diff --git a/SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch b/SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
new file mode 100644
index 0000000..8c70116
--- /dev/null
+++ b/SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
@@ -0,0 +1,115 @@
+From a35c267ec03a56d02c5f86294d6ed16f0ee9ae57 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Thu, 30 Jun 2016 10:21:01 +1000
+Subject: [PATCH] cert-revoke: fix permission check bypass (CVE-2016-5404)
+
+The 'cert_revoke' command checks the 'revoke certificate'
+permission, however, if an ACIError is raised, it then invokes the
+'cert_show' command. The rational was to re-use a "host manages
+certificate" check that is part of the 'cert_show' command, however,
+it is sufficient that 'cert_show' executes successfully for
+'cert_revoke' to recover from the ACIError continue. Therefore,
+anyone with 'retrieve certificate' permission can revoke *any*
+certificate and cause various kinds of DoS.
+
+Fix the problem by extracting the "host manages certificate" check
+to its own method and explicitly calling it from 'cert_revoke'.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/6232
+Reviewed-By: Jan Cholasta
+---
+ ipalib/plugins/cert.py | 47 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 30 insertions(+), 17 deletions(-)
+
+diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
+index 7a07039a8488cc11d9bf05ef23642b8059d5921e..42dc4f571b9274f45bd6c20910362cf676764f3a 100644
+--- a/ipalib/plugins/cert.py
++++ b/ipalib/plugins/cert.py
+@@ -236,6 +236,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
+ )
+ )
+
++
++def bind_principal_can_manage_cert(cert):
++ """Check that the bind principal can manage the given cert.
++
++ ``cert``
++ An NSS certificate object.
++
++ """
++ bind_principal = getattr(context, 'principal')
++ if not bind_principal.startswith('host/'):
++ return False
++
++ hostname = get_host_from_principal(bind_principal)
++
++ # If we have a hostname we want to verify that the subject
++ # of the certificate matches it.
++ return hostname == cert.subject.common_name #pylint: disable=E1101
++
++
+ @register()
+ class cert_request(VirtualCommand):
+ __doc__ = _('Submit a certificate signing request.')
+@@ -601,29 +620,23 @@ class cert_show(VirtualCommand):
+
+ def execute(self, serial_number, **options):
+ ca_enabled_check()
+- hostname = None
++
++ result=self.Backend.ra.get_certificate(serial_number)
++ cert = x509.load_certificate(result['certificate'])
++
+ try:
+ self.check_access()
+- except errors.ACIError, acierr:
++ except errors.ACIError as acierr:
+ self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+- bind_principal = getattr(context, 'principal')
+- if not bind_principal.startswith('host/'):
+- raise acierr
+- hostname = get_host_from_principal(bind_principal)
++ if not bind_principal_can_manage_cert(cert):
++ raise acierr # pylint: disable=E0702
+
+- result=self.Backend.ra.get_certificate(serial_number)
+- cert = x509.load_certificate(result['certificate'])
+ result['subject'] = unicode(cert.subject)
+ result['issuer'] = unicode(cert.issuer)
+ result['valid_not_before'] = unicode(cert.valid_not_before_str)
+ result['valid_not_after'] = unicode(cert.valid_not_after_str)
+ result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
+ result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+- if hostname:
+- # If we have a hostname we want to verify that the subject
+- # of the certificate matches it, otherwise raise an error
+- if hostname != cert.subject.common_name: #pylint: disable=E1101
+- raise acierr
+
+ return dict(result=result)
+
+@@ -669,17 +682,17 @@ class cert_revoke(VirtualCommand):
+
+ def execute(self, serial_number, **kw):
+ ca_enabled_check()
+- hostname = None
+ try:
+ self.check_access()
+ except errors.ACIError, acierr:
+ self.debug("Not granted by ACI to revoke certificate, looking at principal")
+ try:
+- # Let cert_show() handle verifying that the
subject of the
+- # cert we're dealing with matches the hostname in the principal
+ result = api.Command['cert_show'](unicode(serial_number))['result']
++ cert = x509.load_certificate(result['certificate'])
++ if not bind_principal_can_manage_cert(cert):
++ raise acierr
+ except errors.NotImplementedError:
+- pass
++ raise acierr
+ revocation_reason = kw['revocation_reason']
+ if revocation_reason == 7:
+ raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
+--
+2.9.3
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
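Review bot: In the cert_show hunk the lookup `result=self.Backend.ra.get_certificate(serial_number)` and the following `x509.load_certificate` now run before `self.check_access()`, so every caller who ends up denied still costs a CA round-trip, and any error the RA raises for an unknown serial (its behaviour is not visible here) would surface ahead of the ACIError, letting a denied principal tell existing serials from unknown ones, which the old ordering did not allow for non-host principals. Keeping `self.check_access()` first, moving the two lookup lines into an `else:` of that try and repeating them inside the `except errors.ACIError as acierr:` branch just before `if not bind_principal_can_manage_cert(cert):` preserves the fix while restoring the original ordering for denied callers. The cert_revoke hunk keeps the Python 2 form `except errors.ACIError, acierr:` while cert_show was changed to `except errors.ACIError as acierr:`; the two should agree. Both execute() bodies continue past the hunk.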
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 72e60e0..0e9ed0e 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -35,7 +35,7 @@ Name: ipa Version: 4.2.0 -Release: 15%{?dist}.18 +Release: 15%{?dist}.19 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -43,10 +43,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -256,6 +256,7 @@ Patch0202: 0202-Prevent-replica-install-from-overwriting-cert-profil.patch Patch0203: 0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch Patch0204: 0204-replica-install-do-not-set-CA-renewal-master-flag.patch Patch0205: 0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch +Patch0206: 0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -267,7 +268,6 @@ Patch1007: 1007-Do-not-build-tests.patch Patch1008: 1008-RCUE.patch Patch1009: 1009-Do-not-allow-installation-in-FIPS-mode.patch Patch1010: 1010-WebUI-add-API-browser-is-experimental-warning.patch -Patch1011: ipa-centos-branding.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} @@ -402,7 +402,7 @@ Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip # RHEL spec file only: START -# Requires: redhat-access-plugin-ipa +Requires: redhat-access-plugin-ipa # RHEL spec file only: END Conflicts: %{alt_name}-server 
@@ -611,10 +611,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END %build @@ -1211,8 +1211,10 @@ fi # RHEL spec file only: DELETED: Do not build tests %changelog -* Tue Aug 02 2016 CentOS Sources - 4.2.0-15.el7.centos.18 -- Roll in CentOS Branding +* Mon Aug 22 2016 Jan Cholasta - 4.2.0-15.19 +- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in + certificate revocation + - cert-revoke: fix permission check bypass (CVE-2016-5404) * Mon Jun 27 2016 Jan Cholasta - 4.2.0-15.18 - Resolves: #1350305 Multiple clients cannot join domain simultaneously: