diff --git a/openwsman-2.6.5-http-unauthorized-improve.patch b/openwsman-2.6.5-http-unauthorized-improve.patch new file mode 100644 index 0000000..e9f7537 --- /dev/null +++ b/openwsman-2.6.5-http-unauthorized-improve.patch @@ -0,0 +1,56 @@ +diff -up openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.5/src/lib/wsman-curl-client-transport.c +--- openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig 2022-09-08 10:36:46.265107915 +0200 ++++ openwsman-2.6.5/src/lib/wsman-curl-client-transport.c 2022-09-08 10:36:46.273107919 +0200 +@@ -452,6 +452,7 @@ wsmc_handler( WsManClient *cl, + long http_code; + long auth_avail = 0; + char *_user = NULL, *_pass = NULL; ++ int _no_auth = 0; /* 0 if authentication is used, 1 if no authentication was used */ + u_buf_t *response = NULL; + //char *soapaction; + char *tmp_str = NULL; +@@ -551,6 +552,7 @@ wsmc_handler( WsManClient *cl, + _user = wsmc_get_user(cl); + _pass = wsmc_get_password(cl); + if (_user && _pass && cl->data.auth_set) { ++ _no_auth = 0; + r = curl_easy_setopt(curl, CURLOPT_HTTPAUTH, cl->data.auth_set); + if (r != CURLE_OK) { + cl->fault_string = u_strdup(curl_easy_strerror(r)); +@@ -571,6 +573,11 @@ wsmc_handler( WsManClient *cl, + curl_err("curl_easy_setopt(curl, CURLOPT_USERPWD, ..) failed"); + goto DONE; + } ++ } else { ++ /* request without user credentials, remember this for ++ * later use when it might become necessary to print an error message ++ */ ++ _no_auth = 1; + } + + if (wsman_debug_level_debugged(DEBUG_LEVEL_MESSAGE)) { +@@ -603,6 +610,24 @@ wsmc_handler( WsManClient *cl, + break; + case 401: + // The server requires authentication. ++ /* RFC 2616 states: ++ * ++ * If the request already included Authorization credentials, then the 401 ++ * response indicates that authorization has been refused for those ++ * credentials. If the 401 response contains the same challenge as the ++ * prior response, and the user agent has already attempted ++ * authentication at least once, then the user SHOULD be presented the ++ * entity that was given in the response, since that entity might ++ * include relevant diagnostic information. ++ */ ++ if (_no_auth == 0) { ++ /* no authentication credentials were used. It is only ++ * possible to write a message about the current situation. There ++ * is no information about the last attempt to access the resource. ++ * Maybe at a later point in time I will implement more state information. ++ */ ++ fprintf(stdout,"Authentication failed, please retry\n"); ++ } + break; + default: + // The status code does not indicate success. diff --git a/openwsman.spec b/openwsman.spec index 0b54272..733bc36 100644 --- a/openwsman.spec +++ b/openwsman.spec @@ -3,7 +3,7 @@ Name: openwsman Version: 2.6.5 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Open source Implementation of WS-Management License: BSD @@ -23,6 +23,7 @@ Patch5: openwsman-2.6.5-fix-set-cipher-list-retval-check.patch Patch6: openwsman-2.6.5-CVE-2019-3816.patch # Patch7: fixes CVE-2019-3833, rhbz#1687865 Patch7: openwsman-2.6.5-CVE-2019-3833.patch +Patch8: openwsman-2.6.5-http-unauthorized-improve.patch BuildRequires: swig BuildRequires: libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel BuildRequires: python3 python3-devel ruby ruby-devel rubygems-devel perl-interpreter @@ -131,6 +132,7 @@ You can use it to send shell commands to a remote Windows hosts. %patch5 -p1 -b .fix-set-cipher-list-retval-check %patch6 -p1 -b .CVE-2019-3816 %patch7 -p1 -b .CVE-2019-3833 +%patch8 -p1 -b .http-unauthorized-improve %build # Removing executable permissions on .c and .h files to fix rpmlint warnings. @@ -287,6 +289,10 @@ rm -f /var/log/wsmand.log %{_bindir}/winrs %changelog +* Thu Sep 08 2022 Vitezslav Crhonek - 2.6.5-8 +- Improve handling of HTTP 401 Unauthorized + Resolves: #2124893 + * Mon May 11 2020 Vitezslav Crhonek - 2.6.5-7 - Fix CVE-2019-3833 Resolves: #1687865