[openstack-keystone/f17] Require authz to update user's tenant (CVE-2012-3542)

Alan Pevec apevec at fedoraproject.org
Fri Aug 31 00:25:27 UTC 2012


commit b037c81d64bfb3766ee1e87705e2ca4c48cc3bd1
Author: Alan Pevec <apevec at redhat.com>
Date:   Fri Aug 31 02:17:26 2012 +0200

    Require authz to update user's tenant (CVE-2012-3542)

 ...authz-to-update-user-s-tenant-bug-1040626.patch |   22 ++++++++++++++++++++
 openstack-keystone.spec                            |    7 +++++-
 2 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch b/0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch
new file mode 100644
index 0000000..53d3087
--- /dev/null
+++ b/0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch
@@ -0,0 +1,22 @@
+From ca6c5512983c2059a64aa4bcf0fa4b334a212562 Mon Sep 17 00:00:00 2001
+From: Dolph Mathews <dolph.mathews at gmail.com>
+Date: Thu, 23 Aug 2012 07:39:20 -0500
+Subject: [PATCH] Require authz to update user's tenant (bug 1040626)
+
+Change-Id: I82f80b84af2bc4db00b3dcb87a2ec338816a82e9
+---
+ keystone/identity/core.py |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/keystone/identity/core.py b/keystone/identity/core.py
+index a0704f1..db3ce31 100644
+--- a/keystone/identity/core.py
++++ b/keystone/identity/core.py
+@@ -436,6 +436,7 @@ class UserController(wsgi.Application):
+ 
+     def update_user_tenant(self, context, user_id, user):
+         """Update the default tenant."""
++        self.assert_admin(context)
+         # ensure that we're a member of that tenant
+         tenant_id = user.get('tenantId')
+         self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
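Review bot: The added `self.assert_admin(context)` at the top of update_user_tenant is the whole fix and the backported patch carries no regression test; its own diffstat lists only keystone/identity/core.py. A test that invokes update_user_tenant with a non-admin context and expects the admin assertion to reject it would keep the check from being dropped silently on the next rebase. The docstring should also state the tightened contract, e.g. `"""Update the default tenant (admin only)."""`. The check sits before `user.get('tenantId')` is read and before any identity_api call, so an unauthorized caller is rejected without side effects; the rest of update_user_tenant lies outside the hunk.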
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index a72def9..127a5a3 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -9,7 +9,7 @@
 
 Name:           openstack-keystone
 Version:        2012.1.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        OpenStack Identity Service
 
 License:        ASL 2.0
@@ -26,6 +26,7 @@ Source5:        openstack-keystone-sample-data
 Patch0001: 0001-fix-man-page-build.patch
 Patch0002: 0002-fix-sphinx-warnings.patch
 Patch0003: 0003-match-egg-and-spec-requires.patch
+Patch0004: 0004-Require-authz-to-update-user-s-tenant-bug-1040626.patch
 
 BuildArch:      noarch
 BuildRequires:  python2-devel
@@ -112,6 +113,7 @@ This package contains documentation for Keystone.
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
+%patch0004 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 find keystone -name \*.py -exec sed -i '/\/usr\/bin\/env python/d' {} \;
@@ -249,6 +251,9 @@ fi
 %endif
 
 %changelog
+* Thu Aug 30 2012 Alan Pevec <apevec at redhat.com> 2012.1.2-2
+- Require authz to update user's tenant (CVE-2012-3542)
+
 * Mon Aug 13 2012 Alan Pevec <apevec at redhat.com> 2012.1.2-1
 - updated to stable essex release 2012.1.2
 

