Reworked patch, minus the tests.

The OpenStack/Designate project during icehouse did not cap requirements, causing the unit tests to fail to run.

I would recommend ensuring the tests pass given the set of dependencies in Jessie before applying and pushing.

Thanks,
Kiall

On 19/08/15 09:36, Kiall Mac Innes wrote:
Hey - Upstream Designate maintainer here.

Icehouse - aka 2014.1 - is partially affected by CVE-2015-5695, failure to enforce recordset quotas.

This was the less severe of the two CVEs, which we treated as a feature not implemented rather than a security issue initially. Additionally, the issue could only be exploited through the disabled by default + marked experimental V2 API.

Regardless - The patch at [1] should be easy enough to re-work for Icehouse.

Thanks,
Kiall

[1]: https://launchpadlibrarian.net/211525408/bug-1471161-quotas-kilo.patch

On 19/08/15 09:11, Moritz Muehlenhoff wrote:
Source: designate
Severity: grave
Tags: security

Hi,
please see the thread starting here:
https://marc.info/?l=oss-security&m=143810184926097&w=2

Can you please check with upstream whether 2014.1 from jessie
is affected? If so, we should fix it.

Cheers,
Moritz

From d2c10b9a87e17e1e09ddb8058c8da0aef676a44d Mon Sep 17 00:00:00 2001
From: Kiall Mac Innes <ki...@macinnes.ie>
Date: Wed, 19 Aug 2015 09:39:49 -0500
Subject: [PATCH] Ensure RecordSet quotas are enforced

Implement RecordSet's per domain, and Records per RecordSet
quota enforcement.

Change-Id: If7afc70cd1ebe2e18864859de51c6ccd15c6a43c
Partial-Bug: 1471161
---
 designate/central/service.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/designate/central/service.py b/designate/central/service.py
index 564da48..25367b6 100644
--- a/designate/central/service.py
+++ b/designate/central/service.py
@@ -255,8 +255,12 @@ class Service(rpc_service.Service):
         self.quota.limit_check(context, tenant_id, domains=count)
 
     def _enforce_recordset_quota(self, context, domain):
-        # TODO(kiall): Enforce RRSet Quotas
-        pass
+        # Ensure the recordsets per domain quota is OK
+        criterion = {'domain_id': domain['id']}
+        count = self.storage.count_recordsets(context, criterion)
+
+        self.quota.limit_check(
+            context, domain['tenant_id'], domain_recordsets=count)
 
     def _enforce_record_quota(self, context, domain, recordset):
         # Ensure the records per domain quota is OK
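Review bot: the new `domain_recordsets` quota resource is introduced here but the diffstat shows only `designate/central/service.py` changing, so before applying to the Icehouse (2014.1) package confirm that the quota driver and default quota values in that tree already know `domain_recordsets`; if they do not, `self.quota.limit_check(context, domain['tenant_id'], domain_recordsets=count)` will either raise on an unknown resource or never trip, and the CVE-2015-5695 fix would be a no-op. Note also that the check counts existing recordsets (`count_recordsets`) and then returns without holding any lock or transaction, so concurrent create requests can each observe a count below the limit and exceed it together; this mirrors the existing `domains=count` check directly above, so it is a known limitation of the pattern rather than a regression, but it is worth stating in the changelog and is a reason to keep the quota values conservative.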
@@ -266,7 +270,12 @@ class Service(rpc_service.Service):
         self.quota.limit_check(context, domain['tenant_id'],
                                domain_records=count)
 
-        # TODO(kiall): Enforce Records per RRSet Quotas
+        # Ensure the records per recordset quota is OK
+        criterion = {'recordset_id': recordset['id']}
+        count = self.storage.count_records(context, criterion)
+
+        self.quota.limit_check(context, domain['tenant_id'],
+                               recordset_records=count)
 
     # Misc Methods
     def get_absolute_limits(self, context):
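Review bot: the two `limit_check` calls in `_enforce_record_quota` could be a single call, since `limit_check` already takes the resources as keyword arguments (`domain_records=count, recordset_records=count2`), which gives one error path instead of two and keeps the method shorter. As with the first hunk, `recordset_records` is a new quota resource name that this one-file patch does not define, so verify the Icehouse quota module accepts it. Since this reworked patch ships "minus the tests", the minimum unit test to add before upload is one that seeds a recordset with exactly the configured `recordset_records` limit and asserts that the next record create raises the over-quota exception, plus one confirming that a create below the limit still succeeds.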
-- 
2.1.4
