CVE-2013-219 - race conditions when creating or removing home directories for users in local domain
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| sssd (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Precise |
Fix Released
|
Medium
|
Unassigned | ||
| Quantal |
Fix Released
|
Medium
|
Timo Aaltonen | ||
Bug Description
=======
=
= Subject: TOCTOU race conditions when creating or removing home
= directories for users in local domain
=
= CVE ID#: CVE-2013-0219
=
= Summary: A TOCTOU (time-of-check, time-of-use) race condition was found
= in the way SSSD performed copying and removal of home
= directory trees.
=
=
= Impact: low
=
= Acknowledgements: The bug was found by Florian Weimer of the Red Hat
= Product Security Team
=
= Affects default
= configuration: no
=
= Introduced with: 0.7.0
=
=======
==== DESCRIPTION ====
SSSD versions 0.7.0 through 1.9.3 (inclusive) are vulnerable to a security bug.
The removal of a home directory is sensitive to concurrent modification of the
directory tree being removed and can unlink files outside the directory tree.
When removing a home directory, if another process is modifying that directory
at the same time, it becomes possible for the SSSD to unlink files that are
outside the directory tree.
When creating a home directory, the destination tree can be modified in various
ways while it is being constructed because directory permissions are set before
populating the directory. This can lead to file creation and permission changes
outside the target directory tree using hard links.
The fix will be delivered as part of the upcoming 1.9.4 release. There
won't be a separate 1.9 security release as the 1.9.4 version will be
released later this week. The flaw will be fixed in a separate release
for the 1.8 and 1.5 LTM release branches as well.
The bug is being tracked in the following Red Hat Bugzilla report:
https:/
==== WORKAROUND ====
These vulnerabilities are present only while creating or removing home
directories, so until patched packages are available, you can simply
refrain from performing these actions.
==== PATCH AVAILABILITY ====
The patches are available at:
http://
http://
| Timo Aaltonen (tjaalton) wrote | #1 |
| information type: | Public → Public Security |
| Changed in sssd (Ubuntu): | |
| status: | New → Fix Released |
| Changed in sssd (Ubuntu Precise): | |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| Changed in sssd (Ubuntu Quantal): | |
| assignee: | nobody → Timo Aaltonen (tjaalton) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| Timo Aaltonen (tjaalton) wrote | #2 |
| Timo Aaltonen (tjaalton) wrote | #3 |
| Adam Conrad (adconrad) wrote Please test proposed package | #4 |
| Changed in sssd (Ubuntu Precise): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed |
| Changed in sssd (Ubuntu Quantal): | |
| status: | In Progress → Fix Committed |
| Adam Conrad (adconrad) wrote | #5 |
| tags: |
added: verification-done removed: verification-needed |
| Changed in sssd (Ubuntu Quantal): | |
| status: | Fix Committed → Fix Released |
| Timo Aaltonen (tjaalton) wrote | #6 |
| Changed in sssd (Ubuntu Precise): | |
| status: | Fix Committed → Fix Released |
fixed for raring in 1.9.3-0ubuntu2