sssd (SL5)

Synopsis: Low: sssd security and bug fix update
Advisory ID: SLSA-2013:1319-1
Issue Date: 2013-09-30
CVE Numbers: CVE-2013-0219

A race condition was found in the way SSSD copied and removed user home
directories. A local attacker who is able to write into the home directory
of a different user who is being removed could use this flaw to perform
symbolic link attacks, possibly allowing them to modify and delete
arbitrary files with the privileges of the root user. (CVE-2013-0219)
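
The class of fix for this kind of flaw, as an added example that is not SSSD's
own code: a recursive removal that walks the tree through directory file
descriptors and never follows a symbolic link found inside it. The names
remove_contents and remove_tree_nofollow are hypothetical, and the code
assumes Linux and a parent directory that only root can write to.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Empty the directory open on dfd (takes ownership of dfd). Every step is
 * relative to that fd, so swapping a path component cannot redirect it. */
static int remove_contents(int dfd)
{
    DIR *d = fdopendir(dfd);
    struct dirent *e;
    int rc = 0;

    if (d == NULL) { close(dfd); return -1; }
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        /* O_NOFOLLOW: a symlink planted here fails to open, it is never entered */
        int sub = openat(dfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (sub >= 0) {
            rc = remove_contents(sub);
            if (rc == 0) rc = unlinkat(dfd, e->d_name, AT_REMOVEDIR);
        } else if (errno == ENOTDIR || errno == ELOOP) {
            rc = unlinkat(dfd, e->d_name, 0); /* drops the name, not a link target */
        } else {
            rc = -1;
        }
    }
    closedir(d); /* also closes dfd */
    return rc;
}

/* Assumption: the parent of path (e.g. /home) is writable only by root. */
int remove_tree_nofollow(const char *path)
{
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0 || remove_contents(dfd) != 0) return -1;
    return rmdir(path);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return 2; }
    if (remove_tree_nofollow(argv[1]) != 0) { perror(argv[1]); return 1; }
    return 0;
}
```

If an entry is swapped for a symbolic link between the openat() and the
unlinkat(AT_REMOVEDIR) call, the unlinkat() fails and the removal stops
rather than touching the link's target.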

This update also fixes the following bugs:

* After a paging control was used, memory in the sssd_be process was never
freed, which led to the growth of the sssd_be process memory usage over
time. To fix this bug, the paging control is now deallocated after use, and
thus the memory usage of the sssd_be process no longer grows.

* If the sssd_be process was terminated and recreated while there were
authentication requests pending, the sssd_pam process did not recover
correctly and did not reconnect to the new sssd_be process. Consequently,
the sssd_pam process was seemingly blocked and did not accept any new
authentication requests. The sssd_pam process has been fixed so that it
reconnects to the new instance of the sssd_be process after the original
one terminated unexpectedly. Even after a crash and reconnect, the
sssd_pam process now accepts new authentication requests.

* When the sssd_be process hung for a while, it was terminated and a new
instance was created. If the old instance did not respond to the TERM
signal and continued running, SSSD terminated unexpectedly. As a
consequence, the user could not log in. SSSD now keeps track of sssd_be
subprocesses more effectively, making the restarts of sssd_be more
reliable in such scenarios. Users can now log in whenever sssd_be
becomes unresponsive and is restarted.

* In case the processing of an LDAP request took longer than the client
timeout upon completing the request (60 seconds by default), the PAM
client could have accessed memory that was previously freed due to the
client timeout being reached. As a result, the sssd_pam process terminated
unexpectedly with a segmentation fault. SSSD now ignores an LDAP request
result when it detects that the set timeout of this request has been
reached. The sssd_pam process no longer crashes in the aforementioned

* When there was a heavy load of users and groups to be saved in cache,
SSSD experienced a timeout. Consequently, NSS did not start the backup
process properly and it was impossible to log in. A patch has been
provided to fix this bug. The SSSD daemon now remains responsive and the
login continues as expected.

* SSSD kept the file descriptors to the log files open. Consequently, on
occasions like moving the actual log file and restarting the back end,
SSSD still kept the file descriptors open. SSSD now closes the file
descriptor after the child process execution; after a successful back end
start, the file descriptor to log files is closed.

* While performing access control in the Identity Management back end,
SSSD erroneously downloaded the “member” attribute from the server and
then attempted to use it in the cache verbatim. Consequently, the cache
attempted to use the “member” attribute values as if they were pointing to
the local cache, which was CPU intensive. When processing host groups,
the member attribute is no longer downloaded and processed. Moreover,
the login process is reasonably fast even with large host groups.


– Scientific Linux Development Team