Ticket #1696 (new defect)

Opened 2 years ago

Last modified 3 months ago

sssd: potential LDAP filter injection issues

Reported by: jhrozek
Owned by: somebody
Priority: minor
Milestone: SSSD 1.15 beta
Component: SSSD
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Tests Updated: no
Coverity Bug:
Patch Submitted: no
Red Hat Bugzilla: 883947
Design link:
Feature Milestone:
Design review: no
Fedora test page:
Chosen: Not need
Candidate to push out: yes
Release Notes:
Temp mark: no

Description

https://bugzilla.redhat.com/show_bug.cgi?id=883947 (Fedora)

I went through the sssd 1.9.2 source code and identified potential LDAP filter
injection issues:

src/providers/ldap/ldap_auth.c: get_user_dn() username
src/providers/ldap/sdap_sudo.c: sdap_sudo_build_host_filter() hostnames, ip_addr
src/providers/ldap/sdap_async_groups.c: sdap_process_missing_member_2307() member_name
src/providers/ldap/ldap_id_cleanup.c: cleanup_groups() dn
src/providers/ldap/ldap_id_cleanup.c: netgr_translate_members_send() dn_item->dn
src/providers/ipa/ipa_hosts.c: ipa_host_info_send() hostname
src/tools/sss_cache.c: init_context() user, group, netgroup, map
src/tools/sss_groupshow.c: group_show_trim_memberof() memberofs, dn
src/db/sysdb_ssh.c: sysdb_get_ssh_host() name
src/db/sysdb_ops.c: sysdb_add_user() name, alias_el->values[i].data
src/db/sysdb_ops.c: sysdb_delete_user() name
src/db/sysdb_sudo.c: sysdb_get_sudo_filter() username, groupnames

(Format is file name, function name, variable name)

The situation is a bit like SQL injection, except that LDAP filters should not
be as powerful as SQL statements, so this is probably just a correctness issue
and not a security problem (unless it allows altering the results of queries in
interesting ways).  An interface which separates query parameters from the
query structure would be desirable as a replacement for all this string
concatenation.
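
An added illustration of the kind of interface the description asks for, one that keeps query parameters apart from the filter structure. This is example code written for this page, not SSSD code and not part of the ticket. The names filter_build, append_escaped and user_filter, the '?' placeholder convention and the posixAccount/uid template are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Append val, writing the RFC 4515 specials (asterisk, parentheses,
 * backslash) as \XX hex pairs. NUL cannot occur inside a C string. */
static int append_escaped(char *out, size_t cap, size_t *pos, const char *val)
{
    static const char hex[] = "0123456789abcdef";
    for (const unsigned char *p = (const unsigned char *)val; *p; p++) {
        int special = (*p == '*' || *p == '(' || *p == ')' || *p == '\\');
        if (*pos + (special ? 3 : 1) >= cap) return -1; /* keep room for NUL */
        if (!special) { out[(*pos)++] = (char)*p; continue; }
        out[(*pos)++] = '\\';
        out[(*pos)++] = hex[*p >> 4];
        out[(*pos)++] = hex[*p & 0x0f];
    }
    return 0;
}

/* Hypothetical interface: tmpl fixes the filter structure; each '?' is
 * replaced by the next parameter, escaped. Returns 0, or -1 on error. */
int filter_build(char *out, size_t cap, const char *tmpl,
                 const char *const *params, size_t nparams)
{
    size_t pos = 0, used = 0;
    for (; *tmpl; tmpl++) {
        if (*tmpl != '?') {
            if (pos + 1 >= cap) return -1;
            out[pos++] = *tmpl;
        } else if (used >= nparams ||
                   append_escaped(out, cap, &pos, params[used++]) != 0) {
            return -1;
        }
    }
    if (used != nparams || cap == 0) return -1;
    out[pos] = '\0';
    return 0;
}

/* Demo wrapper with a constructed template (not taken from SSSD). */
const char *user_filter(const char *name)
{
    static char buf[256];
    const char *const params[] = { name };
    return filter_build(buf, sizeof buf, "(&(objectClass=posixAccount)(uid=?))",
                        params, 1) == 0 ? buf : NULL;
}

int main(void) { puts(user_filter("smith (temp)")); return 0; } /* constructed input */
```

Because the caller never formats the filter string itself, a name containing parentheses, an asterisk or a backslash stays a literal value inside the single uid assertion, and a mismatch between placeholders and parameters is reported as an error.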

Change History

comment:1 Changed 2 years ago by dpal

  • Tests Updated unset
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.10 beta
  • Design review unset

comment:2 Changed 2 years ago by dpal

  • Chosen set to Not need

comment:3 Changed 2 years ago by dpal

  • Milestone changed from SSSD 1.10 beta to SSSD 1.11 beta

Moving tickets that are not a priority for SSSD 1.10 into the next release.

comment:4 Changed 8 months ago by dpal

  • Temp mark unset

comment:5 Changed 3 months ago by jhrozek

  • Candidate to push out set
  • Milestone changed from SSSD 1.13 beta to SSSD 1.13 backlog
  • Priority changed from major to minor

comment:6 Changed 3 months ago by jhrozek

  • Milestone changed from SSSD 1.13 backlog to SSSD 1.15 beta

Mass-moving tickets not planned for the next two releases.

Please reply with a comment if you disagree about the move.
