[openstack-neutron/f21] CVE-2014-7821: Fix hostname regex pattern, rhbz#1165886, rhbz#1165887
Ihar Hrachyshka
ihrachyshka at fedoraproject.org
Tue Nov 25 17:27:36 UTC 2014
commit a757fff6cbc819a220939d4353b8d18616a47ae7
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Tue Nov 25 18:26:37 2014 +0100
CVE-2014-7821: Fix hostname regex pattern, rhbz#1165886, rhbz#1165887
Resolves: rhbz#1165886
Resolves: rhbz#1165887
0006-Fix-hostname-regex-pattern.patch | 44 +++++++++++++++++++++++++++++++++
openstack-neutron.spec | 7 ++++-
2 files changed, 50 insertions(+), 1 deletions(-)
---
diff --git a/0006-Fix-hostname-regex-pattern.patch b/0006-Fix-hostname-regex-pattern.patch
new file mode 100644
index 0000000..f602ba0
--- /dev/null
+++ b/0006-Fix-hostname-regex-pattern.patch
@@ -0,0 +1,44 @@
+From 56f9b19f558cde58b63c9b8387039347cb0865d8 Mon Sep 17 00:00:00 2001
+From: John Perkins <john.perkins at rackspace.com>
+Date: Mon, 6 Oct 2014 16:24:57 -0500
+Subject: [PATCH] Fix hostname regex pattern
+
+Current hostname_pattern regex complexity grows exponentially
+when given a string of just digits, which can be exploited to
+cause neutron-server to freeze.
+
+Change-Id: I886c6d883a9cb0acd9908495eec50bf0411d8ba8
+Closes-bug: #1378450
+(cherry picked from commit ab7ea069de5cecf1c26af50996a26e1a7f86def4)
+---
+ neutron/api/v2/attributes.py | 4 ++--
+ neutron/tests/unit/test_attributes.py | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/neutron/api/v2/attributes.py b/neutron/api/v2/attributes.py
+index 0487589..8eb2c3a 100644
+--- a/neutron/api/v2/attributes.py
++++ b/neutron/api/v2/attributes.py
+@@ -537,8 +537,8 @@ def convert_to_list(data):
+ return [data]
+
+
+-HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]"
+- "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)")
++HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}"
++ "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)")
+
+ HEX_ELEM = '[0-9A-Fa-f]'
+ UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}',
+diff --git a/neutron/tests/unit/test_attributes.py b/neutron/tests/unit/test_attributes.py
+index 0282cdc..61ff20d 100644
+--- a/neutron/tests/unit/test_attributes.py
++++ b/neutron/tests/unit/test_attributes.py
+@@ -283,6 +283,7 @@ class TestAttributes(base.BaseTestCase):
+ ['www.hostname.com', 'www.hostname.com'],
+ ['77.hostname.com'],
+ ['1000.0.0.1'],
++ ['111111111111111111111111111111111111111111111111111111111111'], # noqa
+ None]
+
+ for ns in ns_pools:
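Review bot: The rewritten `HOSTNAME_PATTERN` in neutron/api/v2/attributes.py still keeps the separator optional (`\.?`) inside the repeated label group, so a long run of label characters can apparently still be split into labels in many ways before the trailing `(?:[a-zA-Z]{2,})$` is tried. The one added test covers only an all-digit string, which the lookahead now appears to reject up front. Add long non-numeric names that must not match to the test list, and consider checking each label after splitting on `.` instead of relying on one nested quantifier. The lookahead also changed from `\d+\.` to `\d+.`, so the dot now matches any character and labels that merely begin with a digit appear to be refused; a comment above the constant should say whether that is intended, for example `# '.' is unescaped on purpose: labels may not start with a digit`. Both string pieces carry `\d` and `\-` in non-raw literals and would be clearer as `r"..."` strings.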
diff --git a/openstack-neutron.spec b/openstack-neutron.spec
index 0299170..63096a4 100644
--- a/openstack-neutron.spec
+++ b/openstack-neutron.spec
@@ -2,7 +2,7 @@
Name: openstack-neutron
Version: 2014.1.3
-Release: 4%{?dist}
+Release: 5%{?dist}
Provides: openstack-quantum = %{version}-%{release}
Obsoletes: openstack-quantum < 2013.2-0.4.b3
Summary: OpenStack Networking Service
@@ -70,6 +70,7 @@ Patch0002: 0002-Sync-service-and-systemd-modules-from-oslo-incubator.patch
Patch0003: 0003-Removed-signing_dir-from-neutron.conf.patch
Patch0004: 0004-Remove-kernel-version-check-for-OVS-VXLAN.patch
Patch0005: 0005-Notify-systemd-when-starting-Neutron-server.patch
+Patch0006: 0006-Fix-hostname-regex-pattern.patch
BuildArch: noarch
@@ -493,6 +494,7 @@ IPSec.
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
+%patch0006 -p1
find neutron -name \*.py -exec sed -i '/\/usr\/bin\/env python/{d;q}' {} +
@@ -1227,6 +1229,9 @@ fi
%changelog
+* Tue Nov 25 2014 Ihar Hrachyshka <ihrachys at redhat.com> 2014.1.3-5
+- CVE-2014-7821: Fix hostname regex pattern, rhbz#1165886, rhbz#1165887
+
* Thu Nov 13 2014 Ihar Hrachyshka <ihrachys at redhat.com> 2014.1.3-4
- Revert to 755 permissions for /var/lib/neutron since dnsmasq drops
'neutron' user and runs as 'nobody' by default, rhbz#1163759