Bug 1120089 - (CVE-2018-16883) VUL-1: CVE-2018-16883: sssd: Information leak in infopipe due to an improper uid restriction
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Minor
Assigned To: Samuel Cabrero
QA Contact: Security Team bot
Reported: 2018-12-20 14:44 UTC by Alexandros Toptsoglou
Modified: 2020-06-25 09:28 UTC

Found By: Security Response Team

Description Alexandros Toptsoglou 2018-12-20 14:44:08 UTC

It was discovered that sssd versions prior to 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" parameter.  If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.

Comment 1 Alexandros Toptsoglou 2018-12-20 14:54:41 UTC
For this bug no commit is yet available, only a description and some comments. According to the description, only versions between 1.13.0 and before 2.0.0 are affected. The bug is fixed from version 2.0.0 and on due to code refactoring. Additionally, it is mentioned that it is only exposed if the infopipe (ifp) service is enabled.

After an investigation it was found that:

SUSE:SLE-11-SP3:Update --> 1.9.4 (not affected --> <1.13.0)
SUSE:SLE-12:Update --> 1.11.5 (not affected --> 1.13.0)
SUSE:SLE-12-SP2:Update --> 1.13.4 (not affected --> no ifp is provided)

SUSE:SLE-12-SP4:Update --> 1.16.1 affected
SUSE:SLE-15:Update --> 1.16.1 affected

Comment 2 Samuel Cabrero 2019-11-15 09:19:37 UTC
Upstream declined to fix this issue. From https://pagure.io/SSSD/sssd/issue/4105:

> This is fixed since 2.0. The security impact is low (by default only posix
> attributes are available) and we could break users' applications that rely on
> the fact that the data is available to everyone, therefore we should not fix it
> in 1.16 where such change is unacceptable.

@security-team, do we agree with this statement and proceed to close this bug as WONTFIX, or fix it on our own?

Comment 3 James McDonough 2020-01-22 16:27:21 UTC
@security-team: ping

Comment 4 Marcus Meissner 2020-01-22 16:35:07 UTC
As upstream did not consider this a security issue, we concur and will currently not proceed towards fixing it.

It will be fixed in 2.0.
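
Added example, not part of the bug report and not sssd or SUSE code: a triage helper that applies the two conditions stated in the thread (version from 1.13.0 up to but not including 2.0.0, and the ifp service enabled) to an installed version string and the text of an `sssd.conf`. The function names and the sample configuration are constructed for illustration; the check only reads the `services` line in `[sssd]` and `allowed_uids` in `[ifp]`, and does not check whether ifp can be started some other way.

```python
import configparser
import re

AFFECTED_FROM = (1, 13, 0)  # first affected version, per the report above
FIXED_IN = (2, 0, 0)        # fixed by refactoring, per the report above

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ifp
domains = example.test

[ifp]
allowed_uids = 0, 1000

[domain/example.test]
id_provider = ldap
"""

def parse_version(text):
    """'1.16.1' or '1.16.1-lp150.2' -> (1, 16, 1); missing parts are 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def ifp_settings(conf_text):
    """Return (ifp listed in [sssd] services, [ifp] allowed_uids list)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    services = cp.get("sssd", "services", fallback="")
    enabled = "ifp" in {s.strip().lower() for s in services.split(",")}
    uids = cp.get("ifp", "allowed_uids", fallback="")
    return enabled, [u.strip() for u in uids.split(",") if u.strip()]

def assess(version, conf_text):
    """Classify one host as (status, allowed_uids)."""
    enabled, uids = ifp_settings(conf_text)
    if not AFFECTED_FROM <= parse_version(version) < FIXED_IN:
        return "version-not-affected", uids
    if not enabled:
        return "ifp-not-enabled", uids
    # Affected version with ifp on: allowed_uids cannot be relied on.
    return "exposed", uids

if __name__ == "__main__":
    for ver in ("1.9.4", "1.16.1", "2.0.0"):
        print(ver, *assess(ver, SAMPLE_CONF))
```
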