.gitignore vendored

@ -1 +1 @@
SOURCES/pki-11.5.0.tar.gz SOURCES/pki-11.5.1.tar.gz

@ -1 +1 @@
dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz d7c0b18bd25d9ae00121f58544ea5dc840b18a8d SOURCES/pki-11.5.1.tar.gz

@ -1,60 +0,0 @@
From 9f9ede3fe2a6ae95230411d48183dc6880ff3c52 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 11 Sep 2023 15:40:32 -0500
Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
Previously the LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() were using user-provided session ID as
is in an LDAP filter which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
.../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 7691a98a40..fb627b88cb 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -29,6 +29,7 @@ import com.netscape.cmscore.apps.CMSEngine;
import com.netscape.cmscore.apps.EngineConfig;
import com.netscape.cmscore.ldapconn.LDAPConfig;
import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
+import com.netscape.cmsutil.ldap.LDAPUtil;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -173,7 +174,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { "cn" };
conn = mLdapConnFactory.getConn();
@@ -254,7 +259,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { attr };
conn = mLdapConnFactory.getConn();
--
2.42.0

@ -9,12 +9,12 @@ Name: pki-core
# Upstream version number: # Upstream version number:
%global major_version 11 %global major_version 11
%global minor_version 5 %global minor_version 5
%global update_version 0 %global update_version 1
# Downstream release number: # Downstream release number:
# - development/stabilization (unsupported): 0.<n> where n >= 1 # - development/stabilization (unsupported): 0.<n> where n >= 1
# - GA/update (supported): <n> where n >= 1 # - GA/update (supported): <n> where n >= 1
%global release_number 2 %global release_number 1
# Development phase: # Development phase:
# - development (unsupported): alpha<n> where n >= 1 # - development (unsupported): alpha<n> where n >= 1
@ -46,7 +46,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase}
# <version tag> \ # <version tag> \
# > pki-VERSION-RELEASE.patch # > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch
Patch: 0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
%if 0%{?java_arches:1} %if 0%{?java_arches:1}
ExclusiveArch: %{java_arches} ExclusiveArch: %{java_arches}
@ -64,9 +63,27 @@ ExcludeArch: i686
# Java # Java
################################################################################ ################################################################################
%global java_devel java-17-openjdk-devel %if 0%{?rhel}
%global java_headless java-17-openjdk-headless
%global java_home %{_jvmdir}/jre-17-openjdk %define java_devel java-17-openjdk-devel
%define java_headless java-17-openjdk-headless
%define java_home %{_jvmdir}/jre-17-openjdk
%else
# Use Java 21 on Fedora 40+, otherwise use Java 17.
%global java_devel java-devel >= 1:17
%global java_headless java-headless >= 1:17
# Don't use find since it might not work well with local builds.
# find {_jvmdir} -maxdepth 1 | grep "jre-[0-9]\+$"
%global java_home %(
source /usr/share/java-utils/java-functions;
_prefer_jre=true;
set_jvm;
echo $JAVA_HOME)
%endif
################################################################################ ################################################################################
# Application Server # Application Server
@ -1012,6 +1029,7 @@ popd
# Remove all symbol table and relocation information from the executable. # Remove all symbol table and relocation information from the executable.
C_FLAGS="-s" C_FLAGS="-s"
CXX_FLAGS="$CXX_FLAGS -g -fPIE -pie"
%if 0%{?fedora} %if 0%{?fedora}
# https://sourceware.org/annobin/annobin.html/Test-gaps.html # https://sourceware.org/annobin/annobin.html/Test-gaps.html
@ -1022,12 +1040,23 @@ C_FLAGS="$C_FLAGS -fcf-protection=full"
# https://sourceware.org/annobin/annobin.html/Test-optimization.html # https://sourceware.org/annobin/annobin.html/Test-optimization.html
C_FLAGS="$C_FLAGS -O2" C_FLAGS="$C_FLAGS -O2"
CXX_FLAGS="$CXX_FLAGS -O2"
# https://sourceware.org/annobin/annobin.html/Test-glibcxx-assertions.html # https://sourceware.org/annobin/annobin.html/Test-glibcxx-assertions.html
C_FLAGS="$C_FLAGS -D_GLIBCXX_ASSERTIONS" C_FLAGS="$C_FLAGS -D_GLIBCXX_ASSERTIONS"
CXX_FLAGS="$CXX_FLAGS -D_GLIBCXX_ASSERTIONS"
# https://sourceware.org/annobin/annobin.html/Test-lto.html # https://sourceware.org/annobin/annobin.html/Test-lto.html
C_FLAGS="$C_FLAGS -fno-lto" C_FLAGS="$C_FLAGS -fno-lto"
# https://sourceware.org/annobin/annobin.html/Test-fortify.html
C_FLAGS="$C_FLAGS -D_FORTIFY_SOURCE=3"
CXX_FLAGS="$CXX_FLAGS -D_FORTIFY_SOURCE=3"
# https://sourceware.org/annobin/annobin.html/Test-stack-clash.html
C_FLAGS="$C_FLAGS -fstack-clash-protection"
CXX_FLAGS="$CXX_FLAGS -fstack-clash-protection"
%endif %endif
pkgs=base\ pkgs=base\
@ -1061,6 +1090,7 @@ pkgs=base\
--share-dir=%{_datadir} \ --share-dir=%{_datadir} \
--cmake=%{__cmake} \ --cmake=%{__cmake} \
--c-flags="$C_FLAGS" \ --c-flags="$C_FLAGS" \
--cxx-flags="$CXX_FLAGS" \
--java-home=%{java_home} \ --java-home=%{java_home} \
--jni-dir=%{_jnidir} \ --jni-dir=%{_jnidir} \
--unit-dir=%{_unitdir} \ --unit-dir=%{_unitdir} \
@ -1502,8 +1532,8 @@ fi
################################################################################ ################################################################################
%changelog %changelog
* Thu Mar 28 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-2 * Fri Jun 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.1-1
- RHEL-9916 CVE-2023-4727 pki-core: dogtag ca: token authentication bypass vulnerability - Rebase to PKI 11.5.1
* Wed Feb 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-1 * Wed Feb 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-1
- Rebase to PKI 11.5.0 - Rebase to PKI 11.5.0
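Review bot: The hardening flags added in the hunk at `@ -1022,12 +1040,23 @@` (`-D_FORTIFY_SOURCE=3`, `-fstack-clash-protection`, and the mirrored `CXX_FLAGS` lines) sit inside the pre-existing `%if 0%{?fedora}` block, so on the RHEL build this c9 branch appears to target, the value handed to `--cxx-flags` would be only the `-g -fPIE -pie` added at `@ -1012,6 +1029,7 @@` unless `%{build_cflags}`/`%{build_cxxflags}` are applied somewhere outside the visible hunks. Within the same hunk `-fno-lto` is still applied to `C_FLAGS` only while every other flag is now mirrored onto `CXX_FLAGS`; if that asymmetry is intended a comment such as `# -fno-lto: C only, <reason>` would save the next reader a check, otherwise add `CXX_FLAGS="$CXX_FLAGS -fno-lto"`. Separately, the `Patch:` line and the 11.5.0-2 changelog entry for CVE-2023-4727 are dropped while the new 11.5.1-1 entry says only `- Rebase to PKI 11.5.1`; stating there that the CVE-2023-4727 fix is carried by the 11.5.1 rebase keeps the advisory traceable from the spec alone. The `%global java_home %( … set_jvm; echo $JAVA_HOME)` expansion at `@ -64,9 +63,27 @@` silently yields an empty `--java-home=` if `set_jvm` fails at spec-parse time, so a comment noting that, or a check that `$JAVA_HOME` is non-empty before the `echo`, is worth adding. The surrounding build script starts and ends outside these hunks.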
