[openstack-keystone] Force simple Bind for authentication CVE-2013-2157
Alan Pevec
apevec at fedoraproject.org
Sat Jun 22 14:50:07 UTC 2013
commit 0156f3150fb619c6bc86a5c3e4adda6f04a25d94
Author: Alan Pevec <apevec at redhat.com>
Date: Sat Jun 22 12:29:45 2013 +0200
Force simple Bind for authentication CVE-2013-2157
0001-Force-simple-Bind-for-authentication.patch | 91 +++++++++++++++++++++++
openstack-keystone.spec | 8 ++-
2 files changed, 97 insertions(+), 2 deletions(-)
---
diff --git a/0001-Force-simple-Bind-for-authentication.patch b/0001-Force-simple-Bind-for-authentication.patch
new file mode 100644
index 0000000..baaf6d4
--- /dev/null
+++ b/0001-Force-simple-Bind-for-authentication.patch
@@ -0,0 +1,91 @@
+From bd52bc1f7272a9c9fb5a2dc87a1b4dce813dec04 Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon at cern.ch>
+Date: Tue, 4 Jun 2013 11:59:35 -0400
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection. If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+(cherry picked from 6fc4c4e78a6c281505e4c5f542542c8c2cb1f66a)
+CVE-2013-2157
+---
+ keystone/identity/backends/ldap/core.py | 16 ++--------------
+ tests/test_backend_ldap.py | 19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 6533014..a630831 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -20,7 +20,6 @@ import ldap
+
+ from keystone import clean
+ from keystone.common import ldap as common_ldap
+-from keystone.common.ldap import fakeldap
+ from keystone.common import logging
+ from keystone.common import models
+ from keystone.common import utils
+@@ -52,18 +51,6 @@ class Identity(identity.Driver):
+ self.role = RoleApi(CONF)
+ self.group = GroupApi(CONF)
+
+- def get_connection(self, user=None, password=None):
+- if self.LDAP_URL.startswith('fake://'):
+- conn = fakeldap.FakeLdap(self.LDAP_URL)
+- else:
+- conn = common_ldap.LdapWrapper(self.LDAP_URL)
+- if user is None:
+- user = self.LDAP_USER
+- if password is None:
+- password = self.LDAP_PASSWORD
+- conn.simple_bind_s(user, password)
+- return conn
+-
+ def _validate_domain(self, ref):
+ """Validate that either the default domain or nothing is specified.
+
+@@ -108,7 +95,8 @@ class Identity(identity.Driver):
+ user_ref = self._get_user(user_id)
+ except exception.UserNotFound:
+ raise AssertionError('Invalid user / password')
+-
++ if not user_id or not password:
++ raise AssertionError('Invalid user / password')
+ try:
+ conn = self.user.get_connection(self.user._id_to_dn(user_id),
+ password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index 6121400..21aed74 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -596,6 +596,25 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+ 'name': 'Default',
+ 'enabled': True}])
+
++ def test_authenticate_requires_simple_bind(self):
++ user = {
++ 'id': 'no_meta',
++ 'name': 'NO_META',
++ 'domain_id': test_backend.DEFAULT_DOMAIN_ID,
++ 'password': 'no_meta2',
++ 'enabled': True,
++ }
++ self.identity_man.create_user({}, user['id'], user)
++ self.identity_api.add_user_to_project(self.tenant_baz['id'],
++ user['id'])
++ self.identity_api.user.LDAP_USER = None
++ self.identity_api.user.LDAP_PASSWORD = None
++
++ self.assertRaises(AssertionError,
++ self.identity_api.authenticate_user,
++ user_id=user['id'],
++ password=None)
++
+
+ class LDAPIdentityEnabledEmulation(LDAPIdentity):
+ def setUp(self):
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 5c3757b..b15dbe5 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -2,14 +2,13 @@
# This is 2013.2 havana-1 milestone
#
%global release_name havana
-%global release_letter h
%global milestone 1
%global with_doc %{!?_without_doc:1}%{?_without_doc:0}
Name: openstack-keystone
Version: 2013.2
-Release: 0.1.%{release_letter}%{milestone}%{?dist}
+Release: 0.2.b%{milestone}%{?dist}
Summary: OpenStack Identity Service
License: ASL 2.0
@@ -24,6 +23,7 @@ Source5: openstack-keystone-sample-data
#
# patches_base=2013.2.b1
#
+Patch0001: 0001-Force-simple-Bind-for-authentication.patch
BuildArch: noarch
BuildRequires: python2-devel
@@ -90,6 +90,7 @@ This package contains documentation for Keystone.
%prep
%setup -q -n keystone-%{version}.b%{milestone}
+%patch0001 -p1
sed -i 's/%{version}.b%{milestone}/%{version}/' PKG-INFO
find . \( -name .gitignore -o -name .placeholder \) -delete
@@ -212,6 +213,9 @@ fi
%endif
%changelog
+* Sat Jun 22 2013 apevec at redhat.com 2013.2-0.2.b1
+- Force simple Bind for authentication CVE-2013-2157
+
* Fri Jun 07 2013 Alan Pevec <apevec at redhat.com> 2013.2-0.1.h1
- havana-1 milestone