commit:     f4d9fe6d319b3b53175aeaf39ea596b4eef68a7f
Author:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Wed May 18 15:09:12 2016 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Wed May 18 15:09:12 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4d9fe6d

sys-auth/keystone: fix CVE-2016-4911 bug 583392

Package-Manager: portage-2.2.28

 sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch  | 103 +++++++++++++++++++++
 ...stone-9.0.0.ebuild => keystone-9.0.0-r1.ebuild} |   5 +-
 2 files changed, 106 insertions(+), 2 deletions(-)

diff --git a/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch 
b/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch
new file mode 100644
index 0000000..0ea6cd8
--- /dev/null
+++ b/sys-auth/keystone/files/CVE-2016-4911_9.0.0.patch
@@ -0,0 +1,103 @@
+From ee1dc941042d1f71699971c5c30566af1b348572 Mon Sep 17 00:00:00 2001
+From: Lance Bragstad <[email protected]>
+Date: Mon, 2 May 2016 19:16:11 +0000
+Subject: Fix fernet audit ids for v2.0
+
+The fernet token provider was doing some weird things with audit ids that
+caused token rescoping to not work because audit ids were never pulled from the
+original token. This commit also enables some tests for v2.0 authentication
+with the Fernet as the token provider.
+
+Closes-Bug: 1577558
+Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e
+(cherry picked from commit 0d376025bae61bf5ee19d992c7f336b99ac69240)
+---
+ keystone/tests/unit/test_auth.py        | 22 ++++++++++++++++++++++
+ keystone/token/controllers.py           |  3 ++-
+ keystone/token/providers/fernet/core.py |  9 ++-------
+ 3 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/keystone/tests/unit/test_auth.py 
b/keystone/tests/unit/test_auth.py
+index b09d9ac..6f44b31 100644
+--- a/keystone/tests/unit/test_auth.py
++++ b/keystone/tests/unit/test_auth.py
+@@ -33,6 +33,7 @@ from keystone import exception
+ from keystone.models import token_model
+ from keystone.tests import unit
+ from keystone.tests.unit import default_fixtures
++from keystone.tests.unit import ksfixtures
+ from keystone.tests.unit.ksfixtures import database
+ from keystone import token
+ from keystone.token import provider
+@@ -671,6 +672,27 @@ class AuthWithToken(AuthTest):
+                               token_id=token_2_id)
+ 
+ 
++class FernetAuthWithToken(AuthWithToken):
++    def config_overrides(self):
++        super(FernetAuthWithToken, self).config_overrides()
++        self.config_fixture.config(group='token', provider='fernet')
++        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
++
++    def test_token_auth_with_binding(self):
++        self.config_fixture.config(group='token', bind=['kerberos'])
++        body_dict = _build_user_auth()
++        self.assertRaises(exception.NotImplemented,
++                          self.controller.authenticate,
++                          self.context_with_remote_user,
++                          body_dict)
++
++    def test_revoke_with_no_audit_info(self):
++        self.skipTest('Fernet with v2.0 and revocation is broken')
++
++    def test_deleting_role_revokes_token(self):
++        self.skipTest('Fernet with v2.0 and revocation is broken')
++
++
+ class AuthWithPasswordCredentials(AuthTest):
+     def test_auth_invalid_user(self):
+         """Verify exception is raised if invalid user."""
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index f610fc4..6eeb23e 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
+@@ -180,7 +180,8 @@ class Auth(controller.V2Controller):
+         try:
+             token_model_ref = token_model.KeystoneToken(
+                 token_id=old_token,
+-                token_data=self.token_provider_api.validate_token(old_token))
++                
token_data=self.token_provider_api.validate_v2_token(old_token)
++            )
+         except exception.NotFound as e:
+             raise exception.Unauthorized(e)
+ 
+diff --git a/keystone/token/providers/fernet/core.py 
b/keystone/token/providers/fernet/core.py
+index 8042aab..ff6fe9c 100644
+--- a/keystone/token/providers/fernet/core.py
++++ b/keystone/token/providers/fernet/core.py
+@@ -15,7 +15,6 @@ from oslo_config import cfg
+ from keystone.common import dependency
+ from keystone.common import utils as ks_utils
+ from keystone.federation import constants as federation_constants
+-from keystone.token import provider
+ from keystone.token.providers import common
+ from keystone.token.providers.fernet import token_formatters as tf
+ 
+@@ -145,12 +144,8 @@ class Provider(common.BaseProvider):
+         expires_at = token_data['access']['token']['expires']
+         audit_ids = token_data['access']['token'].get('audit_ids')
+         methods = ['password']
+-        if audit_ids:
+-            parent_audit_id = token_data['access']['token'].get(
+-                'parent_audit_id')
+-            audit_ids = provider.audit_info(parent_audit_id)
+-            if parent_audit_id:
+-                methods.append('token')
++        if len(audit_ids) > 1:
++            methods.append('token')
+         project_id = token_data['access']['token'].get('tenant', {}).get('id')
+         domain_id = None
+         trust_id = None
+-- 
+cgit v0.11.2
+
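Review bot: `if len(audit_ids) > 1:` in the fernet/core.py hunk (the last file inside this patch) raises TypeError when `audit_ids` is None, because the unchanged line above obtains it with `token_data['access']['token'].get('audit_ids')` and the removed `if audit_ids:` guard was the only thing that tolerated a missing key. If a v2 token without audit_ids can reach this path, validation would fail with an unhandled exception rather than the NotFound that the controllers.py hunk converts to Unauthorized; whether such a token can occur is not visible from the hunk, so this needs confirming against the callers. A defensive form is `if audit_ids and len(audit_ids) > 1:`, which keeps the cherry-pick's intent while restoring the old guard. The enclosing method in fernet/core.py begins and ends outside the hunk.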

diff --git a/sys-auth/keystone/keystone-9.0.0.ebuild 
b/sys-auth/keystone/keystone-9.0.0-r1.ebuild
similarity index 99%
rename from sys-auth/keystone/keystone-9.0.0.ebuild
rename to sys-auth/keystone/keystone-9.0.0-r1.ebuild
index cacbdbc..e6b6635 100644
--- a/sys-auth/keystone/keystone-9.0.0.ebuild
+++ b/sys-auth/keystone/keystone-9.0.0-r1.ebuild
@@ -98,8 +98,9 @@ RDEPEND="
                www-servers/gunicorn[${PYTHON_USEDEP}]
        )"
 
-#PATCHES=(
-#)
+PATCHES=(
+       "${FILESDIR}/CVE-2016-4911_9.0.0.patch"
+)
 
 pkg_setup() {
        enewgroup keystone
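Review bot: The new `PATCHES` entry carries no pointer to why the patch exists, so a later maintainer bumping past 9.0.0 has to open the patch file to learn whether it is still needed; a one-line comment above it, `# CVE-2016-4911, bug 583392: fernet audit ids for v2.0 (upstream cherry-pick)`, would record that. The eclass that consumes the `PATCHES` array is inherited outside this hunk, so I am assuming the file's existing inherit already applies it.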
