From 6b7ae289245776a26402697791510c1eee5e73eb Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Fri, 19 Aug 2016 14:41:05 +0200
Subject: [PATCH] 4.3.2-2: CVE-2016-5404
---
 ...de-do-not-fail-when-DNS-server-did-n.patch | 62 ++++++++++
 ...permission-check-bypass-CVE-2016-540.patch | 115 ++++++++++++++++++
 ...pa-kdb-Allow-to-build-with-samba-4.5.patch | 88 ++++++++++++++
 freeipa.spec | 14 ++-
 4 files changed, 278 insertions(+), 1 deletion(-)
 create mode 100644 0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
 create mode 100644 0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
 create mode 100644 0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch
diff --git a/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch b/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
new file mode 100644
index 0000000..592ebb4
--- /dev/null
+++ b/0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
@@ -0,0 +1,62 @@ +From 27534f8d7294536364147b18b76ecb2bac67870f Mon Sep 17 00:00:00 2001 +From: Petr Spacek +Date: Thu, 11 Aug 2016 13:44:29 +0200 +Subject: [PATCH] DNS server upgrade: do not fail when DNS server did not + respond + +Previously, update_dnsforward_emptyzones failed with an exeception if +DNS query failed for some reason. Now the error is logged and upgrade +continues. + +I assume that this is okay because the DNS query is used as heuristics +of last resort in the upgrade logic and failure to do so should not have +catastrophics consequences: In the worst case, the admin needs to +manually change forwarding policy from 'first' to 'only'. + +In the end I have decided not to auto-start BIND because BIND depends on +GSSAPI for authentication, which in turn depends on KDC ... Alternative +like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to +accept LDAP external bind from named user are too complicated. + +https://fedorahosted.org/freeipa/ticket/6205 + +Reviewed-By: Martin Basti +--- + ipaserver/install/plugins/dns.py | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py +index 873dbd0..6f67f98 100644 +--- a/ipaserver/install/plugins/dns.py ++++ b/ipaserver/install/plugins/dns.py +@@ -17,6 +17,9 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . 
+ ++from __future__ import absolute_import ++ ++import dns.exception + import ldap as _ldap + import re + import traceback +@@ -489,8 +492,15 @@ class update_dnsforward_emptyzones(DNSUpdater): + self.api.Command['dnsconfig_mod'](ipadnsversion=2) + + self.update_zones() +- if dnsutil.has_empty_zone_addresses(self.api.env.host): +- self.update_global_ldap_forwarder() ++ try: ++ if dnsutil.has_empty_zone_addresses(self.api.env.host): ++ self.update_global_ldap_forwarder() ++ except dns.exception.DNSException as ex: ++ self.log.error('Skipping update of global DNS forwarder in LDAP: ' ++ 'Unable to determine if local server is using an ' ++ 'IP address belonging to an automatic empty zone. ' ++ 'Consider changing forwarding policy to "only". ' ++ 'DNS exception: %s', ex) + + return False, [] + +-- +2.5.5 + diff --git a/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch b/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch new file mode 100644 index 0000000..142e2d2 --- /dev/null +++ b/0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch 
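Review bot: The `from __future__ import absolute_import` added at the top of ipaserver/install/plugins/dns.py is presumably what makes the new `import dns.exception` resolve to dnspython instead of to this module itself (the file is named dns.py, so under Python 2 implicit relative imports it would shadow the package), and nothing in the hunk records that. A one-line comment would keep the next reader from deleting it as unused: `# absolute_import: this module is itself named "dns"; make "import dns.exception" pick dnspython`. The new except clause in update_dnsforward_emptyzones catches only `dns.exception.DNSException`, which matches the scope the commit message describes; the rest of that execute method lies outside the quoted inner hunk.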
@@ -0,0 +1,115 @@ +From d68f99203c5bab33e8bc4af6becea57e0736bbc5 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 30 Jun 2016 10:21:01 +1000 +Subject: [PATCH] cert-revoke: fix permission check bypass (CVE-2016-5404) + +The 'cert_revoke' command checks the 'revoke certificate' +permission, however, if an ACIError is raised, it then invokes the +'cert_show' command. The rational was to re-use a "host manages +certificate" check that is part of the 'cert_show' command, however, +it is sufficient that 'cert_show' executes successfully for +'cert_revoke' to recover from the ACIError continue. Therefore, +anyone with 'retrieve certificate' permission can revoke *any* +certificate and cause various kinds of DoS. + +Fix the problem by extracting the "host manages certificate" check +to its own method and explicitly calling it from 'cert_revoke'. + +Fixes: https://fedorahosted.org/freeipa/ticket/6232 +--- + ipalib/plugins/cert.py | 49 +++++++++++++++++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 18 deletions(-) + +diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py +index b4ea2feae5de9ffc020709092f79791d99472ffc..f257088e2d45a0c991cce68222577dbe212415d9 100644 +--- a/ipalib/plugins/cert.py ++++ b/ipalib/plugins/cert.py +@@ -243,6 +243,25 @@ def caacl_check(principal_type, principal_string, ca, profile_id): + ) + ) + ++ ++def bind_principal_can_manage_cert(cert): ++ """Check that the bind principal can manage the given cert. ++ ++ ``cert`` ++ An NSS certificate object. ++ ++ """ ++ bind_principal = getattr(context, 'principal') ++ if not bind_principal.startswith('host/'): ++ return False ++ ++ hostname = get_host_from_principal(bind_principal) ++ ++ # If we have a hostname we want to verify that the subject ++ # of the certificate matches it. 
++ return hostname == cert.subject.common_name #pylint: disable=E1101 ++ ++ + @register() + class cert_request(VirtualCommand): + __doc__ = _('Submit a certificate signing request.') +@@ -608,29 +627,23 @@ class cert_show(VirtualCommand): + + def execute(self, serial_number, **options): + ca_enabled_check() +- hostname = None +- try: +- self.check_access() +- except errors.ACIError as acierr: +- self.debug("Not granted by ACI to retrieve certificate, looking at principal") +- bind_principal = getattr(context, 'principal') +- if not bind_principal.startswith('host/'): +- raise acierr +- hostname = get_host_from_principal(bind_principal) + + result=self.Backend.ra.get_certificate(serial_number) + cert = x509.load_certificate(result['certificate']) ++ ++ try: ++ self.check_access() ++ except errors.ACIError as acierr: ++ self.debug("Not granted by ACI to retrieve certificate, looking at principal") ++ if not bind_principal_can_manage_cert(cert): ++ raise acierr # pylint: disable=E0702 ++ + result['subject'] = unicode(cert.subject) + result['issuer'] = unicode(cert.issuer) + result['valid_not_before'] = unicode(cert.valid_not_before_str) + result['valid_not_after'] = unicode(cert.valid_not_after_str) + result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0]) + result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0]) +- if hostname: +- # If we have a hostname we want to verify that the subject +- # of the certificate matches it, otherwise raise an error +- if hostname != cert.subject.common_name: #pylint: disable=E1101 +- raise acierr + + return dict(result=result) + +@@ -676,17 +689,17 @@ class cert_revoke(VirtualCommand): + + def execute(self, serial_number, **kw): + ca_enabled_check() +- hostname = None + try: + self.check_access() + except errors.ACIError as acierr: + self.debug("Not granted by ACI to revoke certificate, looking at principal") + try: +- # Let cert_show() handle verifying that the 
subject of the +- # cert we're dealing with matches the hostname in the principal + result = api.Command['cert_show'](unicode(serial_number))['result'] ++ cert = x509.load_certificate(result['certificate']) ++ if not bind_principal_can_manage_cert(cert): ++ raise acierr + except errors.NotImplementedError: +- pass ++ raise acierr + revocation_reason = kw['revocation_reason'] + if revocation_reason == 7: + raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason')) +-- +2.5.5 + diff --git a/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch b/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch new file mode 100644 index 0000000..850fc65 --- /dev/null +++ b/0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch 
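Review bot: `bind_principal_can_manage_cert` decides with `hostname == cert.subject.common_name`, a case-sensitive comparison, while host names are case-insensitive; if `get_host_from_principal` does not normalise case, a host principal whose certificate CN differs only in case is denied (fail-closed, so not a bypass, but worth confirming against that helper). Because this function is now the single fallback authorization check that lets a host principal revoke without the 'revoke certificate' permission, its docstring should state that role and its limits, e.g. add `Fallback authorization check used by cert_show and cert_revoke when the ACI check fails: the principal's host is compared against the certificate CN only, SANs are not considered.` In cert_revoke.execute the inner `except errors.NotImplementedError` now re-raises `acierr` instead of `pass`, which removes the path where an unimplemented cert_show let revocation proceed unchecked; the remainder of that method continues beyond the quoted inner hunk.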
@@ -0,0 +1,88 @@ +From d5e08d714d47b24da9dcb413cdbbf67d0b66ba45 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Fri, 5 Aug 2016 08:29:27 +0200 +Subject: [PATCH] ipa-kdb: Allow to build with samba 4.5 + +daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info': +daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO' + has no member named 'res_group_dom_sid' + if (info->info->res_group_dom_sid != NULL && + ^~ +daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO' + has no member named 'res_groups'; did you mean 'resource_groups'? + info->info->res_groups.count != 0) { + ^~ +mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo +Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed +make[3]: *** [ipa_kdb_mspac.lo] Error 1 +make[3]: *** Waiting for unfinished jobs.... + +Related change in samba +https://github.com/samba-team/samba/commit/4406cf792a599724f55777a45efb6367a9bd92b2 + +Resolves: +https://fedorahosted.org/freeipa/ticket/6173 + +Reviewed-By: Alexander Bokovoy +--- + daemons/configure.ac | 12 ++++++++++++ + daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/daemons/configure.ac b/daemons/configure.ac +index f2eebee..9789f68 100644 +--- a/daemons/configure.ac ++++ b/daemons/configure.ac +@@ -170,6 +170,18 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) + SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" + AC_SUBST(SAMBA40EXTRA_LIBPATH) + ++bck_cflags="$CFLAGS" ++CFLAGS="$NDRPAC_CFLAGS" ++AC_CHECK_MEMBER( ++ [struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid], ++ [AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1], ++ [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])], ++ [AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])], ++ [[#include ++ #include ]]) ++ ++CFLAGS="$bck_cflags" ++ + LIBPDB_NAME="" + AC_CHECK_LIB([samba-passdb], + 
[make_pdb_method], +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 638069e..484479b 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -20,6 +20,8 @@ + * along with this program. If not, see . + */ + ++#include "config.h" ++ + #include "ipa_kdb.h" + #include "ipa_mspac.h" + #include +@@ -1533,10 +1535,17 @@ krb5_error_code filter_logon_info(krb5_context context, + + /* According to MS-KILE, ResourceGroups must be zero, so check + * that it is the case here */ ++#ifdef HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP ++ if (info->info->resource_groups.domain_sid != NULL && ++ info->info->resource_groups.groups.count != 0) { ++ return EINVAL; ++ } ++#else + if (info->info->res_group_dom_sid != NULL && + info->info->res_groups.count != 0) { + return EINVAL; + } ++#endif + + return 0; + } +-- +2.5.5 + diff --git a/freeipa.spec b/freeipa.spec index 2fd3d1d..3081514 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -36,7 +36,7 @@ Name: freeipa Version: %{VERSION} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -46,6 +46,9 @@ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch +Patch0002: 0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch +Patch0003: 0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch +Patch0004: 0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.5 @@ -114,6 +117,8 @@ BuildRequires: dbus-python # Build dependencies for unit tests BuildRequires: libcmocka-devel BuildRequires: nss_wrapper +# Required by ipa_kdb_tests +BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so %if 0%{?with_python3} BuildRequires: python3-devel 
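Review bot: The two `#include` lines inside the `AC_CHECK_MEMBER` prerequisite block in daemons/configure.ac show no header names on this page, most likely angle-bracketed names lost in rendering; it is worth confirming the committed patch file carries them, because with an empty `#include` the member probe fails, `HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP` stays undefined, and the `#else` branch in filter_logon_info then fails to compile against samba 4.5 exactly as the commit message shows. The `#ifdef` block in ipa_kdb_mspac.c keeps both field layouts correctly; a short comment naming the boundary would help later readers, e.g. `/* samba >= 4.5 renamed res_group_dom_sid/res_groups to resource_groups */`. filter_logon_info begins outside the quoted inner hunk.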
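Review bot: The `@@ -46,6 +46,9 @@` hunk declares `Patch0002` to `Patch0004`, but the diffstat's 13 insertions to freeipa.spec are fully accounted for by the Release bump, these three lines, the two BuildRequires lines and the seven changelog lines, so no matching `%patch0002`/`%patch0003`/`%patch0004` lines are added in `%prep`. That is only correct if `%prep` applies every declared patch generically (`%autosetup -p1`, `%autopatch`, or a loop over `%patches`), which this diff does not show. Please confirm, since a Patch0003 that is declared but never applied would produce a package whose changelog claims CVE-2016-5404 is fixed while the cert_revoke bypass remains in the built code.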
@@ -1467,6 +1472,13 @@ fi %endif # ONLY_CLIENT %changelog +* Fri Aug 19 2016 Petr Vobornik - 4.3.2-2 +- Fixes 1365669 - The ipa-server-upgrade command failed when named-pkcs11 does + not happen to run during dnf upgrade +- Fixes 1367883 - CVE-2016-5404 freeipa: ipa: Insufficient privileges check + in certificate revocation +- Fixes 1364338 - Freeipa cannot be build on fedora 25 + * Fri Jul 22 2016 Petr Vobornik - 4.3.2-1 - Update to upstream 4.3.2 - see http://www.freeipa.org/page/Releases/4.3.2