fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)

2025-01-12 17:21:55 -06:00 · 2016-12-03 00:46:03 +02:00 · 2016-12-03 00:46:03 +02:00 · 5297224a8f
commit 5297224a8f
parent 1c49e3f02c
3 changed files with 117 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,10 @@
+freeipa (4.3.2-5) UNRELEASED; urgency=medium
+
+  * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
+    - CVE-2016-5404
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Sat, 03 Dec 2016 00:45:19 +0200
+
 freeipa (4.3.2-4) unstable; urgency=medium

  * freeipa-client.post*: Use /var/log/ipaclient-upgrade.log instead of
--- a/debian/patches/fix-cve-2016-5404.diff
+++ b/debian/patches/fix-cve-2016-5404.diff
@ -0,0 +1,109 @@
+commit 7eb1502863408d869dc2e706a5e194ad122997bf
+Author: Fraser Tweedale <ftweedal@redhat.com>
+Date:   Thu Jun 30 10:21:01 2016 +1000
+
+    cert-revoke: fix permission check bypass (CVE-2016-5404)
+    
+    The 'cert_revoke' command checks the 'revoke certificate'
+    permission, however, if an ACIError is raised, it then invokes the
+    'cert_show' command.  The rational was to re-use a "host manages
+    certificate" check that is part of the 'cert_show' command, however,
+    it is sufficient that 'cert_show' executes successfully for
+    'cert_revoke' to recover from the ACIError continue.  Therefore,
+    anyone with 'retrieve certificate' permission can revoke *any*
+    certificate and cause various kinds of DoS.
+    
+    Fix the problem by extracting the "host manages certificate" check
+    to its own method and explicitly calling it from 'cert_revoke'.
+    
+    Fixes: https://fedorahosted.org/freeipa/ticket/6232
+    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+
+diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
+index b4ea2fe..f257088 100644
+--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
+@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
+             )
+         )
+ 
+
+def bind_principal_can_manage_cert(cert):
+    """Check that the bind principal can manage the given cert.
+
+    ``cert``
+        An NSS certificate object.
+
+    """
+    bind_principal = getattr(context, 'principal')
+    if not bind_principal.startswith('host/'):
+        return False
+
+    hostname = get_host_from_principal(bind_principal)
+
+    # If we have a hostname we want to verify that the subject
+    # of the certificate matches it.
+    return hostname == cert.subject.common_name  #pylint: disable=E1101
+
+
+ @register()
+ class cert_request(VirtualCommand):
+     __doc__ = _('Submit a certificate signing request.')
+@@ -608,29 +627,23 @@ class cert_show(VirtualCommand):
+ 
+     def execute(self, serial_number, **options):
+         ca_enabled_check()
+-        hostname = None
+
+        result=self.Backend.ra.get_certificate(serial_number)
+        cert = x509.load_certificate(result['certificate'])
+
+         try:
+             self.check_access()
+         except errors.ACIError as acierr:
+             self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+-            bind_principal = getattr(context, 'principal')
+-            if not bind_principal.startswith('host/'):
+-                raise acierr
+-            hostname = get_host_from_principal(bind_principal)
+            if not bind_principal_can_manage_cert(cert):
+                raise acierr  # pylint: disable=E0702
+ 
+-        result=self.Backend.ra.get_certificate(serial_number)
+-        cert = x509.load_certificate(result['certificate'])
+         result['subject'] = unicode(cert.subject)
+         result['issuer'] = unicode(cert.issuer)
+         result['valid_not_before'] = unicode(cert.valid_not_before_str)
+         result['valid_not_after'] = unicode(cert.valid_not_after_str)
+         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
+         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+-        if hostname:
+-            # If we have a hostname we want to verify that the subject
+-            # of the certificate matches it, otherwise raise an error
+-            if hostname != cert.subject.common_name:    #pylint: disable=E1101
+-                raise acierr
+ 
+         return dict(result=result)
+ 
+@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand):
+ 
+     def execute(self, serial_number, **kw):
+         ca_enabled_check()
+-        hostname = None
+         try:
+             self.check_access()
+         except errors.ACIError as acierr:
+             self.debug("Not granted by ACI to revoke certificate, looking at principal")
+             try:
+-                # Let cert_show() handle verifying that the subject of the
+-                # cert we're dealing with matches the hostname in the principal
+                 result = api.Command['cert_show'](unicode(serial_number))['result']
+                cert = x509.load_certificate(result['certificate'])
+                if not bind_principal_can_manage_cert(cert):
+                    raise acierr
+             except errors.NotImplementedError:
+-                pass
+                raise acierr
+         revocation_reason = kw['revocation_reason']
+         if revocation_reason == 7:
+             raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,4 +1,5 @@
 # upstreamed
+fix-cve-2016-5404.diff
 configure-apache-from-installer.diff

 # not upstreamable