authorMatthew Thode <prometheanfire@gentoo.org>2013-02-20 06:09:21 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2013-02-20 06:09:21 +0000
commit43ecb20b172a0c5e5c1a4311e8e681a83d520640 (patch)
tree5bff45f3f72402d82a22cbea88b153712ba6c385 /sys-auth
parentupdating cinder and addressing CVE-2013-1664 from bug 458332 (diff)
updating keystone for CVE-2013-1664 CVE-2013-1665 CVE-2013-0282 and bug 458334
(Portage version: 2.1.11.50/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/keystone/ChangeLog11
-rw-r--r--sys-auth/keystone/files/keystone-CVE-2013-0282.patch91
-rw-r--r--sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch52
-rw-r--r--sys-auth/keystone/keystone-2012.2.3-r1.ebuild (renamed from sys-auth/keystone/keystone-2012.2.3.ebuild)6
4 files changed, 157 insertions, 3 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 8a17611a8abe..2500b5477b0f 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.9 2013/02/08 15:33:59 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.10 2013/02/20 06:09:21 prometheanfire Exp $
+
+*keystone-2012.2.3-r1 (20 Feb 2013)
+
+ 20 Feb 2013; Matthew Thode <prometheanfire@gentoo.org>
+ -keystone-2012.2.3.ebuild, +keystone-2012.2.3-r1.ebuild,
+ +files/keystone-CVE-2013-0282.patch,
+ +files/keystone-CVE-2013-1664_1665.patch:
+ updating keystone for CVE-2013-1664 CVE-2013-1665 and CVE-2013-0282 from bug
+ 458334
*keystone-2012.2.3 (08 Feb 2013)
diff --git a/sys-auth/keystone/files/keystone-CVE-2013-0282.patch b/sys-auth/keystone/files/keystone-CVE-2013-0282.patch
new file mode 100644
index 000000000000..d411847c3fe0
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-CVE-2013-0282.patch
@@ -0,0 +1,91 @@
+From: Nathanael Burton <nathanael.i.burton.work@gmail.com>
+Date: Tue, 19 Feb 2013 15:27:04 +0000 (-0600)
+Subject: Ensure user and tenant enabled in EC2
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=f0b4d300db5cc61d4f079f8bce9da8e8bea1081a
+
+Ensure user and tenant enabled in EC2
+
+Fixes bug 1121494.
+
+Change-Id: Icc90d581691b5aa63754e076ce983dfa2885a1dc
+---
+
+diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
+index 064474c..ffc0eee 100644
+--- a/keystone/contrib/ec2/core.py
++++ b/keystone/contrib/ec2/core.py
+@@ -37,6 +37,7 @@ glance to list images needed to perform the requested task.
+ import uuid
+
+ from keystone import catalog
++from keystone.common import logging
+ from keystone.common import manager
+ from keystone.common import utils
+ from keystone.common import wsgi
+@@ -49,6 +50,7 @@ from keystone import token
+
+
+ CONF = config.CONF
++LOG = logging.getLogger(__name__)
+
+
+ class Manager(manager.Manager):
+@@ -117,9 +119,9 @@ class Ec2Controller(wsgi.Application):
+ credentials['host'] = hostname
+ signature = signer.generate(credentials)
+ if not utils.auth_str_equal(credentials.signature, signature):
+- raise exception.Unauthorized(message='Invalid EC2 signature.')
++ raise exception.Unauthorized()
+ else:
+- raise exception.Unauthorized(message='EC2 signature not supplied.')
++ raise exception.Unauthorized()
+
+ def authenticate(self, context, credentials=None, ec2Credentials=None):
+ """Validate a signed EC2 request and provide a token.
+@@ -149,7 +151,7 @@ class Ec2Controller(wsgi.Application):
+ credentials = ec2Credentials
+
+ if not 'access' in credentials:
+- raise exception.Unauthorized(message='EC2 signature not supplied.')
++ raise exception.Unauthorized()
+
+ creds_ref = self._get_credentials(context,
+ credentials['access'])
+@@ -161,9 +163,19 @@ class Ec2Controller(wsgi.Application):
+ tenant_ref = self.identity_api.get_tenant(
+ context=context,
+ tenant_id=creds_ref['tenant_id'])
++ # If the tenant is disabled don't allow them to authenticate
++ if tenant_ref and not tenant_ref.get('enabled', True):
++ msg = 'Tenant %s is disabled' % tenant_ref['id']
++ LOG.warning(msg)
++ raise exception.Unauthorized()
+ user_ref = self.identity_api.get_user(
+ context=context,
+ user_id=creds_ref['user_id'])
++ # If the user is disabled don't allow them to authenticate
++ if not user_ref.get('enabled', True):
++ msg = 'User %s is disabled' % user_ref['id']
++ LOG.warning(msg)
++ raise exception.Unauthorized()
+ metadata_ref = self.identity_api.get_metadata(
+ context=context,
+ user_id=user_ref['id'],
+@@ -174,7 +186,7 @@ class Ec2Controller(wsgi.Application):
+ # fill out the roles in the metadata
+ roles = metadata_ref.get('roles', [])
+ if not roles:
+- raise exception.Unauthorized(message='User not valid for tenant.')
++ raise exception.Unauthorized()
+ roles_ref = [self.identity_api.get_role(context, role_id)
+ for role_id in roles]
+
+@@ -279,7 +291,7 @@ class Ec2Controller(wsgi.Application):
+ creds = self.ec2_api.get_credential(context,
+ credential_id)
+ if not creds:
+- raise exception.Unauthorized(message='EC2 access key not found.')
++ raise exception.Unauthorized()
+ return creds
+
+ def _assert_identity(self, context, user_id):
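Review bot: The new `LOG.warning` calls cover only the disabled-tenant and disabled-user branches, while the five `Unauthorized` raises whose messages were blanked (bad signature, missing signature, missing `access`, unknown access key, no roles) now leave no server-side trace at all, so operators lose the signal needed to detect EC2 credential probing. Keep the generic client-facing `Unauthorized()` but log the reason first, e.g. in `_get_credentials` `LOG.warning('EC2 access key %s not found', credential_id)` before the raise, and similarly on the signature-mismatch path. Separately, the tenant check is guarded by `if tenant_ref and ...` while the user check is not, and both treat a missing `enabled` attribute as enabled via `.get('enabled', True)`; unless every identity backend guarantees that key, `.get('enabled', False)` is the fail-closed choice — worth confirming against the drivers. `authenticate` and `_get_credentials` both continue outside this hunk.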
diff --git a/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch b/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch
new file mode 100644
index 000000000000..e87ca0be3cff
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-CVE-2013-1664_1665.patch
@@ -0,0 +1,52 @@
+From: Dolph Mathews <dolph.mathews@gmail.com>
+Date: Tue, 19 Feb 2013 15:04:11 +0000 (-0600)
+Subject: Disable XML entity parsing
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=8a2274595ac628b2373eab0cb14690f866b7a024
+
+Disable XML entity parsing
+
+Fixes bug 1100282 and bug 1100279.
+
+Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123
+---
+
+diff --git a/keystone/common/serializer.py b/keystone/common/serializer.py
+index 734f7d1..72fe7f1 100644
+--- a/keystone/common/serializer.py
++++ b/keystone/common/serializer.py
+@@ -29,6 +29,16 @@ import re
+ DOCTYPE = '<?xml version="1.0" encoding="UTF-8"?>'
+ XMLNS = 'http://docs.openstack.org/identity/api/v2.0'
+
++PARSER = etree.XMLParser(
++ resolve_entities=False,
++ remove_comments=True,
++ remove_pis=True)
++
++# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
++# lxml.etree._Entity instance, which doesn't appear to be part of the
++# public API, so we discover the type dynamically to be safe
++ENTITY_TYPE = type(etree.Entity('x'))
++
+
+ def from_xml(xml):
+ """Deserialize XML to a dictionary."""
+@@ -51,7 +61,7 @@ def to_xml(d, xmlns=None):
+ class XmlDeserializer(object):
+ def __call__(self, xml_str):
+ """Returns a dictionary populated by decoding the given xml string."""
+- dom = etree.fromstring(xml_str.strip())
++ dom = etree.fromstring(xml_str.strip(), PARSER)
+ return self.walk_element(dom)
+
+ @staticmethod
+@@ -87,7 +97,8 @@ class XmlDeserializer(object):
+ # current spec does not have attributes on an element with text
+ values = values or text or {}
+
+- for child in [self.walk_element(x) for x in element]:
++ for child in [self.walk_element(x) for x in element
++ if not isinstance(x, ENTITY_TYPE)]:
+ values = dict(values.items() + child.items())
+
+ return {XmlDeserializer._tag_name(element.tag): values}
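Review bot: `resolve_entities=False` stops entity expansion in element content, but libxml2 is, to my knowledge, still willing to substitute internal entities while normalizing attribute values regardless of that flag, so a DOCTYPE declaring a recursive entity referenced from an attribute may still amplify; the patch should ship with a test that feeds such a document and a classic entity-expansion body through `XmlDeserializer` and asserts it is rejected or bounded (the default `huge_tree=False` helps here and deserves a mention in a comment beside `PARSER`). The `ENTITY_TYPE` filter in `walk_element` is the right companion to `resolve_entities=False`, but its purpose is not obvious; a comment above the comprehension such as `# unresolved entity refs survive as _Entity nodes; skip rather than walk them` would spare the next reader a trip to the lxml docs. `from_xml`'s body lies outside the hunk; if it parses independently of `XmlDeserializer`, it needs the same `PARSER` argument.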
diff --git a/sys-auth/keystone/keystone-2012.2.3.ebuild b/sys-auth/keystone/keystone-2012.2.3-r1.ebuild
index 29f9fd3e7b06..a4db31f46c88 100644
--- a/sys-auth/keystone/keystone-2012.2.3.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.3.ebuild,v 1.1 2013/02/08 15:33:59 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.3-r1.ebuild,v 1.1 2013/02/20 06:09:21 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -69,7 +69,9 @@ RDEPEND="${DEPEND}
# "${PYTHON}" setup.py nosetests || die
#}
-PATCHES=( "${FILESDIR}/keystone-CVE-2013-0270.patch" )
+PATCHES=( "${FILESDIR}/keystone-CVE-2013-0270.patch"
+ "${FILESDIR}/keystone-CVE-2013-0282.patch"
+ "${FILESDIR}/keystone-CVE-2013-1664_1665.patch" )
python_install() {
distutils-r1_python_install