[openstack-keystone/f18] Updated patches from f18-patches
Alan Pevec
apevec at fedoraproject.org
Sat Feb 23 17:32:28 UTC 2013
commit 8050fdde4f3493c20d5df4848314b163b623037d
Author: Alan Pevec <apevec at redhat.com>
Date: Sat Feb 23 18:29:33 2013 +0100
Updated patches from f18-patches
- ensure user and tenant are enabled CVE-2013-0282
- disable XML entity parsing CVE-2013-1664, CVE-2013-1665
0007-Disable-XML-entity-parsing.patch | 53 +++++++++++++
0008-Ensure-user-and-tenant-enabled-in-EC2.patch | 92 ++++++++++++++++++++++
openstack-keystone.spec | 10 ++-
3 files changed, 154 insertions(+), 1 deletions(-)
---
diff --git a/0007-Disable-XML-entity-parsing.patch b/0007-Disable-XML-entity-parsing.patch
new file mode 100644
index 0000000..6e007a0
--- /dev/null
+++ b/0007-Disable-XML-entity-parsing.patch
@@ -0,0 +1,53 @@
+From 6dc036193040c04cb71611f4d826c6ee027da6b0 Mon Sep 17 00:00:00 2001
+From: Dolph Mathews <dolph.mathews at gmail.com>
+Date: Tue, 19 Feb 2013 09:04:11 -0600
+Subject: [PATCH] Disable XML entity parsing
+
+Fixes bug 1100282 and bug 1100279.
+
+Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123
+(cherry picked from commit 8a2274595ac628b2373eab0cb14690f866b7a024)
+---
+ keystone/common/serializer.py | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/keystone/common/serializer.py b/keystone/common/serializer.py
+index 734f7d1..72fe7f1 100644
+--- a/keystone/common/serializer.py
++++ b/keystone/common/serializer.py
+@@ -29,6 +29,16 @@ import re
+ DOCTYPE = '<?xml version="1.0" encoding="UTF-8"?>'
+ XMLNS = 'http://docs.openstack.org/identity/api/v2.0'
+
++PARSER = etree.XMLParser(
++ resolve_entities=False,
++ remove_comments=True,
++ remove_pis=True)
++
++# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
++# lxml.etree._Entity instance, which doesn't appear to be part of the
++# public API, so we discover the type dynamically to be safe
++ENTITY_TYPE = type(etree.Entity('x'))
++
+
+ def from_xml(xml):
+ """Deserialize XML to a dictionary."""
+@@ -51,7 +61,7 @@ def to_xml(d, xmlns=None):
+ class XmlDeserializer(object):
+ def __call__(self, xml_str):
+ """Returns a dictionary populated by decoding the given xml string."""
+- dom = etree.fromstring(xml_str.strip())
++ dom = etree.fromstring(xml_str.strip(), PARSER)
+ return self.walk_element(dom)
+
+ @staticmethod
+@@ -87,7 +97,8 @@ class XmlDeserializer(object):
+ # current spec does not have attributes on an element with text
+ values = values or text or {}
+
+- for child in [self.walk_element(x) for x in element]:
++ for child in [self.walk_element(x) for x in element
++ if not isinstance(x, ENTITY_TYPE)]:
+ values = dict(values.items() + child.items())
+
+ return {XmlDeserializer._tag_name(element.tag): values}
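Review bot: The new `if not isinstance(x, ENTITY_TYPE)` filter at the end of walk_element silently drops any entity node that reaches it, so a request that carries an entity reference inside a value is accepted with that part of the value missing instead of being rejected; since PARSER already refuses to expand entities, an entity child at this point signals a malformed or hostile document and is more useful to operators as an explicit error than as a quiet omission. I'd check before the comprehension and raise, e.g. `if any(isinstance(x, ENTITY_TYPE) for x in element): raise ValueError('XML entity references are not supported')`, so the caller can map it to a client error and the event shows up in logs (which exception type serializer.py's callers translate is not visible here, so the exact type is to be confirmed). The PARSER block would also read better with a why-comment such as `# NOTE: resolve_entities=False stops internal and external entity expansion; comments and PIs carry no request data, so they are stripped` above the constructor call. walk_element begins outside the inner hunk, so only its visible tail is covered by this note.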
diff --git a/0008-Ensure-user-and-tenant-enabled-in-EC2.patch b/0008-Ensure-user-and-tenant-enabled-in-EC2.patch
new file mode 100644
index 0000000..6391c20
--- /dev/null
+++ b/0008-Ensure-user-and-tenant-enabled-in-EC2.patch
@@ -0,0 +1,92 @@
+From 05a62580ee53137028cf6d2925b6f3d455c76c48 Mon Sep 17 00:00:00 2001
+From: Nathanael Burton <nathanael.i.burton.work at gmail.com>
+Date: Tue, 19 Feb 2013 09:27:04 -0600
+Subject: [PATCH] Ensure user and tenant enabled in EC2
+
+Fixes bug 1121494.
+
+Change-Id: Icc90d581691b5aa63754e076ce983dfa2885a1dc
+(cherry picked from commit f0b4d300db5cc61d4f079f8bce9da8e8bea1081a)
+---
+ keystone/contrib/ec2/core.py | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
+index 064474c..ffc0eee 100644
+--- a/keystone/contrib/ec2/core.py
++++ b/keystone/contrib/ec2/core.py
+@@ -37,6 +37,7 @@ glance to list images needed to perform the requested task.
+ import uuid
+
+ from keystone import catalog
++from keystone.common import logging
+ from keystone.common import manager
+ from keystone.common import utils
+ from keystone.common import wsgi
+@@ -49,6 +50,7 @@ from keystone import token
+
+
+ CONF = config.CONF
++LOG = logging.getLogger(__name__)
+
+
+ class Manager(manager.Manager):
+@@ -117,9 +119,9 @@ class Ec2Controller(wsgi.Application):
+ credentials['host'] = hostname
+ signature = signer.generate(credentials)
+ if not utils.auth_str_equal(credentials.signature, signature):
+- raise exception.Unauthorized(message='Invalid EC2 signature.')
++ raise exception.Unauthorized()
+ else:
+- raise exception.Unauthorized(message='EC2 signature not supplied.')
++ raise exception.Unauthorized()
+
+ def authenticate(self, context, credentials=None, ec2Credentials=None):
+ """Validate a signed EC2 request and provide a token.
+@@ -149,7 +151,7 @@ class Ec2Controller(wsgi.Application):
+ credentials = ec2Credentials
+
+ if not 'access' in credentials:
+- raise exception.Unauthorized(message='EC2 signature not supplied.')
++ raise exception.Unauthorized()
+
+ creds_ref = self._get_credentials(context,
+ credentials['access'])
+@@ -161,9 +163,19 @@ class Ec2Controller(wsgi.Application):
+ tenant_ref = self.identity_api.get_tenant(
+ context=context,
+ tenant_id=creds_ref['tenant_id'])
++ # If the tenant is disabled don't allow them to authenticate
++ if tenant_ref and not tenant_ref.get('enabled', True):
++ msg = 'Tenant %s is disabled' % tenant_ref['id']
++ LOG.warning(msg)
++ raise exception.Unauthorized()
+ user_ref = self.identity_api.get_user(
+ context=context,
+ user_id=creds_ref['user_id'])
++ # If the user is disabled don't allow them to authenticate
++ if not user_ref.get('enabled', True):
++ msg = 'User %s is disabled' % user_ref['id']
++ LOG.warning(msg)
++ raise exception.Unauthorized()
+ metadata_ref = self.identity_api.get_metadata(
+ context=context,
+ user_id=user_ref['id'],
+@@ -174,7 +186,7 @@ class Ec2Controller(wsgi.Application):
+ # fill out the roles in the metadata
+ roles = metadata_ref.get('roles', [])
+ if not roles:
+- raise exception.Unauthorized(message='User not valid for tenant.')
++ raise exception.Unauthorized()
+ roles_ref = [self.identity_api.get_role(context, role_id)
+ for role_id in roles]
+
+@@ -279,7 +291,7 @@ class Ec2Controller(wsgi.Application):
+ creds = self.ec2_api.get_credential(context,
+ credential_id)
+ if not creds:
+- raise exception.Unauthorized(message='EC2 access key not found.')
++ raise exception.Unauthorized()
+ return creds
+
+ def _assert_identity(self, context, user_id):
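Review bot: The two new disabled checks treat a missing `enabled` key as enabled (`.get('enabled', True)`), so a backend that returns refs without that key never fails closed here; if that default is deliberate to match the rest of keystone's identity checks it deserves a one-line comment, otherwise `not tenant_ref.get('enabled')` is the safer reading — this is inferred from the hunk alone, as the identity backends are not visible. The same hunk removes the distinguishing `message=` text from every other `exception.Unauthorized()` in this controller (signature mismatch, missing signature, missing access key, no roles for the tenant), which is right for the client response but leaves operators with no record of why a request was refused, since only the two new disabled branches log; a `LOG.warning('EC2 authentication failed: invalid signature')`-style line at each of those sites, without echoing the submitted credentials, would keep the distinction for detection. The new log lines also build `msg` with `%` before passing it in; the logger's lazy form `LOG.warning('Tenant %s is disabled', tenant_ref['id'])` drops the temporary. check_signature and authenticate both begin outside their hunks.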
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index ad4c879..ec754d9 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -7,7 +7,7 @@
Name: openstack-keystone
Version: 2012.2.3
-Release: 2%{?dist}
+Release: 3%{?dist}
#Release: 0.1.%{release_letter}%{milestone}%{?dist}
Summary: OpenStack Identity Service
@@ -29,6 +29,8 @@ Patch0003: 0003-add-Swift-endpoint-in-sample-data.patch
Patch0004: 0004-notify-calling-process-we-are-ready-to-serve.patch
Patch0005: 0005-Fix-default-port-for-identity.internalURL.patch
Patch0006: 0006-Add-size-validations-for-tokens.patch
+Patch0007: 0007-Disable-XML-entity-parsing.patch
+Patch0008: 0008-Ensure-user-and-tenant-enabled-in-EC2.patch
BuildArch: noarch
BuildRequires: python2-devel
@@ -104,6 +106,8 @@ This package contains documentation for Keystone.
%patch0004 -p1
%patch0005 -p1
%patch0006 -p1
+%patch0007 -p1
+%patch0008 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
find keystone -name \*.py -exec sed -i '/\/usr\/bin\/env python/d' {} \;
@@ -218,6 +222,10 @@ fi
%endif
%changelog
+* Sat Feb 23 2013 Alan Pevec <apevec at redhat.com> 2012.2.3-3
+- ensure user and tenant are enabled CVE-2013-0282
+- disable XML entity parsing CVE-2013-1664, CVE-2013-1665
+
* Fri Feb 08 2013 Alan Pevec <apevec at redhat.com> 2012.2.3-2
- limit parameters and tokens size CVE-2013-0247