sssd-1.13.4-9.1.mga6.src.rpm

From cd974fe3c3d1296327d70c15d7f5cde7b6abca65 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 5 Oct 2017 11:07:38 +0200
Subject: [PATCH] sysdb: sanitize search filter input

This patch sanitizes the input for sysdb searches by UPN/email, SID and
UUID.

This security issue was assigned CVE-2017-12173

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 843251b3e..853f70a13 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -487,12 +487,20 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
     const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,
                                 NULL };
 
+    char *sanitized;
+
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
         ret = ENOMEM;
         goto done;
     }
 
+    ret = sss_filter_sanitize(tmp_ctx, upn, &sanitized);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
+        goto done;
+    }
+
     base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx);
     if (base_dn == NULL) {
         ret = ENOMEM;
@@ -501,7 +509,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
 
     ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
                      base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs,
-                     SYSDB_PWUPN_FILTER, upn, upn);
+                     SYSDB_PWUPN_FILTER, sanitized, sanitized);
     if (ret != EOK) {
         ret = sysdb_error_to_errno(ret);
         goto done;
@@ -3677,6 +3685,13 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    char *sanitized = NULL;
+    ret = sss_filter_sanitize(NULL, str, &sanitized);
+    if (ret != EOK || sanitized == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
+        goto done;
+    }
+
     ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res,
                      basedn, LDB_SCOPE_SUBTREE, attrs?attrs:def_attrs,
                      filter_tmpl, str);
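Review bot: The `ldb_search()` call that closes this hunk still passes `str` as the filter argument, so the result of the added `sss_filter_sanitize()` call is never used and the SID/UUID lookup keeps building its filter from unescaped input. The last argument should be the escaped copy, `filter_tmpl, sanitized);`. As written, only the UPN search in `sysdb_search_user_by_upn_res` receives the escaping that the commit message describes for all three lookups. The guard `ret != EOK || sanitized == NULL` also jumps to `done` with `ret` still `EOK` when only the pointer is NULL; setting `ret = ENOMEM` in that case would keep a failure from being reported as success. The body of `sysdb_search_object_by_str_attr` starts before this hunk, so this is based on the visible lines only.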
@@ -3705,7 +3720,7 @@ done:
     } else if (ret) {
         DEBUG(SSSDBG_OP_FAILURE, "Error: %d (%s)\n", ret, strerror(ret));
     }
-
+    talloc_free(sanitized);
     talloc_zfree(tmp_ctx);
     return ret;
 }
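Review bot: `talloc_free(sanitized)` at `done:` can run on an indeterminate pointer, because `char *sanitized = NULL;` is declared mid-body in the previous hunk and the `goto done` visible just above that declaration jumps over its initializer. Declare it with the other locals at the top of the function as `char *sanitized = NULL;`. Alternatively, allocate on `tmp_ctx` as the UPN hunk does, `ret = sss_filter_sanitize(tmp_ctx, str, &sanitized);`, and drop the explicit free, since `talloc_zfree(tmp_ctx)` then releases the string. The start of the function is outside the hunks, so how many earlier exits reach `done` is inferred from the one visible `goto`.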
-- 
2.14.2