Bugzilla – Bug 1120089
VUL-1: CVE-2018-16883: sssd: Information leak in infopipe due to an improper uid restriction
Last modified: 2020-06-25 09:28:07 UTC
It was discovered that sssd versions prior to 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
For this bug no commit is available yet, only a description and some comments. According to the description, only versions between 1.13.0 and before 2.0.0 are affected. The bug is fixed from version 2.0.0 onward due to code refactoring. Additionally, it is mentioned that it is only exposed if the infopipe (ifp) service is enabled.
After an investigation it was found that:
SUSE:SLE-11-SP3:Update --> 1.9.4 (not affected --> <1.13.0)
SUSE:SLE-12:Update --> 1.11.5 (not affected --> 1.13.0)
SUSE:SLE-12-SP2:Update --> 1.13.4 (not affected --> no ifp is provided)
SUSE:SLE-12-SP4:Update --> 1.16.1 affected
SUSE:SLE-15:Update --> 1.16.1 affected
Upstream declined to fix this issue. From https://pagure.io/SSSD/sssd/issue/4105:
> This is fixed since 2.0. The security impact is low (by default only POSIX
> attributes are available) and we could break users' applications that rely on
> the fact that the data is available to everyone, therefore we should not fix it
> in 1.16 where such a change is unacceptable.
@security-team, do we agree with this statement and proceed to close this bug as WONTFIX, or fix it on our own?
As upstream did not consider this a security issue, we concur and will currently not proceed towards fixing it.
It will be fixed in 2.0.
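The two exposure conditions given in this report (sssd version from 1.13.0 up to but not including 2.0.0, and the ifp service enabled) can be checked per host as below. This is an added example, not code from the bug report or from SSSD; the function names and the sample sssd.conf are constructed, and it only inspects the `services` line of the `[sssd]` section, so any other way of starting ifp is out of scope.

```python
import configparser
import re

AFFECTED_MIN = (1, 13, 0)  # first affected version, per the bug description
FIXED_IN = (2, 0, 0)       # fixed by refactoring, per the bug description

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """
[sssd]
services = nss, pam, ifp
domains = example

[ifp]
allowed_uids = 0, 1000

[domain/example]
id_provider = ldap
"""


def parse_version(text):
    """Turn '1.16.1' or a package string like '1.16.1-4.3' into (1, 16, 1)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised sssd version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def split_list(value):
    """Split a comma-separated sssd.conf value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def assess(version, conf_text):
    """Return (exposed, reason) for one sssd version and sssd.conf content."""
    if not AFFECTED_MIN <= parse_version(version) < FIXED_IN:
        return False, "version outside 1.13.0 <= v < 2.0.0"
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(conf_text)
    if "ifp" not in split_list(conf.get("sssd", "services", fallback="")):
        return False, "ifp not listed in [sssd] services"
    uids = split_list(conf.get("ifp", "allowed_uids", fallback=""))
    shown = ", ".join(uids) if uids else "(default)"
    return True, "affected version with ifp enabled; allowed_uids = %s" % shown


if __name__ == "__main__":
    for ver in ("1.9.4", "1.11.5", "1.16.1", "2.0.0"):
        print(ver, assess(ver, SAMPLE_CONF))
```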