4.4.3-7

- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands
2017-02-27 14:21:48 +01:00 · 2017-02-27 14:21:48 +01:00 · 09bdd29080
commit 09bdd29080
parent 3f4b03b412
2 changed files with 66 additions and 1 deletions
--- a/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+++ b/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
@ -0,0 +1,60 @@
+From e9840aee2b1290db7f0f8ec785b338b17d57b569 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 13 Jan 2017 20:33:45 +1000
+Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
+
+CAs consist of a FreeIPA and a corresponding Dogtag object.  When
+executing ca-del, ca-enable and ca-disable, changes are made to the
+Dogtag object.  In the case of ca-del, the corresponding FreeIPA
+object is deleted after the Dogtag CA is deleted.
+
+These operations were not correctly authorised; the FreeIPA
+permissions are not checked before the Dogtag operations are
+executed.  This allows any user to delete, enable or disable a
+lightweight CA (except the main IPA CA, for which there are
+additional check to prevent deletion or disablement).
+
+Add the proper authorisation checks to the ca-del, ca-enable and
+ca-disable commands.
+---
+ ipaserver/plugins/ca.py | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
+index d9ae8c81fdca51cbfee34e83cbb9ca6873ebad0b..227b08e0e1e9f7f48c4133da77093d58559562d9 100644
+--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
+@@ -213,6 +213,12 @@ class ca_del(LDAPDelete):
+     def pre_callback(self, ldap, dn, *keys, **options):
+         ca_enabled_check()
+ 
+        # ensure operator has permission to delete CA
+        # before contacting Dogtag
+        if not ldap.can_delete(dn):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to delete a CA."))
+
+         if keys[0] == IPA_CA_CN:
+             raise errors.ProtectedEntryError(
+                 label=_("CA"),
+@@ -251,9 +257,15 @@ class CAQuery(LDAPQuery):
+     def execute(self, cn, **options):
+         ca_enabled_check()
+ 
+-        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        ca_obj = self.api.Command.ca_show(cn)['result']
+
+        # ensure operator has permission to modify CAs
+        if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to modify a CA."))
+
+         with self.api.Backend.ra_lightweight_ca as ca_api:
+-            self.perform_action(ca_api, ca_id)
+            self.perform_action(ca_api, ca_obj['ipacaid'][0])
+ 
+         return dict(
+             result=True,
+-- 
+2.9.3
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -38,7 +38,7 @@

 Name:           freeipa
 Version:        %{VERSION}
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -51,6 +51,7 @@ Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
 Patch0002:      0002-Support-DAL-version-5-and-version-6.patch
 Patch0003:      0003-bind-dyndb-ldap-DNS-fixes.patch
 Patch0004:      0004-ipa-kdb-support-KDB-DAL-version-6.1.patch
+Patch0005:      0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch

 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.5.6
@ -1480,6 +1481,10 @@ fi
 %endif # ONLY_CLIENT

 %changelog
+* Mon Feb 27 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.3-7
+- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for
+  ca-del, ca-disable and ca-enable commands
+
 * Mon Feb 27 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.3-6
 - Rebuild to pick up system-python dependency change
 - Fixes #1426847 - Cannot upgrade freeipa-client on rawhide