[Pkg-freeipa-devel] freeipa: Changes to 'master'

Timo Aaltonen tjaalton at moszumanska.debian.org
Fri Dec 2 23:04:24 UTC 2016


 debian/changelog                                        |    9 +
 debian/patches/fix-cve-2016-5404.diff                   |  109 +++++++++++++
 debian/patches/ipa-kdb-support-dal-version-5-and-6.diff |  125 ++++++++++++++++
 debian/patches/series                                   |    2 
 4 files changed, 245 insertions(+)

New commits:
commit 4445bc06ea008d504d2fb7e981f548f2ad4465b0
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Sat Dec 3 01:03:46 2016 +0200

    releasing package freeipa version 4.3.2-5

diff --git a/debian/changelog b/debian/changelog
index 63defe6..f0d4652 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
-freeipa (4.3.2-5) UNRELEASED; urgency=medium
+freeipa (4.3.2-5) unstable; urgency=medium
 
   * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
     - CVE-2016-5404
   * ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15.
     (Closes: #844114)
 
- -- Timo Aaltonen <tjaalton at debian.org>  Sat, 03 Dec 2016 00:45:19 +0200
+ -- Timo Aaltonen <tjaalton at debian.org>  Sat, 03 Dec 2016 01:02:40 +0200
 
 freeipa (4.3.2-4) unstable; urgency=medium
 

commit 991da87b90b876d861ddc3b01c0eb2ecb553ed6e
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Sat Dec 3 01:02:38 2016 +0200

    ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15. (Closes: #844114)

diff --git a/debian/changelog b/debian/changelog
index a6986cf..63defe6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ freeipa (4.3.2-5) UNRELEASED; urgency=medium
 
   * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
     - CVE-2016-5404
+  * ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15.
+    (Closes: #844114)
 
  -- Timo Aaltonen <tjaalton at debian.org>  Sat, 03 Dec 2016 00:45:19 +0200
 
diff --git a/debian/patches/ipa-kdb-support-dal-version-5-and-6.diff b/debian/patches/ipa-kdb-support-dal-version-5-and-6.diff
new file mode 100644
index 0000000..8805bb4
--- /dev/null
+++ b/debian/patches/ipa-kdb-support-dal-version-5-and-6.diff
@@ -0,0 +1,125 @@
+commit 2775042787be4ea236c0b99dd75337414e24b89d
+Author: Simo Sorce <simo at redhat.com>
+Date:   Tue Nov 1 15:13:14 2016 -0400
+
+    Support DAL version 5 and version 6
+    
+    https://fedorahosted.org/freeipa/ticket/6466
+    
+    Signed-off-by: Simo Sorce <simo at redhat.com>
+    Reviewed-By: Tomas Krizek <tkrizek at redhat.com>
+    Reviewed-By: Robbie Harwood <rharwood at redhat.com>
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index fbcb03b..e96353f 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -625,45 +625,69 @@ static void ipadb_free(krb5_context context, void *ptr)
+ 
+ /* KDB Virtual Table */
+ 
++#if KRB5_KDB_DAL_MAJOR_VERSION == 5
+ kdb_vftabl kdb_function_table = {
+-    KRB5_KDB_DAL_MAJOR_VERSION,         /* major version number */
+-    0,                                  /* minor version number */
+-    ipadb_init_library,                 /* init_library */
+-    ipadb_fini_library,                 /* fini_library */
+-    ipadb_init_module,                  /* init_module */
+-    ipadb_fini_module,                  /* fini_module */
+-    ipadb_create,                       /* create */
+-    NULL,                               /* destroy */
+-    ipadb_get_age,                      /* get_age */
+-    NULL,                               /* lock */
+-    NULL,                               /* unlock */
+-    ipadb_get_principal,                /* get_principal */
+-    ipadb_free_principal,               /* free_principal */
+-    ipadb_put_principal,                /* put_principal */
+-    ipadb_delete_principal,             /* delete_principal */
+-    ipadb_iterate,                      /* iterate */
+-    ipadb_create_pwd_policy,            /* create_policy */
+-    ipadb_get_pwd_policy,               /* get_policy */
+-    ipadb_put_pwd_policy,               /* put_policy */
+-    ipadb_iterate_pwd_policy,           /* iter_policy */
+-    ipadb_delete_pwd_policy,            /* delete_policy */
+-    ipadb_free_pwd_policy,              /* free_policy */
+-    ipadb_alloc,                        /* alloc */
+-    ipadb_free,                         /* free */
+-    ipadb_fetch_master_key,             /* fetch_master_key */
+-    NULL,                               /* fetch_master_key_list */
+-    ipadb_store_master_key_list,        /* store_master_key_list */
+-    NULL,                               /* dbe_search_enctype */
+-    ipadb_change_pwd,                   /* change_pwd */
+-    NULL,                               /* promote_db */
+-    NULL,                               /* decrypt_key_data */
+-    NULL,                               /* encrypt_key_data */
+-    ipadb_sign_authdata,                /* sign_authdata */
+-    ipadb_check_transited_realms,       /* check_transited_realms */
+-    ipadb_check_policy_as,              /* check_policy_as */
+-    NULL,                               /* check_policy_tgs */
+-    ipadb_audit_as_req,                 /* audit_as_req */
+-    NULL,                               /* refresh_config */
+-    ipadb_check_allowed_to_delegate     /* check_allowed_to_delegate */
++    .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
++    .min_ver = 0,
++    .init_library = ipadb_init_library,
++    .fini_library = ipadb_fini_library,
++    .init_module = ipadb_init_module,
++    .fini_module = ipadb_fini_module,
++    .create = ipadb_create,
++    .get_age = ipadb_get_age,
++    .get_principal = ipadb_get_principal,
++    .free_principal = ipadb_free_principal,
++    .put_principal = ipadb_put_principal,
++    .delete_principal = ipadb_delete_principal,
++    .iterate = ipadb_iterate,
++    .create_policy = ipadb_create_pwd_policy,
++    .get_policy = ipadb_get_pwd_policy,
++    .put_policy = ipadb_put_pwd_policy,
++    .iter_policy = ipadb_iterate_pwd_policy,
++    .delete_policy = ipadb_delete_pwd_policy,
++    .free_policy = ipadb_free_pwd_policy,
++    .alloc = ipadb_alloc,
++    .free = ipadb_free,
++    .fetch_master_key = ipadb_fetch_master_key,
++    .store_master_key_list = ipadb_store_master_key_list,
++    .change_pwd = ipadb_change_pwd,
++    .sign_authdata = ipadb_sign_authdata,
++    .check_transited_realms = ipadb_check_transited_realms,
++    .check_policy_as = ipadb_check_policy_as,
++    .audit_as_req = ipadb_audit_as_req,
++    .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
+ };
+ 
++#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
++kdb_vftabl kdb_function_table = {
++    .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
++    .min_ver = 0,
++    .init_library = ipadb_init_library,
++    .fini_library = ipadb_fini_library,
++    .init_module = ipadb_init_module,
++    .fini_module = ipadb_fini_module,
++    .create = ipadb_create,
++    .get_age = ipadb_get_age,
++    .get_principal = ipadb_get_principal,
++    .put_principal = ipadb_put_principal,
++    .delete_principal = ipadb_delete_principal,
++    .iterate = ipadb_iterate,
++    .create_policy = ipadb_create_pwd_policy,
++    .get_policy = ipadb_get_pwd_policy,
++    .put_policy = ipadb_put_pwd_policy,
++    .iter_policy = ipadb_iterate_pwd_policy,
++    .delete_policy = ipadb_delete_pwd_policy,
++    .fetch_master_key = ipadb_fetch_master_key,
++    .store_master_key_list = ipadb_store_master_key_list,
++    .change_pwd = ipadb_change_pwd,
++    .sign_authdata = ipadb_sign_authdata,
++    .check_transited_realms = ipadb_check_transited_realms,
++    .check_policy_as = ipadb_check_policy_as,
++    .audit_as_req = ipadb_audit_as_req,
++    .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
++};
++
++#else
++#error unsupported DAL major version
++#endif
++
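Review bot: The DAL 6 `kdb_function_table` leaves out `.free_principal`, `.free_policy`, `.alloc` and `.free` with no comment saying why. The inner hunk header shows `ipadb_free` is `static`, so a DAL 6 build leaves it (and presumably the other three callbacks) defined but unreferenced, which trips `-Wunused-function`. If the v6 `kdb_vftabl` simply no longer has those members, record that above the v6 table with `/* DAL 6 vtable has no alloc/free/free_principal/free_policy slots */` and wrap the unused definitions in `#if KRB5_KDB_DAL_MAJOR_VERSION == 5`. The callback definitions are outside this hunk, so please confirm that whatever `ipadb_free_principal` released per entry is still released on the v6 path, since a per-request leak in the KDC becomes memory exhaustion over time. The two tables differ only in those four fields, so one table with the four initializers under a single `#if` would avoid keeping two copies in sync.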
diff --git a/debian/patches/series b/debian/patches/series
index 5061160..5357bf8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
 # upstreamed
+ipa-kdb-support-dal-version-5-and-6.diff
 fix-cve-2016-5404.diff
 configure-apache-from-installer.diff
 

commit 5297224a8f93e5c441116473b4e92928d5448e75
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Sat Dec 3 00:46:03 2016 +0200

    fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)

diff --git a/debian/changelog b/debian/changelog
index c6abeb2..a6986cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+freeipa (4.3.2-5) UNRELEASED; urgency=medium
+
+  * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
+    - CVE-2016-5404
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Sat, 03 Dec 2016 00:45:19 +0200
+
 freeipa (4.3.2-4) unstable; urgency=medium
 
   * freeipa-client.post*: Use /var/log/ipaclient-upgrade.log instead of
diff --git a/debian/patches/fix-cve-2016-5404.diff b/debian/patches/fix-cve-2016-5404.diff
new file mode 100644
index 0000000..115bdb3
--- /dev/null
+++ b/debian/patches/fix-cve-2016-5404.diff
@@ -0,0 +1,109 @@
+commit 7eb1502863408d869dc2e706a5e194ad122997bf
+Author: Fraser Tweedale <ftweedal at redhat.com>
+Date:   Thu Jun 30 10:21:01 2016 +1000
+
+    cert-revoke: fix permission check bypass (CVE-2016-5404)
+    
+    The 'cert_revoke' command checks the 'revoke certificate'
+    permission, however, if an ACIError is raised, it then invokes the
+    'cert_show' command.  The rational was to re-use a "host manages
+    certificate" check that is part of the 'cert_show' command, however,
+    it is sufficient that 'cert_show' executes successfully for
+    'cert_revoke' to recover from the ACIError continue.  Therefore,
+    anyone with 'retrieve certificate' permission can revoke *any*
+    certificate and cause various kinds of DoS.
+    
+    Fix the problem by extracting the "host manages certificate" check
+    to its own method and explicitly calling it from 'cert_revoke'.
+    
+    Fixes: https://fedorahosted.org/freeipa/ticket/6232
+    Reviewed-By: Jan Cholasta <jcholast at redhat.com>
+
+diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
+index b4ea2fe..f257088 100644
+--- a/ipalib/plugins/cert.py
++++ b/ipalib/plugins/cert.py
+@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id):
+             )
+         )
+ 
++
++def bind_principal_can_manage_cert(cert):
++    """Check that the bind principal can manage the given cert.
++
++    ``cert``
++        An NSS certificate object.
++
++    """
++    bind_principal = getattr(context, 'principal')
++    if not bind_principal.startswith('host/'):
++        return False
++
++    hostname = get_host_from_principal(bind_principal)
++
++    # If we have a hostname we want to verify that the subject
++    # of the certificate matches it.
++    return hostname == cert.subject.common_name  #pylint: disable=E1101
++
++
+ @register()
+ class cert_request(VirtualCommand):
+     __doc__ = _('Submit a certificate signing request.')
+@@ -608,29 +627,23 @@ class cert_show(VirtualCommand):
+ 
+     def execute(self, serial_number, **options):
+         ca_enabled_check()
+-        hostname = None
++
++        result=self.Backend.ra.get_certificate(serial_number)
++        cert = x509.load_certificate(result['certificate'])
++
+         try:
+             self.check_access()
+         except errors.ACIError as acierr:
+             self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+-            bind_principal = getattr(context, 'principal')
+-            if not bind_principal.startswith('host/'):
+-                raise acierr
+-            hostname = get_host_from_principal(bind_principal)
++            if not bind_principal_can_manage_cert(cert):
++                raise acierr  # pylint: disable=E0702
+ 
+-        result=self.Backend.ra.get_certificate(serial_number)
+-        cert = x509.load_certificate(result['certificate'])
+         result['subject'] = unicode(cert.subject)
+         result['issuer'] = unicode(cert.issuer)
+         result['valid_not_before'] = unicode(cert.valid_not_before_str)
+         result['valid_not_after'] = unicode(cert.valid_not_after_str)
+         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
+         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+-        if hostname:
+-            # If we have a hostname we want to verify that the subject
+-            # of the certificate matches it, otherwise raise an error
+-            if hostname != cert.subject.common_name:    #pylint: disable=E1101
+-                raise acierr
+ 
+         return dict(result=result)
+ 
+@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand):
+ 
+     def execute(self, serial_number, **kw):
+         ca_enabled_check()
+-        hostname = None
+         try:
+             self.check_access()
+         except errors.ACIError as acierr:
+             self.debug("Not granted by ACI to revoke certificate, looking at principal")
+             try:
+-                # Let cert_show() handle verifying that the subject of the
+-                # cert we're dealing with matches the hostname in the principal
+                 result = api.Command['cert_show'](unicode(serial_number))['result']
++                cert = x509.load_certificate(result['certificate'])
++                if not bind_principal_can_manage_cert(cert):
++                    raise acierr
+             except errors.NotImplementedError:
+-                pass
++                raise acierr
+         revocation_reason = kw['revocation_reason']
+         if revocation_reason == 7:
+             raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason'))
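Review bot: In `cert_show.execute` the new code calls `self.Backend.ra.get_certificate(serial_number)` and `x509.load_certificate(...)` before `self.check_access()`, so a caller who will be denied still drives an RA lookup and a certificate parse. A lookup failure would presumably surface ahead of the `ACIError`, letting unauthorized callers tell existing serials from missing ones. Before this patch a non-host principal was rejected before the backend was touched. I would run `check_access()` first, re-raise at once for principals that do not start with `host/`, and apply `bind_principal_can_manage_cert(cert)` to the remembered denial only after the certificate is loaded, as sketched below. A regression test showing that a principal holding only 'retrieve certificate' cannot revoke a certificate it does not manage would also be worth shipping with the patch.

```python
    def execute(self, serial_number, **options):
        ca_enabled_check()

        # Authorize first; remember a denial so the host fallback can be
        # evaluated once the certificate is available.
        denied = None
        try:
            self.check_access()
        except errors.ACIError as acierr:
            self.debug("Not granted by ACI to retrieve certificate, looking at principal")
            # Only host principals have a fallback; reject everyone else
            # before touching the RA backend.
            if not getattr(context, 'principal').startswith('host/'):
                raise
            denied = acierr

        result = self.Backend.ra.get_certificate(serial_number)
        cert = x509.load_certificate(result['certificate'])
        if denied is not None and not bind_principal_can_manage_cert(cert):
            raise denied  # pylint: disable=E0702
        # … unchanged: result fields filled in from cert, return dict(result=result) …
```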
diff --git a/debian/patches/series b/debian/patches/series
index 16d988a..5061160 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
 # upstreamed
+fix-cve-2016-5404.diff
 configure-apache-from-installer.diff
 
 # not upstreamable


