[openstack-keystone] Require authz to update user's tenant (CVE-2012-3542)

Alan Pevec apevec at fedoraproject.org
Fri Aug 31 00:10:08 UTC 2012


commit 312b182d380e38b9cc380cdfea070320957f713e
Author: Alan Pevec <apevec at redhat.com>
Date:   Fri Aug 31 01:26:36 2012 +0200

    Require authz to update user's tenant (CVE-2012-3542)

 ...authz-to-update-user-s-tenant-bug-1040626.patch |   22 ++++++++++++++++++++
 openstack-keystone.spec                            |    7 +++++-
 2 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch b/0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch
new file mode 100644
index 0000000..3b0b08d
--- /dev/null
+++ b/0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch
@@ -0,0 +1,22 @@
+From d8c71909022fd7110d73ba6ccfbcf1f40187eff9 Mon Sep 17 00:00:00 2001
+From: Dolph Mathews <dolph.mathews at gmail.com>
+Date: Thu, 23 Aug 2012 07:39:20 -0500
+Subject: [PATCH] Require authz to update user's tenant (bug 1040626)
+
+Change-Id: I82f80b84af2bc4db00b3dcb87a2ec338816a82e9
+---
+ keystone/identity/core.py |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/keystone/identity/core.py b/keystone/identity/core.py
+index aec0b75..c9c496c 100644
+--- a/keystone/identity/core.py
++++ b/keystone/identity/core.py
+@@ -515,6 +515,7 @@ class UserController(wsgi.Application):
+ 
+     def update_user_tenant(self, context, user_id, user):
+         """Update the default tenant."""
++        self.assert_admin(context)
+         # ensure that we're a member of that tenant
+         tenant_id = user.get('tenantId')
+         self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
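Review bot: The docstring of `update_user_tenant` still reads `"""Update the default tenant."""` and does not record the authorization requirement the new `self.assert_admin(context)` line introduces, so a reader sees an admin-only operation documented as a plain update; I would change it to `"""Update the user's default tenant. Requires admin authorization (assert_admin)."""`. The embedded upstream patch's diffstat lists only keystone/identity/core.py, so no regression test accompanies the check; a test asserting that a non-admin context is rejected before `add_user_to_tenant` is reached would guard against the check being lost in a later rebase. The body of `update_user_tenant` continues past the end of the hunk. `self.assert_admin` appears to come from the controller's base class, so its behaviour for a missing or non-admin token cannot be confirmed from this hunk.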
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index b383fec..2f1d10f 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -12,7 +12,7 @@
 
 Name:           openstack-keystone
 Version:        2012.2
-Release:        0.5.%{release_letter}%{milestone}%{?dist}
+Release:        0.6.%{release_letter}%{milestone}%{?dist}
 Summary:        OpenStack Identity Service
 
 License:        ASL 2.0
@@ -31,6 +31,7 @@ Source5:        openstack-keystone-sample-data
 Patch0001: 0001-allow-middleware-configuration-from-app-config.patch
 Patch0002: 0002-match-egg-and-spec-requires.patch
 Patch0003: 0003-Check-for-expected-cfg-impl-bug-1043479.patch
+Patch0004: 0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch
 
 BuildArch:      noarch
 BuildRequires:  python2-devel
@@ -115,6 +116,7 @@ This package contains documentation for Keystone.
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
+%patch0004 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 find keystone -name \*.py -exec sed -i '/\/usr\/bin\/env python/d' {} \;
@@ -256,6 +258,9 @@ fi
 %endif
 
 %changelog
+* Thu Aug 30 2012 Alan Pevec <apevec at redhat.com> 2012.2-0.6.f3
+- Require authz to update user's tenant (CVE-2012-3542)
+
 * Wed Aug 29 2012 Alan Pevec <apevec at redhat.com> 2012.2-0.5.f3
 - allow middleware configuration from app config
 

