[openstack-keystone/f19] Force simple Bind for authentication CVE-2013-2157
Alan Pevec
apevec at fedoraproject.org
Sat Jun 22 15:16:12 UTC 2013
commit d26b30e54bf3169dcb8309935ac387a34a0a5d35
Author: Alan Pevec <apevec at redhat.com>
Date: Sat Jun 22 16:56:26 2013 +0200
Force simple Bind for authentication CVE-2013-2157
0001-Force-simple-Bind-for-authentication.patch | 83 +++++++++++++++++++++++
openstack-keystone.spec | 7 ++-
2 files changed, 89 insertions(+), 1 deletions(-)
---
diff --git a/0001-Force-simple-Bind-for-authentication.patch b/0001-Force-simple-Bind-for-authentication.patch
new file mode 100644
index 0000000..2848290
--- /dev/null
+++ b/0001-Force-simple-Bind-for-authentication.patch
@@ -0,0 +1,83 @@
+From d86c69705a4c7fdbb1f4f2f28cfe485046542d7d Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon at cern.ch>
+Date: Tue, 4 Jun 2013 11:59:35 -0400
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection. If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+(cherry picked from c100fd2f1fe024cb2f731bfdd283cee36259e6e3)
+CVE-2013-2157
+---
+ keystone/identity/backends/ldap/core.py | 14 ++------------
+ tests/test_backend_ldap.py | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 9b1b034..5337f2f 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -53,18 +53,6 @@ class Identity(identity.Driver):
+ self.role = RoleApi(CONF)
+ self.group = GroupApi(CONF)
+
+- def get_connection(self, user=None, password=None):
+- if self.LDAP_URL.startswith('fake://'):
+- conn = fakeldap.FakeLdap(self.LDAP_URL)
+- else:
+- conn = common_ldap.LdapWrapper(self.LDAP_URL)
+- if user is None:
+- user = self.LDAP_USER
+- if password is None:
+- password = self.LDAP_PASSWORD
+- conn.simple_bind_s(user, password)
+- return conn
+-
+ def _validate_domain(self, ref):
+ """Validate that either the default domain or nothing is specified.
+
+@@ -110,6 +98,8 @@ class Identity(identity.Driver):
+ except exception.UserNotFound:
+ raise AssertionError('Invalid user / password')
+
++ if not user_id or not password:
++ raise AssertionError('Invalid user / password')
+ try:
+ conn = self.user.get_connection(self.user._id_to_dn(user_id),
+ password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index c4aaff5..d1b3b2a 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -577,6 +577,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+ 'name': 'Default',
+ 'enabled': True}])
+
++ def test_authenticate_requires_simple_bind(self):
++ user = {
++ 'id': 'no_meta',
++ 'name': 'NO_META',
++ 'domain_id': test_backend.DEFAULT_DOMAIN_ID,
++ 'password': 'no_meta2',
++ 'enabled': True,
++ }
++ self.identity_man.create_user({}, user['id'], user)
++ self.identity_api.add_user_to_project(self.tenant_baz['id'],
++ user['id'])
++ self.identity_api.user.LDAP_USER = None
++ self.identity_api.user.LDAP_PASSWORD = None
++
++ self.assertRaises(AssertionError,
++ self.identity_api.authenticate,
++ user_id=user['id'],
++ tenant_id=self.tenant_baz['id'],
++ password=None)
++
+
+ class LDAPIdentityEnabledEmulation(LDAPIdentity):
+ def setUp(self):
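Review bot: The new guard `if not user_id or not password:` is the line that actually closes the hole, because a simple bind with a DN and an empty password is treated as an unauthenticated (anonymous) bind by servers configured to allow it, yet the added `test_authenticate_requires_simple_bind` only exercises `password=None`, so a later narrowing of the check to `is None` would still pass the test. I would add a second `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], tenant_id=self.tenant_baz['id'], password='')` to the test, and a why-comment above the guard, `# Refuse empty credentials before binding: an LDAP simple bind with an empty password is an anonymous bind, not a failed one.` The test also sets `LDAP_USER`/`LDAP_PASSWORD` to `None` on the shared `identity_api.user` object without restoring them, which would leak into later tests if that object is reused across cases — presumably it is rebuilt per test, but worth confirming. Removing `Identity.get_connection` is fine only if nothing else in the class still calls `self.get_connection`; that cannot be verified from the hunk. The `authenticate` method that receives the guard starts and ends outside the hunk.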
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 4fd0d60..142bf1f 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -7,7 +7,7 @@
Name: openstack-keystone
Version: 2013.1.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenStack Identity Service
License: ASL 2.0
@@ -21,6 +21,7 @@ Source5: openstack-keystone-sample-data
#
# patches_base=2013.1.2
#
+Patch0001: 0001-Force-simple-Bind-for-authentication.patch
BuildArch: noarch
BuildRequires: python2-devel
@@ -83,6 +84,7 @@ This package contains documentation for Keystone.
%prep
%setup -q -n keystone-%{version}
+%patch0001 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
find keystone -name \*.py -exec sed -i '/\/usr\/bin\/env python/d' {} \;
# Remove bundled egg-info
@@ -201,6 +203,9 @@ fi
%endif
%changelog
+* Sat Jun 22 2013 apevec at redhat.com 2013.1.2-2
+- Force simple Bind for authentication CVE-2013-2157
+
* Fri Jun 07 2013 Alan Pevec <apevec at redhat.com> 2013.1.2-1
- updated to stable grizzly 2013.1.2 release