authorMatthew Thode <prometheanfire@gentoo.org>2014-04-11 15:28:59 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-04-11 15:28:59 +0000
commitb6237db955ae52619e30bb964f6e17dd41230a6c (patch)
treed08aea507e189e289af4f8b7ede0909f435f66ab
parentFix typing error (DEPEND -> RDEPEND) (diff)
fix for CVE-2014-2828
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
-rw-r--r--sys-auth/keystone/ChangeLog9
-rw-r--r--sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch64
-rw-r--r--sys-auth/keystone/keystone-2013.2.3-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.2.3.ebuild)3
3 files changed, 74 insertions, 2 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 20c6e3844dbc..ba727aa78dfc 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.64 2014/04/06 06:01:38 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.65 2014/04/11 15:28:59 prometheanfire Exp $
+
+*keystone-2013.2.3-r1 (11 Apr 2014)
+
+ 11 Apr 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2014-2828-2013.2.3.patch, +keystone-2013.2.3-r1.ebuild,
+ -keystone-2013.2.3.ebuild:
+ fix for CVE-2014-2828
*keystone-2013.2.3 (06 Apr 2014)
diff --git a/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch b/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
new file mode 100644
index 000000000000..950696125f23
--- /dev/null
+++ b/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
@@ -0,0 +1,64 @@
+From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
+From: Florent Flament <florent.flament-ext@cloudwatt.com>
+Date: Tue, 1 Apr 2014 12:48:22 +0000
+Subject: [PATCH] Sanitizes authentication methods received in requests.
+
+When a user authenticates against Identity V3 API, he can specify
+multiple authentication methods. This patch removes duplicates, which
+could have been used to achieve DoS attacks.
+
+Closes-Bug: 1300274
+(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
+Cherry-pick from https://review.openstack.org/#/c/84425/
+
+Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
+---
+ keystone/auth/controllers.py | 8 +++++++-
+ keystone/tests/test_v3_auth.py | 12 ++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
+index c3399df..4944316 100644
+--- a/keystone/auth/controllers.py
++++ b/keystone/auth/controllers.py
+@@ -225,7 +225,13 @@ def get_method_names(self):
+ :returns: list of auth method names
+
+ """
+- return self.auth['identity']['methods'] or []
++ # Sanitizes methods received in request's body
++ # Filters out duplicates, while keeping elements' order.
++ method_names = []
++ for method in self.auth['identity']['methods']:
++ if method not in method_names:
++ method_names.append(method)
++ return method_names
+
+ def get_method_data(self, method):
+ """Get the auth method payload.
+diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
+index d07e6ae..e89e29f 100644
+--- a/keystone/tests/test_v3_auth.py
++++ b/keystone/tests/test_v3_auth.py
+@@ -81,6 +81,18 @@ def test_both_project_and_domain_in_scope(self):
+ None,
+ auth_data)
+
++ def test_get_method_names_duplicates(self):
++ auth_data = self.build_authentication_request(
++ token='test',
++ user_id='test',
++ password='test')['auth']
++ auth_data['identity']['methods'] = ['password', 'token',
++ 'password', 'password']
++ context = None
++ auth_info = auth.controllers.AuthInfo(context, auth_data)
++ self.assertEqual(auth_info.get_method_names(),
++ ['password', 'token'])
++
+ def test_get_method_data_invalid_method(self):
+ auth_data = self.build_authentication_request(
+ user_id='test',
+--
+1.9.1
+
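Review bot: The rewritten body in the `keystone/auth/controllers.py` hunk drops the `or []` fallback that the removed `return self.auth['identity']['methods'] or []` line provided, so a request whose `identity.methods` is `null` now raises TypeError from `for method in self.auth['identity']['methods']:` instead of yielding an empty list; if the caller only checks that the `methods` key is present (the caller is outside this hunk), that surfaces as an unhandled server error rather than a validation error. Keeping the old guard while still deduplicating is a one-line change, `for method in self.auth['identity']['methods'] or []:`. The enclosing `get_method_names` starts before the hunk, so any accompanying docstring update would land outside it. Since this file is a cherry-pick of an upstream commit carried in FILESDIR, a local deviation like this should be recorded in the patch header so the next version bump does not silently lose it.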
diff --git a/sys-auth/keystone/keystone-2013.2.3.ebuild b/sys-auth/keystone/keystone-2013.2.3-r1.ebuild
index f2f23f5f790f..209c91e14445 100644
--- a/sys-auth/keystone/keystone-2013.2.3.ebuild
+++ b/sys-auth/keystone/keystone-2013.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.3.ebuild,v 1.1 2014/04/06 06:01:38 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:28:59 prometheanfire Exp $
EAPI=5
@@ -73,6 +73,7 @@ DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
<dev-python/pbr-1.0[${PYTHON_USEDEP}]"
PATCHES=(
+ "${FILESDIR}/CVE-2014-2828-2013.2.3.patch"
)
pkg_setup() {