Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/keystone/ChangeLog | 12 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch | 143 | ||||
-rw-r--r-- | sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch | 139 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2012.2.4-r7.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r6.ebuild) | 3 | ||||
-rw-r--r-- | sys-auth/keystone/keystone-2013.1.3-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.1.3.ebuild) | 3 |
5 files changed, 297 insertions, 3 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 7999ba7cdc76..ba893f0d6602 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,16 @@
 # ChangeLog for sys-auth/keystone
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.29 2013/08/19 03:26:04 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.30 2013/09/11 16:01:38 prometheanfire Exp $
+
+*keystone-2012.2.4-r7 (11 Sep 2013)
+*keystone-2013.1.3-r1 (11 Sep 2013)
+
+ 11 Sep 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/keystone-cve-2013-4294-folsom.patch,
+ +files/keystone-cve-2013-4294-grizzly.patch, +keystone-2012.2.4-r7.ebuild,
+ +keystone-2013.1.3-r1.ebuild, -keystone-2012.2.4-r6.ebuild,
+ -keystone-2013.1.3.ebuild:
+ updating keystone for cve-2013-4294
 
  19 Aug 2013; Matthew Thode <prometheanfire@gentoo.org>
  keystone-2013.1.9999.ebuild:
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
new file mode 100644
index 000000000000..2d9e9b5a1ea4
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
@@ -0,0 +1,143 @@
+From 8ef8be4af315d50edd661d8a5e846d260a5a3ce2 Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:10:28 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I07257b3704895a2af2654aa863f0b910122666da
+---
+ keystone/token/backends/kvs.py | 2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py | 48 +++++++++++++++++++++++++++++++++----
+ 3 files changed, 51 insertions(+), 11 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 123e12f..e5e0ee2 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -81,7 +81,7 @@ class Token(kvs.Base, token.Driver):
+ if not token.startswith('revoked-token-'):
+ continue
+ record = {}
+- record['id'] = token_ref['id']
++ record['id'] = token[len('revoked-token-'):]
+ record['expires'] = token_ref['expires']
+ tokens.append(record)
+ return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index e4fa69a..815c392 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -82,8 +82,9 @@ class Token(token.Driver):
+ raise exception.UnexpectedError(msg)
+ return copy.deepcopy(data_copy)
+
+- def _add_to_revocation_list(self, data):
+- data_json = jsonutils.dumps(data)
++ def _add_to_revocation_list(self, token_id, token_data):
++ data_json = jsonutils.dumps({'id': token_id,
++ 'expires': token_data['expires']})
+ if not self.client.append(self.revocation_key, ',%s' % data_json):
+ if not self.client.add(self.revocation_key, data_json):
+ if not self.client.append(self.revocation_key,
+@@ -93,10 +94,11 @@ class Token(token.Driver):
+
+ def delete_token(self, token_id):
+ # Test for existence
+- data = self.get_token(self.token_to_key(token_id))
+- ptk = self._prefix_token_id(self.token_to_key(token_id))
++ token_id = self.token_to_key(token_id)
++ data = self.get_token(token_id)
++ ptk = self._prefix_token_id(token_id)
+ result = self.client.delete(ptk)
+- self._add_to_revocation_list(data)
++ self._add_to_revocation_list(token_id, data)
+ return result
+
+ def list_tokens(self, user_id, tenant_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 0a56cdb..3798e37 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,9 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import copy
+ import datetime
+-import uuid
+ import default_fixtures
++import hashlib
++import uuid
+
+ from keystone.catalog import core
+ from keystone import exception
+@@ -628,19 +630,29 @@ class IdentityTests(object):
+
+
+ class TokenTests(object):
++ def _create_token_id(self):
++ # Token must start with MII here otherwise it fails the asn1 test
++ # and is not hashed in a SQL backend.
++ token_id = "MII"
++ for i in range(1, 20):
++ token_id += uuid.uuid4().hex
++ return token_id
++
+ def test_token_crud(self):
+ token_id = uuid.uuid4().hex
+ data = {'id': token_id, 'a': 'b',
+ 'user': {'id': 'testuserid'}}
+ data_ref = self.token_api.create_token(token_id, data)
+- expires = data_ref.pop('expires')
++ data_ref_copy = copy.deepcopy(data_ref)
++ expires = data_ref_copy.pop('expires')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertDictEqual(data_ref, data)
++ self.assertDictEqual(data_ref_copy, data)
+
+ new_data_ref = self.token_api.get_token(token_id)
+- expires = new_data_ref.pop('expires')
++ new_data_ref_copy = copy.deepcopy(new_data_ref)
++ expires = new_data_ref_copy.pop('expires')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertEquals(new_data_ref, data)
++ self.assertEquals(new_data_ref_copy, data)
+
+ self.token_api.delete_token(token_id)
+ self.assertRaises(exception.TokenNotFound,
+@@ -758,6 +770,32 @@ class TokenTests(object):
+ self.check_list_revoked_tokens([self.delete_token()
+ for x in xrange(2)])
+
++ def test_predictable_revoked_pki_token_id(self):
++ token_id = self._create_token_id()
++ token_id_hash = hashlib.md5(token_id).hexdigest()
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id_hash, revoked_ids)
++ self.assertNotIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
++ def test_predictable_revoked_uuid_token_id(self):
++ token_id = uuid.uuid4().hex
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
+
+ class CommonHelperTests(test.TestCase):
+ def test_format_helper_raises_malformed_on_missing_key(self):
+--
+1.8.2.1 (Apple Git-45)
+
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
new file mode 100644
index 000000000000..d789ea38443c
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
@@ -0,0 +1,139 @@
+From a20dcd159f9bf98e5605a3d13d4ba8de9aa1533e Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:53:26 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I6c60bf2aecc7c9353e837e59a4e09860d049e0f5
+---
+ keystone/token/backends/kvs.py | 2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py | 47 +++++++++++++++++++++++++++++++------
+ 3 files changed, 48 insertions(+), 13 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 49f15ad..1935b41 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -111,7 +111,7 @@ class Token(kvs.Base, token.Driver):
+ if not token.startswith('revoked-token-'):
+ continue
+ record = {}
+- record['id'] = token_ref['id']
++ record['id'] = token[len('revoked-token-'):]
+ record['expires'] = token_ref['expires']
+ tokens.append(record)
+ return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index a62f342..c2c9b51 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -84,8 +84,9 @@ class Token(token.Driver):
+ raise exception.UnexpectedError(msg)
+ return copy.deepcopy(data_copy)
+
+- def _add_to_revocation_list(self, data):
+- data_json = jsonutils.dumps(data)
++ def _add_to_revocation_list(self, token_id, token_data):
++ data_json = jsonutils.dumps({'id': token_id,
++ 'expires': token_data['expires']})
+ if not self.client.append(self.revocation_key, ',%s' % data_json):
+ if not self.client.add(self.revocation_key, data_json):
+ if not self.client.append(self.revocation_key,
+@@ -95,10 +96,11 @@ class Token(token.Driver):
+
+ def delete_token(self, token_id):
+ # Test for existence
+- data = self.get_token(token.unique_id(token_id))
+- ptk = self._prefix_token_id(token.unique_id(token_id))
++ token_id = token.unique_id(token_id)
++ data = self.get_token(token_id)
++ ptk = self._prefix_token_id(token_id)
+ result = self.client.delete(ptk)
+- self._add_to_revocation_list(data)
++ self._add_to_revocation_list(token_id, data)
+ return result
+
+ def list_tokens(self, user_id, tenant_id=None, trust_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 85ac7cf..d4c2e6c 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,10 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import copy
+ import datetime
+ import default_fixtures
++import hashlib
+ import uuid
+-import nose.exc
+
+ from keystone.catalog import core
+ from keystone import config
+@@ -2065,17 +2066,19 @@ class TokenTests(object):
+ 'trust_id': None,
+ 'user': {'id': 'testuserid'}}
+ data_ref = self.token_api.create_token(token_id, data)
+- expires = data_ref.pop('expires')
+- data_ref.pop('user_id')
++ data_ref_copy = copy.deepcopy(data_ref)
++ expires = data_ref_copy.pop('expires')
++ data_ref_copy.pop('user_id')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertDictEqual(data_ref, data)
++ self.assertDictEqual(data_ref_copy, data)
+
+ new_data_ref = self.token_api.get_token(token_id)
+- expires = new_data_ref.pop('expires')
+- new_data_ref.pop('user_id')
++ new_data_ref_copy = copy.deepcopy(new_data_ref)
++ expires = new_data_ref_copy.pop('expires')
++ new_data_ref_copy.pop('user_id')
+
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertEquals(new_data_ref, data)
++ self.assertEquals(new_data_ref_copy, data)
+
+ self.token_api.delete_token(token_id)
+ self.assertRaises(exception.TokenNotFound,
+@@ -2248,6 +2251,36 @@ class TokenTests(object):
+ self.check_list_revoked_tokens([self.delete_token()
+ for x in xrange(2)])
+
++ def test_predictable_revoked_pki_token_id(self):
++ # NOTE(dolph): _create_token_id() includes 'MII' as a prefix of the
++ # returned token str in master, but not in grizzly.
++ # revising _create_token_id() in grizzly to include the
++ # previx breaks several other tests here
++ token_id = 'MII' + self._create_token_id()
++ token_id_hash = hashlib.md5(token_id).hexdigest()
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id_hash, revoked_ids)
++ self.assertNotIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
++ def test_predictable_revoked_uuid_token_id(self):
++ token_id = uuid.uuid4().hex
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
+
+ class TrustTests(object):
+ def create_sample_trust(self, new_id):
+--
+1.8.2.1 (Apple Git-45)
+
diff --git a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
index e8eba2575642..33d6a7cff4ea 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r6.ebuild,v 1.1 2013/07/17 16:30:36 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r7.ebuild,v 1.1 2013/09/11 16:01:38 prometheanfire Exp $
 
 EAPI=5
 #test restricted becaues of bad requirements given (old webob for instance)
@@ -74,6 +74,7 @@ PATCHES=(
 "${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch"
 "${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch"
 "${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch"
+ "${FILESDIR}/keystone-cve-2013-4294-folsom.patch"
 "${FILESDIR}/2012.2.4-upstream-1181157.patch"
 )
 
diff --git a/sys-auth/keystone/keystone-2013.1.3.ebuild b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
index 498607be2433..6a6023ca7840 100644
--- a/sys-auth/keystone/keystone-2013.1.3.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3.ebuild,v 1.1 2013/08/11 00:56:17 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3-r1.ebuild,v 1.1 2013/09/11 16:01:37 prometheanfire Exp $
 
 EAPI=5
 #test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
 # dev-python/webtest
 # )
 PATCHES=(
+ "${FILESDIR}/keystone-cve-2013-4294-grizzly.patch"
 )
 # "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
 #
|
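Review bot: The new PATCHES entry in the `@@ -74,6 +74,7 @@` hunk pulls in a backport whose own regression tests (`test_predictable_revoked_pki_token_id`, `test_predictable_revoked_uuid_token_id`) will not be exercised by the build, since the `#test restricted becaues of bad requirements given (old webob for instance)` line in the first hunk indicates the test phase is disabled for this ebuild; the same applies to the `@@ -70,6 +70,7 @@` hunk of keystone-2013.1.3-r1.ebuild on this line. Applying cleanly is all the build checks, so whether the revocation list really ends up carrying the hashed PKI token id on 2012.2.4, where the patch lands on top of the three earlier folsom CVE patches, is verified nowhere in-tree. A short comment above the new array element would at least record that, e.g. `# CVE-2013-4294 backport; its bundled regression tests do not run here (tests restricted)`. If the maintainer ran the patched test suite outside the build, noting that in the ChangeLog entry would close the gap.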