 487145e3d..e76189ef1 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -722,6 +722,7 @@ done:
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++" disable = an2ln\n" \
+ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+ 
+-- 
+2.48.1
+
diff --git a/sssd.spec b/sssd.spec
index e3e0bde..470a0ea 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@
 
 Name: sssd
 Version: 2.9.4
-Release: 14
+Release: 15
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@@ -34,6 +34,7 @@ Patch0017: backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
 Patch0018: backport-PAM-fix-issue-found-by-Coverity.patch
 Patch0019: backport-pam_sss-add-some-missing-cleanup-calls.patch
 Patch0020: backport-SSS_CLIENT-MC-simplify-logic-and.patch
+Patch0021: backport-fix-CVE-2025-11561.patch
 
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -933,6 +934,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon Oct 20 2025 xuraoqing - 2.9.4-15
+- fix CVE-2025-11561
+
 * Tue Aug 26 2025 yixiangzhike - 2.9.4-14
 - backport upstream patch to fix nss coredump
 
-- 
Gitee
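Review bot: The `disable = an2ln` line carried in the backported hunk only reaches libkrb5 once sssd regenerates the localauth snippet at its next start, and only when the system krb5.conf includes the pubconf snippet directory, as the backported commit's relnote itself states; the spec's existing `%systemd_postun_with_restart sssd.service` covers the restart on upgrade, but the new changelog entry `- fix CVE-2025-11561` gives an administrator no hint of the include precondition. I'd make it `- fix CVE-2025-11561: disable the an2ln localauth plugin in the krb5 snippet generated for AD/IPA; effective after sssd restarts and only if krb5.conf includes the pubconf snippet directory`. The %prep section is outside this diff, so whether Patch0021 is picked up by %autosetup or needs an explicit %patch line cannot be confirmed from the hunks shown.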