CVE-2018-16883

Name	CVE-2018-16883
Description	sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs	916824

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
sssd (PTS)	buster	1.16.3-3.2	vulnerable
	bullseye	2.4.1-2	fixed
	bookworm, sid	2.8.2-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
sssd	source	jessie	(not affected)
sssd	source	(unstable)	2.2.0-1			916824

Notes

[buster] - sssd <no-dsa> (Minor issue)
[stretch] - sssd <no-dsa> (Minor issue)
[jessie] - sssd <not-affected> (Issue got introduced with 1.13.0)
https://bugzilla.redhat.com/show_bug.cgi?id=1659862
Fixed in upstream 2.0.0 while refactoring code
Fixed by https://pagure.io/SSSD/sssd/c/fbe2476a3dd9be83ffa85c29dca26f734618d72d?branch=master