[Pkg-sssd-devel] Bug#902860: sssd: CVE-2018-10852: information leak from the sssd-sudo responder

Moritz Mühlenhoff jmm at inutil.org
Mon Apr 29 22:38:40 BST 2019


On Mon, Jul 02, 2018 at 02:35:45PM +0200, Salvatore Bonaccorso wrote:
> Source: sssd
> Version: 1.16.2-1
> Severity: important
> Tags: security upstream
> Forwarded: https://pagure.io/SSSD/sssd/issue/3766
> 
> Hi,
> 
> The following vulnerability was published for sssd.
> 
> CVE-2018-10852[0]:
> | The UNIX pipe which sudo uses to contact SSSD and read the available
> | sudo rules from SSSD has too wide permissions, which means that anyone
> | who can send a message using the same raw protocol that sudo and SSSD
> | use can read the sudo rules available for any user. This affects
> | versions of SSSD before 1.16.3.

This is fixed in https://pagure.io/SSSD/sssd/c/ed90a20a0f0e936eb00d268080716c0384ffb01d
and this bug is almost a year old.

Can we please get that fixed in time for the buster release (along with
https://security-tracker.debian.org/tracker/CVE-2019-3811 and
https://security-tracker.debian.org/tracker/CVE-2018-16883)?

Cheers,
        Moritz
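One way to check a running host for the symptom the advisory text describes (a responder pipe whose mode bits let users other than root talk to it), as an added example that is not part of this thread, the Debian bug, or the SSSD project's own code: a POSIX shell check of the permission bits on the sudo responder's UNIX socket. The path /var/lib/sss/pipes/sudo and the environment variable SSSD_SUDO_PIPE are assumptions for illustration, not stated on this page; adjust the path to wherever your SSSD build places the pipe.

```shell
#!/bin/sh
# Added example, not from the bug thread or from SSSD itself.
# Reports whether a UNIX socket / pipe is reachable by non-root users.
# The default path is an ASSUMPTION; override it with SSSD_SUDO_PIPE=/path.
SSSD_SUDO_PIPE="${SSSD_SUDO_PIPE:-/var/lib/sss/pipes/sudo}"

# Print the octal permission bits of a path (e.g. 666), GNU stat first,
# falling back to the BSD stat spelling when -c is not understood.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit status:
#   0  group or other can read or write the path ("too wide" for a pipe
#      that only a root-running client such as sudo should reach)
#   1  the path is private to its owner
#   2  the path does not exist (responder not running or different path)
pipe_is_world_accessible() {
    [ -e "$1" ] || return 2
    m=$(mode_of "$1")
    m=$(printf '%04d' "$m")            # left-pad so 600 becomes 0600
    grp=$(printf '%s' "$m" | cut -c3)  # group digit
    oth=$(printf '%s' "$m" | cut -c4)  # other digit
    for d in "$grp" "$oth"; do
        case "$d" in
            0|1) ;;                    # no r(4) or w(2) bit set: fine
            *)   return 0 ;;           # some r or w bit set: accessible
        esac
    done
    return 1
}

# Human-readable verdict for one path.
report_pipe() {
    if pipe_is_world_accessible "$1"; then
        printf '%s: mode %s, reachable by non-root users (CVE-2018-10852 symptom)\n' \
            "$1" "$(mode_of "$1")"
    else
        case $? in
            1) printf '%s: mode %s, private to owner\n' "$1" "$(mode_of "$1")" ;;
            2) printf '%s: not found\n' "$1" ;;
        esac
    fi
}

# Run the check when a path is given on the command line, else the default.
if [ -n "${1:-}" ]; then
    report_pipe "$1"
elif [ -e "$SSSD_SUDO_PIPE" ]; then
    report_pipe "$SSSD_SUDO_PIPE"
fi
```

The check looks only at mode bits, which is the attribute the advisory names; it does not exercise the responder protocol itself. A private pipe that is 0600 and owned by root keeps sudo (which runs as root) working while closing the door to other local users, so a result of "private to owner" on a root-owned path is the state you want to see after updating.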


