Control: tags -1 patch

Please find attached the patches that address CVE-2022-26110 for version 8.6.8~dfsg.1-2; the same patches have also been applied in Debian 10 "Buster".
Markus
From: Markus Koschany <[email protected]>
Date: Fri, 20 May 2022 14:09:15 +0200
Subject: CVE-2022-26110_1
Origin: https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca
---
 src/condor_daemon_core.V6/daemon_command.cpp | 40 ++++++++++++++++++++++++----
 src/condor_includes/condor_attributes.h | 1 +
 2 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/src/condor_daemon_core.V6/daemon_command.cpp b/src/condor_daemon_core.V6/daemon_command.cpp
index daa86ec..83d4082 100644
--- a/src/condor_daemon_core.V6/daemon_command.cpp
+++ b/src/condor_daemon_core.V6/daemon_command.cpp
@@ -1408,11 +1408,41 @@ DaemonCommandProtocol::CommandProtocolResult DaemonCommandProtocol::VerifyComman
 m_perm = USER_AUTH_FAILURE;
 } else {
- m_perm = daemonCore->Verify(
- command_desc.Value(),
- m_comTable[m_cmd_index].perm,
- m_sock->peer_addr(),
- m_user.Value() );
+ // Authentication methods can limit the authorizations associated with
+ // a given identity (at time of coding, only TOKEN does this); apply
+ // these limits if present.
+ std::string authz_policy;
+ bool can_attempt = true;
+ if (m_policy && m_policy->EvaluateAttrString(ATTR_SEC_LIMIT_AUTHORIZATION, authz_policy)) {
+ StringList authz_limits(authz_policy.c_str());
+ authz_limits.rewind();
+ const char *perm_cstr = PermString(m_comTable[m_cmd_index].perm);
+ const char *authz_name;
+ bool found_limit = false;
+ while ( (authz_name = authz_limits.next()) ) {
+ if (!strcmp(perm_cstr, authz_name)) {
+ found_limit = true;
+ break;
+ }
+ }
+ bool has_allow_perm = !strcmp(perm_cstr, "ALLOW");
+ if (!found_limit && !has_allow_perm) {
+ can_attempt = false;
+ }
+ }
+ if (can_attempt) {
+ m_perm = daemonCore->Verify(
+ command_desc.Value(),
+ m_comTable[m_cmd_index].perm,
+ m_sock->peer_addr(),
+ m_user.Value() );
+ } else {
+ dprintf(D_ALWAYS, "DC_AUTHENTICATE: authentication of %s was successful but resulted in a limited authorization which did not include this command (%d %s), so aborting.\n",
+ m_sock->peer_description(),
+ m_req,
+ m_comTable[m_cmd_index].command_descrip);
+ m_perm = USER_AUTH_FAILURE;
+ }
 }
 }
 } else {
diff --git a/src/condor_includes/condor_attributes.h b/src/condor_includes/condor_attributes.h
index 7de9120..d230fb3 100644
--- a/src/condor_includes/condor_attributes.h
+++ b/src/condor_includes/condor_attributes.h
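Review bot: The limit check at `if (!strcmp(perm_cstr, authz_name))` matches the command's permission level by exact name only and never walks the permission hierarchy, so if higher levels imply lower ones (as the companion patch's use of `DCpermissionHierarchy::getImpliedPerms()` suggests) a `LimitAuthorization` value naming only a high level would still reject lower-level commands unless the list already spells out every implied level; that contract belongs in the hunk's comment, e.g. `// Matched by exact name only: whoever sets ATTR_SEC_LIMIT_AUTHORIZATION must already list every implied level.` The `ALLOW` escape in `bool has_allow_perm = !strcmp(perm_cstr, "ALLOW");` is reasonable but deserves a one-line why-comment such as `// ALLOW-level commands are open to any peer, so a limit never excludes them.` If `StringList` in this tree offers a membership lookup it would replace the manual rewind/next loop, but I have not verified that here. VerifyCommand begins and ends outside this hunk.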
@@ -839,6 +839,7 @@ extern const char ATTR_SEC_AUTHENTICATED_USER [];
 #define ATTR_SEC_TRIED_AUTHENTICATION "TriedAuthentication"
 #define ATTR_SEC_AUTHORIZATION_SUCCEEDED "AuthorizationSucceeded"
 #define ATTR_SEC_RETURN_CODE "ReturnCode"
+#define ATTR_SEC_LIMIT_AUTHORIZATION "LimitAuthorization"
 #define ATTR_MULTIPLE_TASKS_PER_PVMD "MultipleTasksPerPvmd"
From: Markus Koschany <[email protected]>
Date: Fri, 20 May 2022 14:09:31 +0200
Subject: CVE-2022-26110_2
Origin: https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b
---
 src/condor_daemon_core.V6/daemon_command.cpp | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/condor_daemon_core.V6/daemon_command.cpp b/src/condor_daemon_core.V6/daemon_command.cpp
index 83d4082..4f2ddac 100644
--- a/src/condor_daemon_core.V6/daemon_command.cpp
+++ b/src/condor_daemon_core.V6/daemon_command.cpp
@@ -1141,6 +1141,23 @@ DaemonCommandProtocol::CommandProtocolResult DaemonCommandProtocol::Authenticate
 if ( method_used ) {
 m_policy->Assign(ATTR_SEC_AUTHENTICATION_METHODS, method_used);
+
+ // For CLAIMTOBE, explicitly limit the authorized permission
+ // levels to that of the current command and any implied ones.
+ if ( !strcasecmp(method_used, "CLAIMTOBE") ) {
+ std::string perm_list;
+ DCpermissionHierarchy hierarchy( m_comTable[m_cmd_index].perm );
+ DCpermission const *perms = hierarchy.getImpliedPerms();
+
+ // iterate through a list of this perm and all perms implied by it
+ for (DCpermission perm = *(perms++); perm != LAST_PERM; perm = *(perms++)) {
+ if (!perm_list.empty()) {
+ perm_list += ',';
+ }
+ perm_list += PermString(perm);
+ }
+ m_policy->Assign(ATTR_SEC_LIMIT_AUTHORIZATION, perm_list);
+ }
 }
 if ( m_sock->getAuthenticatedName() ) {
 m_policy->Assign(ATTR_SEC_AUTHENTICATED_NAME, m_sock->getAuthenticatedName() );
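Review bot: The loop `for (DCpermission perm = *(perms++); perm != LAST_PERM; perm = *(perms++))` buries its termination in two post-increments and silently relies on `getImpliedPerms()` returning a `LAST_PERM`-terminated array, which nothing in the hunk checks or states; a plain pointer walk keeps the sentinel visible: `for (const DCpermission *p = hierarchy.getImpliedPerms(); *p != LAST_PERM; ++p) {` with `perm_list += PermString(*p);` in the body. I would also add a why-comment above the `strcasecmp`, e.g. `// CLAIMTOBE offers no real authentication, so cap this session's authorization at the level of the command it was opened for.` — the session-reuse motivation is my reading of the CVE rather than something the hunk shows, so confirm it before committing the wording. Authenticate begins and ends outside this hunk.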

