commit: 3930fb660c9d11c546f1959d4a2bdf66dd8f67e2
Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 4 14:48:04 2016 +0000
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Fri Nov 4 14:48:04 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3930fb66
sys-cluster/heat: fix CVE-2016-9185 bug 598940
Package-Manager: portage-2.3.0
sys-cluster/heat/files/CVE-2016-9185.patch | 53 ++++++++++++++++++++++
.../{heat-7.0.0.ebuild => heat-7.0.0-r1.ebuild} | 5 +-
2 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch
b/sys-cluster/heat/files/CVE-2016-9185.patch
new file mode 100644
index 00000000..7b6bd86
--- /dev/null
+++ b/sys-cluster/heat/files/CVE-2016-9185.patch
@@ -0,0 +1,53 @@
+From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001
+From: Daniel Gonzalez <[email protected]>
+Date: Mon, 17 Oct 2016 10:22:42 +0200
+Subject: Prevent template validate from scanning ports
+
+The template validation method in the heat API allows to specify the
+template to validate using a URL with the 'template_url' parameter.
+
+By entering invalid http URLs, like 'http://localhost:22' it is
+possible to scan ports by evaluating the error message of the request.
+
+For example, the request
+
+curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
+-X POST -d '{"template_url": "http://localhost:22"}' \
+http://127.0.0.1:8004/v1/<TENANT_ID>/validate
+
+causes the following error message to be returned to the user:
+
+"Could not retrieve template: Failed to retrieve template:
+('Connection aborted.',
+BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
+
+This could be misused by tenants to gain knowledge about the internal
+network the heat API runs in.
+
+To prevent this information leak, this patch alters the error message
+to not include such details when the url scheme is not 'file'.
+
+SecurityImpact
+
+Closes-Bug: #1606500
+
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
+(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
+---
+ heat/common/urlfetch.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+index 7efd968..8a7deae 100644
+--- a/heat/common/urlfetch.py
++++ b/heat/common/urlfetch.py
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
+ return result
+
+ except exceptions.RequestException as ex:
+- raise URLFetchError(_('Failed to retrieve template: %s') % ex)
++ LOG.info(_LI('Failed to retrieve template: %s') % ex)
++ raise URLFetchError(_('Failed to retrieve template from %s') % url)
+--
+cgit v0.12
+
diff --git a/sys-cluster/heat/heat-7.0.0.ebuild
b/sys-cluster/heat/heat-7.0.0-r1.ebuild
similarity index 99%
rename from sys-cluster/heat/heat-7.0.0.ebuild
rename to sys-cluster/heat/heat-7.0.0-r1.ebuild
index 9477a14..37461d9 100644
--- a/sys-cluster/heat/heat-7.0.0.ebuild
+++ b/sys-cluster/heat/heat-7.0.0-r1.ebuild
@@ -113,8 +113,9 @@ RDEPEND="
>=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
>=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]"
-#PATCHES=(
-#)
+PATCHES=(
+ "${FILESDIR}/CVE-2016-9185.patch"
+)
pkg_setup() {
enewgroup heat
