commit: 3930fb660c9d11c546f1959d4a2bdf66dd8f67e2 |
Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
AuthorDate: Fri Nov 4 14:48:04 2016 +0000 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Fri Nov 4 14:48:04 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3930fb66 |
|
sys-cluster/heat: fix CVE-2016-9185 bug 598940 |
|
Package-Manager: portage-2.3.0 |
|
sys-cluster/heat/files/CVE-2016-9185.patch | 53 ++++++++++++++++++++++ |
.../{heat-7.0.0.ebuild => heat-7.0.0-r1.ebuild} | 5 +- |
2 files changed, 56 insertions(+), 2 deletions(-) |
|
16 |
diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch b/sys-cluster/heat/files/CVE-2016-9185.patch |
17 |
new file mode 100644 |
18 |
index 00000000..7b6bd86 |
19 |
--- /dev/null |
20 |
+++ b/sys-cluster/heat/files/CVE-2016-9185.patch |
21 |
@@ -0,0 +1,53 @@ |
22 |
+From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001 |
23 |
+From: Daniel Gonzalez <daniel@××××××××××××××××××.de> |
24 |
+Date: Mon, 17 Oct 2016 10:22:42 +0200 |
25 |
+Subject: Prevent template validate from scanning ports |
26 |
+ |
27 |
+The template validation method in the heat API allows to specify the |
28 |
+template to validate using a URL with the 'template_url' parameter. |
29 |
+ |
30 |
+By entering invalid http URLs, like 'http://localhost:22' it is |
31 |
+possible to scan ports by evaluating the error message of the request. |
32 |
+ |
33 |
+For example, the request |
34 |
+ |
35 |
+curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \ |
36 |
+-X POST -d '{"template_url": "http://localhost:22"}' \ |
37 |
+http://127.0.0.1:8004/v1/<TENANT_ID>/validate |
38 |
+ |
39 |
+causes the following error message to be returned to the user: |
40 |
+ |
41 |
+"Could not retrieve template: Failed to retrieve template: |
42 |
+('Connection aborted.', |
43 |
+BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))" |
44 |
+ |
45 |
+This could be misused by tenants to gain knowledge about the internal |
46 |
+network the heat API runs in. |
47 |
+ |
48 |
+To prevent this information leak, this patch alters the error message |
49 |
+to not include such details when the url scheme is not 'file'. |
50 |
+ |
51 |
+SecurityImpact |
52 |
+ |
53 |
+Closes-Bug: #1606500 |
54 |
+ |
55 |
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950 |
56 |
+(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98) |
57 |
+--- |
58 |
+ heat/common/urlfetch.py | 3 ++- |
59 |
+ 1 file changed, 2 insertions(+), 1 deletion(-) |
60 |
+ |
61 |
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py |
62 |
+index 7efd968..8a7deae 100644 |
63 |
+--- a/heat/common/urlfetch.py |
64 |
++++ b/heat/common/urlfetch.py |
65 |
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')): |
66 |
+ return result |
67 |
+ |
68 |
+ except exceptions.RequestException as ex: |
69 |
+- raise URLFetchError(_('Failed to retrieve template: %s') % ex) |
70 |
++ LOG.info(_LI('Failed to retrieve template: %s') % ex) |
71 |
++ raise URLFetchError(_('Failed to retrieve template from %s') % url) |
72 |
+-- |
73 |
+cgit v0.12 |
74 |
+ |
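Review bot: The server still connects to whatever host and port a tenant puts in `template_url` after this fix; the new `except exceptions.RequestException` branch in heat/common/urlfetch.py only keeps the exception text out of the response. Whether `get()` restricts destinations cannot be judged here, because its body starts outside the embedded hunk. It is also worth confirming that fetches which do not raise `RequestException` cannot be told apart from this generic error, since that would leave the information leak partly open. Separately, the added log call formats eagerly and writes remote-supplied bytes into the log at info level; `LOG.info(_LI('Failed to retrieve template: %s'), ex)` would defer formatting to the logger.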
75 |
|
76 |
diff --git a/sys-cluster/heat/heat-7.0.0.ebuild b/sys-cluster/heat/heat-7.0.0-r1.ebuild |
77 |
similarity index 99% |
78 |
rename from sys-cluster/heat/heat-7.0.0.ebuild |
79 |
rename to sys-cluster/heat/heat-7.0.0-r1.ebuild |
80 |
index 9477a14..37461d9 100644 |
81 |
--- a/sys-cluster/heat/heat-7.0.0.ebuild |
82 |
+++ b/sys-cluster/heat/heat-7.0.0-r1.ebuild |
83 |
@@ -113,8 +113,9 @@ RDEPEND=" |
84 |
>=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] |
85 |
>=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]" |
86 |
|
87 |
-#PATCHES=( |
88 |
-#) |
89 |
+PATCHES=( |
90 |
+ "${FILESDIR}/CVE-2016-9185.patch" |
91 |
+) |
92 |
|
93 |
pkg_setup() { |
94 |
enewgroup heat |