The Identity, Policy and Audit system
CentOS Sources
2016-09-01 80f8748478bb05c01261d17bfc6c54d870e00966
import ipa-4.2.0-15.el7_2.19
1 files added
1 files deleted
1 files modified
181 ■■■■ changed files
SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch 115 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 28 ●●●● patch | view | raw | blame | history
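--- /dev/null
+++ b/SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
@@ -0,0 +1,115 @@
+From a35c267ec03a56d02c5f86294d6ed16f0ee9ae57 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 30 Jun 2016 10:21:01 +1000
+Subject: [PATCH] cert-revoke: fix permission check bypass (CVE-2016-5404)
+The 'cert_revoke' command checks the 'revoke certificate'
+permission, however, if an ACIError is raised, it then invokes the
+'cert_show' command.  The rational was to re-use a "host manages
+certificate" check that is part of the 'cert_show' command, however,
+it is sufficient that 'cert_show' executes successfully for
+'cert_revoke' to recover from the ACIError continue.  Therefore,
+anyone with 'retrieve certificate' permission can revoke *any*
+certificate and cause various kinds of DoS.
+Fix the problem by extracting the "host manages certificate" check
+to its own method and explicitly calling it from 'cert_revoke'.
+Fixes: https://fedorahosted.org/freeipa/ticket/6232
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipalib/plugins/cert.py | 47 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 30 insertions(+), 17 deletions(-)
+diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
+index 7a07039a8488cc11d9bf05ef23642b8059d5921e..42dc4f571b9274f45bd6c20910362cf676764f3a 100644
+--- a/ipalib/plugins/cert.py
++++ b/ipalib/plugins/cert.py
+@@ -236,6 +236,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
+             )
+         )
++
++def bind_principal_can_manage_cert(cert):
++    """Check that the bind principal can manage the given cert.
++
++    ``cert``
++        An NSS certificate object.
++
++    """
++    bind_principal = getattr(context, 'principal')
++    if not bind_principal.startswith('host/'):
++        return False
++
++    hostname = get_host_from_principal(bind_principal)
++
++    # If we have a hostname we want to verify that the subject
++    # of the certificate matches it.
++    return hostname == cert.subject.common_name  #pylint: disable=E1101
++
++
+ @register()
+ class cert_request(VirtualCommand):
+     __doc__ = _('Submit a certificate signing request.')
+@@ -601,29 +620,23 @@ class cert_show(VirtualCommand):
+     def execute(self, serial_number, **options):
+         ca_enabled_check()
+-        hostname = None
++
++        result=self.Backend.ra.get_certificate(serial_number)
++        cert = x509.load_certificate(result['certificate'])
++
+         try:
+             self.check_access()
+-        except errors.ACIError, acierr:
++        except errors.ACIError as acierr:
+             self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+-            bind_principal = getattr(context, 'principal')
+-            if not bind_principal.startswith('host/'):
+-                raise acierr
+-            hostname = get_host_from_principal(bind_principal)
++            if not bind_principal_can_manage_cert(cert):
++                raise acierr  # pylint: disable=E0702
+-        result=self.Backend.ra.get_certificate(serial_number)
+-        cert = x509.load_certificate(result['certificate'])
+         result['subject'] = unicode(cert.subject)
+         result['issuer'] = unicode(cert.issuer)
+         result['valid_not_before'] = unicode(cert.valid_not_before_str)
+         result['valid_not_after'] = unicode(cert.valid_not_after_str)
+         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
+         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+-        if hostname:
+-            # If we have a hostname we want to verify that the subject
+-            # of the certificate matches it, otherwise raise an error
+-            if hostname != cert.subject.common_name:    #pylint: disable=E1101
+-                raise acierr
+         return dict(result=result)
+@@ -669,17 +682,17 @@ class cert_revoke(VirtualCommand):
+     def execute(self, serial_number, **kw):
+         ca_enabled_check()
+-        hostname = None
+         try:
+             self.check_access()
+         except errors.ACIError, acierr:
+             self.debug("Not granted by ACI to revoke certificate, looking at principal")
+             try:
+-                # Let cert_show() handle verifying that the subject of the
+-                # cert we're dealing with matches the hostname in the principal
+                 result = api.Command['cert_show'](unicode(serial_number))['result']
++                cert = x509.load_certificate(result['certificate'])
++                if not bind_principal_can_manage_cert(cert):
++                    raise acierr
+             except errors.NotImplementedError:
+-                pass
++                raise acierr
+         revocation_reason = kw['revocation_reason']
+         if revocation_reason == 7:
+             raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
+--
+2.9.3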
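Review bot: In the new `cert_show.execute` the certificate is fetched from the CA (`result=self.Backend.ra.get_certificate(serial_number)`) before `self.check_access()` runs, whereas the removed code only reached the CA after the ACI check passed or the caller had already been accepted as a host principal. Any authenticated principal can now trigger a CA lookup for an arbitrary serial without holding the 'retrieve certificate' permission, and if `ra.get_certificate` raises a different error for an unknown serial than the ACIError raised afterwards for a known one (its behaviour is outside this hunk), the command becomes an oracle for which serial numbers exist. Keeping the fetch behind the ACI check, and rejecting non-host principals before any CA round-trip, preserves the CVE fix while restoring the previous fail-before-fetch order. A smaller style point: `cert_revoke.execute` keeps the Python 2-only `except errors.ACIError, acierr:` form while its sibling in `cert_show` was switched to `except errors.ACIError as acierr:`; the body of `cert_revoke.execute` continues past the end of the hunk.

```python
    def execute(self, serial_number, **options):
        ca_enabled_check()

        try:
            self.check_access()
        except errors.ACIError as acierr:
            self.debug("Not granted by ACI to retrieve certificate, looking at principal")
            # Fail before any CA round-trip for callers that can never
            # qualify, so an unprivileged principal cannot use this
            # command to probe which serial numbers exist.
            if not getattr(context, 'principal').startswith('host/'):
                raise acierr  # pylint: disable=E0702
            result = self.Backend.ra.get_certificate(serial_number)
            cert = x509.load_certificate(result['certificate'])
            if not bind_principal_can_manage_cert(cert):
                raise acierr  # pylint: disable=E0702
        else:
            result = self.Backend.ra.get_certificate(serial_number)
            cert = x509.load_certificate(result['certificate'])

        # … unchanged: result['subject'] … fingerprint fields, return …
```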
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -35,7 +35,7 @@
Name:           ipa
Version:        4.2.0
Release:        15%{?dist}.18
Release:        15%{?dist}.19
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -43,10 +43,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -256,6 +256,7 @@
Patch0203:      0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
Patch0204:      0204-replica-install-do-not-set-CA-renewal-master-flag.patch
Patch0205:      0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch
Patch0206:      0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -267,7 +268,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -402,7 +402,7 @@
Requires: %{etc_systemd_dir}
Requires: gzip
# RHEL spec file only: START
# Requires: redhat-access-plugin-ipa
Requires: redhat-access-plugin-ipa
# RHEL spec file only: END
Conflicts: %{alt_name}-server
@@ -611,10 +611,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
%build
@@ -1211,8 +1211,10 @@
# RHEL spec file only: DELETED: Do not build tests
%changelog
* Tue Aug 02 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.18
- Roll in CentOS Branding
* Mon Aug 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.19
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
  certificate revocation
  - cert-revoke: fix permission check bypass (CVE-2016-5404)
* Mon Jun 27 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.18
- Resolves: #1350305 Multiple clients cannot join domain simultaneously: