- Resolves: RHEL-73022 A slow HSM can cause IPA server installation to fail setting up certificate tracking [rhel-9] - Resolves: RHEL-71261 [RHEL-9.6] Include latest fixes in python3-ipatests package - Resolves: RHEL-67191 CVE-2024-11029 ipa: Administrative user data leaked through systemd journal [rhel-9.6] - Resolves: RHEL-59040 KRA installation failure caused by a certificate mismatch in NSS DB and configuration file. Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From d857fcfcc21481cdf06b8cce1685e141921d2fbf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 27 Nov 2024 12:16:09 +0100
Subject: [PATCH] ipa-otpd: use oidc_child's --client-secret-stdin option
To remove the client secret from the command line, where it would be
visible e.g. when calling ps, it is now passed via stdin to oidc_child.
Fixes: CVE-2024-11029
Signed-off-by: Sumit Bose <sbose@redhat.com>
---
daemons/ipa-otpd/oauth2.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
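diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
index a33cf51715ca2a3e7a0cef871aed5cfbbd037598..52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69 100644
--- a/daemons/ipa-otpd/oauth2.c
+++ b/daemons/ipa-otpd/oauth2.c
@@ -31,6 +31,7 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/random.h>
+#include <sys/uio.h>
 
 #include "internal.h"
 
@@ -93,6 +94,7 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
     (void)vctx; /* Unused */
     ssize_t io;
     struct child_ctx *child_ctx;
+    struct iovec iov[3];
 
     child_ctx = verto_get_private(ev);
     if (child_ctx == NULL) {
@@ -102,15 +104,18 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
     }
 
     if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
-        /* no input needed */
-        verto_del(ev);
-        return;
-    }
-
+        io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
+                   strlen(child_ctx->item->idp.ipaidpClientSecret));
+    } else {
+        iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret;
+        iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
+        iov[1].iov_base = "\n";
+        iov[1].iov_len = 1;
+        iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
+        iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
 
-    io = write(verto_get_fd(ev),
-               child_ctx->saved_item->oauth2.device_code_reply,
-               strlen(child_ctx->saved_item->oauth2.device_code_reply));
+        io = writev(verto_get_fd(ev), iov, 3);
+    }
     otpd_queue_item_free(child_ctx->saved_item);
 
     if (io < 0) {
@@ -429,8 +434,7 @@ int oauth2(struct otpd_queue_item **item, enum oauth2_state oauth2_state)
     args[args_idx++] = (*item)->idp.ipaidpClientID;
 
     if ((*item)->idp.ipaidpClientSecret) {
-        args[args_idx++] = "--client-secret";
-        args[args_idx++] = (*item)->idp.ipaidpClientSecret;
+        args[args_idx++] = "--client-secret-stdin";
     }
 
     if ((*item)->idp.ipaidpScope) {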
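Review bot: In the `@@ -102,15 +104,18 @@` hunk, `oauth2_on_child_writable` now calls `strlen()` on `child_ctx->item->idp.ipaidpClientSecret` in both branches of the state check, while the `@@ -429,8 +434,7 @@` hunk in `oauth2()` only adds `--client-secret-stdin` when that field is non-NULL, so an IdP configured without a client secret would reach `strlen(NULL)` here unless the writable callback is registered only when a secret exists (not visible in this hunk). Restoring the old `verto_del(ev); return;` path for the secret-less `OAUTH2_GET_DEVICE_CODE` case and filling the iovec conditionally keeps the previous behaviour for such clients. Also, `io` is only compared with 0 below the hunk, so if the child's stdin is non-blocking a short `write`/`writev` would hand oidc_child a truncated secret line; comparing `io` against the total length queued would make that failure explicit. The rest of `oauth2_on_child_writable`, including the handling after `if (io < 0)`, lies outside the hunk.
```c
    char *secret = child_ctx->item->idp.ipaidpClientSecret;

    if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
        if (secret == NULL) {
            /* no input needed */
            verto_del(ev);
            return;
        }
        io = write(verto_get_fd(ev), secret, strlen(secret));
    } else {
        int iovcnt = 0;

        if (secret != NULL) {
            iov[iovcnt].iov_base = secret;
            iov[iovcnt++].iov_len = strlen(secret);
            iov[iovcnt].iov_base = "\n";
            iov[iovcnt++].iov_len = 1;
        }
        iov[iovcnt].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
        iov[iovcnt++].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);

        io = writev(verto_get_fd(ev), iov, iovcnt);
    }
    /* … unchanged: otpd_queue_item_free and the io < 0 handling … */
```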
--
2.47.1