Bug 660481 - (CVE-2010-4341) VUL-0: CVE-2010-4341: sssd DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2010-12-20 08:39 UTC by Ludwig Nussel
Modified: 2021-08-11 09:32 UTC
Found By: Other
Description Ludwig Nussel 2010-12-20 08:39:25 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

CRD 11.1.
CVE-2010-4341

------------------------------------------------------------------------------
Date: Fri, 17 Dec 2010 14:22:49 -0700
From: Vincent Danen <vdanen@redhat.com>
[...]
Sebastian Krahmer discovered that it was possible to make sssd hang
forever inside a loop in the pam_parse_in_data_v2() function of SSSD's
PAM responder by using a carefully crafted packet to sssd.  This could
be exploited by a local attacker to crash sssd and prevent other
legitimate users from logging into the system.
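The report above describes a responder parsing loop that a crafted packet can keep from terminating. As an added illustration, not sssd's code and using an assumed type/size/value entry layout rather than the real PAM responder wire format, here is a bounded parser in C whose loop is guaranteed to make progress and which rejects malformed input instead of spinning:

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed illustration, not sssd's code or wire format: a request is a
 * sequence of entries [u32 type][u32 size][size bytes] (little-endian),
 * terminated by an entry of type 0. */
#define END_OF_REQUEST 0u

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of entries before the terminator, or -1 if the message
 * is malformed. The loop always terminates: the cursor c grows by at least
 * 8 bytes per iteration and is never allowed to exceed blen, so a packet
 * with no terminator or with a lying size field is rejected, not looped on. */
int parse_request(const uint8_t *buf, size_t blen)
{
    size_t c = 0;
    int n = 0;
    for (;;) {
        if (blen - c < 8) return -1;       /* truncated header or no terminator */
        uint32_t type = rd32(buf + c);
        uint32_t size = rd32(buf + c + 4);
        c += 8;
        if (type == END_OF_REQUEST) return n;
        if (size > blen - c) return -1;    /* payload claims more than remains */
        c += size;
        n++;
    }
}

/* Constructed sample messages for exercising the parser. */
const uint8_t REQ_OK[] = {
    1,0,0,0, 3,0,0,0, 'b','o','b',      /* type 1, 3-byte value */
    2,0,0,0, 0,0,0,0,                   /* type 2, empty value: still advances */
    0,0,0,0, 0,0,0,0 };                 /* terminator */
const uint8_t REQ_NO_END[] = { 1,0,0,0, 3,0,0,0, 'b','o','b' };
const uint8_t REQ_HUGE[]   = { 1,0,0,0, 0xff,0xff,0xff,0xff, 0,0,0,0, 0,0,0,0 };
```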
Comment 4 Ralf Haferkamp 2011-01-14 09:31:35 UTC
As this just appeared in the upstream git, I guess this can now be considered public? And I can submit the package to Factory?

I have yet to check if the version we ship in 11.3 is affected by this as well.
Comment 5 Ludwig Nussel 2011-01-14 10:04:22 UTC
It's public, yes.
Comment 6 Ralf Haferkamp 2011-01-14 10:15:33 UTC
11.3 (sssd-1.1.0) seems to be affected as well. Please provide me a Swamp-ID.
Comment 7 Thomas Biege 2011-01-14 10:31:35 UTC
CVE-2010-4341: CVSS v2 Base Score: 2.1 (low) (AV:L/AC:L/Au:N/C:N/I:N/A:P): unknown (unknown)

Swamp-ID will come shortly...
Comment 8 Swamp Workflow Management 2011-01-14 10:34:16 UTC
The SWAMPID for this issue is 38231.
This issue was rated as low.
Please submit fixed packages until 2011-02-11.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 9 Ralf Haferkamp 2011-01-18 10:15:13 UTC
Packages submitted to Factory (SR#58672) and 11.3 (SR#58669)
Comment 10 Swamp Workflow Management 2011-01-19 11:36:18 UTC
Update released for: libcollection-devel, libcollection1, libcollection1-debuginfo, libdhash-devel, libdhash1, libdhash1-debuginfo, libini_config-devel, libini_config1, libini_config1-debuginfo, python-sssd-config, python-sssd-config-debuginfo, sssd, sssd-debuginfo, sssd-debugsource, sssd-ipa-provider, sssd-ipa-provider-debuginfo, sssd-tools, sssd-tools-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 11 Sebastian Krahmer 2011-01-19 11:36:47 UTC
done
Comment 12 Bernhard Wiedemann 2017-12-01 15:40:50 UTC
This is an autogenerated message for OBS integration:
This bug (660481) was mentioned in
https://build.opensuse.org/request/show/547139 Factory / sssd