Bug 1121759 - (CVE-2019-3811) VUL-1: CVE-2019-3811: sssd: fallback_homedir returns '/' for empty home directories in passwd file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Samuel Cabrero
Security Team bot
https://smash.suse.de/issue/222670/
CVSSv3:SUSE:CVE-2019-3811:4.1:(AV:A/A...
Reported: 2019-01-14 07:37 UTC by Karol Babioch
Modified: 2020-06-23 17:16 UTC
Found By: Security Response Team
Description Karol Babioch 2019-01-14 07:37:56 UTC
An issue was found in SSSD. The default option for fallback_homedir returns '/' for empty home directories in the passwd file.

Upstream pull request:
https://github.com/SSSD/sssd/pull/703

Upstream Patch:
https://github.com/SSSD/sssd/pull/703/commits/fa0a6400ebd2f4056a057914355ec2ddefc14fe6
https://github.com/SSSD/sssd/pull/703/commits/fe11bd0d5b7dea9f1723c5a59ba0c47641802797

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1656618
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3811
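
One way to audit a host for the condition in the description above, as an added example that is not part of the original bug report or of SSSD's code. It reads passwd-format records and flags both the triggering input (an empty home field) and the symptom (a non-root account whose home resolves to '/'). The function names, output labels and sample records are constructed, and treating UID 0 with home '/' as acceptable is an assumption.

```shell
#!/bin/sh
# Added example: audit passwd-format records for the CVE-2019-3811 condition.
# Input on stdin: "name:passwd:uid:gid:gecos:home:shell", one record per line.
# Output, one finding per line:
#   EMPTY_HOME <name>    home field is empty (the input that triggers the fallback)
#   ROOT_HOME <name>     non-root account whose home resolves to "/" (the symptom)
#   MALFORMED line <n>   record does not have exactly 7 fields
audit_passwd_homedirs() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
        NF != 7        { print "MALFORMED line " NR; next }
        $6 == ""       { print "EMPTY_HOME " $1; next }
        # Assumption: only UID 0 may legitimately have "/" as its home directory.
        $6 == "/" && $3 != 0 { print "ROOT_HOME " $1 }
    '
}

# Constructed sample records (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
svc_backup:x:1001:100:::/sbin/nologin
bob:x:1002:100:Bob:/:/bin/bash
broken:x:1003
EOF
}

# Stand-alone run against the constructed sample.
sample_passwd | audit_passwd_homedirs
```

On a live host, pipe `getent passwd` into `audit_passwd_homedirs` to see what the name service actually returns, and `/etc/passwd` to find the empty entries themselves.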
Comment 1 Karol Babioch 2019-01-14 08:04:23 UTC
This has been introduced with upstream commit 704cc1c7 and basically affects all released versions.
Comment 4 Swamp Workflow Management 2019-03-05 17:09:56 UTC
SUSE-SU-2019:0542-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1004220,1087320,1120852,1121759,1125277
CVE References: CVE-2019-3811
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    sssd-1.16.1-3.15.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    sssd-1.16.1-3.15.1
Comment 5 Swamp Workflow Management 2019-03-06 14:09:55 UTC
SUSE-SU-2019:0552-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1039567,1082568,1121759,976038,977224
CVE References: CVE-2019-3811
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    sssd-1.11.5.1-10.16.1
Comment 6 Swamp Workflow Management 2019-03-06 14:11:19 UTC
SUSE-SU-2019:0556-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1004220,1087320,1098377,1120852,1121759
CVE References: CVE-2018-10852,CVE-2019-3811
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    sssd-1.16.1-4.3.2
SUSE Linux Enterprise Server 12-SP4 (src):    sssd-1.16.1-4.3.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    sssd-1.16.1-4.3.2
Comment 9 Swamp Workflow Management 2019-03-29 17:12:45 UTC
SUSE-SU-2019:0805-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1109849,1110121,1121759,1125617,1127670
CVE References: CVE-2019-3811
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    sssd-1.13.4-34.31.1
SUSE Linux Enterprise Server 12-SP3 (src):    adcli-0.8.2-1.3.1, sssd-1.13.4-34.31.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    adcli-0.8.2-1.3.1, sssd-1.13.4-34.31.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-04-08 13:32:11 UTC
openSUSE-SU-2019:1174-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1109849,1110121,1121759,1125617,1127670
CVE References: CVE-2019-3811
Sources used:
openSUSE Leap 42.3 (src):    sssd-1.13.4-15.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 11 Marcus Meissner 2019-10-29 06:24:54 UTC
released