From e11e73abc101361c0b66b3b958a64c9c8f6c608b Mon Sep 17 00:00:00 2001

From: Simo Sorce <simo@redhat.com>

Date: Mon, 16 Sep 2019 11:12:25 -0400

Subject: [PATCH 1/2] CVE-2019-14867: Make sure to have storage space for tag

ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at

by "t", if that is not provided the pointer will be store in whatever

memory location is pointed by the stack at that time causeing a crash.

It's also possible for unprivileged end users to trigger parsing of the

krbPrincipalKey.

Fixes #8071: CVE-2019-14867

Reported by Todd Lipcon from Cloudera

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

(cherry picked from commit d2e0d94521893bc5f002a335a8c0b99601e1afd6)

---

 util/ipa_krb5.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c

index a27cd4a4e..c09c3daa5 100644

--- a/util/ipa_krb5.c

+++ b/util/ipa_krb5.c

@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,

         retag = ber_peek_tag(be, &setlen);

         if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {

             /* not supported yet, skip */

-            retag = ber_scanf(be, "t[x]}");

+            retag = ber_scanf(be, "t[x]}", &tag;;

         } else {

             retag = ber_scanf(be, "}");

         }

-- 

2.23.0

From 39120fa9a4a00983917659e4253446ed82839975 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Tue, 2 Jul 2019 13:44:48 -0400

Subject: [PATCH 2/2] CVE-2019-10195: Don't log passwords embedded in commands

 in calls using batch

A raw batch request was fully logged which could expose parameters

we don't want logged, like passwords.

Override _repr_iter to use the individual commands to log the

values so that values are properly obscured.

In case of errors log the full value on when the server is in

debug mode.

Reported by Jamison Bennett from Cloudera

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Reviewed-by:  Florence Blanc-Renaud <frenaud@redhat.com>

---

 ipaserver/plugins/batch.py | 96 ++++++++++++++++++++++++++++----------

 1 file changed, 72 insertions(+), 24 deletions(-)

diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py

index c9895a8f6..b95944c54 100644

--- a/ipaserver/plugins/batch.py

+++ b/ipaserver/plugins/batch.py

@@ -93,35 +93,82 @@ class batch(Command):

         Output('results', (list, tuple), doc='')

     )

+    def _validate_request(self, request):

+        """

+        Check that an individual request in a batch is parseable and the

+        commands exists.

+        """

+        if 'method' not in request:

+            raise errors.RequirementError(name='method')

+        if 'params' not in request:

+            raise errors.RequirementError(name='params')

+        name = request['method']

+        if (name not in self.api.Command or

+                isinstance(self.api.Command[name], Local)):

+            raise errors.CommandError(name=name)

+

+        # If params are not formated as a tuple(list, dict)

+        # the following lines will raise an exception

+        # that triggers an internal server error

+        # Raise a ConversionError instead to report the issue

+        # to the client

+        try:

+            a, kw = request['params']

+            newkw = dict((str(k), v) for k, v in kw.items())

+            api.Command[name].args_options_2_params(*a, **newkw)

+        except (AttributeError, ValueError, TypeError):

+            raise errors.ConversionError(

+                name='params',

+                error=_(u'must contain a tuple (list, dict)'))

+        except Exception as e:

+            raise errors.ConversionError(

+                name='params',

+                error=str(e))

+

+    def _repr_iter(self, **params):

+        """

+        Iterate through the request and use the Command _repr_intr so

+        that sensitive information (passwords) is not exposed.

+

+        In case of a malformatted request redact the entire thing.

+        """

+        exceptions = False

+        for arg in (params.get('methods', [])):

+            try:

+                self._validate_request(arg)

+            except Exception:

+                # redact the whole request since we don't know what's in it

+                exceptions = True

+                yield u'********'

+                continue

+

+            name = arg['method']

+            a, kw = arg['params']

+            newkw = dict((str(k), v) for k, v in kw.items())

+            param = api.Command[name].args_options_2_params(

+                *a, **newkw)

+

+            yield '{}({})'.format(

+                api.Command[name].name,

+                ', '.join(api.Command[name]._repr_iter(**param))

+            )

+

+        if exceptions:

+            logger.debug('batch: %s',

+                         ', '.join(super(batch, self)._repr_iter(**params)))

+

     def execute(self, methods=None, **options):

         results = []

         for arg in (methods or []):

             params = dict()

             name = None

             try:

-                if 'method' not in arg:

-                    raise errors.RequirementError(name='method')

-                if 'params' not in arg:

-                    raise errors.RequirementError(name='params')

+                self._validate_request(arg)

                 name = arg['method']

-                if (name not in self.api.Command or

-                        isinstance(self.api.Command[name], Local)):

-                    raise errors.CommandError(name=name)

-

-                # If params are not formated as a tuple(list, dict)

-                # the following lines will raise an exception

-                # that triggers an internal server error

-                # Raise a ConversionError instead to report the issue

-                # to the client

-                try:

-                    a, kw = arg['params']

-                    newkw = dict((str(k), v) for k, v in kw.items())

-                    params = api.Command[name].args_options_2_params(

-                        *a, **newkw)

-                except (AttributeError, ValueError, TypeError):

-                    raise errors.ConversionError(

-                        name='params',

-                        error=_(u'must contain a tuple (list, dict)'))

+                a, kw = arg['params']

+                newkw = dict((str(k), v) for k, v in kw.items())

+                params = api.Command[name].args_options_2_params(

+                    *a, **newkw)

                 newkw.setdefault('version', options['version'])

                 result = api.Command[name](*a, **newkw)

@@ -133,8 +180,9 @@ class batch(Command):

                 )

                 result['error']=None

             except Exception as e:

-                if isinstance(e, errors.RequirementError) or \

-                    isinstance(e, errors.CommandError):

+                if (isinstance(e, errors.RequirementError) or

+                        isinstance(e, errors.CommandError) or

+                        isinstance(e, errors.ConversionError)):

                     logger.info(

                         '%s: batch: %s',

                         context.principal,  # pylint: disable=no-member

-- 

2.23.0