diff --git a/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch new file mode 100644 index 0000000..bc809f7 --- /dev/null +++ b/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch @@ -0,0 +1,60 @@ +From e9840aee2b1290db7f0f8ec785b338b17d57b569 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 13 Jan 2017 20:33:45 +1000 +Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable + +CAs consist of a FreeIPA and a corresponding Dogtag object. When +executing ca-del, ca-enable and ca-disable, changes are made to the +Dogtag object. In the case of ca-del, the corresponding FreeIPA +object is deleted after the Dogtag CA is deleted. + +These operations were not correctly authorised; the FreeIPA +permissions are not checked before the Dogtag operations are +executed. This allows any user to delete, enable or disable a +lightweight CA (except the main IPA CA, for which there are +additional check to prevent deletion or disablement). + +Add the proper authorisation checks to the ca-del, ca-enable and +ca-disable commands. +--- + ipaserver/plugins/ca.py | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py +index d9ae8c81fdca51cbfee34e83cbb9ca6873ebad0b..227b08e0e1e9f7f48c4133da77093d58559562d9 100644 +--- a/ipaserver/plugins/ca.py ++++ b/ipaserver/plugins/ca.py +@@ -213,6 +213,12 @@ class ca_del(LDAPDelete): + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + ++ # ensure operator has permission to delete CA ++ # before contacting Dogtag ++ if not ldap.can_delete(dn): ++ raise errors.ACIError(info=_( ++ "Insufficient privilege to delete a CA.")) ++ + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), +@@ -251,9 +257,15 @@ class CAQuery(LDAPQuery): + def execute(self, cn, **options): + ca_enabled_check() + +- ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0] ++ ca_obj = self.api.Command.ca_show(cn)['result'] ++ ++ # ensure operator has permission to modify CAs ++ if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'): ++ raise errors.ACIError(info=_( ++ "Insufficient privilege to modify a CA.")) ++ + with self.api.Backend.ra_lightweight_ca as ca_api: +- self.perform_action(ca_api, ca_id) ++ self.perform_action(ca_api, ca_obj['ipacaid'][0]) + + return dict( + result=True, +-- +2.9.3 + diff --git a/freeipa.spec b/freeipa.spec index 5bf0681..338e832 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -38,7 +38,7 @@ Name: freeipa Version: %{VERSION} -Release: 6%{?dist} +Release: 7%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -51,6 +51,7 @@ Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch Patch0002: 0002-Support-DAL-version-5-and-version-6.patch Patch0003: 0003-bind-dyndb-ldap-DNS-fixes.patch Patch0004: 0004-ipa-kdb-support-KDB-DAL-version-6.1.patch +Patch0005: 0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.5.6 @@ -1480,6 +1481,10 @@ fi %endif # ONLY_CLIENT %changelog +* Mon Feb 27 2017 Tomas Krizek - 4.4.3-7 +- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for + ca-del, ca-disable and ca-enable commands + * Mon Feb 27 2017 Alexander Bokovoy - 4.4.3-6 - Rebuild to pick up system-python dependency change - Fixes #1426847 - Cannot upgrade freeipa-client on rawhide