Bug#1008634: condor: CVE-2022-26110 / HTCONDOR-2022-0003

2022-05-22 Thread Markus Koschany
Control: tags -1 patch

Please find attached the patches to address CVE-2022-26110 for version
8.6.8~dfsg.1-2, also applied in Debian 10 "Buster".

Markus
From: Markus Koschany 
Date: Fri, 20 May 2022 14:09:15 +0200
Subject: CVE-2022-26110_1

Origin: https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca
---
 src/condor_daemon_core.V6/daemon_command.cpp | 40 
 src/condor_includes/condor_attributes.h  |  1 +
 2 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/src/condor_daemon_core.V6/daemon_command.cpp b/src/condor_daemon_core.V6/daemon_command.cpp
index daa86ec..83d4082 100644
--- a/src/condor_daemon_core.V6/daemon_command.cpp
+++ b/src/condor_daemon_core.V6/daemon_command.cpp
@@ -1408,11 +1408,41 @@ DaemonCommandProtocol::CommandProtocolResult DaemonCommandProtocol::VerifyComman
 			m_perm = USER_AUTH_FAILURE;
 		}
 		else {
-			m_perm = daemonCore->Verify(
-		  command_desc.Value(),
-		  m_comTable[m_cmd_index].perm,
-		  m_sock->peer_addr(),
-		  m_user.Value() );
+// Authentication methods can limit the authorizations associated with
+// a given identity (at time of coding, only TOKEN does this); apply
+// these limits if present.
+			std::string authz_policy;
+			bool can_attempt = true;
+			if (m_policy && m_policy->EvaluateAttrString(ATTR_SEC_LIMIT_AUTHORIZATION, authz_policy)) {
+StringList authz_limits(authz_policy.c_str());
+authz_limits.rewind();
+const char *perm_cstr = PermString(m_comTable[m_cmd_index].perm);
+const char *authz_name;
+bool found_limit = false;
+while ( (authz_name = authz_limits.next()) ) {
+	if (!strcmp(perm_cstr, authz_name)) {
+		found_limit = true;
+		break;
+	}
+}
+bool has_allow_perm = !strcmp(perm_cstr, "ALLOW");
+if (!found_limit && !has_allow_perm) {
+	can_attempt = false;
+}
+			}
+			if (can_attempt) {
+m_perm = daemonCore->Verify(
+	command_desc.Value(),
+	m_comTable[m_cmd_index].perm,
+	m_sock->peer_addr(),
+	m_user.Value() );
+			} else {
+dprintf(D_ALWAYS, "DC_AUTHENTICATE: authentication of %s was successful but resulted in a limited authorization which did not include this command (%d %s), so aborting.\n",
+	m_sock->peer_description(),
+	m_req,
+	m_comTable[m_cmd_index].command_descrip);
+m_perm = USER_AUTH_FAILURE;
+			}
 		}
 
 	} else {
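
Review bot: the new limit check fails open. In `if (m_policy && m_policy->EvaluateAttrString(ATTR_SEC_LIMIT_AUTHORIZATION, authz_policy))`, a null `m_policy` or a policy without the attribute leaves `can_attempt` true, so enforcement relies entirely on the authentication step having set `LimitAuthorization`. A comment stating that dependency would help. The leading comment "only TOKEN does this" is also out of date for this series, since CVE-2022-26110_2 sets the limit for CLAIMTOBE. On the denial path, `m_perm = USER_AUTH_FAILURE` reports an authentication failure while the `dprintf` text says authentication was successful. A distinct authorization-denied result, or a note on why the failure code is reused, would make logs and callers easier to interpret.
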
diff --git a/src/condor_includes/condor_attributes.h b/src/condor_includes/condor_attributes.h
index 7de9120..d230fb3 100644
--- a/src/condor_includes/condor_attributes.h
+++ b/src/condor_includes/condor_attributes.h
@@ -839,6 +839,7 @@ extern const char ATTR_SEC_AUTHENTICATED_USER [];
 #define ATTR_SEC_TRIED_AUTHENTICATION  "TriedAuthentication"
 #define ATTR_SEC_AUTHORIZATION_SUCCEEDED  "AuthorizationSucceeded"
 #define ATTR_SEC_RETURN_CODE  "ReturnCode"
+#define ATTR_SEC_LIMIT_AUTHORIZATION "LimitAuthorization"
 
 #define ATTR_MULTIPLE_TASKS_PER_PVMD  "MultipleTasksPerPvmd"
 
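Review bot: the new `#define ATTR_SEC_LIMIT_AUTHORIZATION "LimitAuthorization"` has no comment describing its value format. The other hunks write and parse it as a comma-separated list of `PermString()` names, so that should be documented next to the define. It also uses a single space before the string literal where the neighbouring defines use two.
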
From: Markus Koschany 
Date: Fri, 20 May 2022 14:09:31 +0200
Subject: CVE-2022-26110_2

Origin: https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b
---
 src/condor_daemon_core.V6/daemon_command.cpp | 17 +
 1 file changed, 17 insertions(+)

diff --git a/src/condor_daemon_core.V6/daemon_command.cpp b/src/condor_daemon_core.V6/daemon_command.cpp
index 83d4082..4f2ddac 100644
--- a/src/condor_daemon_core.V6/daemon_command.cpp
+++ b/src/condor_daemon_core.V6/daemon_command.cpp
@@ -1141,6 +1141,23 @@ DaemonCommandProtocol::CommandProtocolResult DaemonCommandProtocol::Authenticate
 
 	if ( method_used ) {
 		m_policy->Assign(ATTR_SEC_AUTHENTICATION_METHODS, method_used);
+
+		// For CLAIMTOBE, explicitly limit the authorized permission
+		// levels to that of the current command and any implied ones.
+		if ( !strcasecmp(method_used, "CLAIMTOBE") ) {
+			std::string perm_list;
+			DCpermissionHierarchy hierarchy( m_comTable[m_cmd_index].perm );
+			DCpermission const *perms = hierarchy.getImpliedPerms();
+
+			// iterate through a list of this perm and all perms implied by it
+			for (DCpermission perm = *(perms++); perm != LAST_PERM; perm = *(perms++)) {
+if (!perm_list.empty()) {
+	perm_list += ',';
+}
+perm_list += PermString(perm);
+			}
+			m_policy->Assign(ATTR_SEC_LIMIT_AUTHORIZATION, perm_list);
+		}
 	}
 	if ( m_sock->getAuthenticatedName() ) {
 		m_policy->Assign(ATTR_SEC_AUTHENTICATED_NAME, m_sock->getAuthenticatedName() );



Bug#1008634: condor: CVE-2022-26110 / HTCONDOR-2022-0003

2022-03-29 Thread Salvatore Bonaccorso
Source: condor
Version: 8.6.8~dfsg.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for condor.

CVE-2022-26110[0], HTCONDOR-2022-0003

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-26110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26110
[1] https://htcondor.org/security/vulnerabilities/HTCONDOR-2022-0003

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore