sssd: fix CVE-2021-3621

Backport patch to fix CVE-2021-3621. CVE: CVE-2021-3621 Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Kai Kang <kai.kang@windriver.com> 2021-09-10 16:36:46 +0800
committer: Armin Kuster <akuster808@gmail.com> 2021-09-10 07:23:59 -0700
commit: 16c68aae0fdfc20c7ce5cf4da0a9fff8bdd75769 (patch)
tree: 0bb28aabb43bf06d21b186f225d71b3f49ebf4ba
parent: 0e22db3c20d5235155ac8ad5aad5122166d5d372 (diff)
download: meta-security-16c68aae0fdfc20c7ce5cf4da0a9fff8bdd75769.tar.gz
2 files changed, 292 insertions, 0 deletions
diff --git a/recipes-security/sssd/files/CVE-2021-3621.patch b/recipes-security/sssd/files/CVE-2021-3621.patch
new file mode 100644
index 0000000..3d2c707
--- /dev/null
+++ b/recipes-security/sssd/files/CVE-2021-3621.patch
@@ -0,0 +1,291 @@
+Backport patch to fix CVE-2021-3621.
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/b4b3267]
+CVE: CVE-2021-3621
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From b4b32677a886bc26d60ce0171505aa3ab0c82c8a Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 30 Jul 2021 19:05:31 +0200
+Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
+ user supplied command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+:relnote: A flaw was found in SSSD, where the sssctl command was
+vulnerable to shell command injection via the logs-fetch and
+cache-expire subcommands. This flaw allows an attacker to trick
+the root user into running a specially crafted sssctl command,
+such as via sudo, to gain root access. The highest threat from this
+vulnerability is to confidentiality, integrity, as well as system
+availability.
+This patch fixes a flaw by replacing system() with execvp().
+:fixes: CVE-2021-3621
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/tools/sssctl/sssctl.c      | 40 +++++++++++++++++-------
+ src/tools/sssctl/sssctl.h      |  2 +-
+ src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
+ src/tools/sssctl/sssctl_logs.c | 31 ++++++++++++++----
+ 4 files changed, 73 insertions(+), 57 deletions(-)
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index afaa84bc0..403c89c35 100644
+--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
+@@ -97,22 +97,37 @@ sssctl_prompt(const char *message,
+     return SSSCTL_PROMPT_ERROR;
+ }
+ 
+-errno_t sssctl_run_command(const char *command)
+errno_t sssctl_run_command(const char *const argv[])
+ {
+     int ret;
+    int wstatus;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
+    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
+ 
+-    ret = system(command);
+    ret = fork();
+     if (ret == -1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
+         fprintf(stderr, _("Error while executing external command\n"));
+         return EFAULT;
+-    } else if (WEXITSTATUS(ret) != 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
+-              command, WEXITSTATUS(ret));
+    }
+
+    if (ret == 0) {
+        /* cast is safe - see
+        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
+        "The statement about argv[] and envp[] being constants ... "
+        */
+        execvp(argv[0], discard_const_p(char * const, argv));
+         fprintf(stderr, _("Error while executing external command\n"));
+-        return EIO;
+        _exit(1);
+    } else {
+        if (waitpid(ret, &wstatus, 0) == -1) {
+            fprintf(stderr,
+                    _("Error while executing external command '%s'\n"), argv[0]);
+            return EFAULT;
+        } else if (WEXITSTATUS(wstatus) != 0) {
+            fprintf(stderr,
+                    _("Command '%s' failed with [%d]\n"), argv[0], WEXITSTATUS(wstatus));
+            return EIO;
+        }
+     }
+ 
+     return EOK;
+@@ -132,11 +147,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
+ #elif defined(HAVE_SERVICE)
+     switch (action) {
+     case SSSCTL_SVC_START:
+-        return sssctl_run_command(SERVICE_PATH" sssd start");
+        return sssctl_run_command(
+                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
+     case SSSCTL_SVC_STOP:
+-        return sssctl_run_command(SERVICE_PATH" sssd stop");
+        return sssctl_run_command(
+                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
+     case SSSCTL_SVC_RESTART:
+-        return sssctl_run_command(SERVICE_PATH" sssd restart");
+        return sssctl_run_command(
+                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
+     }
+ #endif
+ 
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 70fc19eff..71f798b2a 100644
+--- a/src/tools/sssctl/sssctl.h
+++ b/src/tools/sssctl/sssctl.h
+@@ -42,7 +42,7 @@ enum sssctl_prompt_result
+ sssctl_prompt(const char *message,
+               enum sssctl_prompt_result defval);
+ 
+-errno_t sssctl_run_command(const char *command);
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
+ bool sssctl_start_sssd(bool force);
+ bool sssctl_stop_sssd(bool force);
+ bool sssctl_restart_sssd(bool force);
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index cc46cafbf..8a042664c 100644
+--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
+@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
+         }
+     }
+ 
+-    ret = sssctl_run_command("sss_override user-export "
+-                             SSS_BACKUP_USER_OVERRIDES);
+    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
+                                              SSS_BACKUP_USER_OVERRIDES, NULL});
+     if (ret != EOK) {
+         fprintf(stderr, _("Unable to export user overrides\n"));
+         return ret;
+     }
+ 
+-    ret = sssctl_run_command("sss_override group-export "
+-                             SSS_BACKUP_GROUP_OVERRIDES);
+    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
+                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
+     if (ret != EOK) {
+         fprintf(stderr, _("Unable to export group overrides\n"));
+         return ret;
+@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override user-import "
+-                                 SSS_BACKUP_USER_OVERRIDES);
+        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
+                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
+         if (ret != EOK) {
+             fprintf(stderr, _("Unable to import user overrides\n"));
+             return ret;
+@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override group-import "
+-                                 SSS_BACKUP_GROUP_OVERRIDES);
+        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+             fprintf(stderr, _("Unable to import group overrides\n"));
+             return ret;
+@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+                             void *pvt)
+ {
+     errno_t ret;
+-    char *cmd_args = NULL;
+-    const char *cachecmd = SSS_CACHE;
+-    char *cmd = NULL;
+-    int i;
+-
+-    if (cmdline->argc == 0) {
+-        ret = sssctl_run_command(cachecmd);
+-        goto done;
+-    }
+ 
+-    cmd_args = talloc_strdup(tool_ctx, "");
+-    if (cmd_args == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+    const char **args = talloc_array_size(tool_ctx,
+                                          sizeof(char *),
+                                          cmdline->argc + 2);
+    if (!args) {
+        return ENOMEM;
+     }
+    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
+    args[0] = SSS_CACHE;
+    args[cmdline->argc + 1] = NULL;
+ 
+-    for (i = 0; i < cmdline->argc; i++) {
+-        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+-        if (i != cmdline->argc - 1) {
+-            cmd_args = talloc_strdup_append(cmd_args, " ");
+-        }
+-    }
+-
+-    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+-    if (cmd == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    ret = sssctl_run_command(cmd);
+-
+-done:
+-    talloc_free(cmd_args);
+-    talloc_free(cmd);
+    ret = sssctl_run_command(args);
+ 
+    talloc_free(args);
+     return ret;
+ }
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index aca988c05..c85cc7a4b 100644
+--- a/src/tools/sssctl/sssctl_logs.c
+++ b/src/tools/sssctl/sssctl_logs.c
+@@ -32,6 +32,7 @@
+ #include <popt.h>
+ #include <stdio.h>
+ #include <signal.h>
+#include <glob.h>
+ 
+ #include "util/util.h"
+ #include "tools/common/sss_process.h"
+@@ -231,6 +232,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
+    glob_t globbuf;
+ 
+     /* Parse command line. */
+     struct poptOption options[] = {
+@@ -254,8 +256,19 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ 
+         sss_signal(SIGHUP);
+     } else {
+        globbuf.gl_offs = 4;
+        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+        if (ret != 0) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+            return ret;
+        }
+        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
+        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
+        globbuf.gl_pathv[3] = discard_const_p(char, "0");
+
+         printf(_("Truncating log files...\n"));
+-        ret = sssctl_run_command("truncate --size 0 " LOG_FILES);
+        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+        globfree(&globbuf);
+         if (ret != EOK) {
+             fprintf(stderr, _("Unable to truncate log files\n"));
+             return ret;
+@@ -270,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+                           void *pvt)
+ {
+     const char *file;
+-    const char *cmd;
+     errno_t ret;
+    glob_t globbuf;
+ 
+     /* Parse command line. */
+     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+@@ -281,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+         return ret;
+     }
+ 
+-    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+-    if (cmd == NULL) {
+-        fprintf(stderr, _("Out of memory!"));
+    globbuf.gl_offs = 3;
+    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+        return ret;
+     }
+    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
+    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
+    globbuf.gl_pathv[2] = discard_const_p(char, file);
+ 
+     printf(_("Archiving log files into %s...\n"), file);
+-    ret = sssctl_run_command(cmd);
+    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+    globfree(&globbuf);
+     if (ret != EOK) {
+         fprintf(stderr, _("Unable to archive log files\n"));
+         return ret;
+-- 
+2.33.0
diff --git a/recipes-security/sssd/sssd_1.16.5.bb b/recipes-security/sssd/sssd_1.16.5.bb
index 9784ec7..02d0837 100644
--- a/recipes-security/sssd/sssd_1.16.5.bb
+++ b/recipes-security/sssd/sssd_1.16.5.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
           file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
           file://0001-nss-Collision-with-external-nss-symbol.patch \
           file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \
+           file://CVE-2021-3621.patch \
           "
 SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"
author	Kai Kang <kai.kang@windriver.com>	2021-09-10 16:36:46 +0800
committer	Armin Kuster <akuster808@gmail.com>	2021-09-10 07:23:59 -0700
commit	16c68aae0fdfc20c7ce5cf4da0a9fff8bdd75769 (patch)
tree	0bb28aabb43bf06d21b186f225d71b3f49ebf4ba
parent	0e22db3c20d5235155ac8ad5aad5122166d5d372 (diff)
download	meta-security-16c68aae0fdfc20c7ce5cf4da0a9fff8bdd75769.tar.gz

diff --git a/recipes-security/sssd/files/CVE-2021-3621.patch b/recipes-security/sssd/files/CVE-2021-3621.patch new file mode 100644 index 0000000..3d2c707 --- /dev/null +++ b/recipes-security/sssd/files/CVE-2021-3621.patch
@@ -0,0 +1,291 @@
		1	Backport patch to fix CVE-2021-3621.
		2
		3	Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/b4b3267]
		4	CVE: CVE-2021-3621
		5
		6	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		7
		8	From b4b32677a886bc26d60ce0171505aa3ab0c82c8a Mon Sep 17 00:00:00 2001
		9	From: Alexey Tikhonov <atikhono@redhat.com>
		10	Date: Fri, 30 Jul 2021 19:05:31 +0200
		11	Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
		12	user supplied command
		13	MIME-Version: 1.0
		14	Content-Type: text/plain; charset=UTF-8
		15	Content-Transfer-Encoding: 8bit
		16
		17	:relnote: A flaw was found in SSSD, where the sssctl command was
		18	vulnerable to shell command injection via the logs-fetch and
		19	cache-expire subcommands. This flaw allows an attacker to trick
		20	the root user into running a specially crafted sssctl command,
		21	such as via sudo, to gain root access. The highest threat from this
		22	vulnerability is to confidentiality, integrity, as well as system
		23	availability.
		24	This patch fixes a flaw by replacing system() with execvp().
		25
		26	:fixes: CVE-2021-3621
		27
		28	Reviewed-by: Pavel Březina <pbrezina@redhat.com>
		29	---
		30	src/tools/sssctl/sssctl.c \| 40 +++++++++++++++++-------
		31	src/tools/sssctl/sssctl.h \| 2 +-
		32	src/tools/sssctl/sssctl_data.c \| 57 +++++++++++-----------------------
		33	src/tools/sssctl/sssctl_logs.c \| 31 ++++++++++++++----
		34	4 files changed, 73 insertions(+), 57 deletions(-)
		35
		36	diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
		37	index afaa84bc0..403c89c35 100644
		38	--- a/src/tools/sssctl/sssctl.c
		39	+++ b/src/tools/sssctl/sssctl.c
		40	@@ -97,22 +97,37 @@ sssctl_prompt(const char *message,
		41	return SSSCTL_PROMPT_ERROR;
		42	}
		43
		44	-errno_t sssctl_run_command(const char *command)
		45	+errno_t sssctl_run_command(const char *const argv[])
		46	{
		47	int ret;
		48	+ int wstatus;
		49
		50	- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
		51	+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
		52
		53	- ret = system(command);
		54	+ ret = fork();
		55	if (ret == -1) {
		56	- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
		57	fprintf(stderr, _("Error while executing external command\n"));
		58	return EFAULT;
		59	- } else if (WEXITSTATUS(ret) != 0) {
		60	- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
		61	- command, WEXITSTATUS(ret));
		62	+ }
		63	+
		64	+ if (ret == 0) {
		65	+ /* cast is safe - see
		66	+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
		67	+ "The statement about argv[] and envp[] being constants ... "
		68	+ */
		69	+ execvp(argv[0], discard_const_p(char * const, argv));
		70	fprintf(stderr, _("Error while executing external command\n"));
		71	- return EIO;
		72	+ _exit(1);
		73	+ } else {
		74	+ if (waitpid(ret, &wstatus, 0) == -1) {
		75	+ fprintf(stderr,
		76	+ _("Error while executing external command '%s'\n"), argv[0]);
		77	+ return EFAULT;
		78	+ } else if (WEXITSTATUS(wstatus) != 0) {
		79	+ fprintf(stderr,
		80	+ _("Command '%s' failed with [%d]\n"), argv[0], WEXITSTATUS(wstatus));
		81	+ return EIO;
		82	+ }
		83	}
		84
		85	return EOK;
		86	@@ -132,11 +147,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
		87	#elif defined(HAVE_SERVICE)
		88	switch (action) {
		89	case SSSCTL_SVC_START:
		90	- return sssctl_run_command(SERVICE_PATH" sssd start");
		91	+ return sssctl_run_command(
		92	+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
		93	case SSSCTL_SVC_STOP:
		94	- return sssctl_run_command(SERVICE_PATH" sssd stop");
		95	+ return sssctl_run_command(
		96	+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
		97	case SSSCTL_SVC_RESTART:
		98	- return sssctl_run_command(SERVICE_PATH" sssd restart");
		99	+ return sssctl_run_command(
		100	+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
		101	}
		102	#endif
		103
		104	diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
		105	index 70fc19eff..71f798b2a 100644
		106	--- a/src/tools/sssctl/sssctl.h
		107	+++ b/src/tools/sssctl/sssctl.h
		108	@@ -42,7 +42,7 @@ enum sssctl_prompt_result
		109	sssctl_prompt(const char *message,
		110	enum sssctl_prompt_result defval);
		111
		112	-errno_t sssctl_run_command(const char *command);
		113	+errno_t sssctl_run_command(const char const argv[]); / argv[0] - command */
		114	bool sssctl_start_sssd(bool force);
		115	bool sssctl_stop_sssd(bool force);
		116	bool sssctl_restart_sssd(bool force);
		117	diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
		118	index cc46cafbf..8a042664c 100644
		119	--- a/src/tools/sssctl/sssctl_data.c
		120	+++ b/src/tools/sssctl/sssctl_data.c
		121	@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
		122	}
		123	}
		124
		125	- ret = sssctl_run_command("sss_override user-export "
		126	- SSS_BACKUP_USER_OVERRIDES);
		127	+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
		128	+ SSS_BACKUP_USER_OVERRIDES, NULL});
		129	if (ret != EOK) {
		130	fprintf(stderr, _("Unable to export user overrides\n"));
		131	return ret;
		132	}
		133
		134	- ret = sssctl_run_command("sss_override group-export "
		135	- SSS_BACKUP_GROUP_OVERRIDES);
		136	+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
		137	+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
		138	if (ret != EOK) {
		139	fprintf(stderr, _("Unable to export group overrides\n"));
		140	return ret;
		141	@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
		142	}
		143
		144	if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
		145	- ret = sssctl_run_command("sss_override user-import "
		146	- SSS_BACKUP_USER_OVERRIDES);
		147	+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
		148	+ SSS_BACKUP_USER_OVERRIDES, NULL});
		149	if (ret != EOK) {
		150	fprintf(stderr, _("Unable to import user overrides\n"));
		151	return ret;
		152	@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
		153	}
		154
		155	if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
		156	- ret = sssctl_run_command("sss_override group-import "
		157	- SSS_BACKUP_GROUP_OVERRIDES);
		158	+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
		159	+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
		160	if (ret != EOK) {
		161	fprintf(stderr, _("Unable to import group overrides\n"));
		162	return ret;
		163	@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
		164	void *pvt)
		165	{
		166	errno_t ret;
		167	- char *cmd_args = NULL;
		168	- const char *cachecmd = SSS_CACHE;
		169	- char *cmd = NULL;
		170	- int i;
		171	-
		172	- if (cmdline->argc == 0) {
		173	- ret = sssctl_run_command(cachecmd);
		174	- goto done;
		175	- }
		176
		177	- cmd_args = talloc_strdup(tool_ctx, "");
		178	- if (cmd_args == NULL) {
		179	- ret = ENOMEM;
		180	- goto done;
		181	+ const char **args = talloc_array_size(tool_ctx,
		182	+ sizeof(char *),
		183	+ cmdline->argc + 2);
		184	+ if (!args) {
		185	+ return ENOMEM;
		186	}
		187	+ memcpy(&args[1], cmdline->argv, sizeof(char ) cmdline->argc);
		188	+ args[0] = SSS_CACHE;
		189	+ args[cmdline->argc + 1] = NULL;
		190
		191	- for (i = 0; i < cmdline->argc; i++) {
		192	- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
		193	- if (i != cmdline->argc - 1) {
		194	- cmd_args = talloc_strdup_append(cmd_args, " ");
		195	- }
		196	- }
		197	-
		198	- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
		199	- if (cmd == NULL) {
		200	- ret = ENOMEM;
		201	- goto done;
		202	- }
		203	-
		204	- ret = sssctl_run_command(cmd);
		205	-
		206	-done:
		207	- talloc_free(cmd_args);
		208	- talloc_free(cmd);
		209	+ ret = sssctl_run_command(args);
		210
		211	+ talloc_free(args);
		212	return ret;
		213	}
		214	diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
		215	index aca988c05..c85cc7a4b 100644
		216	--- a/src/tools/sssctl/sssctl_logs.c
		217	+++ b/src/tools/sssctl/sssctl_logs.c
		218	@@ -32,6 +32,7 @@
		219	#include <popt.h>
		220	#include <stdio.h>
		221	#include <signal.h>
		222	+#include <glob.h>
		223
		224	#include "util/util.h"
		225	#include "tools/common/sss_process.h"
		226	@@ -231,6 +232,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
		227	{
		228	struct sssctl_logs_opts opts = {0};
		229	errno_t ret;
		230	+ glob_t globbuf;
		231
		232	/* Parse command line. */
		233	struct poptOption options[] = {
		234	@@ -254,8 +256,19 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
		235
		236	sss_signal(SIGHUP);
		237	} else {
		238	+ globbuf.gl_offs = 4;
		239	+ ret = glob(LOG_PATH"/*.log", GLOB_ERR\|GLOB_DOOFFS, NULL, &globbuf);
		240	+ if (ret != 0) {
		241	+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
		242	+ return ret;
		243	+ }
		244	+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
		245	+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
		246	+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
		247	+
		248	printf(_("Truncating log files...\n"));
		249	- ret = sssctl_run_command("truncate --size 0 " LOG_FILES);
		250	+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
		251	+ globfree(&globbuf);
		252	if (ret != EOK) {
		253	fprintf(stderr, _("Unable to truncate log files\n"));
		254	return ret;
		255	@@ -270,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
		256	void *pvt)
		257	{
		258	const char *file;
		259	- const char *cmd;
		260	errno_t ret;
		261	+ glob_t globbuf;
		262
		263	/* Parse command line. */
		264	ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
		265	@@ -281,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
		266	return ret;
		267	}
		268
		269	- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
		270	- if (cmd == NULL) {
		271	- fprintf(stderr, _("Out of memory!"));
		272	+ globbuf.gl_offs = 3;
		273	+ ret = glob(LOG_PATH"/*.log", GLOB_ERR\|GLOB_DOOFFS, NULL, &globbuf);
		274	+ if (ret != 0) {
		275	+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
		276	+ return ret;
		277	}
		278	+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
		279	+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
		280	+ globbuf.gl_pathv[2] = discard_const_p(char, file);
		281
		282	printf(_("Archiving log files into %s...\n"), file);
		283	- ret = sssctl_run_command(cmd);
		284	+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
		285	+ globfree(&globbuf);
		286	if (ret != EOK) {
		287	fprintf(stderr, _("Unable to archive log files\n"));
		288	return ret;
		289	--
		290	2.33.0
		291


diff --git a/recipes-security/sssd/sssd_1.16.5.bb b/recipes-security/sssd/sssd_1.16.5.bb index 9784ec7..02d0837 100644 --- a/recipes-security/sssd/sssd_1.16.5.bb +++ b/recipes-security/sssd/sssd_1.16.5.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
22	file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \	22	file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
23	file://0001-nss-Collision-with-external-nss-symbol.patch \	23	file://0001-nss-Collision-with-external-nss-symbol.patch \
24	file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \	24	file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \
		25	file://CVE-2021-3621.patch \
25	"	26	"
26		27
27	SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"	28	SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"