Control: tags -1 patch
Please find attached the patches to address CVE-2022-26110 for version
8.6.8~dfsg.1-2, also applied in Debian 10 "Buster".
Markus
From: Markus Koschany
Date: Fri, 20 May 2022 14:09:15 +0200
Subject: CVE-2022-26110_1
Origin: https://github.com/htcondor/htcondor/commit/1cae7601d796725e7f5dd73fedf37f6fbbe379ca
---
src/condor_daemon_core.V6/daemon_command.cpp | 40
src/condor_includes/condor_attributes.h | 1 +
2 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/src/condor_daemon_core.V6/daemon_command.cpp b/src/condor_daemon_core.V6/daemon_command.cpp
index daa86ec..83d4082 100644
--- a/src/condor_daemon_core.V6/daemon_command.cpp
+++ b/src/condor_daemon_core.V6/daemon_command.cpp
@@ -1408,11 +1408,41 @@ DaemonCommandProtocol::CommandProtocolResult DaemonCommandProtocol::VerifyComman
m_perm = USER_AUTH_FAILURE;
}
else {
- m_perm = daemonCore->Verify(
- command_desc.Value(),
- m_comTable[m_cmd_index].perm,
- m_sock->peer_addr(),
- m_user.Value() );
+// Authentication methods can limit the authorizations associated with
+// a given identity (at time of coding, only TOKEN does this); apply
+// these limits if present.
+ std::string authz_policy;
+ bool can_attempt = true;
+ if (m_policy && m_policy->EvaluateAttrString(ATTR_SEC_LIMIT_AUTHORIZATION, authz_policy)) {
+StringList authz_limits(authz_policy.c_str());
+authz_limits.rewind();
+const char *perm_cstr = PermString(m_comTable[m_cmd_index].perm);
+const char *authz_name;
+bool found_limit = false;
+while ( (authz_name = authz_limits.next()) ) {
+ if (!strcmp(perm_cstr, authz_name)) {
+ found_limit = true;
+ break;
+ }
+}
+bool has_allow_perm = !strcmp(perm_cstr, "ALLOW");
+if (!found_limit && !has_allow_perm) {
+ can_attempt = false;
+}
+ }
+ if (can_attempt) {
+m_perm = daemonCore->Verify(
+ command_desc.Value(),
+ m_comTable[m_cmd_index].perm,
+ m_sock->peer_addr(),
+ m_user.Value() );
+ } else {
+dprintf(D_ALWAYS, "DC_AUTHENTICATE: authentication of %s was successful but resulted in a limited authorization which did not include this command (%d %s), so aborting.\n",
+ m_sock->peer_description(),
+ m_req,
+ m_comTable[m_cmd_index].command_descrip);
+m_perm = USER_AUTH_FAILURE;
+ }
}
} else {
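Review bot: The ALLOW exemption at `bool has_allow_perm = !strcmp(perm_cstr, "ALLOW");` re-derives the permission level from its rendered name, so it silently depends on PermString spelling that enumerator exactly this way; comparing the enum value directly, `bool has_allow_perm = (m_comTable[m_cmd_index].perm == ALLOW);` (assuming ALLOW is the DCpermission enumerator behind that string), is cheaper and cannot drift apart from the name table. The fail-closed behaviour when the attribute is present but its list is empty — every non-ALLOW command is rejected — is desirable but not obvious from the code, and deserves a comment on the `if (!found_limit && !has_allow_perm)` line such as `// Fail closed: an empty LimitAuthorization list permits nothing beyond ALLOW-level commands.` Whether the limit survives session caching and resumption depends on ATTR_SEC_LIMIT_AUTHORIZATION being carried in the cached policy, which this hunk does not show. VerifyCommand begins and ends outside the hunk.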
diff --git a/src/condor_includes/condor_attributes.h b/src/condor_includes/condor_attributes.h
index 7de9120..d230fb3 100644
--- a/src/condor_includes/condor_attributes.h
+++ b/src/condor_includes/condor_attributes.h
@@ -839,6 +839,7 @@ extern const char ATTR_SEC_AUTHENTICATED_USER [];
#define ATTR_SEC_TRIED_AUTHENTICATION "TriedAuthentication"
#define ATTR_SEC_AUTHORIZATION_SUCCEEDED "AuthorizationSucceeded"
#define ATTR_SEC_RETURN_CODE "ReturnCode"
+#define ATTR_SEC_LIMIT_AUTHORIZATION "LimitAuthorization"
#define ATTR_MULTIPLE_TASKS_PER_PVMD "MultipleTasksPerPvmd"
From: Markus Koschany
Date: Fri, 20 May 2022 14:09:31 +0200
Subject: CVE-2022-26110_2
Origin: https://github.com/htcondor/htcondor/commit/8568e8ba65c9490f30a1089b6d4f8910e4bfbd6b
---
src/condor_daemon_core.V6/daemon_command.cpp | 17 +
1 file changed, 17 insertions(+)
diff --git a/src/condor_daemon_core.V6/daemon_command.cpp b/src/condor_daemon_core.V6/daemon_command.cpp
index 83d4082..4f2ddac 100644
--- a/src/condor_daemon_core.V6/daemon_command.cpp
+++ b/src/condor_daemon_core.V6/daemon_command.cpp
@@ -1141,6 +1141,23 @@ DaemonCommandProtocol::CommandProtocolResult DaemonCommandProtocol::Authenticate
if ( method_used ) {
m_policy->Assign(ATTR_SEC_AUTHENTICATION_METHODS, method_used);
+
+ // For CLAIMTOBE, explicitly limit the authorized permission
+ // levels to that of the current command and any implied ones.
+ if ( !strcasecmp(method_used, "CLAIMTOBE") ) {
+ std::string perm_list;
+ DCpermissionHierarchy hierarchy( m_comTable[m_cmd_index].perm );
+ DCpermission const *perms = hierarchy.getImpliedPerms();
+
+ // iterate through a list of this perm and all perms implied by it
+ for (DCpermission perm = *(perms++); perm != LAST_PERM; perm = *(perms++)) {
+if (!perm_list.empty()) {
+ perm_list += ',';
+}
+perm_list += PermString(perm);
+ }
+ m_policy->Assign(ATTR_SEC_LIMIT_AUTHORIZATION, perm_list);
+ }
}
if ( m_sock->getAuthenticatedName() ) {
m_policy->Assign(ATTR_SEC_AUTHENTICATED_NAME, m_sock->getAuthenticatedName() );
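Review bot: The list written by `m_policy->Assign(ATTR_SEC_LIMIT_AUTHORIZATION, perm_list);` is consumed in VerifyCommand by exact string matching against PermString of the requested command's level, and nothing in the comment above the loop records that contract, so a later change to the separator or to the name format would weaken authorization silently; I would extend that comment with `// Comma-separated PermString names; VerifyCommand matches these verbatim and rejects any non-ALLOW command not listed.` The `*(perms++)` walk relies on getImpliedPerms() returning a LAST_PERM-terminated array, which is not visible here but is consistent with the loop's termination test. The first patch's comment says only TOKEN limited authorizations at the time, so TOKEN presumably sets the attribute elsewhere; worth confirming rather than assuming. Authenticate begins and ends outside the hunk.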