From 34ae418c2af76642d6ed76fe658da90c7201b516 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 03 2021 07:55:03 +0000 Subject: import pki-core-10.10.5-3.module+el8.4.0+11039+635979e4 --- diff --git a/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch b/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch new file mode 100644 index 0000000..d6b5032 --- /dev/null +++ b/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch @@ -0,0 +1,31 @@ +From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 17 May 2021 17:39:50 -0500 +Subject: [PATCH] Fix permission for existing installation logs + +The spec file has been updated to remove world access +from existing installation logs in /var/log/pki. + +Resolves: CVE-2021-3551 +--- + pki.spec | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/pki.spec b/pki.spec +index a9ea345d8f..64bfd4fe7d 100644 +--- a/pki.spec ++++ b/pki.spec +@@ -991,6 +991,10 @@ fi + ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new + ## PKI deployment process + ++# CVE-2021-3551 ++# Remove world access from existing installation logs ++find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; ++ + # Reload systemd daemons on upgrade only + if [ "$1" == "2" ] + then +-- +2.30.2 + diff --git a/SOURCES/0001-Fix-permission-for-new-installation-logs.patch b/SOURCES/0001-Fix-permission-for-new-installation-logs.patch new file mode 100644 index 0000000..5f97ff3 --- /dev/null +++ b/SOURCES/0001-Fix-permission-for-new-installation-logs.patch @@ -0,0 +1,49 @@ +From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 17 May 2021 15:39:44 -0500 +Subject: [PATCH] Fix permission for new installation logs + +The enable_pki_logger() has been updated to disable +world access for new installation logs to be created +in /var/log/pki. + +Resolves: CVE-2021-3551 +--- + .../python/pki/server/deployment/pkilogging.py | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py +index 089a292559..0926173700 100644 +--- a/base/server/python/pki/server/deployment/pkilogging.py ++++ b/base/server/python/pki/server/deployment/pkilogging.py +@@ -21,8 +21,12 @@ + # System Imports + from __future__ import absolute_import + import logging ++import os ++import pathlib + import pprint + ++import pki ++ + sensitive_parameters = [] + + # Initialize 'pretty print' for objects +@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name): + console_format = logging.Formatter('%(levelname)s: %(message)s') + console.setFormatter(console_format) + +- # Configure file handler +- log_file = logging.FileHandler(filename, 'w') ++ # Create an empty file with the proper permission ++ pathlib.Path(filename).touch() ++ os.chmod(filename, pki.server.DEFAULT_FILE_MODE) ++ ++ # Configure file handler with append mode to preserve the permission ++ log_file = logging.FileHandler(filename) + file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s', + '%Y-%m-%d %H:%M:%S') + log_file.setFormatter(file_format) +-- +2.30.2 + diff --git a/SOURCES/0001-Use-password-file-when-creating-admin-user.patch b/SOURCES/0001-Use-password-file-when-creating-admin-user.patch new file mode 100644 index 0000000..f873dd3 --- /dev/null +++ b/SOURCES/0001-Use-password-file-when-creating-admin-user.patch @@ -0,0 +1,236 @@ +From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 17 May 2021 18:17:26 -0500 +Subject: [PATCH] Use password file when creating admin user + +The pki-server -user-add has been updated to +provide a --password-file option. The deployment tool +has been modified to use this option when creating the +admin user to avoid the password from getting logged in +the debug mode. + +Resolves: CVE-2021-3551 +--- + base/server/python/pki/server/cli/user.py | 9 ++- + .../python/pki/server/deployment/__init__.py | 5 +- + base/server/python/pki/server/subsystem.py | 74 +++++++++++-------- + .../server/cli/SubsystemUserAddCLI.java | 11 +++ + 4 files changed, 66 insertions(+), 33 deletions(-) + +diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py +index c00a1acb50..c5c8d52956 100644 +--- a/base/server/python/pki/server/cli/user.py ++++ b/base/server/python/pki/server/cli/user.py +@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI): + print(' --full-name Full name') + print(' --email Email') + print(' --password Password') ++ print(' --password-file Password file') + print(' --phone Phone') + print(' --type Type') + print(' --state State') +@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI): + def execute(self, argv): + try: + opts, args = getopt.gnu_getopt(argv, 'i:v', [ +- 'instance=', 'full-name=', 'email=', 'password=', ++ 'instance=', 'full-name=', 'email=', ++ 'password=', 'password-file=', + 'phone=', 'type=', 'state=', 'tps-profiles=', + 'verbose', 'debug', 'help']) + +@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI): + full_name = None + email = None + password = None ++ password_file = None + phone = None + user_type = None + state = None +@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI): + elif o == '--password': + password = a + ++ elif o == '--password-file': ++ password_file = a ++ + elif o == '--phone': + phone = a + +@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI): + full_name=full_name, + email=email, + password=password, ++ password_file=password_file, + phone=phone, + user_type=user_type, + tps_profiles=tps_profiles, +diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py +index 347ab1acdd..6d5f083b47 100644 +--- a/base/server/python/pki/server/deployment/__init__.py ++++ b/base/server/python/pki/server/deployment/__init__.py +@@ -373,6 +373,8 @@ class PKIDeployer: + + response = client.setupAdmin(request) + ++ # Run the command as current user such that ++ # it can read the temporary password file. + subsystem.add_user( + uid, + full_name=full_name, +@@ -380,7 +382,8 @@ class PKIDeployer: + password=password, + user_type='adminType', + state='1', +- tps_profiles=tps_profiles) ++ tps_profiles=tps_profiles, ++ as_current_user=True) + + admin_groups = subsystem.config['preop.admin.group'] + groups = [x.strip() for x in admin_groups.split(',')] +diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py +index a3ed0c7f3a..41d8d67c2e 100644 +--- a/base/server/python/pki/server/subsystem.py ++++ b/base/server/python/pki/server/subsystem.py +@@ -1335,54 +1335,66 @@ class PKISubsystem(object): + full_name=None, + email=None, + password=None, ++ password_file=None, + phone=None, + user_type=None, + state=None, + tps_profiles=None, + as_current_user=False): + +- cmd = [self.name + '-user-add'] ++ tmpdir = tempfile.mkdtemp() + +- if full_name: +- cmd.append('--full-name') +- cmd.append(full_name) ++ try: ++ if password and not password_file: ++ password_file = os.path.join(tmpdir, 'password.txt') ++ with open(password_file, 'w') as f: ++ f.write(password) + +- if email: +- cmd.append('--email') +- cmd.append(email) ++ cmd = [self.name + '-user-add'] + +- if password: +- cmd.append('--password') +- cmd.append(password) ++ if full_name: ++ cmd.append('--full-name') ++ cmd.append(full_name) + +- if phone: +- cmd.append('--phone') +- cmd.append(phone) ++ if email: ++ cmd.append('--email') ++ cmd.append(email) + +- if user_type: +- cmd.append('--type') +- cmd.append(user_type) ++ if password_file: ++ cmd.append('--password-file') ++ cmd.append(password_file) + +- if state: +- cmd.append('--state') +- cmd.append(state) ++ if phone: ++ cmd.append('--phone') ++ cmd.append(phone) + +- if tps_profiles: +- cmd.append('--tps-profiles') +- cmd.append(','.join(tps_profiles)) ++ if user_type: ++ cmd.append('--type') ++ cmd.append(user_type) + +- if logger.isEnabledFor(logging.DEBUG): +- cmd.append('--debug') ++ if state: ++ cmd.append('--state') ++ cmd.append(state) + +- elif logger.isEnabledFor(logging.INFO): +- cmd.append('--verbose') ++ if tps_profiles: ++ cmd.append('--tps-profiles') ++ cmd.append(','.join(tps_profiles)) + +- cmd.append(user_id) ++ if logger.isEnabledFor(logging.DEBUG): ++ cmd.append('--debug') + +- self.run( +- cmd, +- as_current_user=as_current_user, +- capture_output=True) ++ elif logger.isEnabledFor(logging.INFO): ++ cmd.append('--verbose') ++ ++ cmd.append(user_id) ++ ++ self.run( ++ cmd, ++ as_current_user=as_current_user, ++ capture_output=True) ++ ++ finally: ++ shutil.rmtree(tmpdir) + + def modify_user(self, user_id, add_see_also=None, del_see_also=None, + as_current_user=False): +diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java +index 5a385c359f..04d68de758 100644 +--- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java ++++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java +@@ -6,6 +6,8 @@ + package org.dogtagpki.server.cli; + + import java.io.File; ++import java.nio.file.Files; ++import java.nio.file.Paths; + import java.util.Arrays; + import java.util.List; + +@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI { + option.setArgName("password"); + options.addOption(option); + ++ option = new Option(null, "password-file", true, "Password file"); ++ option.setArgName("path"); ++ options.addOption(option); ++ + option = new Option(null, "phone", true, "Phone"); + option.setArgName("phone"); + options.addOption(option); +@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI { + + String email = cmd.getOptionValue("email"); + String password = cmd.getOptionValue("password"); ++ String passwordFile = cmd.getOptionValue("password-file"); + String phone = cmd.getOptionValue("phone"); + String type = cmd.getOptionValue("type"); + String state = cmd.getOptionValue("state"); + String tpsProfiles = cmd.getOptionValue("tps-profiles"); + ++ if (passwordFile != null) { ++ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim(); ++ } ++ + String catalinaBase = System.getProperty("catalina.base"); + + TomcatJSS tomcatjss = TomcatJSS.getInstance(); +-- +2.30.2 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 05309bb..7ff4063 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. Version: 10.10.5 -Release: 2%{?_timestamp}%{?_commit_id}%{?dist} +Release: 3%{?_timestamp}%{?_commit_id}%{?dist} #global _phase -beta1 # To create a tarball from a version tag: @@ -37,6 +37,9 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # [Errno 111] Connection refused -- Some packages may not be found! Patch1: 0001-Removed-dependency-on-pytest-runner.patch Patch2: 0001-Fix-renewal-profile-approval-process.patch +Patch3: 0001-Use-password-file-when-creating-admin-user.patch +Patch4: 0001-Fix-permission-for-new-installation-logs.patch +Patch5: 0001-Fix-permission-for-existing-installation-logs.patch # md2man isn't available on i686. Additionally, we aren't generally multi-lib # compatible (https://fedoraproject.org/wiki/Packaging:Java) @@ -1021,6 +1024,10 @@ fi ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new ## PKI deployment process +# CVE-2021-3551 +# Remove world access from existing installation logs +find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; + # Reload systemd daemons on upgrade only if [ "$1" == "2" ] then @@ -1395,8 +1402,11 @@ fi ################################################################################ %changelog +* Wed May 19 2021 Red Hat PKI Team 10.10.5-3 +- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file + * Tue Mar 23 2021 Red Hat PKI Team 10.10.5-2 -- Bug 1914396 - CVE-2021-20179 pki-core:10.6/pki-core: Unprivileged users can renew any certificate +- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate * Tue Feb 23 2021 Red Hat PKI Team 10.10.5-1 - Rebase to PKI 10.10.5