From 7069858231391ef11ae411028f8d77efb1befd68 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Wed, 11 Oct 2017 17:45:52 +0200
Subject: [PATCH] Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database access on the sock_file system_bus_socket
---
 0116-sysdb-sanitize-search-filter-input.patch | 139 ++++++++++++++++++
 sssd.spec | 8 +-
 2 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 0116-sysdb-sanitize-search-filter-input.patch
diff --git a/0116-sysdb-sanitize-search-filter-input.patch b/0116-sysdb-sanitize-search-filter-input.patch
new file mode 100644
index 0000000..a545069
--- /dev/null
+++ b/0116-sysdb-sanitize-search-filter-input.patch
@@ -0,0 +1,139 @@
+From 1f2662c8f97c9c0fa250055d4b6750abfc6d0835 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 5 Oct 2017 11:07:38 +0200
+Subject: [PATCH] sysdb: sanitize search filter input
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch sanitizes the input for sysdb searches by UPN/email, SID and
+UUID.
+
+This security issue was assigned CVE-2017-12173
+
+Reviewed-by: Lukáš Slebodník
+Reviewed-by: Jakub Hrozek
+---
+ src/db/sysdb_ops.c | 43 +++++++++++++++++++++++++++++++++++--------
+ src/tests/sysdb-tests.c | 7 +++++++
+ 2 files changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 4cfef68239a5f145967c942b1fb6647c5542f019..0e39a629a5823ff49ed02ec4c08a21b66119f06f 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -601,6 +601,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+ int ret;
+ const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,
+ SYSDB_USER_EMAIL, NULL };
++ char *sanitized;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+@@ -608,6 +609,12 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
++ ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++ goto done;
++ }
++
+ if (domain_scope == true) {
+ base_dn = sysdb_user_base_dn(tmp_ctx, domain);
+ } else {
+@@ -620,7 +627,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
+
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
+ base_dn, LDB_SCOPE_SUBTREE, attrs ?
attrs : def_attrs,
+- SYSDB_PWUPN_FILTER, upn, upn, upn);
++ SYSDB_PWUPN_FILTER, sanitized, sanitized, sanitized);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+@@ -4823,17 +4830,31 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
+ bool expect_only_one_result,
+ struct ldb_result **_res)
+ {
+- char *filter;
++ char *filter = NULL;
+ errno_t ret;
++ char *sanitized = NULL;
+
+- filter = talloc_asprintf(NULL, filter_tmpl, str);
++ if (str == NULL) {
++ return EINVAL;
++ }
++
++ ret = sss_filter_sanitize(NULL, str, &sanitized);
++ if (ret != EOK || sanitized == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
++ goto done;
++ }
++
++ filter = talloc_asprintf(NULL, filter_tmpl, sanitized);
+ if (filter == NULL) {
+- return ENOMEM;
++ ret = ENOMEM;
++ goto done;
+ }
+
+ ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs,
+ expect_only_one_result, _res);
+
++done:
++ talloc_free(sanitized);
+ talloc_free(filter);
+ return ret;
+ }
+@@ -4922,7 +4943,8 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ struct ldb_result **res)
+ {
+ int ret;
+- char *user_filter;
++ char *user_filter = NULL;
++ char *filter = NULL;
+
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT,
+ NULL, NULL, &user_filter);
+@@ -4931,10 +4953,15 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ return ret;
+ }
+
+- ret = sysdb_search_object_by_str_attr(mem_ctx, domain,
+- SYSDB_USER_CERT_FILTER,
+- user_filter, attrs, false, res);
++ filter = talloc_asprintf(NULL, SYSDB_USER_CERT_FILTER, user_filter);
+ talloc_free(user_filter);
++ if (filter == NULL) {
++ return ENOMEM;
++ }
++
++ ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, false, res);
++
++ talloc_free(filter);
+
+ return ret;
+ }
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 63572e067b11a7149b872b3a3eae38776e2bcf21..4652661087238c18f7fabb398d054db99f77d6cf 100644
+---
a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -6513,6 +6513,13 @@ START_TEST(test_upn_basic)
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
++ /* check if input is sanitized */
++ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
++ "abc@def.ghi)(name="UPN_USER_NAME")(abc=xyz",
++ NULL, &msg);
++ fail_unless(ret == ENOENT,
++ "sysdb_search_user_by_upn failed with un-sanitized input.");
++
+ talloc_free(test_ctx);
+ }
+ END_TEST
+--
+2.14.2
+
diff --git a/sssd.spec b/sssd.spec
index 54f2b94..7d188a9 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -32,7 +32,7 @@ Name: sssd
 Version: 1.15.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -155,6 +155,7 @@ Patch0112: 0112-CONTRIB-Add-DP-Request-analysis-script.patch
 Patch0113: 0113-MAN-Add-sssd-systemtap-man-page.patch
 Patch0114: 0114-TESTS-Use-NULL-for-pointer-not-0.patch
 Patch0115: 0115-SUDO-Use-initgr_with_views-when-looking-up-a-sudo-us.patch
+Patch0116: 0116-sysdb-sanitize-search-filter-input.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 ### Dependencies ###
@@ -1354,6 +1355,11 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Wed Oct 11 2017 Lukas Slebodnik - 1.15.3-5
+- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when
+ searching in local cache database access on
+ the sock_file system_bus_socket
+
 * Mon Sep 11 2017 Lukas Slebodnik - 1.15.3-4
 - Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write
 access on the sock_file system_bus_socket
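Review bot: In the error branch added to `sysdb_search_object_by_str_attr`, `if (ret != EOK || sanitized == NULL)` jumps to `done` with `ret` still `EOK` when `sss_filter_sanitize` succeeds but leaves `sanitized` NULL, so the caller is told the search succeeded while `*_res` was never assigned; I cannot tell from this hunk whether the helper can actually return that combination, but since the branch exists to handle it, it should set the error first, e.g. `if (ret == EOK) { ret = EINVAL; }` before the `goto done;`. In `sysdb_search_object_by_cert` the rewritten lines deliberately stop going through the sanitizing helper, presumably because `user_filter` is already an LDAP filter fragment produced by `sss_cert_derb64_to_ldap_filter`; a comment such as `/* user_filter is a ready-made filter fragment, not user text: it must not pass through sss_filter_sanitize, so build the filter here */` would stop a later cleanup from routing it back through `sysdb_search_object_by_str_attr` and escaping its parentheses. The case added in sysdb-tests.c exercises only the UPN path; the SID and UUID lookups the commit message says are fixed go through `sysdb_search_object_by_str_attr` and get no sanitization test here. Each of the embedded hunks cuts through its function, so the `done:` label in `sysdb_search_user_by_upn_res` that the new `goto done;` relies on, and the head of `sysdb_search_object_by_str_attr`, are outside the visible lines.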