diff options
author | Matt Thode <prometheanfire@gentoo.org> | 2013-02-08 15:34:06 +0000 |
---|---|---|
committer | Matt Thode <prometheanfire@gentoo.org> | 2013-02-08 15:34:06 +0000 |
commit | 2c2b69162354200086ab09531e5b76ae9f8dc910 (patch) | |
tree | a3113d15fc0981b92ff9bc38837bf23b552fb505 /sys-auth | |
parent | Add ~sh, wrt bug #449220 (diff) | |
download | historical-2c2b69162354200086ab09531e5b76ae9f8dc910.tar.gz historical-2c2b69162354200086ab09531e5b76ae9f8dc910.tar.bz2 historical-2c2b69162354200086ab09531e5b76ae9f8dc910.zip |
upgrading keystone to 2012.2.3 for bug 456134, CVE-2013-0270
Package-Manager: portage-2.1.11.31/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 9 | ||||
-rw-r--r-- | sys-auth/keystone/Manifest | 33 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-CVE-2013-0270.patch | 230 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2012.2.3.ebuild (renamed from sys-auth/keystone/keystone-2012.2.ebuild) | 6 |
4 files changed, 259 insertions, 19 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog index da3697d3c3b5..8a17611a8abe 100644 --- a/sys-auth/keystone/ChangeLog +++ b/sys-auth/keystone/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-auth/keystone # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.8 2013/01/18 07:34:04 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.9 2013/02/08 15:33:59 prometheanfire Exp $ + +*keystone-2012.2.3 (08 Feb 2013) + + 08 Feb 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/keystone-CVE-2013-0270.patch, +keystone-2012.2.3.ebuild, + -keystone-2012.2.ebuild: + upgrading keystone to 2012.2.3 for bug 456134, CVE-2013-0270 18 Jan 2013; Matthew Thode <prometheanfire@gentoo.org> keystone-2012.2.ebuild, keystone-9999.ebuild: diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest index ba96d50e5fbc..1d4cf1febef2 100644 --- a/sys-auth/keystone/Manifest +++ b/sys-auth/keystone/Manifest @@ -1,28 +1,29 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX keystone-CVE-2013-0270.patch 9329 SHA256 f6ca6b82a50569f897f8eb68a7d6e2663beade3e45cce04ae3cdd8013491bd13 SHA512 93525ac26022fd21ef94bee8ed7326bc3822f61f349cf9b1b27ef9b446b8feb1ff3e57360c7262c03577dca4a38be7bcb221d7192307700541ae667060114eb4 WHIRLPOOL 89669011b426196fd81157c2f7f1447b4b1028b65e742bf94560a0825ec71b925e88b93fbc224b1eba08cfceafbaf96b380d93092eedf0c3f52d51c86c3d3947 AUX keystone.confd 67 SHA256 8faa32d3354df30b1d1c98cf481be162c27583b84e387f8da57611b689bc2448 SHA512 75b040eda6ef8701e8dac8f34b3dd3c96aedde3b005fac01f20592b3d8afb8bbce57fadc466cda69d7192f96460a5c704d941a16b96d02f3e80f1a3e264c2efe WHIRLPOOL 8e8cb4e8991ca8d8cf1e874bd2286900ca63379c73793bca906ecfc1318ee63a8af6d1f6090e9ef296bfbe5abf018368a5ad6430de1efdea0db626d8c697f3c4 AUX keystone.initd 1177 SHA256 fcf7e532f2f3fad8413455f67d8e9c4c0522ff99e69bd95d4fff49d2dfa243ac SHA512 a0281f5fdd96963d9479a3463e6b5f1947a2c3c8694e464d4d293ef237392bed796ec7b8431e1add7b73334ed5e11158347f35ab562edda5f7aa7bdb9b05e51e WHIRLPOOL d819103e6f2bdd7ca4d5ab2f645f8ca168cc46567ff7c2d00cb2d536c08319aaa472b06b8f98cf2b6de940089f444e7aa752e4c9deeb849a834108394dfe1862 AUX keystone_test-requires.patch 1082 SHA256 6c91814d1a6aea942f23767b13a9ad77fb08ae16255887d974abd9db852c563a SHA512 d6fc133b44555e50895b9d82f9240aff284e1668ef35823a3e82900ccf9e6a7e11a448f4998c1d8f0938f5d45ce1506bd27417f576ee99aa7738ae74424ec343 WHIRLPOOL 0689d244f94a5489c7ca4551c5fb7c436f6012a932b4fb0142a759c734d5ce24a1aa813c9c1a5356dc38f4b4b342c85703413656139085155f9c5ab89dd012c5 -DIST keystone-2012.2.tar.gz 547438 SHA256 1aed5911c00ebffea28cffbc4793921fb2a9c000e9bb967326b7db751c7281cc SHA512 bb6bb4499737474b49012fffffc4a7950a8427adb0b564f40d55bb7a43846e788266810d09ff54707709fba1db07a8b4b8d531e0547399490fe688e7b5d1fd32 WHIRLPOOL 825c9ac7357148cc0f9c732e946c6c07ccdf21ded3cf0f07d25c66615b991c6dcf72d48540c703c33addbf0e3c74c76a72709dd2ab4fe8b90c31addd92373912 -EBUILD keystone-2012.2.ebuild 2465 SHA256 7c62c447cf8a8509e9088ca85b74146531953961f7004606630d4a3f50b9b6a5 SHA512 134c2f1bfd202323fef6a7f6c5c9ee3ca6f106892c72e80c8d28461895b8441f90912b84f76221ee6aab2d9e0a460a0c44b54eb6ab3db630c344dcafd61ae713 WHIRLPOOL c8503b264360ac91bb28be1c6f046718387758470e52ccac6b9412200a255cc3d82884d9b6aa54da93d9e7fbc8a70f7031e2f43b7216664d6023b3487b49c858 +DIST keystone-2012.2.3.tar.gz 550860 SHA256 640349c9319e5eacc60ebdb0fd69239d03fbaf52b4749879d12b66d74678afc8 SHA512 77f5b6cedc9c5b5f6224696e152b2ac5bea9409256857a728dec916cdb70672a4d6a25c5b0e34039977f8efd9c34b02ce1fabd6311ef02c2b78264f36ced4fd0 WHIRLPOOL 5d45e3d56dc3196eb1d8432fa263acef7674a42de27ea826b89c0a39a4f9700ce75a02889930c1d160c24a175b17975dbb64b0d94823e4016f18ea1f0744dd0c +EBUILD keystone-2012.2.3.ebuild 2524 SHA256 e64e47c5c57ca70b772ba30811ee47869b7aedd233994bcc08ed8067de4fd3d6 SHA512 9994d2799972059c20fd9767d11c1bc16128e440a4e46bbdc234440dd21d199ce217bb3eeea4784c8a97337955cdc82b18e5092b048abec4a4ed471105a5b0c5 WHIRLPOOL 6de4a592c38eca0226ffe8f18182c066aaf202b7f7d182605952c119f7c8099125e3c91bfcc547880cecfef403f6a7add531105a1f0f68b202c1f9f8d1ed011c EBUILD keystone-9999.ebuild 2445 SHA256 d216c4989d2491199a6e0e9c4f8ae3c6cf3bb2f63a34f0f746473ec70c988930 SHA512 1d520d8821c14ac371bf834b0c5118206ef0c75994972daec3a4f978291322b60b75672366fed60d3f31d273d6a0f27ba6d55bb5348ebf5fcf057abe8e25ce1a WHIRLPOOL 1634dd93df7014c4ad29428b636bf5af3aea04a74394af6b9a65eda45522aad4d606212923836c4f86e53f095277d8d7134c4ed02b88627c34447d43c92b073f -MISC ChangeLog 1461 SHA256 749f45eff83065664ee288d75695c2fc53056435673ce6eefaef44b1fda60c8c SHA512 5ffe310edbe51ab60fa26f86532b8a29c5ddea51fa19e86e9bae41eb05cbce13c6f612efd02285cd71f0c229551de62a7ba3fec5d8cf854a1ea1195351091676 WHIRLPOOL 5e76c0f2bfa230e18b161f3ef16f310b97c69223b84cb8fd468251eeb6bc96b20d725a9ad7e9bebd3facc5bf2528416ed738aadc6550e8a0c07977e2d196ba13 +MISC ChangeLog 1709 SHA256 e438f2634452e47ef68955a4f0998ecda6d82a94c4411a6cfb4a56a81fea2d05 SHA512 d0a2268469726d8dab1503638206c8504e99f0ab767389c6effbd7888f20b2c90b40979bd14c5fc524aa0ef38a6f1ef854dc6639915559cab9c72a7876c477f3 WHIRLPOOL ce4a8f3067b1a62e4835bff8f9899b78c8c5fa423c536caead478c350489e2f5c76c0535416c1407ffb71520d3d612b7db75e772d6bc815d10ac1dbec3c3746e MISC metadata.xml 399 SHA256 7f8946a43a8187a3901e53e0e3b4293e49bb2a1d1785c472b1d0ffd83e0ba2a8 SHA512 9448005b3be5621b302b4c71d190c621f245163a2c7aa8277a3af8132558543c774e9bb20b39bcb0ad896db5d2feac7649b107d7850f68e437f18214891ab16f WHIRLPOOL b46a5eadc17d5e38d23efed9620772e6d5e2cbd7733e1c0a8d15a506cacc8a31e9b26a354a1b749a7c64bff08722658b2feb651679a6a6054cd3b551839ddb38 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iQIcBAEBCAAGBQJQ+PrzAAoJECRx6z5ArFrDDSQQAKnXUZlYr7/8ixmdqLurvlWk -Y44fP9La5F4qzj7D34tWRIuhazHy7fm5n8ct/BIeT81Ct8x4MrLLOAdIuKWmDYop -Gsw9lOEf0lnHWbm5z63Qdm5jxhwD0Dy2yt1+LEPBdEy8UQ3HAJXaUgEE1Un6HlFF -Ux8D2UM6WJllV71Aj4fwEjmqg9v1mPCVKRVLjOaqk6cvWYCBS8fgJGcGkhlNdGHs -FJ8lVO37MrscE4PND3Q/r0qJHVuveRYBtMyjrIcOD2xiFkVd1rH3atZWTsJqSAG+ -u8bR2ZzWJhcsE1YhH+bISKTKfCwhn1vGokbpRAzmLBLpjrWqjv9Gqrw0iyMGlvnH -vRXgVCbQ5cHgmNuLbS9/KPERwjlMOTH0FuA7HKLxV7NK/R9MpLNV8bHbCH9oNckZ -IxBotWuGX6Wroc3XcizS2fXDECNnfbMs45D8+AlI1m9V8clO6zPHvtOuLoaH0lZW -yWZ0hfT+PQLjmZX9yjQ01JmPJkRMIQ18FtA7ET+OdDfP8eoTgo0AKsVLa8tBH30i -DFwR86TaqsSYAjs2UPITHV3E32jUCxvojeZmZ0lOlrbtLi8YNYeHCyfmdLQHAtKk -sI8qMSQODWxgBY7AurZQecvRYUGLfWsz4SPiMpcdEekbyGwExSfNxCtWiopCr4Zl -9WfakJPUmmCGVNpK8w9w -=yLuH +iQIcBAEBCAAGBQJRFRbmAAoJECRx6z5ArFrDqbQP/Reudve69KWxfoRp5Usdp4ui +WWeuIcDDF0QayHffBQDlmiyg370pqVgaW8vf4UixMb72wuPWFGGdXsbUaaCU/s3u +LfBIuWF5Gd+Kg0IlBVuynozKf5y6vZ6GYIN1CutnOfi2kytN82L38bk6D1lqPn/0 +s0tc2XogeZwyMGA/+MEIoxLPrz3QuEc7fJTPEc7TyqlbS+Q5hqwgHKc7ParI1TbC +fsZobt5gtq3YxgalF7oqKqf53XLRsHq+5atKOE6GQY9RSDR/7U5jN1SVH1qrVVId +Thd8iLg3cjW9/VzNXJVHoPRgzS5VUchxcnrp4c0kPTGDNI+un2Bk2FXnI713ozfq +ELGyfb0LnOdcWnZcMBEbi7GgCwrN40frYKHzyktxCKyG7RFC+8cr+4Q0QwwcPYOZ +NW75NybPNVn+2A1tntQSlrTCmh8K0VFydN2VAoXdXBl9U00U1JHSmr0pdSUv2PB/ +/fksQ0sScITCYbtt2QvBjVq89wv+2Gr3Fg2l65y+C3MHYdQdzkxhNJUlHPPLbSg6 +PZBjl1AlS8IEBIsbKpz0KgUMfNtfPqAUjl5FZsTHZRP6qYWxcF6J2fqDab6HGxnt +Zp9PubsJ+IDAgF1dfD6rbvCHFDiQP1DvC014LnoYQQEK8K/KVxH8I/mfPJLTI5gF +pnqOtDIXe0/b7sOSk9Ko +=U3Vs -----END PGP SIGNATURE----- diff --git a/sys-auth/keystone/files/keystone-CVE-2013-0270.patch b/sys-auth/keystone/files/keystone-CVE-2013-0270.patch new file mode 100644 index 000000000000..41b77c571d64 --- /dev/null +++ b/sys-auth/keystone/files/keystone-CVE-2013-0270.patch @@ -0,0 +1,230 @@ +From bb2226f944aaa38beb7fc08ce0a78796e51e2680 Mon Sep 17 00:00:00 2001 +From: Dan Prince <dprince@redhat.com> +Date: Thu, 10 Jan 2013 15:31:28 -0500 +Subject: [PATCH] Add size validations for /tokens. + +Updates /tokens controller so that it explicitly checks the max +size of userId, username, tenantId, tenantname, token, and password +before continuing with a request. + +Previously, when used with the SQL keystone backend an unauthenticated +user could send in *really* large requests which would ultimately +log large SQL exceptions and could thus fill up keystone logs on the +disk. + +Change-Id: I0904d307bf79a3bf851ac052c11101f8380a12a7 +--- + keystone/config.py | 3 ++ + keystone/exception.py | 13 +++++++++ + keystone/service.py | 27 ++++++++++++++++++ + tests/test_service.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 118 insertions(+) + +diff --git a/keystone/config.py b/keystone/config.py +index 5fed916..c7d2f79 100644 +--- a/keystone/config.py ++++ b/keystone/config.py +@@ -117,6 +117,9 @@ register_str('admin_port', default=35357) + register_str('public_port', default=5000) + register_str('onready') + register_str('auth_admin_prefix', default='') ++register_int('max_param_size', default=64) ++# we allow tokens to be a bit larger to accomidate PKI ++register_int('max_token_size', default=8192) + + #ssl options + register_bool('enable', group='ssl', default=False) +diff --git a/keystone/exception.py b/keystone/exception.py +index c3b3ec8..bb4da37 100644 +--- a/keystone/exception.py ++++ b/keystone/exception.py +@@ -51,6 +51,19 @@ class ValidationError(Error): + title = 'Bad Request' + + ++class ValidationSizeError(Error): ++ """Request attribute %(attribute)s must be less than or equal to %(size)i. ++ ++ The server could not comply with the request because the attribute ++ size is invalid (too large). ++ ++ The client is assumed to be in error. ++ ++ """ ++ code = 400 ++ title = 'Bad Request' ++ ++ + class Unauthorized(Error): + """The request you have made requires authentication.""" + code = 401 +diff --git a/keystone/service.py b/keystone/service.py +index d54c073..c088986 100644 +--- a/keystone/service.py ++++ b/keystone/service.py +@@ -22,6 +22,7 @@ from keystone import config + from keystone import catalog + from keystone.common import cms + from keystone.common import logging ++from keystone.common import utils + from keystone.common import wsgi + from keystone import exception + from keystone import identity +@@ -31,6 +32,8 @@ from keystone import token + + + LOG = logging.getLogger(__name__) ++MAX_PARAM_SIZE = config.CONF.max_param_size ++MAX_TOKEN_SIZE = config.CONF.max_token_size + + + class AdminRouter(wsgi.ComposingRouter): +@@ -288,9 +291,23 @@ class TokenController(wsgi.Application): + + if 'passwordCredentials' in auth: + user_id = auth['passwordCredentials'].get('userId', None) ++ if user_id and len(user_id) > MAX_PARAM_SIZE: ++ raise exception.ValidationSizeError(attribute='userId', ++ size=MAX_PARAM_SIZE) + username = auth['passwordCredentials'].get('username', '') ++ if len(username) > MAX_PARAM_SIZE: ++ raise exception.ValidationSizeError(attribute='username', ++ size=MAX_PARAM_SIZE) + password = auth['passwordCredentials'].get('password', '') ++ max_pw_size = utils.MAX_PASSWORD_LENGTH ++ if len(password) > max_pw_size: ++ raise exception.ValidationSizeError(attribute='password', ++ size=max_pw_size) ++ + tenant_name = auth.get('tenantName', None) ++ if tenant_name and len(tenant_name) > MAX_PARAM_SIZE: ++ raise exception.ValidationSizeError(attribute='tenantName', ++ size=MAX_PARAM_SIZE) + + if username: + try: +@@ -302,6 +319,9 @@ class TokenController(wsgi.Application): + + # more compat + tenant_id = auth.get('tenantId', None) ++ if tenant_id and len(tenant_id) > MAX_PARAM_SIZE: ++ raise exception.ValidationSizeError(attribute='tenantId', ++ size=MAX_PARAM_SIZE) + if tenant_name: + try: + tenant_ref = self.identity_api.get_tenant_by_name( +@@ -342,7 +362,14 @@ class TokenController(wsgi.Application): + catalog_ref = {} + elif 'token' in auth: + old_token = auth['token'].get('id', None) ++ ++ if len(old_token) > MAX_TOKEN_SIZE: ++ raise exception.ValidationSizeError(attribute='token', ++ size=MAX_TOKEN_SIZE) + tenant_name = auth.get('tenantName') ++ if tenant_name and len(tenant_name) > MAX_PARAM_SIZE: ++ raise exception.ValidationSizeError(attribute='tenantName', ++ size=MAX_PARAM_SIZE) + + try: + old_token_ref = self.token_api.get_token(context=context, +diff --git a/tests/test_service.py b/tests/test_service.py +index 6fb98c6..f48bd9a 100644 +--- a/tests/test_service.py ++++ b/tests/test_service.py +@@ -17,6 +17,7 @@ import time + import default_fixtures + + from keystone import config ++from keystone import exception + from keystone import service + from keystone import test + from keystone.identity.backends import kvs as kvs_identity +@@ -25,6 +26,31 @@ from keystone.identity.backends import kvs as kvs_identity + CONF = config.CONF + + ++def _build_user_auth(token=None, user_id=None, username=None, ++ password=None, tenant_id=None, tenant_name=None): ++ """Build auth dictionary. ++ ++ It will create an auth dictionary based on all the arguments ++ that it receives. ++ """ ++ auth_json = {} ++ if token is not None: ++ auth_json['token'] = token ++ if username or password: ++ auth_json['passwordCredentials'] = {} ++ if username is not None: ++ auth_json['passwordCredentials']['username'] = username ++ if user_id is not None: ++ auth_json['passwordCredentials']['userId'] = user_id ++ if password is not None: ++ auth_json['passwordCredentials']['password'] = password ++ if tenant_name is not None: ++ auth_json['tenantName'] = tenant_name ++ if tenant_id is not None: ++ auth_json['tenantId'] = tenant_id ++ return auth_json ++ ++ + class TokenExpirationTest(test.TestCase): + def setUp(self): + super(TokenExpirationTest, self).setUp() +@@ -75,3 +101,52 @@ class TokenExpirationTest(test.TestCase): + def test_maintain_uuid_token_expiration(self): + self.opt_in_group('signing', token_format='UUID') + self._maintain_token_expiration() ++ ++ ++class AuthTest(test.TestCase): ++ def setUp(self): ++ super(AuthTest, self).setUp() ++ ++ CONF.identity.driver = 'keystone.identity.backends.kvs.Identity' ++ self.load_backends() ++ self.load_fixtures(default_fixtures) ++ self.api = service.TokenController() ++ ++ def test_authenticate_user_id_too_large(self): ++ """Verify sending large 'userId' raises the right exception.""" ++ body_dict = _build_user_auth(user_id='0' * 65, username='FOO', ++ password='foo2') ++ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, ++ {}, body_dict) ++ ++ def test_authenticate_username_too_large(self): ++ """Verify sending large 'username' raises the right exception.""" ++ body_dict = _build_user_auth(username='0' * 65, password='foo2') ++ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, ++ {}, body_dict) ++ ++ def test_authenticate_tenant_id_too_large(self): ++ """Verify sending large 'tenantId' raises the right exception.""" ++ body_dict = _build_user_auth(username='FOO', password='foo2', ++ tenant_id='0' * 65) ++ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, ++ {}, body_dict) ++ ++ def test_authenticate_tenant_name_too_large(self): ++ """Verify sending large 'tenantName' raises the right exception.""" ++ body_dict = _build_user_auth(username='FOO', password='foo2', ++ tenant_name='0' * 65) ++ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, ++ {}, body_dict) ++ ++ def test_authenticate_token_too_large(self): ++ """Verify sending large 'token' raises the right exception.""" ++ body_dict = _build_user_auth(token={'id': '0' * 8193}) ++ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, ++ {}, body_dict) ++ ++ def test_authenticate_password_too_large(self): ++ """Verify sending large 'password' raises the right exception.""" ++ body_dict = _build_user_auth(username='FOO', password='0' * 8193) ++ self.assertRaises(exception.ValidationSizeError, self.api.authenticate, ++ {}, body_dict) +-- +1.7.9.5 + diff --git a/sys-auth/keystone/keystone-2012.2.ebuild b/sys-auth/keystone/keystone-2012.2.3.ebuild index 5f84e89c946a..29f9fd3e7b06 100644 --- a/sys-auth/keystone/keystone-2012.2.ebuild +++ b/sys-auth/keystone/keystone-2012.2.3.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.ebuild,v 1.5 2013/01/18 07:34:03 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.3.ebuild,v 1.1 2013/02/08 15:33:59 prometheanfire Exp $ EAPI=5 #test restricted becaues of bad requirements given (old webob for instance) @@ -10,7 +10,7 @@ PYTHON_COMPAT=( python2_6 python2_7 ) inherit distutils-r1 DESCRIPTION="Keystone is the Openstack authentication, authorization, and -service catalog written in Python" +service catalog written in Python." HOMEPAGE="https://launchpad.net/keystone" SRC_URI="http://launchpad.net/${PN}/folsom/${PV}/+download/${P}.tar.gz" @@ -69,6 +69,8 @@ RDEPEND="${DEPEND} # "${PYTHON}" setup.py nosetests || die #} +PATCHES=( "${FILESDIR}/keystone-CVE-2013-0270.patch" ) + python_install() { distutils-r1_python_install newconfd "${FILESDIR}/keystone.confd" keystone |