[openstack-keystone] Force simple Bind for authentication CVE-2013-2157

Alan Pevec apevec at fedoraproject.org
Sat Jun 22 14:50:07 UTC 2013


commit 0156f3150fb619c6bc86a5c3e4adda6f04a25d94
Author: Alan Pevec <apevec at redhat.com>
Date:   Sat Jun 22 12:29:45 2013 +0200

    Force simple Bind for authentication CVE-2013-2157

 0001-Force-simple-Bind-for-authentication.patch |   91 +++++++++++++++++++++++
 openstack-keystone.spec                         |    8 ++-
 2 files changed, 97 insertions(+), 2 deletions(-)
---
diff --git a/0001-Force-simple-Bind-for-authentication.patch b/0001-Force-simple-Bind-for-authentication.patch
new file mode 100644
index 0000000..baaf6d4
--- /dev/null
+++ b/0001-Force-simple-Bind-for-authentication.patch
@@ -0,0 +1,91 @@
+From bd52bc1f7272a9c9fb5a2dc87a1b4dce813dec04 Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon at cern.ch>
+Date: Tue, 4 Jun 2013 11:59:35 -0400
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection.  If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+(cherry picked from 6fc4c4e78a6c281505e4c5f542542c8c2cb1f66a)
+CVE-2013-2157
+---
+ keystone/identity/backends/ldap/core.py | 16 ++--------------
+ tests/test_backend_ldap.py              | 19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 6533014..a630831 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -20,7 +20,6 @@ import ldap
+ 
+ from keystone import clean
+ from keystone.common import ldap as common_ldap
+-from keystone.common.ldap import fakeldap
+ from keystone.common import logging
+ from keystone.common import models
+ from keystone.common import utils
+@@ -52,18 +51,6 @@ class Identity(identity.Driver):
+         self.role = RoleApi(CONF)
+         self.group = GroupApi(CONF)
+ 
+-    def get_connection(self, user=None, password=None):
+-        if self.LDAP_URL.startswith('fake://'):
+-            conn = fakeldap.FakeLdap(self.LDAP_URL)
+-        else:
+-            conn = common_ldap.LdapWrapper(self.LDAP_URL)
+-        if user is None:
+-            user = self.LDAP_USER
+-        if password is None:
+-            password = self.LDAP_PASSWORD
+-        conn.simple_bind_s(user, password)
+-        return conn
+-
+     def _validate_domain(self, ref):
+         """Validate that either the default domain or nothing is specified.
+ 
+@@ -108,7 +95,8 @@ class Identity(identity.Driver):
+             user_ref = self._get_user(user_id)
+         except exception.UserNotFound:
+             raise AssertionError('Invalid user / password')
+-
++        if not user_id or not password:
++            raise AssertionError('Invalid user / password')
+         try:
+             conn = self.user.get_connection(self.user._id_to_dn(user_id),
+                                             password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index 6121400..21aed74 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -596,6 +596,25 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+               'name': 'Default',
+               'enabled': True}])
+ 
++    def test_authenticate_requires_simple_bind(self):
++        user = {
++            'id': 'no_meta',
++            'name': 'NO_META',
++            'domain_id': test_backend.DEFAULT_DOMAIN_ID,
++            'password': 'no_meta2',
++            'enabled': True,
++        }
++        self.identity_man.create_user({}, user['id'], user)
++        self.identity_api.add_user_to_project(self.tenant_baz['id'],
++                                              user['id'])
++        self.identity_api.user.LDAP_USER = None
++        self.identity_api.user.LDAP_PASSWORD = None
++
++        self.assertRaises(AssertionError,
++                          self.identity_api.authenticate_user,
++                          user_id=user['id'],
++                          password=None)
++
+ 
+ class LDAPIdentityEnabledEmulation(LDAPIdentity):
+     def setUp(self):
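Review bot: The new `if not user_id or not password:` guard sits after `user_ref = self._get_user(user_id)`, so a request with an empty password still performs a directory lookup (and takes the `UserNotFound` branch for unknown users) before it is rejected; moving the two guard lines ahead of the lookup rejects missing credentials first and keeps the rejection path uniform. The `try:` that encloses `_get_user` and the start of the enclosing method are outside the hunk. With `Identity.get_connection` removed, `self.user.get_connection(...)` now resolves to the user API's implementation in `keystone.common.ldap`, which is not part of this patch, so whether it refuses an anonymous bind cannot be confirmed from here. The added `test_authenticate_requires_simple_bind` passes `password=None`, which trips the new guard before any bind happens, so it does not exercise the bind itself; a companion case with a non-empty wrong password would cover the connection path.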
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 5c3757b..b15dbe5 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -2,14 +2,13 @@
 # This is 2013.2 havana-1 milestone
 #
 %global release_name havana
-%global release_letter h
 %global milestone 1
 
 %global with_doc %{!?_without_doc:1}%{?_without_doc:0}
 
 Name:           openstack-keystone
 Version:        2013.2
-Release:        0.1.%{release_letter}%{milestone}%{?dist}
+Release:        0.2.b%{milestone}%{?dist}
 Summary:        OpenStack Identity Service
 
 License:        ASL 2.0
@@ -24,6 +23,7 @@ Source5:        openstack-keystone-sample-data
 #
 # patches_base=2013.2.b1
 #
+Patch0001: 0001-Force-simple-Bind-for-authentication.patch
 
 BuildArch:      noarch
 BuildRequires:  python2-devel
@@ -90,6 +90,7 @@ This package contains documentation for Keystone.
 %prep
 %setup -q -n keystone-%{version}.b%{milestone}
 
+%patch0001 -p1
 sed -i 's/%{version}.b%{milestone}/%{version}/' PKG-INFO
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
@@ -212,6 +213,9 @@ fi
 %endif
 
 %changelog
+* Sat Jun 22 2013 apevec at redhat.com 2013.2-0.2.b1
+- Force simple Bind for authentication CVE-2013-2157
+
 * Fri Jun 07 2013 Alan Pevec <apevec at redhat.com> 2013.2-0.1.h1
 - havana-1 milestone
 

