Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package swift. This new version fixes CVE-2012-4406 / #686812. Debdiff attached: it only adds upstream patch as see here: https://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a Pleaes unblock swift/1.4.8-2, Cheers, Thomas Goirand (zigo)
diff -Nru swift-1.4.8/debian/changelog swift-1.4.8/debian/changelog --- swift-1.4.8/debian/changelog 2012-03-23 07:11:47.000000000 +0000 +++ swift-1.4.8/debian/changelog 2012-09-06 08:45:21.000000000 +0000 @@ -1,3 +1,10 @@ +swift (1.4.8-2) unstable; urgency=high + + * CVE-2012-4406: Do not use pickle for serialization in memcache, but JSON + (Closes: #686812). + + -- Thomas Goirand <z...@debian.org> Thu, 06 Sep 2012 08:40:18 +0000 + swift (1.4.8-1) unstable; urgency=low * New upstream release. diff -Nru swift-1.4.8/debian/patches/CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch swift-1.4.8/debian/patches/CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch --- swift-1.4.8/debian/patches/CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch 1970-01-01 00:00:00.000000000 +0000 +++ swift-1.4.8/debian/patches/CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch 2012-09-06 08:45:21.000000000 +0000 @@ -0,0 +1,321 @@ +Description: Do not use pickle for serialization in memcache, but JSON + We don't want to use pickle as it can execute arbitrary code. JSON is + safer. However, note that it supports serialization for only some + specific subset of object types; this should be enough for what we need, + though. + . + To avoid issues on upgrades (unability to read pickled values, and cache + poisoning for old servers not understanding JSON), we add a + memcache_serialization_support configuration option, with the following + values: + . + 0 = older, insecure pickle serialization + 1 = json serialization but pickles can still be read (still insecure) + 2 = json serialization only (secure and the default) + . + To avoid an instant full cache flush, existing installations should + upgrade with 0, then set to 1 and reload, then after some time (24 + hours) set to 2 and reload. Support for 0 and 1 will be removed in + future versions. +Origin: upstream +Bug-Debian: http://bugs.debian.org/686812 +Bug-Ubuntu: https://launchpad.net/bugs/1006414 + +--- swift-1.4.8.orig/etc/memcache.conf-sample ++++ swift-1.4.8/etc/memcache.conf-sample +@@ -3,3 +3,13 @@ + # several other conf files under [filter:cache] for example. You can specify + # multiple servers separated with commas, as in: 10.1.2.3:11211,10.1.2.4:11211 + # memcache_servers = 127.0.0.1:11211 ++# ++# Sets how memcache values are serialized and deserialized: ++# 0 = older, insecure pickle serialization ++# 1 = json serialization but pickles can still be read (still insecure) ++# 2 = json serialization only (secure and the default) ++# To avoid an instant full cache flush, existing installations should ++# upgrade with 0, then set to 1 and reload, then after some time (24 hours) ++# set to 2 and reload. ++# In the future, the ability to use pickle serialization will be removed. ++# memcache_serialization_support = 2 +--- swift-1.4.8.orig/etc/proxy-server.conf-sample ++++ swift-1.4.8/etc/proxy-server.conf-sample +@@ -122,6 +122,18 @@ use = egg:swift#memcache + # default to the value below. You can specify multiple servers separated with + # commas, as in: 10.1.2.3:11211,10.1.2.4:11211 + # memcache_servers = 127.0.0.1:11211 ++# ++# Sets how memcache values are serialized and deserialized: ++# 0 = older, insecure pickle serialization ++# 1 = json serialization but pickles can still be read (still insecure) ++# 2 = json serialization only (secure and the default) ++# If not set here, the value for memcache_serialization_support will be read ++# from /etc/swift/memcache.conf (see memcache.conf-sample). ++# To avoid an instant full cache flush, existing installations should ++# upgrade with 0, then set to 1 and reload, then after some time (24 hours) ++# set to 2 and reload. ++# In the future, the ability to use pickle serialization will be removed. ++# memcache_serialization_support = 2 + + [filter:ratelimit] + use = egg:swift#ratelimit +--- swift-1.4.8.orig/doc/manpages/proxy-server.conf.5 ++++ swift-1.4.8/doc/manpages/proxy-server.conf.5 +@@ -205,6 +205,21 @@ Enables the ability to log request heade + .IP \fBmemcache_servers\fR + The memcache servers that are available. This can be a list separated by commas. The default + is 127.0.0.1:11211. ++.IP \fBmemcache_serialization_support\fR ++This sets how memcache values are serialized and deserialized: ++.RE ++ ++.PD 0 ++.RS 10 ++.IP "0 = older, insecure pickle serialization" ++.IP "1 = json serialization but pickles can still be read (still insecure)" ++.IP "2 = json serialization only (secure and the default)" ++.RE ++ ++.RS 10 ++To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload. In the future, the ability to use pickle serialization will be removed. ++ ++If not set in the configuration file, the value for memcache_serialization_support will be read from /etc/swift/memcache.conf if it exists (see memcache.conf-sample). Otherwise, the default value as indicated above will be used. + .RE + + +--- swift-1.4.8.orig/swift/common/memcached.py ++++ swift-1.4.8/swift/common/memcached.py +@@ -27,11 +27,17 @@ import time + from bisect import bisect + from hashlib import md5 + ++try: ++ import simplejson as json ++except ImportError: ++ import json ++ + DEFAULT_MEMCACHED_PORT = 11211 + + CONN_TIMEOUT = 0.3 + IO_TIMEOUT = 2.0 + PICKLE_FLAG = 1 ++JSON_FLAG = 2 + NODE_WEIGHT = 50 + PICKLE_PROTOCOL = 2 + TRY_COUNT = 3 +@@ -57,7 +63,8 @@ class MemcacheRing(object): + """ + + def __init__(self, servers, connect_timeout=CONN_TIMEOUT, +- io_timeout=IO_TIMEOUT, tries=TRY_COUNT): ++ io_timeout=IO_TIMEOUT, tries=TRY_COUNT, ++ allow_pickle=False, allow_unpickle=False): + self._ring = {} + self._errors = dict(((serv, []) for serv in servers)) + self._error_limited = dict(((serv, 0) for serv in servers)) +@@ -69,6 +76,8 @@ class MemcacheRing(object): + self._client_cache = dict(((server, []) for server in servers)) + self._connect_timeout = connect_timeout + self._io_timeout = io_timeout ++ self._allow_pickle = allow_pickle ++ self._allow_unpickle = allow_unpickle or allow_pickle + + def _exception_occurred(self, server, e, action='talking'): + if isinstance(e, socket.timeout): +@@ -130,16 +139,21 @@ class MemcacheRing(object): + + :param key: key + :param value: value +- :param serialize: if True, value is pickled before sending to memcache ++ :param serialize: if True, value is serialized with JSON before sending ++ to memcache, or with pickle if configured to use ++ pickle instead of JSON (to avoid cache poisoning) + :param timeout: ttl in memcache + """ + key = md5hash(key) + if timeout > 0: + timeout += time.time() + flags = 0 +- if serialize: ++ if serialize and self._allow_pickle: + value = pickle.dumps(value, PICKLE_PROTOCOL) + flags |= PICKLE_FLAG ++ elif serialize: ++ value = json.dumps(value) ++ flags |= JSON_FLAG + for (server, fp, sock) in self._get_conns(key): + try: + sock.sendall('set %s %d %d %s noreply\r\n%s\r\n' % \ +@@ -151,8 +165,9 @@ class MemcacheRing(object): + + def get(self, key): + """ +- Gets the object specified by key. It will also unpickle the object +- before returning if it is pickled in memcache. ++ Gets the object specified by key. It will also unserialize the object ++ before returning if it is serialized in memcache with JSON, or if it ++ is pickled and unpickling is allowed. + + :param key: key + :returns: value of the key in memcache +@@ -168,7 +183,12 @@ class MemcacheRing(object): + size = int(line[3]) + value = fp.read(size) + if int(line[2]) & PICKLE_FLAG: +- value = pickle.loads(value) ++ if self._allow_unpickle: ++ value = pickle.loads(value) ++ else: ++ value = None ++ elif int(line[2]) & JSON_FLAG: ++ value = json.loads(value) + fp.readline() + line = fp.readline().strip().split() + self._return_conn(server, fp, sock) +@@ -258,7 +278,9 @@ class MemcacheRing(object): + :param mapping: dictonary of keys and values to be set in memcache + :param servery_key: key to use in determining which server in the ring + is used +- :param serialize: if True, value is pickled before sending to memcache ++ :param serialize: if True, value is serialized with JSON before sending ++ to memcache, or with pickle if configured to use ++ pickle instead of JSON (to avoid cache poisoning) + :param timeout: ttl for memcache + """ + server_key = md5hash(server_key) +@@ -268,9 +290,12 @@ class MemcacheRing(object): + for key, value in mapping.iteritems(): + key = md5hash(key) + flags = 0 +- if serialize: ++ if serialize and self._allow_pickle: + value = pickle.dumps(value, PICKLE_PROTOCOL) + flags |= PICKLE_FLAG ++ elif serialize: ++ value = json.dumps(value) ++ flags |= JSON_FLAG + msg += ('set %s %d %d %s noreply\r\n%s\r\n' % + (key, flags, timeout, len(value), value)) + for (server, fp, sock) in self._get_conns(server_key): +@@ -302,7 +327,12 @@ class MemcacheRing(object): + size = int(line[3]) + value = fp.read(size) + if int(line[2]) & PICKLE_FLAG: +- value = pickle.loads(value) ++ if self._allow_unpickle: ++ value = pickle.loads(value) ++ else: ++ value = None ++ elif int(line[2]) & JSON_FLAG: ++ value = json.loads(value) + responses[line[1]] = value + fp.readline() + line = fp.readline().strip().split() +--- swift-1.4.8.orig/swift/common/middleware/memcache.py ++++ swift-1.4.8/swift/common/middleware/memcache.py +@@ -27,20 +27,36 @@ class MemcacheMiddleware(object): + def __init__(self, app, conf): + self.app = app + self.memcache_servers = conf.get('memcache_servers') +- if not self.memcache_servers: ++ serialization_format = conf.get('memcache_serialization_support') ++ ++ if not self.memcache_servers or serialization_format is None: + path = os.path.join(conf.get('swift_dir', '/etc/swift'), + 'memcache.conf') + memcache_conf = ConfigParser() + if memcache_conf.read(path): +- try: +- self.memcache_servers = \ +- memcache_conf.get('memcache', 'memcache_servers') +- except (NoSectionError, NoOptionError): +- pass ++ if not self.memcache_servers: ++ try: ++ self.memcache_servers = \ ++ memcache_conf.get('memcache', 'memcache_servers') ++ except (NoSectionError, NoOptionError): ++ pass ++ if serialization_format is None: ++ try: ++ serialization_format = \ ++ memcache_conf.get('memcache', ++ 'memcache_serialization_support') ++ except (NoSectionError, NoOptionError): ++ pass ++ + if not self.memcache_servers: + self.memcache_servers = '127.0.0.1:11211' ++ if serialization_format is None: ++ serialization_format = 2 ++ + self.memcache = MemcacheRing( +- [s.strip() for s in self.memcache_servers.split(',') if s.strip()]) ++ [s.strip() for s in self.memcache_servers.split(',') if s.strip()], ++ allow_pickle=(serialization_format == 0), ++ allow_unpickle=(serialization_format <= 1)) + + def __call__(self, env, start_response): + env['swift.cache'] = self.memcache +--- swift-1.4.8.orig/test/unit/common/test_memcached.py ++++ swift-1.4.8/test/unit/common/test_memcached.py +@@ -1,3 +1,4 @@ ++ # -*- coding: utf8 -*- + # Copyright (c) 2010-2012 OpenStack, LLC. + # + # Licensed under the Apache License, Version 2.0 (the "License"); +@@ -166,6 +167,9 @@ class TestMemcached(unittest.TestCase): + self.assertEquals(memcache_client.get('some_key'), [1, 2, 3]) + memcache_client.set('some_key', [4, 5, 6]) + self.assertEquals(memcache_client.get('some_key'), [4, 5, 6]) ++ memcache_client.set('some_key', ['simple str', 'utf8 str éà']) ++ # As per http://wiki.openstack.org/encoding, we should expect to have unicode ++ self.assertEquals(memcache_client.get('some_key'), ['simple str', u'utf8 str éà']) + self.assert_(float(mock.cache.values()[0][1]) == 0) + esttimeout = time.time() + 10 + memcache_client.set('some_key', [1, 2, 3], timeout=10) +@@ -244,6 +248,24 @@ class TestMemcached(unittest.TestCase): + self.assertEquals(memcache_client.get_multi(('some_key2', 'some_key1', + 'not_exists'), 'multi_key'), [[4, 5, 6], [1, 2, 3], None]) + ++ def test_serialization(self): ++ memcache_client = memcached.MemcacheRing(['1.2.3.4:11211'], ++ allow_pickle=True) ++ mock = MockMemcached() ++ memcache_client._client_cache['1.2.3.4:11211'] = [(mock, mock)] * 2 ++ memcache_client.set('some_key', [1, 2, 3]) ++ self.assertEquals(memcache_client.get('some_key'), [1, 2, 3]) ++ memcache_client._allow_pickle = False ++ memcache_client._allow_unpickle = True ++ self.assertEquals(memcache_client.get('some_key'), [1, 2, 3]) ++ memcache_client._allow_unpickle = False ++ self.assertEquals(memcache_client.get('some_key'), None) ++ memcache_client.set('some_key', [1, 2, 3]) ++ self.assertEquals(memcache_client.get('some_key'), [1, 2, 3]) ++ memcache_client._allow_unpickle = True ++ self.assertEquals(memcache_client.get('some_key'), [1, 2, 3]) ++ memcache_client._allow_pickle = True ++ self.assertEquals(memcache_client.get('some_key'), [1, 2, 3]) + + if __name__ == '__main__': + unittest.main() +--- swift-1.4.8.orig/test/unit/common/middleware/test_memcache.py ++++ swift-1.4.8/test/unit/common/middleware/test_memcache.py +@@ -47,6 +47,8 @@ class SetConfigParser(object): + if section == 'memcache': + if option == 'memcache_servers': + return '1.2.3.4:5' ++ elif option == 'memcache_serialization_support': ++ return '2' + else: + raise NoOptionError(option) + else: +@@ -86,7 +88,8 @@ class TestCacheMiddleware(unittest.TestC + exc = None + try: + app = memcache.MemcacheMiddleware( +- FakeApp(), {'memcache_servers': '1.2.3.4:5'}) ++ FakeApp(), {'memcache_servers': '1.2.3.4:5', ++ 'memcache_serialization_support': '2'}) + except Exception, err: + exc = err + finally: diff -Nru swift-1.4.8/debian/patches/series swift-1.4.8/debian/patches/series --- swift-1.4.8/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ swift-1.4.8/debian/patches/series 2012-09-06 08:45:21.000000000 +0000 @@ -0,0 +1 @@ +CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch
