From 575d0866260edb797424b4ce2f845dac9cabddd0 Mon Sep 17 00:00:00 2001
From: fangxiuning
Date: Sat, 29 Nov 2025 14:23:32 +0800
Subject: [PATCH] add
---
 ...ject-with-escaped-characters-in-name.patch | 62 ++++++++++++++++++
 backport-PAM-fixes-following-issue.patch | 49 +++++++++++++++
 ...ESPONDER-skip-mem-cache-invalidation.patch | 63 +++++++++++++++++++
 sssd.spec | 8 ++-
 4 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 backport-Enumerate-object-with-escaped-characters-in-name.patch
 create mode 100644 backport-PAM-fixes-following-issue.patch
 create mode 100644 backport-RESPONDER-skip-mem-cache-invalidation.patch
diff --git a/backport-Enumerate-object-with-escaped-characters-in-name.patch b/backport-Enumerate-object-with-escaped-characters-in-name.patch
new file mode 100644
index 0000000..3534502
--- /dev/null
+++ b/backport-Enumerate-object-with-escaped-characters-in-name.patch
@@ -0,0 +1,62 @@
+From 158b4cdb7ac62fde1280f50a5d678f80d0e99015 Mon Sep 17 00:00:00 2001
+From: Tomas Halman
+Date: Thu, 13 Mar 2025 17:37:51 +0100
+Subject: [PATCH] Enumerate object with escaped characters in name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes enumeration when DN in LDAP server
+contains special characters.
+
+The libldb expects that '\' is followed by two hex digits
+in filter. Strings like '\#' must be sanitized into '\5c#'
+before they are used for searching.
+
+Resolves: https://github.com/SSSD/sssd/issues/7876
+
+Reviewed-by: Alejandro López
+Reviewed-by: Dan Lavu
+
+Reference: https://github.com/SSSD/sssd/commit/158b4cdb7ac62fde1280f50a5d678f80d0e99015
+Conflict: NA
+
+---
+ src/db/sysdb_search.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index 7f34ddbcb..fdcbdc1eb 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -814,6 +814,7 @@ static errno_t sysdb_enum_dn_filter(TALLOC_CTX *mem_ctx,
+ {
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *dn_filter;
++ char *sanitized_dn;
+ const char *fqname;
+ errno_t ret;
+
+@@ -844,11 +845,18 @@ static errno_t sysdb_enum_dn_filter(TALLOC_CTX *mem_ctx,
+ }
+
+ for (size_t i = 0; i < ts_res->count; i++) {
++ ret = sss_filter_sanitize_dn(tmp_ctx,
++ ldb_dn_get_linearized(ts_res->msgs[i]->dn),
++ &sanitized_dn);
++ if (ret != EOK) {
++ goto done;
++ }
+ dn_filter = talloc_asprintf_append(
+ dn_filter,
+ "(%s=%s)",
+ SYSDB_DN,
+- ldb_dn_get_linearized(ts_res->msgs[i]->dn));
++ sanitized_dn);
++ talloc_free(sanitized_dn);
+ if (dn_filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+--
+2.43.0
+
diff --git a/backport-PAM-fixes-following-issue.patch b/backport-PAM-fixes-following-issue.patch
new file mode 100644
index 0000000..9ddb555
--- /dev/null
+++ b/backport-PAM-fixes-following-issue.patch
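Review bot: The `sss_filter_sanitize_dn()` call added inside the loop carries no comment explaining why the raw linearized DN is no longer acceptable, and that reasoning exists only in the commit message; a line above the call such as `/* libldb requires '\' in a filter value to be followed by two hex digits; escape the DN (e.g. '\#' -> '\5c#') before splicing it in */` would stop a future reader from reverting to the direct `ldb_dn_get_linearized()` value. That value is still handed over unchecked, and `ldb_dn_get_linearized()` may return NULL for an invalid DN or on allocation failure; whether `sss_filter_sanitize_dn()` tolerates a NULL input is not visible here, so either confirm it or guard the call with an explicit `ret = EINVAL; goto done;`. `sysdb_enum_dn_filter()` begins and ends outside the hunk, so the `done:` cleanup of `tmp_ctx` that the early `goto done` relies on is assumed rather than seen.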
@@ -0,0 +1,49 @@
+From ad7dc210f79e9b521ff26449d10a0348debff4a8 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 7 May 2025 15:38:44 +0200
+Subject: [PATCH] PAM: fixes following issue:
+
+```
+ Error: RESOURCE_LEAK (CWE-772):
+ sssd-2.9.1/src/responder/pam/pamsrv_gssapi.c:750: alloc_arg: ""gss_accept_sec_context"" allocates memory that is stored into ""client_name"".
+ sssd-2.9.1/src/responder/pam/pamsrv_gssapi.c:806: leaked_storage: Variable ""client_name"" going out of scope leaks the storage it points to.
+ # 804| gss_release_buffer(&minor, &output);
+ # 805|
+ # 806|-> return ret;
+ # 807| }
+ # 808|
+```
+
+Reviewed-by: Justin Stephenson
+
+Reference: https://github.com/SSSD/sssd/commit/ad7dc210f79e9b521ff26449d10a0348debff4a8
+Conflict: NA
+
+---
+ src/responder/pam/pamsrv_gssapi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
+index 220a93225..ebc957172 100644
+--- a/src/responder/pam/pamsrv_gssapi.c
++++ b/src/responder/pam/pamsrv_gssapi.c
+@@ -741,7 +741,7 @@ gssapi_handshake(struct gssapi_state *state,
+ OM_uint32 flags = GSS_C_MUTUAL_FLAG;
+ gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc input;
+- gss_name_t client_name;
++ gss_name_t client_name = GSS_C_NO_NAME;
+ gss_cred_id_t creds;
+ OM_uint32 ret_flags;
+ gss_OID mech_type;
+@@ -822,6 +822,7 @@ gssapi_handshake(struct gssapi_state *state,
+ done:
+ gss_release_cred(&minor, &creds);
+ gss_release_buffer(&minor, &output);
++ gss_release_name(&minor, &client_name);
+
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/backport-RESPONDER-skip-mem-cache-invalidation.patch b/backport-RESPONDER-skip-mem-cache-invalidation.patch
new file mode 100644
index 0000000..1654740
--- /dev/null
+++ b/backport-RESPONDER-skip-mem-cache-invalidation.patch
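Review bot: `creds`, declared two lines below the changed `client_name` line as `gss_cred_id_t creds;`, is still left without an initializer even though the `done:` label releases it unconditionally with `gss_release_cred(&minor, &creds)`; if any `goto done` sits between the declarations and the point where the credential is acquired — that stretch of `gssapi_handshake()` is outside the hunk — the release reads an indeterminate handle, the same class of defect this commit fixes for `client_name`. Changing the declaration to `gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;` makes the cleanup path well-defined regardless of where the early exits are and matches the `GSS_C_NO_NAME` initializer the hunk introduces, which is what makes the new unconditional `gss_release_name()` safe. The function starts before the first hunk and its body between the two hunks is not visible, so this is a consistency request rather than an observed crash.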
@@ -0,0 +1,63 @@
+From 0fc6768c6ae1d788d53981d4d01e562b38c1ed00 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Tue, 3 Jun 2025 12:31:31 +0200
+Subject: [PATCH] RESPONDER: skip mem-cache invalidation
+
+if mem-cache is explicitly disabled
+
+Resolves: https://github.com/SSSD/sssd/issues/7981
+
+Reviewed-by: Justin Stephenson
+
+Reference: https://github.com/SSSD/sssd/commit/0fc6768c6ae1d788d53981d4d01e562b38c1ed00
+Conflict: NA
+
+---
+ src/responder/nss/nss_get_object.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
+index 29f9cb59b..073f3ebbc 100644
+--- a/src/responder/nss/nss_get_object.c
++++ b/src/responder/nss/nss_get_object.c
+@@ -34,12 +34,21 @@ memcache_delete_entry_by_name(struct sss_nss_ctx *nss_ctx,
+
+ switch (type) {
+ case SSS_MC_PASSWD:
++ if (nss_ctx->pwd_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_pw_invalidate(&nss_ctx->pwd_mc_ctx, name);
+ break;
+ case SSS_MC_GROUP:
++ if (nss_ctx->grp_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_gr_invalidate(&nss_ctx->grp_mc_ctx, name);
+ break;
+ case SSS_MC_INITGROUPS:
++ if (nss_ctx->initgr_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_initgr_invalidate(&nss_ctx->initgr_mc_ctx, name);
+ break;
+ default:
+@@ -66,9 +75,15 @@ memcache_delete_entry_by_id(struct sss_nss_ctx *nss_ctx,
+
+ switch (type) {
+ case SSS_MC_PASSWD:
++ if (nss_ctx->pwd_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_pw_invalidate_uid(&nss_ctx->pwd_mc_ctx, (uid_t)id);
+ break;
+ case SSS_MC_GROUP:
++ if (nss_ctx->grp_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_gr_invalidate_gid(&nss_ctx->grp_mc_ctx, (gid_t)id);
+ break;
+ default:
+--
+2.43.0
+
diff --git a/sssd.spec b/sssd.spec
index 1989e78..8e6409d 100644
--- a/sssd.spec
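Review bot: The `/* mem-cache disabled */` comment on each new guard asserts that a NULL `nss_ctx->pwd_mc_ctx` / `grp_mc_ctx` / `initgr_mc_ctx` can only mean the cache was deliberately not created, but nothing in the hunk shows where those pointers are set or left NULL, so if a failed cache initialization also leaves them NULL the guard silently turns every invalidation into a successful no-op. That is worth confirming before relying on it, and the comment could then state it explicitly, e.g. `/* NULL only when the cache is disabled by configuration; invalidation is then a no-op */`. The same three-line guard is also repeated five times across the two switches, varying only in which pointer is tested; resolving `type` to the matching pointer once before each `switch` would leave a single `if (... == NULL) { return EOK; }` per function and keep `memcache_delete_entry_by_name()` and `memcache_delete_entry_by_id()` from drifting. The `default:` arms and the remainder of both functions lie outside the hunk.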
+++ b/sssd.spec
@@ -8,7 +8,7 @@
 Name: sssd
 Version: 2.9.4
-Release: 15
+Release: 16
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
 
@@ -35,6 +35,9 @@ Patch0018: backport-PAM-fix-issue-found-by-Coverity.patch
 Patch0019: backport-pam_sss-add-some-missing-cleanup-calls.patch
 Patch0020: backport-SSS_CLIENT-MC-simplify-logic-and.patch
 Patch0021: backport-fix-CVE-2025-11561.patch
+Patch0022: backport-Enumerate-object-with-escaped-characters-in-name.patch
+Patch0023: backport-PAM-fixes-following-issue.patch
+Patch0024: backport-RESPONDER-skip-mem-cache-invalidation.patch
 
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -934,6 +937,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Sat Nov 29 2025 fangxiuning - 2.9.4-16
+- backport upstream patches
+
 * Mon Oct 20 2025 xuraoqing - 2.9.4-15
 - fix CVE-2025-11561
 
-- Gitee