4.4.3-7

- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands
2017-02-27 14:21:48 +01:00 · 2017-02-27 14:21:48 +01:00 · 09bdd29080
commit 09bdd29080
parent 3f4b03b412
2 changed files with 66 additions and 1 deletions
--- a/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+++ b/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
@ -0,0 +1,60 @@
 From e9840aee2b1290db7f0f8ec785b338b17d57b569 Mon Sep 17 00:00:00 2001
 From: Fraser Tweedale <ftweedal@redhat.com>
 Date: Fri, 13 Jan 2017 20:33:45 +1000
 Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
 CAs consist of a FreeIPA and a corresponding Dogtag object.  When
 executing ca-del, ca-enable and ca-disable, changes are made to the
 Dogtag object.  In the case of ca-del, the corresponding FreeIPA
 object is deleted after the Dogtag CA is deleted.
 These operations were not correctly authorised; the FreeIPA
 permissions are not checked before the Dogtag operations are
 executed.  This allows any user to delete, enable or disable a
 lightweight CA (except the main IPA CA, for which there are
 additional check to prevent deletion or disablement).
 Add the proper authorisation checks to the ca-del, ca-enable and
 ca-disable commands.
 ---
 ipaserver/plugins/ca.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
 diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
 index d9ae8c81fdca51cbfee34e83cbb9ca6873ebad0b..227b08e0e1e9f7f48c4133da77093d58559562d9 100644
 --- a/ipaserver/plugins/ca.py
 +++ b/ipaserver/plugins/ca.py
@@ -213,6 +213,12 @@ class ca_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         ca_enabled_check()
 +        # ensure operator has permission to delete CA
 +        # before contacting Dogtag
 +        if not ldap.can_delete(dn):
 +            raise errors.ACIError(info=_(
 +                "Insufficient privilege to delete a CA."))
 +
         if keys[0] == IPA_CA_CN:
             raise errors.ProtectedEntryError(
                 label=_("CA"),
@@ -251,9 +257,15 @@ class CAQuery(LDAPQuery):
     def execute(self, cn, **options):
         ca_enabled_check()
 -        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
 +        ca_obj = self.api.Command.ca_show(cn)['result']
 +
 +        # ensure operator has permission to modify CAs
 +        if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
 +            raise errors.ACIError(info=_(
 +                "Insufficient privilege to modify a CA."))
 +
         with self.api.Backend.ra_lightweight_ca as ca_api:
 -            self.perform_action(ca_api, ca_id)
 +            self.perform_action(ca_api, ca_obj['ipacaid'][0])
         return dict(
             result=True,
 -- 
 2.9.3
--- a/freeipa.spec
+++ b/freeipa.spec
@ -38,7 +38,7 @@
 Name:           freeipa
 Version:        %{VERSION}
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        The Identity, Policy and Audit system
 Group:          System Environment/Base
@ -51,6 +51,7 @@ Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
 Patch0002:      0002-Support-DAL-version-5-and-version-6.patch
 Patch0003:      0003-bind-dyndb-ldap-DNS-fixes.patch
 Patch0004:      0004-ipa-kdb-support-KDB-DAL-version-6.1.patch
 Patch0005:      0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.5.6
@ -1480,6 +1481,10 @@ fi
 %endif # ONLY_CLIENT
 %changelog
 * Mon Feb 27 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.3-7
 - Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for
  ca-del, ca-disable and ca-enable commands
 * Mon Feb 27 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.3-6
 - Rebuild to pick up system-python dependency change
 - Fixes #1426847 - Cannot upgrade freeipa-client on rawhide