SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.
A vulnerability has been discovered in SSSD. Please review the CVE identifier referenced below for details.
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access.
There is no known workaround at this time.
All SSSD users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/sssd-2.5.2-r1"