diff --git a/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch b/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch
new file mode 100644
index 0000000..d6b5032
--- /dev/null
+++ b/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch
@@ -0,0 +1,31 @@
+From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Mon, 17 May 2021 17:39:50 -0500
+Subject: [PATCH] Fix permission for existing installation logs
+
+The spec file has been updated to remove world access
+from existing installation logs in /var/log/pki.
+
+Resolves: CVE-2021-3551
+---
+ pki.spec | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/pki.spec b/pki.spec
+index a9ea345d8f..64bfd4fe7d 100644
+--- a/pki.spec
++++ b/pki.spec
+@@ -991,6 +991,10 @@ fi
+ ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
+ ## PKI deployment process
+
++# CVE-2021-3551
++# Remove world access from existing installation logs
++find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
++
+ # Reload systemd daemons on upgrade only
+ if [ "$1" == "2" ]
+ then
+--
+2.30.2
+
diff --git a/SOURCES/0001-Fix-permission-for-new-installation-logs.patch b/SOURCES/0001-Fix-permission-for-new-installation-logs.patch
new file mode 100644
index 0000000..5f97ff3
--- /dev/null
+++ b/SOURCES/0001-Fix-permission-for-new-installation-logs.patch
@@ -0,0 +1,49 @@
+From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Mon, 17 May 2021 15:39:44 -0500
+Subject: [PATCH] Fix permission for new installation logs
+
+The enable_pki_logger() has been updated to disable
+world access for new installation logs to be created
+in /var/log/pki.
+
+Resolves: CVE-2021-3551
+---
+ .../python/pki/server/deployment/pkilogging.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py
+index 089a292559..0926173700 100644
+--- a/base/server/python/pki/server/deployment/pkilogging.py
++++ b/base/server/python/pki/server/deployment/pkilogging.py
+@@ -21,8 +21,12 @@
+ # System Imports
+ from __future__ import absolute_import
+ import logging
++import os
++import pathlib
+ import pprint
+
++import pki
++
+ sensitive_parameters = []
+
+ # Initialize 'pretty print' for objects
+@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name):
+ console_format = logging.Formatter('%(levelname)s: %(message)s')
+ console.setFormatter(console_format)
+
+- # Configure file handler
+- log_file = logging.FileHandler(filename, 'w')
++ # Create an empty file with the proper permission
++ pathlib.Path(filename).touch()
++ os.chmod(filename, pki.server.DEFAULT_FILE_MODE)
++
++ # Configure file handler with append mode to preserve the permission
++ log_file = logging.FileHandler(filename)
+ file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s',
+ '%Y-%m-%d %H:%M:%S')
+ log_file.setFormatter(file_format)
+--
+2.30.2
+
diff --git a/SOURCES/0001-Use-password-file-when-creating-admin-user.patch b/SOURCES/0001-Use-password-file-when-creating-admin-user.patch
new file mode 100644
index 0000000..f873dd3
--- /dev/null
+++ b/SOURCES/0001-Use-password-file-when-creating-admin-user.patch
@@ -0,0 +1,236 @@
+From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Mon, 17 May 2021 18:17:26 -0500
+Subject: [PATCH] Use password file when creating admin user
+
+The pki-server <subsystem>-user-add has been updated to
+provide a --password-file option. The deployment tool
+has been modified to use this option when creating the
+admin user to avoid the password from getting logged in
+the debug mode.
+
+Resolves: CVE-2021-3551
+---
+ base/server/python/pki/server/cli/user.py | 9 ++-
+ .../python/pki/server/deployment/__init__.py | 5 +-
+ base/server/python/pki/server/subsystem.py | 74 +++++++++++--------
+ .../server/cli/SubsystemUserAddCLI.java | 11 +++
+ 4 files changed, 66 insertions(+), 33 deletions(-)
+
+diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py
+index c00a1acb50..c5c8d52956 100644
+--- a/base/server/python/pki/server/cli/user.py
++++ b/base/server/python/pki/server/cli/user.py
+@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI):
+ print(' --full-name <full name> Full name')
+ print(' --email <email> Email')
+ print(' --password <password> Password')
++ print(' --password-file <path> Password file')
+ print(' --phone <phone> Phone')
+ print(' --type <type> Type')
+ print(' --state <state> State')
+@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI):
+ def execute(self, argv):
+ try:
+ opts, args = getopt.gnu_getopt(argv, 'i:v', [
+- 'instance=', 'full-name=', 'email=', 'password=',
++ 'instance=', 'full-name=', 'email=',
++ 'password=', 'password-file=',
+ 'phone=', 'type=', 'state=', 'tps-profiles=',
+ 'verbose', 'debug', 'help'])
+
+@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI):
+ full_name = None
+ email = None
+ password = None
++ password_file = None
+ phone = None
+ user_type = None
+ state = None
+@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI):
+ elif o == '--password':
+ password = a
+
++ elif o == '--password-file':
++ password_file = a
++
+ elif o == '--phone':
+ phone = a
+
+@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI):
+ full_name=full_name,
+ email=email,
+ password=password,
++ password_file=password_file,
+ phone=phone,
+ user_type=user_type,
+ tps_profiles=tps_profiles,
+diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
+index 347ab1acdd..6d5f083b47 100644
+--- a/base/server/python/pki/server/deployment/__init__.py
++++ b/base/server/python/pki/server/deployment/__init__.py
+@@ -373,6 +373,8 @@ class PKIDeployer:
+
+ response = client.setupAdmin(request)
+
++ # Run the command as current user such that
++ # it can read the temporary password file.
+ subsystem.add_user(
+ uid,
+ full_name=full_name,
+@@ -380,7 +382,8 @@ class PKIDeployer:
+ password=password,
+ user_type='adminType',
+ state='1',
+- tps_profiles=tps_profiles)
++ tps_profiles=tps_profiles,
++ as_current_user=True)
+
+ admin_groups = subsystem.config['preop.admin.group']
+ groups = [x.strip() for x in admin_groups.split(',')]
+diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
+index a3ed0c7f3a..41d8d67c2e 100644
+--- a/base/server/python/pki/server/subsystem.py
++++ b/base/server/python/pki/server/subsystem.py
+@@ -1335,54 +1335,66 @@ class PKISubsystem(object):
+ full_name=None,
+ email=None,
+ password=None,
++ password_file=None,
+ phone=None,
+ user_type=None,
+ state=None,
+ tps_profiles=None,
+ as_current_user=False):
+
+- cmd = [self.name + '-user-add']
++ tmpdir = tempfile.mkdtemp()
+
+- if full_name:
+- cmd.append('--full-name')
+- cmd.append(full_name)
++ try:
++ if password and not password_file:
++ password_file = os.path.join(tmpdir, 'password.txt')
++ with open(password_file, 'w') as f:
++ f.write(password)
+
+- if email:
+- cmd.append('--email')
+- cmd.append(email)
++ cmd = [self.name + '-user-add']
+
+- if password:
+- cmd.append('--password')
+- cmd.append(password)
++ if full_name:
++ cmd.append('--full-name')
++ cmd.append(full_name)
+
+- if phone:
+- cmd.append('--phone')
+- cmd.append(phone)
++ if email:
++ cmd.append('--email')
++ cmd.append(email)
+
+- if user_type:
+- cmd.append('--type')
+- cmd.append(user_type)
++ if password_file:
++ cmd.append('--password-file')
++ cmd.append(password_file)
+
+- if state:
+- cmd.append('--state')
+- cmd.append(state)
++ if phone:
++ cmd.append('--phone')
++ cmd.append(phone)
+
+- if tps_profiles:
+- cmd.append('--tps-profiles')
+- cmd.append(','.join(tps_profiles))
++ if user_type:
++ cmd.append('--type')
++ cmd.append(user_type)
+
+- if logger.isEnabledFor(logging.DEBUG):
+- cmd.append('--debug')
++ if state:
++ cmd.append('--state')
++ cmd.append(state)
+
+- elif logger.isEnabledFor(logging.INFO):
+- cmd.append('--verbose')
++ if tps_profiles:
++ cmd.append('--tps-profiles')
++ cmd.append(','.join(tps_profiles))
+
+- cmd.append(user_id)
++ if logger.isEnabledFor(logging.DEBUG):
++ cmd.append('--debug')
+
+- self.run(
+- cmd,
+- as_current_user=as_current_user,
+- capture_output=True)
++ elif logger.isEnabledFor(logging.INFO):
++ cmd.append('--verbose')
++
++ cmd.append(user_id)
++
++ self.run(
++ cmd,
++ as_current_user=as_current_user,
++ capture_output=True)
++
++ finally:
++ shutil.rmtree(tmpdir)
+
+ def modify_user(self, user_id, add_see_also=None, del_see_also=None,
+ as_current_user=False):
+diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
+index 5a385c359f..04d68de758 100644
+--- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
++++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
+@@ -6,6 +6,8 @@
+ package org.dogtagpki.server.cli;
+
+ import java.io.File;
++import java.nio.file.Files;
++import java.nio.file.Paths;
+ import java.util.Arrays;
+ import java.util.List;
+
+@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI {
+ option.setArgName("password");
+ options.addOption(option);
+
++ option = new Option(null, "password-file", true, "Password file");
++ option.setArgName("path");
++ options.addOption(option);
++
+ option = new Option(null, "phone", true, "Phone");
+ option.setArgName("phone");
+ options.addOption(option);
+@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI {
+
+ String email = cmd.getOptionValue("email");
+ String password = cmd.getOptionValue("password");
++ String passwordFile = cmd.getOptionValue("password-file");
+ String phone = cmd.getOptionValue("phone");
+ String type = cmd.getOptionValue("type");
+ String state = cmd.getOptionValue("state");
+ String tpsProfiles = cmd.getOptionValue("tps-profiles");
+
++ if (passwordFile != null) {
++ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim();
++ }
++
+ String catalinaBase = System.getProperty("catalina.base");
+
+ TomcatJSS tomcatjss = TomcatJSS.getInstance();
+--
+2.30.2
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 05309bb..7ff4063 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.10.5
-Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
+Release: 3%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -beta1
# To create a tarball from a version tag:
@@ -37,6 +37,9 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# [Errno 111] Connection refused -- Some packages may not be found!
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
Patch2: 0001-Fix-renewal-profile-approval-process.patch
+Patch3: 0001-Use-password-file-when-creating-admin-user.patch
+Patch4: 0001-Fix-permission-for-new-installation-logs.patch
+Patch5: 0001-Fix-permission-for-existing-installation-logs.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
@@ -1021,6 +1024,10 @@ fi
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
+# CVE-2021-3551
+# Remove world access from existing installation logs
+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
+
# Reload systemd daemons on upgrade only
if [ "$1" == "2" ]
then
@@ -1395,8 +1402,11 @@ fi
################################################################################
%changelog
+* Wed May 19 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-3
+- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
+
* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
-- Bug 1914396 - CVE-2021-20179 pki-core:10.6/pki-core: Unprivileged users can renew any certificate
+- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate
* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
- Rebase to PKI 10.10.5