=============== A security bug in SSSD 1.10 and later ============== = = Subject: A memory leak was found in SSSD's PAC processing plugin = = CVE ID#: CVE-2015-5292 = = Summary: When SSSD's PAC responder is configured and a user login = triggers parsing of the PAC blob (typically a GSSAPI = password-less login), a small amount of memory is leaked = in the context of the Kerberized application. This can = eventually lead to memory exhaustion. = = Impact: Low = = Acknowledgements: This bug was found by Thomas Oulevey from CERN = = Affects default = configuration: Only for the IPA provider = = Introduced with: 1.10.0 beta2 = ===============================================================

==== DESCRIPTION ==== When SSSD's PAC responder is configured and a user login triggers parsing of the PAC blob (typically a GSSAPI password-less login), a small amount of memory is leaked in the context of the Kerberized application. This can eventually lead to memory exhaustion.

The affected configration would include "pac" in the list of services in the the "[sssd]" section of the /etc/sssd/sssd.conf config file. Please note that SSSD automatically starts the PAC responder in case the provider type is set to IPA.

Also note that the most widely deployed application with this configuration is OpenSSH, where the bug is not noticeable because, the leak happens in a short-lived child process, not the long-running deamon.

The fix was delivered as part of the 1.13.1 release. However, the security implications of the bug were only determined later.

The bug is being tracked in the following Red Hat Bugzilla report: https://bugzilla.redhat.com/show_bug.cgi?id=1267580

==== PATCH AVAILABILITY ==== The patch is available at: https://git.fedorahosted.org/cgit/sssd.git/commit/?id=b4c44ebb8997d3debb3360...