CVE-2018-10852

NameCVE-2018-10852
DescriptionThe UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1.16.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1429-1
NVD severitymedium (attack range: remote)
Debian Bugs902860

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sssd (PTS)jessie1.11.7-3vulnerable
jessie (security)1.11.7-3+deb8u1fixed
stretch1.15.0-3vulnerable
buster, sid1.16.3-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sssdsource(unstable)(unfixed)medium902860
sssdsourcejessie1.11.7-3+deb8u1mediumDLA-1429-1

Notes

https://pagure.io/SSSD/sssd/issue/3766

Search for package or bug name: Reporting problems