diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch b/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch new file mode 100644 index 0000000..456f839 --- /dev/null +++ b/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch @@ -0,0 +1,41 @@ +From 18540386230e295087296e58761ced2b781ae4e3 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Nov 21 2019 09:44:37 +0000 +Subject: Do not run trust upgrade code if master lacks Samba bindings + + +If a replica has no Samba bindings but there are trust agreements +configured on some trust controller, skip trust upgrade code on this +replica. + +Resolves: https://pagure.io/freeipa/issue/8001 +Signed-off-by: Alexander Bokovoy +Reviewed-By: Thomas Woerner + +--- + +diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py +index b7bb53f..2a9b4f0 100644 +--- a/ipaserver/install/plugins/adtrust.py ++++ b/ipaserver/install/plugins/adtrust.py +@@ -24,6 +24,8 @@ except ImportError: + def ndr_unpack(x): + raise NotImplementedError + ++ drsblobs = None ++ + logger = logging.getLogger(__name__) + + register = Registry() +@@ -633,6 +635,10 @@ class update_tdo_to_new_layout(Updater): + logger.debug('AD Trusts are not enabled on this server') + return False, [] + ++ # If we have no Samba bindings, this master is not a trust controller ++ if drsblobs is None: ++ return False, [] ++ + ldap = self.api.Backend.ldap2 + gidNumber = get_gidNumber(ldap, self.api.env) + if gidNumber is None: + 
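Review bot: The new early return in `update_tdo_to_new_layout` is silent, whereas the sibling guard immediately above it logs why the updater is skipped (`logger.debug('AD Trusts are not enabled on this server')`), so an operator chasing a missing TDO layout upgrade on a replica gets no trace that this branch fired. Add `logger.debug('Samba bindings are not available, skipping trust upgrade')` before `return False, []`. The `drsblobs = None` fallback lives in a module-level `except ImportError:` whose `try` body is outside the hunk; it is worth confirming that `drsblobs` is the name imported there, since the guard only works if a successful import binds it. The enclosing method starts and ends outside the hunk.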
diff --git a/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch b/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch
new file mode 100644
index 0000000..9b399a3
--- /dev/null
+++ b/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch
@@ -0,0 +1,187 @@ +From e11e73abc101361c0b66b3b958a64c9c8f6c608b Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 16 Sep 2019 11:12:25 -0400 +Subject: [PATCH 1/2] CVE-2019-14867: Make sure to have storage space for tag + +ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at +by "t", if that is not provided the pointer will be store in whatever +memory location is pointed by the stack at that time causeing a crash. + +It's also possible for unprivileged end users to trigger parsing of the +krbPrincipalKey. + +Fixes #8071: CVE-2019-14867 + +Reported by Todd Lipcon from Cloudera + +Signed-off-by: Simo Sorce +Reviewed-By: Christian Heimes +(cherry picked from commit d2e0d94521893bc5f002a335a8c0b99601e1afd6) +--- + util/ipa_krb5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c +index a27cd4a4e..c09c3daa5 100644 +--- a/util/ipa_krb5.c ++++ b/util/ipa_krb5.c +@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno, + retag = ber_peek_tag(be, &setlen); + if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) { + /* not supported yet, skip */ +- retag = ber_scanf(be, "t[x]}"); ++ retag = ber_scanf(be, "t[x]}", &tag); + } else { + retag = ber_scanf(be, "}"); + } +-- +2.23.0 + + +From 39120fa9a4a00983917659e4253446ed82839975 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 2 Jul 2019 13:44:48 -0400 +Subject: [PATCH 2/2] CVE-2019-10195: Don't log passwords embedded in commands + in calls using batch + +A raw batch request was fully logged which could expose parameters +we don't want logged, like passwords. + +Override _repr_iter to use the individual commands to log the +values so that values are properly obscured. + +In case of errors log the full value on when the server is in +debug mode. 
+ +Reported by Jamison Bennett from Cloudera + +Signed-off-by: Rob Crittenden +Reviewed-by: Florence Blanc-Renaud +--- + ipaserver/plugins/batch.py | 96 ++++++++++++++++++++++++++++---------- + 1 file changed, 72 insertions(+), 24 deletions(-) + +diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py +index c9895a8f6..b95944c54 100644 +--- a/ipaserver/plugins/batch.py ++++ b/ipaserver/plugins/batch.py +@@ -93,35 +93,82 @@ class batch(Command): + Output('results', (list, tuple), doc='') + ) + ++ def _validate_request(self, request): ++ """ ++ Check that an individual request in a batch is parseable and the ++ commands exists. ++ """ ++ if 'method' not in request: ++ raise errors.RequirementError(name='method') ++ if 'params' not in request: ++ raise errors.RequirementError(name='params') ++ name = request['method'] ++ if (name not in self.api.Command or ++ isinstance(self.api.Command[name], Local)): ++ raise errors.CommandError(name=name) ++ ++ # If params are not formated as a tuple(list, dict) ++ # the following lines will raise an exception ++ # that triggers an internal server error ++ # Raise a ConversionError instead to report the issue ++ # to the client ++ try: ++ a, kw = request['params'] ++ newkw = dict((str(k), v) for k, v in kw.items()) ++ api.Command[name].args_options_2_params(*a, **newkw) ++ except (AttributeError, ValueError, TypeError): ++ raise errors.ConversionError( ++ name='params', ++ error=_(u'must contain a tuple (list, dict)')) ++ except Exception as e: ++ raise errors.ConversionError( ++ name='params', ++ error=str(e)) ++ ++ def _repr_iter(self, **params): ++ """ ++ Iterate through the request and use the Command _repr_intr so ++ that sensitive information (passwords) is not exposed. ++ ++ In case of a malformatted request redact the entire thing. 
++ """ ++ exceptions = False ++ for arg in (params.get('methods', [])): ++ try: ++ self._validate_request(arg) ++ except Exception: ++ # redact the whole request since we don't know what's in it ++ exceptions = True ++ yield u'********' ++ continue ++ ++ name = arg['method'] ++ a, kw = arg['params'] ++ newkw = dict((str(k), v) for k, v in kw.items()) ++ param = api.Command[name].args_options_2_params( ++ *a, **newkw) ++ ++ yield '{}({})'.format( ++ api.Command[name].name, ++ ', '.join(api.Command[name]._repr_iter(**param)) ++ ) ++ ++ if exceptions: ++ logger.debug('batch: %s', ++ ', '.join(super(batch, self)._repr_iter(**params))) ++ + def execute(self, methods=None, **options): + results = [] + for arg in (methods or []): + params = dict() + name = None + try: +- if 'method' not in arg: +- raise errors.RequirementError(name='method') +- if 'params' not in arg: +- raise errors.RequirementError(name='params') ++ self._validate_request(arg) + name = arg['method'] +- if (name not in self.api.Command or +- isinstance(self.api.Command[name], Local)): +- raise errors.CommandError(name=name) +- +- # If params are not formated as a tuple(list, dict) +- # the following lines will raise an exception +- # that triggers an internal server error +- # Raise a ConversionError instead to report the issue +- # to the client +- try: +- a, kw = arg['params'] +- newkw = dict((str(k), v) for k, v in kw.items()) +- params = api.Command[name].args_options_2_params( +- *a, **newkw) +- except (AttributeError, ValueError, TypeError): +- raise errors.ConversionError( +- name='params', +- error=_(u'must contain a tuple (list, dict)')) ++ a, kw = arg['params'] ++ newkw = dict((str(k), v) for k, v in kw.items()) ++ params = api.Command[name].args_options_2_params( ++ *a, **newkw) + newkw.setdefault('version', options['version']) + + result = api.Command[name](*a, **newkw) +@@ -133,8 +180,9 @@ class batch(Command): + ) + result['error']=None + except Exception as e: +- if isinstance(e, 
errors.RequirementError) or \ +- isinstance(e, errors.CommandError): ++ if (isinstance(e, errors.RequirementError) or ++ isinstance(e, errors.CommandError) or ++ isinstance(e, errors.ConversionError)): + logger.info( + '%s: batch: %s', + context.principal, # pylint: disable=no-member +-- +2.23.0 + diff --git a/SOURCES/9001-Update-ipa.css.patch b/SOURCES/9001-Update-ipa.css.patch deleted file mode 100644 index 8bd3498..0000000 --- a/SOURCES/9001-Update-ipa.css.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a82e5eb637463755642f88fe94badff85d6e50e5 Mon Sep 17 00:00:00 2001 -From: Alain Reguera Delgado -Date: Sat, 23 Nov 2019 18:42:41 -0300 -Subject: [PATCH 9001/9003] Update ipa.css - -- Previously, the CentOS logos doesn't look the same width than CentOS - logos in cockpit ui. So, when you change between them, a visual - difference affects calls the attention (are we using two different - branding?). In order to make these visual transition from one app to - another consistent, changed the logo width to look the same both in - cockpit and ipa ui. ---- - install/ui/ipa.css | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/install/ui/ipa.css b/install/ui/ipa.css -index 2921f43..e56caeb 100644 ---- a/install/ui/ipa.css -+++ b/install/ui/ipa.css -@@ -559,3 +559,8 @@ table.scrollable tbody { - font-weight: bold; - font-size: 1.1em; - } -+ -+/* --- CentOS Logo on the top-right corner --- */ -+#badge img { -+ width: 225px; -+} --- -2.23.0 - diff --git a/SOURCES/9002-Update-login.less.patch b/SOURCES/9002-Update-login.less.patch deleted file mode 100644 index 3c8c3fd..0000000 --- a/SOURCES/9002-Update-login.less.patch +++ /dev/null 
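Review bot: In the new `_repr_iter`, one malformed entry in a batch makes the `if exceptions:` fallback log the entire raw request via `super(batch, self)._repr_iter(**params)`, including the well-formed sibling commands whose passwords the per-command rendering just redacted; with debug logging enabled this reintroduces the CVE-2019-10195 exposure for every other entry of that batch. Log only the entries that failed validation by collecting them and handing just that list to the parent renderer (this assumes the base `Command._repr_iter` renders whatever params it is given, which is how the hunk already uses it). Separately, `_validate_request` resolves the command through `self.api.Command` for the existence check but through the module-level `api.Command` for `args_options_2_params`; using `self.api` in both places keeps both lookups on the same API instance. The `execute` method continues past the last hunk.

```python
def _repr_iter(self, **params):
    failed = []
    for arg in (params.get('methods', [])):
        try:
            self._validate_request(arg)
        except Exception:
            # redact this entry; keep it for the debug-only fallback below
            failed.append(arg)
            yield u'********'
            continue
        # … unchanged: per-command redacted rendering …

    if failed:
        logger.debug('batch: %s',
                     ', '.join(super(batch, self)._repr_iter(methods=failed)))
```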
@@ -1,39 +0,0 @@ -From 25aecc3b5de468ac3c9d1cf80681f2b6625eb50b Mon Sep 17 00:00:00 2001 -From: Alain Reguera Delgado -Date: Sat, 23 Nov 2019 18:46:38 -0300 -Subject: [PATCH 9002/9003] Update login.less - ---- - install/ui/less/login.less | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/install/ui/less/login.less b/install/ui/less/login.less -index 8996560..4c39bec 100644 ---- a/install/ui/less/login.less -+++ b/install/ui/less/login.less -@@ -26,7 +26,7 @@ - - .login-pf-body { - height: 100%; -- background: @login-bg-color url("@{img-path}/@{img-bg-login}") repeat-x 50% 0; -+ background: @login-bg-color url("@{img-path}/@{img-bg-login}") no-repeat 100% 0; - background-size: auto; - color: #fff; - -@@ -50,10 +50,10 @@ - // 768px = @screen-sm-min) - @media (min-width: 768px) { - .login-pf-body { -- background-size: 100% auto; -+ background-size: auto; - } - } - - @media (max-height: 300px) { - .reset-login-pf-height; --} -\ No newline at end of file -+} --- -2.23.0 - diff --git a/SOURCES/9003-Update-variables.less.patch b/SOURCES/9003-Update-variables.less.patch deleted file mode 100644 index 795cd01..0000000 --- a/SOURCES/9003-Update-variables.less.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 8e4746d4b697302b9573dd6f8b2e28f12ca6669b Mon Sep 17 00:00:00 2001 -From: Alain Reguera Delgado -Date: Sat, 23 Nov 2019 18:46:47 -0300 -Subject: [PATCH 9003/9003] Update variables.less - ---- - install/ui/less/variables.less | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/install/ui/less/variables.less b/install/ui/less/variables.less -index 5a7a3ea..ca63d0c 100644 ---- a/install/ui/less/variables.less -+++ b/install/ui/less/variables.less -@@ -1,5 +1,5 @@ - // FreeIPA Less Variables - - @img-path: '../images'; --@img-bg-login: 'login-screen-background.jpg'; --@login-bg-color: #25292d; -\ No newline at end of file -+@img-bg-login: 'login-screen-background.png'; -+@login-bg-color: #101010; --- -2.23.0 - 
diff --git a/SOURCES/system-logo-icon.png b/SOURCES/system-logo-icon.png deleted file mode 100644 index 6961083..0000000 Binary files a/SOURCES/system-logo-icon.png and /dev/null differ diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index bb85096..a09e435 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -135,7 +135,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 11%{?dist} +Release: 13%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -162,17 +162,12 @@ Patch0009: 0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OB Patch0010: 0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch Patch0011: 0011-adtrust-avoid-using-timestamp-in-klist-output_ed1c1626-rhbz#1750242.patch Patch0012: 0012-add-default-access-control-configuration-to-trusted-domain-objects_rhbz#1751707.patch +Patch0013: 0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch +Patch0014: 0014-CVE-2019-10195-and-CVE-2019-14867.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch # RHEL spec file only: END -# CentOS spec file only: START -Source9001: system-logo-icon.png -Patch9001: 9001-Update-ipa.css.patch -Patch9002: 9002-Update-login.less.patch -Patch9003: 9003-Update-variables.less.patch -# CentOS spec file only: END - # For the timestamp trick in patch application BuildRequires: diffstat @@ -787,11 +782,6 @@ done # product-name.png # RHEL spec file only: END -# CentOS spec file only: START -# Change favicon using CentOS logo -cp %{SOURCE9001} install/ui/favicon.ico -# CentOS spec file only: END - %build # RHEL spec file only: START autoreconf -i -f 
@@ -804,8 +794,7 @@ export PYTHON=%{__python3} %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} # run build in default dir # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 @@ -1406,8 +1395,15 @@ fi %changelog -* Tue Nov 05 2019 CentOS Sources - 4.8.0-11.el8.centos -- Apply debranding changes +* Tue Nov 26 2019 Alexander Bokovoy - 4.8.0-13 +- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() + Resolves: RHBZ#1767303 +- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch + Resolves: RHBZ#1728125 + +* Thu Nov 21 2019 Thomas Woerner - 4.8.0-12 +- Do not run trust upgrade code if master lacks Samba bindings + Resolves: RHBZ#1773516 * Mon Sep 23 2019 Thomas Woerner - 4.8.0-11 - Adtrust: avoid using timestamp in klist output
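Review bot: Dropping `--with-ipaplatform=rhel` from the `%configure` call leaves the ipaplatform selection to configure's autodetection, and neither the 4.8.0-12 nor the 4.8.0-13 changelog entry mentions it (both describe only the added patches), so this build-configuration change and the removal of the CentOS debranding sources are undocumented in the package history. If the autodetected platform on a build host differs from `rhel`, the resulting package may be built against a different platform module than the RHEL-only patches assume; I cannot tell from the spec what configure picks by default. Either keep the explicit `--with-ipaplatform=rhel`, or add a changelog line such as `- Drop CentOS debranding and the explicit --with-ipaplatform=rhel; rely on platform autodetection`.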