author | Matthew Thode <prometheanfire@gentoo.org> | 2014-04-11 15:28:59 +0000 |
committer | Matthew Thode <prometheanfire@gentoo.org> | 2014-04-11 15:28:59 +0000 |
commit | b6237db955ae52619e30bb964f6e17dd41230a6c (patch) | |
tree | d08aea507e189e289af4f8b7ede0909f435f66ab /sys-auth | |
parent | Fix typing error (DEPEND -> RDEPEND) (diff) | |
fix for CVE-2014-2828
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 9 | ||||
-rw-r--r-- | sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch | 64 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.2.3-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.2.3.ebuild) | 3 |
3 files changed, 74 insertions, 2 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 20c6e3844dbc..ba727aa78dfc 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for sys-auth/keystone
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.64 2014/04/06 06:01:38 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.65 2014/04/11 15:28:59 prometheanfire Exp $
+
+*keystone-2013.2.3-r1 (11 Apr 2014)
+
+ 11 Apr 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2014-2828-2013.2.3.patch, +keystone-2013.2.3-r1.ebuild,
+ -keystone-2013.2.3.ebuild:
+ fix for CVE-2014-2828
 
 *keystone-2013.2.3 (06 Apr 2014)
diff --git a/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch b/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
new file mode 100644
index 000000000000..950696125f23
--- /dev/null
+++ b/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
@@ -0,0 +1,64 @@
+From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
+From: Florent Flament <florent.flament-ext@cloudwatt.com>
+Date: Tue, 1 Apr 2014 12:48:22 +0000
+Subject: [PATCH] Sanitizes authentication methods received in requests.
+
+When a user authenticates against Identity V3 API, he can specify
+multiple authentication methods. This patch removes duplicates, which
+could have been used to achieve DoS attacks.
+
+Closes-Bug: 1300274
+(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
+Cherry-pick from https://review.openstack.org/#/c/84425/
+
+Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
+---
+ keystone/auth/controllers.py | 8 +++++++-
+ keystone/tests/test_v3_auth.py | 12 ++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
+index c3399df..4944316 100644
+--- a/keystone/auth/controllers.py
++++ b/keystone/auth/controllers.py
+@@ -225,7 +225,13 @@ def get_method_names(self):
+ :returns: list of auth method names
+
+ """
+- return self.auth['identity']['methods'] or []
++ # Sanitizes methods received in request's body
++ # Filters out duplicates, while keeping elements' order.
++ method_names = []
++ for method in self.auth['identity']['methods']:
++ if method not in method_names:
++ method_names.append(method)
++ return method_names
+
+ def get_method_data(self, method):
+ """Get the auth method payload.
+diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
+index d07e6ae..e89e29f 100644
+--- a/keystone/tests/test_v3_auth.py
++++ b/keystone/tests/test_v3_auth.py
+@@ -81,6 +81,18 @@ def test_both_project_and_domain_in_scope(self):
+ None,
+ auth_data)
+
++ def test_get_method_names_duplicates(self):
++ auth_data = self.build_authentication_request(
++ token='test',
++ user_id='test',
++ password='test')['auth']
++ auth_data['identity']['methods'] = ['password', 'token',
++ 'password', 'password']
++ context = None
++ auth_info = auth.controllers.AuthInfo(context, auth_data)
++ self.assertEqual(auth_info.get_method_names(),
++ ['password', 'token'])
++
+ def test_get_method_data_invalid_method(self):
+ auth_data = self.build_authentication_request(
+ user_id='test',
+--
+1.9.1
+
diff --git a/sys-auth/keystone/keystone-2013.2.3.ebuild b/sys-auth/keystone/keystone-2013.2.3-r1.ebuild
index f2f23f5f790f..209c91e14445 100644
--- a/sys-auth/keystone/keystone-2013.2.3.ebuild
+++ b/sys-auth/keystone/keystone-2013.2.3-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.3.ebuild,v 1.1 2014/04/06 06:01:38 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:28:59 prometheanfire Exp $
 EAPI=5
@@ -73,6 +73,7 @@ DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
 <dev-python/pbr-1.0[${PYTHON_USEDEP}]"
 PATCHES=(
+ "${FILESDIR}/CVE-2014-2828-2013.2.3.patch"
 )
 pkg_setup() {
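Review bot: The backported get_method_names body in the patch's controllers.py hunk drops the `or []` fallback that the removed line `return self.auth['identity']['methods'] or []` provided, so if a request body can carry `"methods": null` (an earlier validation step may already reject that, but it is not visible here) the new loop `for method in self.auth['identity']['methods']:` raises TypeError where the old code returned an empty list. Keeping the old contract for that input is a one-token change, `for method in self.auth['identity']['methods'] or []:`, and is worth doing in a CVE backport so the fix does not widen the set of inputs that error out. The de-duplication itself is the DoS mitigation the patch is for, and the added test_get_method_names_duplicates pins only the duplicate case; a second assertion for `methods = []` (and for None, if it is accepted upstream) would document the edge case. The enclosing AuthInfo class and the start of get_method_names's docstring lie outside the hunk.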