Ticket #1696 (new defect)

Opened 17 months ago

Last modified 16 months ago

sssd: potential LDAP filter injection issues

Reported by: jhrozek Owned by: somebody
Priority: major Milestone: SSSD 1.13 beta
Component: SSSD Version:
Keywords: Cc:
Blocked By: Blocking:
Tests Updated: no Coverity Bug:
Patch Submitted: no Red Hat Bugzilla: 883947
Design link:
Feature Milestone:
Design review: no Fedora test page:
Chosen: Not need Candidate to push out:
Release Notes:

Description

https://bugzilla.redhat.com/show_bug.cgi?id=883947 (Fedora)

I went through the sssd 1.9.2 source code and identified potential LDAP filter
injection issues:

src/providers/ldap/ldap_auth.c: get_user_dn() username
src/providers/ldap/sdap_sudo.c: sdap_sudo_build_host_filter() hostnames,
ip_addr
src/providers/ldap/sdap_async_groups.c: sdap_process_missing_member_2307()
member_name
src/providers/ldap/ldap_id_cleanup.c: cleanup_groups() dn
src/providers/ldap/ldap_id_cleanup.c: netgr_translate_members_send()
dn_item->dn
src/providers/ipa/ipa_hosts.c: ipa_host_info_send() hostname
src/tools/sss_cache.c: init_context() user, group, netgroup, map
src/tools/sss_groupshow.c: group_show_trim_memberof() memberofs, dn
src/db/sysdb_ssh.c: sysdb_get_ssh_host() name
src/db/sysdb_ops.c: sysdb_add_user() name, alias_el->values[i].data
src/db/sysdb_ops.c: sysdb_delete_user() name
src/db/sysdb_sudo.c: sysdb_get_sudo_filter() username, groupnames

(Format is file name, function name, variable name)

The situation is a bit like SQL injection, except that LDAP filters should not
be as powerful as SQL statements, so this is probably just a correctness issue
and not a security problem (unless it allows altering the results of queries in
interesting ways).  An interface which separates query parameters from the
query structure would be desirable as a replacement for all this string
concatenation.

Change History

comment:1 Changed 17 months ago by dpal

  • Tests Updated unset
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.10 beta
  • Design review unset

comment:2 Changed 16 months ago by dpal

  • Chosen set to Not need

comment:3 Changed 16 months ago by dpal

  • Milestone changed from SSSD 1.10 beta to SSSD 1.11 beta

Moving tickets that are not a priority for SSSD 1.10 into the next release.

Note: See TracTickets for help on using tickets.