diff --git a/SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch b/SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
new file mode 100644
index 0000000..8c70116
--- /dev/null
+++ b/SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
@@ -0,0 +1,115 @@
+From a35c267ec03a56d02c5f86294d6ed16f0ee9ae57 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 30 Jun 2016 10:21:01 +1000
+Subject: [PATCH] cert-revoke: fix permission check bypass (CVE-2016-5404)
+
+The 'cert_revoke' command checks the 'revoke certificate'
+permission, however, if an ACIError is raised, it then invokes the
+'cert_show' command.  The rational was to re-use a "host manages
+certificate" check that is part of the 'cert_show' command, however,
+it is sufficient that 'cert_show' executes successfully for
+'cert_revoke' to recover from the ACIError continue.  Therefore,
+anyone with 'retrieve certificate' permission can revoke *any*
+certificate and cause various kinds of DoS.
+
+Fix the problem by extracting the "host manages certificate" check
+to its own method and explicitly calling it from 'cert_revoke'.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/6232
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipalib/plugins/cert.py | 47 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 30 insertions(+), 17 deletions(-)
+
+diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
+index 7a07039a8488cc11d9bf05ef23642b8059d5921e..42dc4f571b9274f45bd6c20910362cf676764f3a 100644
+--- a/ipalib/plugins/cert.py
++++ b/ipalib/plugins/cert.py
+@@ -236,6 +236,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
+             )
+         )
+ 
++
++def bind_principal_can_manage_cert(cert):
++    """Check that the bind principal can manage the given cert.
++
++    ``cert``
++        An NSS certificate object.
++
++    """
++    bind_principal = getattr(context, 'principal')
++    if not bind_principal.startswith('host/'):
++        return False
++
++    hostname = get_host_from_principal(bind_principal)
++
++    # If we have a hostname we want to verify that the subject
++    # of the certificate matches it.
++    return hostname == cert.subject.common_name  #pylint: disable=E1101
++
++
+ @register()
+ class cert_request(VirtualCommand):
+     __doc__ = _('Submit a certificate signing request.')
+@@ -601,29 +620,23 @@ class cert_show(VirtualCommand):
+ 
+     def execute(self, serial_number, **options):
+         ca_enabled_check()
+-        hostname = None
++
++        result=self.Backend.ra.get_certificate(serial_number)
++        cert = x509.load_certificate(result['certificate'])
++
+         try:
+             self.check_access()
+-        except errors.ACIError, acierr:
++        except errors.ACIError as acierr:
+             self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+-            bind_principal = getattr(context, 'principal')
+-            if not bind_principal.startswith('host/'):
+-                raise acierr
+-            hostname = get_host_from_principal(bind_principal)
++            if not bind_principal_can_manage_cert(cert):
++                raise acierr  # pylint: disable=E0702
+ 
+-        result=self.Backend.ra.get_certificate(serial_number)
+-        cert = x509.load_certificate(result['certificate'])
+         result['subject'] = unicode(cert.subject)
+         result['issuer'] = unicode(cert.issuer)
+         result['valid_not_before'] = unicode(cert.valid_not_before_str)
+         result['valid_not_after'] = unicode(cert.valid_not_after_str)
+         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
+         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+-        if hostname:
+-            # If we have a hostname we want to verify that the subject
+-            # of the certificate matches it, otherwise raise an error
+-            if hostname != cert.subject.common_name:    #pylint: disable=E1101
+-                raise acierr
+ 
+         return dict(result=result)
+ 
+@@ -669,17 +682,17 @@ class cert_revoke(VirtualCommand):
+ 
+     def execute(self, serial_number, **kw):
+         ca_enabled_check()
+-        hostname = None
+         try:
+             self.check_access()
+         except errors.ACIError, acierr:
+             self.debug("Not granted by ACI to revoke certificate, looking at principal")
+             try:
+-                # Let cert_show() handle verifying that the subject of the
+-                # cert we're dealing with matches the hostname in the principal
+                 result = api.Command['cert_show'](unicode(serial_number))['result']
++                cert = x509.load_certificate(result['certificate'])
++                if not bind_principal_can_manage_cert(cert):
++                    raise acierr
+             except errors.NotImplementedError:
+-                pass
++                raise acierr
+         revocation_reason = kw['revocation_reason']
+         if revocation_reason == 7:
+             raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
+-- 
+2.9.3
+
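Review bot: In the cert_show hunk, `self.Backend.ra.get_certificate(serial_number)` now runs before `self.check_access()`, so a caller with neither the 'retrieve certificate' permission nor a host/ principal still triggers a CA lookup before being refused, and if the RA raises a distinct error for an unknown serial that error reaches the caller ahead of the ACIError (whether it does is not visible in this hunk) — a possible serial-number existence signal that the pre-patch ordering did not have. Keeping the authorization check first and loading the certificate only once the outcome depends on it avoids both the extra round trip and that signal; the rewritten execute body is below (the prefix test duplicates the helper's first check, which is the price of refusing non-host principals without touching the CA). A smaller point of style: cert_revoke's two new `raise acierr` lines lack the `# pylint: disable=E0702` that the equivalent line in cert_show carries, and cert_revoke's execute continues past the end of its hunk. The docstring of bind_principal_can_manage_cert would also benefit from stating its result, e.g. `Return True only when the bind principal is a host/ principal whose hostname equals the certificate's subject CN; any other principal yields False.`
```python
    def execute(self, serial_number, **options):
        ca_enabled_check()

        try:
            self.check_access()
        except errors.ACIError as acierr:
            self.debug("Not granted by ACI to retrieve certificate, looking at principal")
            # Refuse non-host principals before any CA lookup; only a host
            # principal can pass the subject-CN check below.
            if not getattr(context, 'principal').startswith('host/'):
                raise acierr  # pylint: disable=E0702
            result = self.Backend.ra.get_certificate(serial_number)
            cert = x509.load_certificate(result['certificate'])
            if not bind_principal_can_manage_cert(cert):
                raise acierr  # pylint: disable=E0702
        else:
            result = self.Backend.ra.get_certificate(serial_number)
            cert = x509.load_certificate(result['certificate'])

        # … unchanged: subject/issuer/validity/fingerprint fields, return …
```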
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 72e60e0..0e9ed0e 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -35,7 +35,7 @@
 
 Name:           ipa
 Version:        4.2.0
-Release:        15%{?dist}.18
+Release:        15%{?dist}.19
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -43,10 +43,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -256,6 +256,7 @@ Patch0202:      0202-Prevent-replica-install-from-overwriting-cert-profil.patch
 Patch0203:      0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
 Patch0204:      0204-replica-install-do-not-set-CA-renewal-master-flag.patch
 Patch0205:      0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch
+Patch0206:      0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -267,7 +268,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
 Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
-Patch1011:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -402,7 +402,7 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 # RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
+Requires: redhat-access-plugin-ipa
 # RHEL spec file only: END
 
 Conflicts: %{alt_name}-server
@@ -611,10 +611,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 %build
@@ -1211,8 +1211,10 @@ fi
 # RHEL spec file only: DELETED: Do not build tests
 
 %changelog
-* Tue Aug 02 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.18
-- Roll in CentOS Branding
+* Mon Aug 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.19
+- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
+  certificate revocation
+  - cert-revoke: fix permission check bypass (CVE-2016-5404)
 
 * Mon Jun 27 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.18
 - Resolves: #1350305 Multiple clients cannot join domain simultaneously:
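Review bot: The new %changelog entry records only the CVE-2016-5404 backport, while the same commit also drops the ipa-centos-branding.patch (Patch1011), re-enables Source1–Source4 with their `cp %SOURCE…` steps, and re-enables `Requires: redhat-access-plugin-ipa`; the previous 4.2.0-15.el7.centos.18 entry is removed outright, so the package history no longer explains the branding change. Bundling an unrelated packaging revert with a security fix makes the backport harder to audit after the fact; if it must stay in one commit, the changelog should at least say so, e.g. add `- Drop CentOS branding patch; restore Identity Management branding sources and redhat-access-plugin-ipa requirement` under the new entry and keep the prior .18 entry in place. Whether `redhat-access-plugin-ipa` and the four image sources are actually available to the build that consumes this spec cannot be confirmed from here and is worth checking before the release bump lands.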