[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 3 commits: CVE-2019-14867: Make sure to have storage space for tag
Timo Aaltonen
gitlab at salsa.debian.org
Tue Nov 26 18:51:01 GMT 2019
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa
Commits:
e11e73ab by Simo Sorce at 2019-11-26T13:08:31Z
CVE-2019-14867: Make sure to have storage space for tag
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.
It's also possible for unprivileged end users to trigger parsing of the
krbPrincipalKey.
Fixes #8071: CVE-2019-14867
Reported by Todd Lipcon from Cloudera
Signed-off-by: Simo Sorce <simo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit d2e0d94521893bc5f002a335a8c0b99601e1afd6)
- - - - -
39120fa9 by Rob Crittenden at 2019-11-26T13:14:17Z
CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
A raw batch request was fully logged which could expose parameters
we don't want logged, like passwords.
Override _repr_iter to use the individual commands to log the
values so that values are properly obscured.
In case of errors log the full value on when the server is in
debug mode.
Reported by Jamison Bennett from Cloudera
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-by: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4a0017df by Alexander Bokovoy at 2019-11-26T13:23:17Z
Become FreeIPA 4.8.3
- - - - -
3 changed files:
- VERSION.m4
- ipaserver/plugins/batch.py
- util/ipa_krb5.c
Changes:
=====================================
VERSION.m4
=====================================
@@ -21,7 +21,7 @@
########################################################
define(IPA_VERSION_MAJOR, 4)
define(IPA_VERSION_MINOR, 8)
-define(IPA_VERSION_RELEASE, 2)
+define(IPA_VERSION_RELEASE, 3)
########################################################
# For 'pre' releases the version will be #
=====================================
ipaserver/plugins/batch.py
=====================================
@@ -93,35 +93,82 @@ class batch(Command):
Output('results', (list, tuple), doc='')
)
+ def _validate_request(self, request):
+ """
+ Check that an individual request in a batch is parseable and the
+ commands exists.
+ """
+ if 'method' not in request:
+ raise errors.RequirementError(name='method')
+ if 'params' not in request:
+ raise errors.RequirementError(name='params')
+ name = request['method']
+ if (name not in self.api.Command or
+ isinstance(self.api.Command[name], Local)):
+ raise errors.CommandError(name=name)
+
+ # If params are not formated as a tuple(list, dict)
+ # the following lines will raise an exception
+ # that triggers an internal server error
+ # Raise a ConversionError instead to report the issue
+ # to the client
+ try:
+ a, kw = request['params']
+ newkw = dict((str(k), v) for k, v in kw.items())
+ api.Command[name].args_options_2_params(*a, **newkw)
+ except (AttributeError, ValueError, TypeError):
+ raise errors.ConversionError(
+ name='params',
+ error=_(u'must contain a tuple (list, dict)'))
+ except Exception as e:
+ raise errors.ConversionError(
+ name='params',
+ error=str(e))
+
+ def _repr_iter(self, **params):
+ """
+ Iterate through the request and use the Command _repr_intr so
+ that sensitive information (passwords) is not exposed.
+
+ In case of a malformatted request redact the entire thing.
+ """
+ exceptions = False
+ for arg in (params.get('methods', [])):
+ try:
+ self._validate_request(arg)
+ except Exception:
+ # redact the whole request since we don't know what's in it
+ exceptions = True
+ yield u'********'
+ continue
+
+ name = arg['method']
+ a, kw = arg['params']
+ newkw = dict((str(k), v) for k, v in kw.items())
+ param = api.Command[name].args_options_2_params(
+ *a, **newkw)
+
+ yield '{}({})'.format(
+ api.Command[name].name,
+ ', '.join(api.Command[name]._repr_iter(**param))
+ )
+
+ if exceptions:
+ logger.debug('batch: %s',
+ ', '.join(super(batch, self)._repr_iter(**params)))
+
def execute(self, methods=None, **options):
results = []
for arg in (methods or []):
params = dict()
name = None
try:
- if 'method' not in arg:
- raise errors.RequirementError(name='method')
- if 'params' not in arg:
- raise errors.RequirementError(name='params')
+ self._validate_request(arg)
name = arg['method']
- if (name not in self.api.Command or
- isinstance(self.api.Command[name], Local)):
- raise errors.CommandError(name=name)
-
- # If params are not formated as a tuple(list, dict)
- # the following lines will raise an exception
- # that triggers an internal server error
- # Raise a ConversionError instead to report the issue
- # to the client
- try:
- a, kw = arg['params']
- newkw = dict((str(k), v) for k, v in kw.items())
- params = api.Command[name].args_options_2_params(
- *a, **newkw)
- except (AttributeError, ValueError, TypeError):
- raise errors.ConversionError(
- name='params',
- error=_(u'must contain a tuple (list, dict)'))
+ a, kw = arg['params']
+ newkw = dict((str(k), v) for k, v in kw.items())
+ params = api.Command[name].args_options_2_params(
+ *a, **newkw)
newkw.setdefault('version', options['version'])
result = api.Command[name](*a, **newkw)
@@ -133,8 +180,9 @@ class batch(Command):
)
result['error']=None
except Exception as e:
- if isinstance(e, errors.RequirementError) or \
- isinstance(e, errors.CommandError):
+ if (isinstance(e, errors.RequirementError) or
+ isinstance(e, errors.CommandError) or
+ isinstance(e, errors.ConversionError)):
logger.info(
'%s: batch: %s',
context.principal, # pylint: disable=no-member
=====================================
util/ipa_krb5.c
=====================================
@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
retag = ber_peek_tag(be, &setlen);
if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
/* not supported yet, skip */
- retag = ber_scanf(be, "t[x]}");
+ retag = ber_scanf(be, "t[x]}", &tag);
} else {
retag = ber_scanf(be, "}");
}
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/9dfce7a69c83067f30a31ed9b24c4e9aed51c849...4a0017dfdb272f042e12d30c97a5e21dbc0f6624
--
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/9dfce7a69c83067f30a31ed9b24c4e9aed51c849...4a0017dfdb272f042e12d30c97a5e21dbc0f6624
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20191126/4bcbc871/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list