[openstack-neutron] CVE-2014-7821: Fix hostname regex pattern, rhbz#1165886, rhbz#1165887
Ihar Hrachyshka
ihrachyshka at fedoraproject.org
Tue Nov 25 17:23:43 UTC 2014
commit d863b909af15ffc484c653b58e3e9db4fd52c2c6
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Tue Nov 25 18:21:39 2014 +0100
CVE-2014-7821: Fix hostname regex pattern, rhbz#1165886, rhbz#1165887
Resolves: rhbz#1165886
Resolves: rhbz#1165887
0003-Fix-hostname-regex-pattern.patch | 44 +++++++++++++++++++++++++++++++++
openstack-neutron.spec | 7 ++++-
2 files changed, 50 insertions(+), 1 deletions(-)
---
diff --git a/0003-Fix-hostname-regex-pattern.patch b/0003-Fix-hostname-regex-pattern.patch
new file mode 100644
index 0000000..62ce381
--- /dev/null
+++ b/0003-Fix-hostname-regex-pattern.patch
@@ -0,0 +1,44 @@
+From 5092722e925a395eb2f5bfaa63e4b049668cb992 Mon Sep 17 00:00:00 2001
+From: John Perkins <john.perkins at rackspace.com>
+Date: Mon, 6 Oct 2014 16:24:57 -0500
+Subject: [PATCH] Fix hostname regex pattern
+
+Current hostname_pattern regex complexity grows exponentially
+when given a string of just digits, which can be exploited to
+cause neutron-server to freeze.
+
+Change-Id: I886c6d883a9cb0acd9908495eec50bf0411d8ba8
+Closes-bug: #1378450
+(cherry picked from commit ad6fefcb4d4068b46b69284e277df6ab2ee30105)
+---
+ neutron/api/v2/attributes.py | 4 ++--
+ neutron/tests/unit/test_attributes.py | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/neutron/api/v2/attributes.py b/neutron/api/v2/attributes.py
+index 83471f9..21486db 100644
+--- a/neutron/api/v2/attributes.py
++++ b/neutron/api/v2/attributes.py
+@@ -540,8 +540,8 @@ def convert_to_list(data):
+ return [data]
+
+
+-HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]"
+- "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)")
++HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}"
++ "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)")
+
+ HEX_ELEM = '[0-9A-Fa-f]'
+ UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}',
+diff --git a/neutron/tests/unit/test_attributes.py b/neutron/tests/unit/test_attributes.py
+index 2fb268d..f8cb462 100644
+--- a/neutron/tests/unit/test_attributes.py
++++ b/neutron/tests/unit/test_attributes.py
+@@ -281,6 +281,7 @@ class TestAttributes(base.BaseTestCase):
+ ['www.hostname.com', 'www.hostname.com'],
+ ['77.hostname.com'],
+ ['1000.0.0.1'],
++ ['111111111111111111111111111111111111111111111111111111111111'], # noqa
+ None]
+
+ for ns in ns_pools:
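Review bot: The rewritten `HOSTNAME_PATTERN` in neutron/api/v2/attributes.py still has the optional `\.?` inside the repeated `(?:...)+` group, so one label can still be split across several iterations. The all-digit case appears to be cut short only because the lookahead now reads `(?!\d+.|-)` with an unescaped `.`. That dot also narrows what is accepted: any chunk starting with a digit followed by another character is now rejected, not just all-numeric labels, and the commit message does not mention this. If the dot is intentional, a comment above the constant such as `# '.' in the lookahead is deliberately unescaped; do not restore '\.' (bug #1378450)` would stop a later cleanup from reintroducing the hang. The added test in test_attributes.py (its list starts outside this hunk) covers only the digit string, so I would add a long non-numeric invalid name as a second regression case and consider a follow-up that makes the separator mandatory between labels (`label(\.label)*`), since long letter-only inputs that fail at the end probably still backtrack heavily with this structure.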
diff --git a/openstack-neutron.spec b/openstack-neutron.spec
index 9b523c3..de10c09 100644
--- a/openstack-neutron.spec
+++ b/openstack-neutron.spec
@@ -2,7 +2,7 @@
Name: openstack-neutron
Version: 2014.2
-Release: 10%{?dist}
+Release: 11%{?dist}
Provides: openstack-quantum = %{version}-%{release}
Obsoletes: openstack-quantum < 2013.2-0.4.b3
Summary: OpenStack Networking Service
@@ -42,6 +42,7 @@ Source40: neutron-dist.conf
#
Patch0001: 0001-remove-runtime-dependency-on-pbr.patch
Patch0002: 0002-Drop-and-recreate-FK-if-adding-new-PK-to-routerl3bin.patch
+Patch0003: 0003-Fix-hostname-regex-pattern.patch
BuildArch: noarch
@@ -520,6 +521,7 @@ IPSec.
%patch0001 -p1
%patch0002 -p1
+%patch0003 -p1
find neutron -name \*.py -exec sed -i '/\/usr\/bin\/env python/{d;q}' {} +
@@ -976,6 +978,9 @@ exit 0
%changelog
+* Tue Nov 25 2014 Ihar Hrachyshka <ihrachys at redhat.com> 2014.2-11
+- CVE-2014-7821: Fix hostname regex pattern, rhbz#1165886, rhbz#1165887
+
* Tue Nov 25 2014 Alan Pevec <apevec at redhat.com> 2014.2-10
- Drop and recreate FK to support MariaDB 10, rhbz#1157599
- Drop "Create DHCP port for IPv6 subnet" due to regression: