IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into master-next

Browse Source
This commit is contained in:
Timo Aaltonen
2016-12-03 01:05:42 +02:00
parent d1b501999f 4445bc06ea
commit 2189b630ec
4 changed files with 248 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
debian/changelog vendored
View File

@@ -27,6 +27,15 @@ freeipa (4.4.2-1) UNRELEASED; urgency=medium
-- Timo Aaltonen <tjaalton@debian.org> Thu, 01 Dec 2016 08:25:03 +0200
freeipa (4.3.2-5) unstable; urgency=medium
* fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
- CVE-2016-5404
* ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15.
(Closes: #844114)
-- Timo Aaltonen <tjaalton@debian.org> Sat, 03 Dec 2016 01:02:40 +0200
freeipa (4.3.2-4) unstable; urgency=medium
* freeipa-client.post*: Use /var/log/ipaclient-upgrade.log instead of

109
debian/patches/fix-cve-2016-5404.diff vendored Normal file
View File

@@ -0,0 +1,109 @@
commit 7eb1502863408d869dc2e706a5e194ad122997bf
Author: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu Jun 30 10:21:01 2016 +1000
cert-revoke: fix permission check bypass (CVE-2016-5404)
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command. The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue. Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.
Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.
Fixes: https://fedorahosted.org/freeipa/ticket/6232
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index b4ea2fe..f257088 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
)
)
+
+def bind_principal_can_manage_cert(cert):
+ """Check that the bind principal can manage the given cert.
+
+ ``cert``
+ An NSS certificate object.
+
+ """
+ bind_principal = getattr(context, 'principal')
+ if not bind_principal.startswith('host/'):
+ return False
+
+ hostname = get_host_from_principal(bind_principal)
+
+ # If we have a hostname we want to verify that the subject
+ # of the certificate matches it.
+ return hostname == cert.subject.common_name #pylint: disable=E1101
+
+
@register()
class cert_request(VirtualCommand):
__doc__ = _('Submit a certificate signing request.')
@@ -608,29 +627,23 @@ class cert_show(VirtualCommand):
def execute(self, serial_number, **options):
ca_enabled_check()
- hostname = None
+
+ result=self.Backend.ra.get_certificate(serial_number)
+ cert = x509.load_certificate(result['certificate'])
+
try:
self.check_access()
except errors.ACIError as acierr:
self.debug("Not granted by ACI to retrieve certificate, looking at principal")
- bind_principal = getattr(context, 'principal')
- if not bind_principal.startswith('host/'):
- raise acierr
- hostname = get_host_from_principal(bind_principal)
+ if not bind_principal_can_manage_cert(cert):
+ raise acierr # pylint: disable=E0702
- result=self.Backend.ra.get_certificate(serial_number)
- cert = x509.load_certificate(result['certificate'])
result['subject'] = unicode(cert.subject)
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
- if hostname:
- # If we have a hostname we want to verify that the subject
- # of the certificate matches it, otherwise raise an error
- if hostname != cert.subject.common_name: #pylint: disable=E1101
- raise acierr
return dict(result=result)
@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand):
def execute(self, serial_number, **kw):
ca_enabled_check()
- hostname = None
try:
self.check_access()
except errors.ACIError as acierr:
self.debug("Not granted by ACI to revoke certificate, looking at principal")
try:
- # Let cert_show() handle verifying that the subject of the
- # cert we're dealing with matches the hostname in the principal
result = api.Command['cert_show'](unicode(serial_number))['result']
+ cert = x509.load_certificate(result['certificate'])
+ if not bind_principal_can_manage_cert(cert):
+ raise acierr
except errors.NotImplementedError:
- pass
+ raise acierr
revocation_reason = kw['revocation_reason']
if revocation_reason == 7:
raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))

125
debian/patches/ipa-kdb-support-dal-version-5-and-6.diff vendored Normal file
View File

@@ -0,0 +1,125 @@
commit 2775042787be4ea236c0b99dd75337414e24b89d
Author: Simo Sorce <simo@redhat.com>
Date: Tue Nov 1 15:13:14 2016 -0400
Support DAL version 5 and version 6
https://fedorahosted.org/freeipa/ticket/6466
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fbcb03b..e96353f 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,45 +625,69 @@ static void ipadb_free(krb5_context context, void *ptr)
/* KDB Virtual Table */
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
kdb_vftabl kdb_function_table = {
- KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
- 0, /* minor version number */
- ipadb_init_library, /* init_library */
- ipadb_fini_library, /* fini_library */
- ipadb_init_module, /* init_module */
- ipadb_fini_module, /* fini_module */
- ipadb_create, /* create */
- NULL, /* destroy */
- ipadb_get_age, /* get_age */
- NULL, /* lock */
- NULL, /* unlock */
- ipadb_get_principal, /* get_principal */
- ipadb_free_principal, /* free_principal */
- ipadb_put_principal, /* put_principal */
- ipadb_delete_principal, /* delete_principal */
- ipadb_iterate, /* iterate */
- ipadb_create_pwd_policy, /* create_policy */
- ipadb_get_pwd_policy, /* get_policy */
- ipadb_put_pwd_policy, /* put_policy */
- ipadb_iterate_pwd_policy, /* iter_policy */
- ipadb_delete_pwd_policy, /* delete_policy */
- ipadb_free_pwd_policy, /* free_policy */
- ipadb_alloc, /* alloc */
- ipadb_free, /* free */
- ipadb_fetch_master_key, /* fetch_master_key */
- NULL, /* fetch_master_key_list */
- ipadb_store_master_key_list, /* store_master_key_list */
- NULL, /* dbe_search_enctype */
- ipadb_change_pwd, /* change_pwd */
- NULL, /* promote_db */
- NULL, /* decrypt_key_data */
- NULL, /* encrypt_key_data */
- ipadb_sign_authdata, /* sign_authdata */
- ipadb_check_transited_realms, /* check_transited_realms */
- ipadb_check_policy_as, /* check_policy_as */
- NULL, /* check_policy_tgs */
- ipadb_audit_as_req, /* audit_as_req */
- NULL, /* refresh_config */
- ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+ .min_ver = 0,
+ .init_library = ipadb_init_library,
+ .fini_library = ipadb_fini_library,
+ .init_module = ipadb_init_module,
+ .fini_module = ipadb_fini_module,
+ .create = ipadb_create,
+ .get_age = ipadb_get_age,
+ .get_principal = ipadb_get_principal,
+ .free_principal = ipadb_free_principal,
+ .put_principal = ipadb_put_principal,
+ .delete_principal = ipadb_delete_principal,
+ .iterate = ipadb_iterate,
+ .create_policy = ipadb_create_pwd_policy,
+ .get_policy = ipadb_get_pwd_policy,
+ .put_policy = ipadb_put_pwd_policy,
+ .iter_policy = ipadb_iterate_pwd_policy,
+ .delete_policy = ipadb_delete_pwd_policy,
+ .free_policy = ipadb_free_pwd_policy,
+ .alloc = ipadb_alloc,
+ .free = ipadb_free,
+ .fetch_master_key = ipadb_fetch_master_key,
+ .store_master_key_list = ipadb_store_master_key_list,
+ .change_pwd = ipadb_change_pwd,
+ .sign_authdata = ipadb_sign_authdata,
+ .check_transited_realms = ipadb_check_transited_realms,
+ .check_policy_as = ipadb_check_policy_as,
+ .audit_as_req = ipadb_audit_as_req,
+ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
};
+#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+kdb_vftabl kdb_function_table = {
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+ .min_ver = 0,
+ .init_library = ipadb_init_library,
+ .fini_library = ipadb_fini_library,
+ .init_module = ipadb_init_module,
+ .fini_module = ipadb_fini_module,
+ .create = ipadb_create,
+ .get_age = ipadb_get_age,
+ .get_principal = ipadb_get_principal,
+ .put_principal = ipadb_put_principal,
+ .delete_principal = ipadb_delete_principal,
+ .iterate = ipadb_iterate,
+ .create_policy = ipadb_create_pwd_policy,
+ .get_policy = ipadb_get_pwd_policy,
+ .put_policy = ipadb_put_pwd_policy,
+ .iter_policy = ipadb_iterate_pwd_policy,
+ .delete_policy = ipadb_delete_pwd_policy,
+ .fetch_master_key = ipadb_fetch_master_key,
+ .store_master_key_list = ipadb_store_master_key_list,
+ .change_pwd = ipadb_change_pwd,
+ .sign_authdata = ipadb_sign_authdata,
+ .check_transited_realms = ipadb_check_transited_realms,
+ .check_policy_as = ipadb_check_policy_as,
+ .audit_as_req = ipadb_audit_as_req,
+ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
+};
+
+#else
+#error unsupported DAL major version
+#endif
+

5
debian/patches/series vendored
View File

@@ -1,3 +1,8 @@
# upstreamed
ipa-kdb-support-dal-version-5-and-6.diff
fix-cve-2016-5404.diff
configure-apache-from-installer.diff
# not upstreamable
prefix.patch
hack-libarch.diff