CVE-2015-5292 – sssd: memory leak in the sssd_pac_plugin

https://notcve.org/view.php?id=CVE-2015-5292

Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication. Fuga de memoria en el plugin en Privilege Attribute Certificate (PAC) responder (sssd_pac_plugin.so) en System Security Services Daemon (SSSD) 1.10 en versiones anteriores a 1.13.1 permite a usuarios remotos autenticados provocar una denegación de servicio (consumo de memoria) a través de un gran número de logins que desencadenan análisis gramaticales de blobs de PAC durante la autenticación Kerberos. It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169110.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169597.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169613.html http://permalink.gmane.org/gmane.linux.redhat.sssd.user/3422 http://rhn.redhat.com/errata/RHSA-2015-2019.html http://rhn.redhat.com/errata/RHSA-2015-2355.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.sec • CWE-399: Resource Management Errors CWE-401: Missing Release of Memory after Effective Lifetime •