Subject: unblock: qpid-cpp/0.16-7
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package qpid-cpp

This upload fixes a security problem in qpid's client handling
(CVE-2012-3467). Please see

http://www.openwall.com/lists/oss-security/2012/08/09/6

for more information.

unblock qpid-cpp/0.16-7

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru qpid-cpp-0.16/debian/changelog qpid-cpp-0.16/debian/changelog
--- qpid-cpp-0.16/debian/changelog	2012-06-05 09:40:01.000000000 +0200
+++ qpid-cpp-0.16/debian/changelog	2012-08-10 21:04:14.000000000 +0200
@@ -1,3 +1,10 @@
+qpid-cpp (0.16-7) unstable; urgency=low
+
+  * Fixes security issue CVE-2012-3467 which may allow bypassing the
+    broker authentication mechanism. Closes: #684456.
+
+ -- Cajus Pollmeier <ca...@debian.org>  Fri, 10 Aug 2012 20:39:06 +0200
+
 qpid-cpp (0.16-6) unstable; urgency=low
 
   * Included a few additional headers to make the rhmessaging
diff -Nru qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch
--- qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch	1970-01-01 01:00:00.000000000 +0100
+++ qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch	2012-08-10 21:04:14.000000000 +0200
@@ -0,0 +1,243 @@
+--- a/src/qpid/broker/Connection.cpp
++++ b/src/qpid/broker/Connection.cpp
+@@ -87,10 +87,14 @@
+                        bool link_,
+                        uint64_t objectId_,
+                        bool shadow_,
+-                       bool delayManagement) :
++                       bool delayManagement,
++                       bool authenticated_
++) :
+     ConnectionState(out_, broker_),
+     securitySettings(external),
+-    adapter(*this, link_, shadow_),
++    shadow(shadow_),
++    authenticated(authenticated_),
++    adapter(*this, link_),
+     link(link_),
+     mgmtClosing(false),
+     mgmtId(mgmtId_),
+@@ -100,7 +104,6 @@
+     timer(broker_.getTimer()),
+     errorListener(0),
+     objectId(objectId_),
+-    shadow(shadow_),
+     outboundTracker(*this)
+ {
+     outboundTracker.wrap(out);
+--- a/src/qpid/broker/Connection.h
++++ b/src/qpid/broker/Connection.h
+@@ -86,7 +86,8 @@
+                bool isLink = false,
+                uint64_t objectId = 0,
+                bool shadow=false,
+-               bool delayManagement = false);
++               bool delayManagement = false,
++               bool authenticated=true);
+ 
+     ~Connection ();
+ 
+@@ -146,6 +147,9 @@
+     /** True if this is a shadow connection in a cluster. */
+     bool isShadow() { return shadow; }
+ 
++    /** True if this connection is authenticated */
++    bool isAuthenticated() const { return authenticated; }
++
+     // Used by cluster to update connection status
+     sys::AggregateOutput& getOutputTasks() { return outputTasks; }
+ 
+@@ -174,6 +178,8 @@
+ 
+     ChannelMap channels;
+     qpid::sys::SecuritySettings securitySettings;
++    bool shadow;
++    bool authenticated;
+     ConnectionHandler adapter;
+     const bool link;
+     bool mgmtClosing;
+@@ -188,7 +194,6 @@
+     boost::intrusive_ptr<ConnectionTimeoutTask> timeoutTimer;
+     ErrorListener* errorListener;
+     uint64_t objectId;
+-    bool shadow;
+     framing::FieldTable clientProperties;
+ 
+     /**
+--- a/src/qpid/broker/ConnectionHandler.cpp
++++ b/src/qpid/broker/ConnectionHandler.cpp
+@@ -102,9 +102,10 @@
+     handler->secured = secured;
+ }
+ 
+-ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient, bool isShadow)  : handler(new Handler(connection, isClient, isShadow)) {}
++ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient)  :
++    handler(new Handler(connection, isClient)) {}
+ 
+-ConnectionHandler::Handler::Handler(Connection& c, bool isClient, bool isShadow) :
++ConnectionHandler::Handler::Handler(Connection& c, bool isClient) :
+     proxy(c.getOutput()),
+     connection(c), serverMode(!isClient), secured(0),
+     isOpen(false)
+@@ -115,14 +116,13 @@
+ 
+         properties.setString(QPID_FED_TAG, connection.getBroker().getFederationTag());
+ 
+-        authenticator = SaslAuthenticator::createAuthenticator(c, isShadow);
++	authenticator = SaslAuthenticator::createAuthenticator(c);
+         authenticator->getMechanisms(mechanisms);
+ 
+         Array locales(0x95);
+         boost::shared_ptr<FieldValue> l(new Str16Value(en_US));
+         locales.add(l);
+         proxy.start(properties, mechanisms, locales);
+-        
+     }
+ 
+     maxFrameSize = (64 * 1024) - 1;
+--- a/src/qpid/broker/ConnectionHandler.h
++++ b/src/qpid/broker/ConnectionHandler.h
+@@ -61,7 +61,7 @@
+         SecureConnection* secured;
+         bool isOpen;
+ 
+-        Handler(Connection& connection, bool isClient, bool isShadow=false);
++        Handler(Connection& connection, bool isClient);
+         ~Handler();
+         void startOk(const qpid::framing::ConnectionStartOkBody& body);
+         void startOk(const qpid::framing::FieldTable& clientProperties,
+@@ -99,7 +99,7 @@
+ 
+     bool handle(const qpid::framing::AMQMethodBody& method);
+   public:
+-    ConnectionHandler(Connection& connection, bool isClient, bool isShadow=false );
++    ConnectionHandler(Connection& connection, bool isClient );
+     void close(framing::connection::CloseCode code, const std::string& text);
+     void heartbeat();
+     void handle(framing::AMQFrame& frame);
+--- a/src/qpid/broker/SaslAuthenticator.cpp
++++ b/src/qpid/broker/SaslAuthenticator.cpp
+@@ -163,13 +163,17 @@
+ 
+ #endif
+ 
+-std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c, bool isShadow )
++std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c)
+ {
+     if (c.getBroker().getOptions().auth) {
+-        if ( isShadow )
+-            return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
++        // The cluster creates non-authenticated connections for internal shadow connections
++        // that are never connected to an external client.
++        if ( !c.isAuthenticated() )
++            return std::auto_ptr<SaslAuthenticator>(
++                new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+         else 
+-            return std::auto_ptr<SaslAuthenticator>(new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
++            return std::auto_ptr<SaslAuthenticator>(
++                new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+     } else {
+         QPID_LOG(debug, "SASL: No Authentication Performed");
+         return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+--- a/src/qpid/broker/SaslAuthenticator.h
++++ b/src/qpid/broker/SaslAuthenticator.h
+@@ -54,7 +54,7 @@
+     static void init(const std::string& saslName, std::string const & saslConfigPath );
+     static void fini(void);
+ 
+-    static std::auto_ptr<SaslAuthenticator> createAuthenticator(Connection& connection, bool isShadow);
++    static std::auto_ptr<SaslAuthenticator> createAuthenticator(Connection& connection);
+ 
+     virtual void callUserIdCallbacks() { }
+ };
+--- a/src/qpid/cluster/Connection.cpp
++++ b/src/qpid/cluster/Connection.cpp
+@@ -82,7 +82,9 @@
+                        const std::string& mgmtId,
+                        const ConnectionId& id, const qpid::sys::SecuritySettings& external)
+     : cluster(c), self(id), catchUp(false), announced(false), output(*this, out),
+-      connectionCtor(&output, cluster.getBroker(), mgmtId, external, false, 0, true),
++      connectionCtor(&output, cluster.getBroker(), mgmtId, external,
++                     false/*isLink*/, 0/*objectId*/, true/*shadow*/, false/*delayManagement*/,
++                     false/*authenticated*/),
+       expectProtocolHeader(false),
+       mcastFrameHandler(cluster.getMulticast(), self),
+       updateIn(c.getUpdateReceiver()),
+@@ -99,9 +101,10 @@
+                    external,
+                    isLink,
+                    isCatchUp ? ++catchUpId : 0,
+-                   // The first catch-up connection is not considered a shadow
+-                   // as it needs to be authenticated.
+-                   isCatchUp && self.second > 1),
++                   // The first catch-up connection is not a shadow
++                   isCatchUp && self.second > 1,
++                   false,       // delayManagement
++                   true),       // catch up connecytions are authenticated
+     expectProtocolHeader(isLink),
+     mcastFrameHandler(cluster.getMulticast(), self),
+     updateIn(c.getUpdateReceiver()),
+--- a/src/qpid/cluster/Connection.h
++++ b/src/qpid/cluster/Connection.h
+@@ -226,6 +226,7 @@
+         uint64_t objectId;
+         bool shadow;
+         bool delayManagement;
++        bool authenticated;
+ 
+         ConnectionCtor(
+             sys::ConnectionOutputHandler* out_,
+@@ -235,17 +236,18 @@
+             bool isLink_=false,
+             uint64_t objectId_=0,
+             bool shadow_=false,
+-            bool delayManagement_=false
++            bool delayManagement_=false,
++            bool authenticated_=true
+         ) : out(out_), broker(broker_), mgmtId(mgmtId_), external(external_),
+             isLink(isLink_), objectId(objectId_), shadow(shadow_),
+-            delayManagement(delayManagement_)
++            delayManagement(delayManagement_), authenticated(authenticated_)
+         {}
+ 
+         std::auto_ptr<broker::Connection> construct() {
+             return std::auto_ptr<broker::Connection>(
+                 new broker::Connection(
+                     out, broker, mgmtId, external, isLink, objectId,
+-                    shadow, delayManagement)
++                    shadow, delayManagement, authenticated)
+             );
+         }
+     };
+--- a/src/tests/cluster_tests.py
++++ b/src/tests/cluster_tests.py
+@@ -227,6 +227,18 @@
+         self.assertEqual("x", cluster[0].get_message("q").content)
+         self.assertEqual("y", cluster[1].get_message("q").content)
+ 
++    def test_other_mech(self):
++        """Test using a mechanism other than PLAIN/ANONYMOUS for cluster update  authentication.
++        Regression test for https://issues.apache.org/jira/browse/QPID-3849""";
++        sasl_config=os.path.join(self.rootdir, "sasl_config")
++        cluster = self.cluster(2, args=["--auth", "yes", "--sasl-config", sasl_config,
++                                        "--cluster-username=zig",
++                                        "--cluster-password=zig",
++                                        "--cluster-mechanism=DIGEST-MD5"])
++        cluster[0].connect()
++        cluster.start()         # Before the fix this broker falied to join the cluster.
++        cluster[2].connect()
++
+     def test_link_events(self):
+         """Regression test for https://bugzilla.redhat.com/show_bug.cgi?id=611543""";
+         args = ["--mgmt-pub-interval", 1] # Publish management information every second.
+--- a/src/tests/sasl_test_setup.sh
++++ b/src/tests/sasl_test_setup.sh
+@@ -30,7 +30,7 @@
+ auxprop_plugin: sasldb
+ sasldb_path: $PWD/sasl_config/qpidd.sasldb
+ sql_select: dummy select
+-mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL
++mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL CRAM-MD5
+ EOF
+ 
+ # Populate temporary sasl db.
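Review bot: In the Connection.h part of the added patch, `shadow` and `authenticated` are moved above `adapter` with no comment saying that the declaration order is now load-bearing. Members are initialized in declaration order, and the Connection.cpp and ConnectionHandler.cpp hunks show `adapter(*this, link_)` leading to `SaslAuthenticator::createAuthenticator(c)`, which reads `c.isAuthenticated()` while the Connection is still being constructed. If a later edit moves `authenticated` back below `adapter`, that read would see an indeterminate value and the broker could pick `NullAuthenticator` with auth enabled. I would add `// Must stay declared before adapter: ConnectionHandler's constructor reads isAuthenticated() to choose the authenticator.` above `bool shadow;` (the class body continues outside the hunk). The doc comment on `isAuthenticated()` would also read more accurately as `/** True if this connection is required to authenticate; set at construction, so it does not mean the SASL exchange has completed. */`, which keeps it from being mistaken for an authorization check.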
diff -Nru qpid-cpp-0.16/debian/patches/series qpid-cpp-0.16/debian/patches/series
--- qpid-cpp-0.16/debian/patches/series	2012-05-24 13:08:09.000000000 +0200
+++ qpid-cpp-0.16/debian/patches/series	2012-08-10 21:04:14.000000000 +0200
@@ -1,3 +1,4 @@
+CVE-2012-3467.patch
 disable-ssl-test.patch
 CVE-2012-2145.patch
 autotools.patch
