[openstack-keystone/f19] Force simple Bind for authentication CVE-2013-2157

Alan Pevec apevec at fedoraproject.org
Sat Jun 22 15:16:12 UTC 2013


commit d26b30e54bf3169dcb8309935ac387a34a0a5d35
Author: Alan Pevec <apevec at redhat.com>
Date:   Sat Jun 22 16:56:26 2013 +0200

    Force simple Bind for authentication CVE-2013-2157

 0001-Force-simple-Bind-for-authentication.patch |   83 +++++++++++++++++++++++
 openstack-keystone.spec                         |    7 ++-
 2 files changed, 89 insertions(+), 1 deletions(-)
---
diff --git a/0001-Force-simple-Bind-for-authentication.patch b/0001-Force-simple-Bind-for-authentication.patch
new file mode 100644
index 0000000..2848290
--- /dev/null
+++ b/0001-Force-simple-Bind-for-authentication.patch
@@ -0,0 +1,83 @@
+From d86c69705a4c7fdbb1f4f2f28cfe485046542d7d Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon at cern.ch>
+Date: Tue, 4 Jun 2013 11:59:35 -0400
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection.  If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+(cherry picked from c100fd2f1fe024cb2f731bfdd283cee36259e6e3)
+CVE-2013-2157
+---
+ keystone/identity/backends/ldap/core.py | 14 ++------------
+ tests/test_backend_ldap.py              | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 9b1b034..5337f2f 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -53,18 +53,6 @@ class Identity(identity.Driver):
+         self.role = RoleApi(CONF)
+         self.group = GroupApi(CONF)
+ 
+-    def get_connection(self, user=None, password=None):
+-        if self.LDAP_URL.startswith('fake://'):
+-            conn = fakeldap.FakeLdap(self.LDAP_URL)
+-        else:
+-            conn = common_ldap.LdapWrapper(self.LDAP_URL)
+-        if user is None:
+-            user = self.LDAP_USER
+-        if password is None:
+-            password = self.LDAP_PASSWORD
+-        conn.simple_bind_s(user, password)
+-        return conn
+-
+     def _validate_domain(self, ref):
+         """Validate that either the default domain or nothing is specified.
+ 
+@@ -110,6 +98,8 @@ class Identity(identity.Driver):
+         except exception.UserNotFound:
+             raise AssertionError('Invalid user / password')
+ 
++        if not user_id or not password:
++            raise AssertionError('Invalid user / password')
+         try:
+             conn = self.user.get_connection(self.user._id_to_dn(user_id),
+                                             password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index c4aaff5..d1b3b2a 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -577,6 +577,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+               'name': 'Default',
+               'enabled': True}])
+ 
++    def test_authenticate_requires_simple_bind(self):
++        user = {
++            'id': 'no_meta',
++            'name': 'NO_META',
++            'domain_id': test_backend.DEFAULT_DOMAIN_ID,
++            'password': 'no_meta2',
++            'enabled': True,
++        }
++        self.identity_man.create_user({}, user['id'], user)
++        self.identity_api.add_user_to_project(self.tenant_baz['id'],
++                                              user['id'])
++        self.identity_api.user.LDAP_USER = None
++        self.identity_api.user.LDAP_PASSWORD = None
++
++        self.assertRaises(AssertionError,
++                          self.identity_api.authenticate,
++                          user_id=user['id'],
++                          tenant_id=self.tenant_baz['id'],
++                          password=None)
++
+ 
+ class LDAPIdentityEnabledEmulation(LDAPIdentity):
+     def setUp(self):
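Review bot: The added test at the end of the hunk only exercises `password=None`, while the new guard `if not user_id or not password` also has to cover the empty string, which is the LDAP unauthenticated-bind case (a non-empty DN with an empty password is treated as anonymous by many directories, RFC 4513 §5.1.2) and is the variant a remote caller can actually send. A second assertion, `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], tenant_id=self.tenant_baz['id'], password='')`, would pin that path; the guard's intent is also worth a comment such as `# None/'' would reach simple_bind_s as an anonymous or unauthenticated bind, so reject before touching the directory`. Note that the guard sits inside `authenticate`, whose definition starts above this hunk, and whether `self.user.get_connection` (common_ldap, not shown) still substitutes LDAP_USER/LDAP_PASSWORD for a None argument cannot be confirmed from here, which is a further reason to keep the rejection in front of the bind rather than relying on the lower layer.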
diff --git a/openstack-keystone.spec b/openstack-keystone.spec
index 4fd0d60..142bf1f 100644
--- a/openstack-keystone.spec
+++ b/openstack-keystone.spec
@@ -7,7 +7,7 @@
 
 Name:           openstack-keystone
 Version:        2013.1.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        OpenStack Identity Service
 
 License:        ASL 2.0
@@ -21,6 +21,7 @@ Source5:        openstack-keystone-sample-data
 #
 # patches_base=2013.1.2
 #
+Patch0001: 0001-Force-simple-Bind-for-authentication.patch
 
 BuildArch:      noarch
 BuildRequires:  python2-devel
@@ -83,6 +84,7 @@ This package contains documentation for Keystone.
 %prep
 %setup -q -n keystone-%{version}
 
+%patch0001 -p1
 find . \( -name .gitignore -o -name .placeholder \) -delete
 find keystone -name \*.py -exec sed -i '/\/usr\/bin\/env python/d' {} \;
 # Remove bundled egg-info
@@ -201,6 +203,9 @@ fi
 %endif
 
 %changelog
+* Sat Jun 22 2013 apevec at redhat.com 2013.1.2-2
+- Force simple Bind for authentication CVE-2013-2157
+
 * Fri Jun 07 2013 Alan Pevec <apevec at redhat.com> 2013.1.2-1
 - updated to stable grizzly 2013.1.2 release
 

