d3389e055a
Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy
39 lines
1.7 KiB
Diff
39 lines
1.7 KiB
Diff
From cca4741602bf60fbc0589116113dd95646fa2888 Mon Sep 17 00:00:00 2001
|
|
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
Date: Tue, 15 Nov 2016 14:02:54 +1000
|
|
Subject: [PATCH] certprofile-mod: correctly authorise config update
|
|
|
|
Certificate profiles consist of an FreeIPA object, and a
|
|
corresponding Dogtag configuration object. When updating profile
|
|
configuration, changes to the Dogtag configuration are not properly
|
|
authorised, allowing unprivileged operators to modify (but not
|
|
create or delete) profiles. This could result in issuance of
|
|
certificates with fraudulent subject naming information, improper
|
|
key usage, or other badness.
|
|
|
|
Update certprofile-mod to ensure that the operator has permission to
|
|
modify FreeIPA certprofile objects before modifying the Dogtag
|
|
configuration.
|
|
---
|
|
ipaserver/plugins/certprofile.py | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
|
|
index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
|
|
--- a/ipaserver/plugins/certprofile.py
|
|
+++ b/ipaserver/plugins/certprofile.py
|
|
@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
|
|
raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
|
|
reason=_('Certificate profiles cannot be renamed'))
|
|
if 'file' in options:
|
|
+ # ensure operator has permission to update a certprofile
|
|
+ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
|
|
+ raise errors.ACIError(info=_(
|
|
+ "Insufficient privilege to modify a certificate profile."))
|
|
+
|
|
with self.api.Backend.ra_certprofile as profile_api:
|
|
profile_api.disable_profile(keys[0])
|
|
try:
|
|
--
|
|
2.7.4
|