Gentoo Archives: gentoo-commits

From: Matt Thode <prometheanfire@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-cluster/heat/files/, sys-cluster/heat/
Date: Fri, 04 Nov 2016 14:48:38
Message-Id: 1478270884.3930fb660c9d11c546f1959d4a2bdf66dd8f67e2.prometheanfire@gentoo
1 commit: 3930fb660c9d11c546f1959d4a2bdf66dd8f67e2
2 Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
3 AuthorDate: Fri Nov 4 14:48:04 2016 +0000
4 Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org>
5 CommitDate: Fri Nov 4 14:48:04 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3930fb66
7
8 sys-cluster/heat: fix CVE-2016-9185 bug 598940
9
10 Package-Manager: portage-2.3.0
11
12 sys-cluster/heat/files/CVE-2016-9185.patch | 53 ++++++++++++++++++++++
13 .../{heat-7.0.0.ebuild => heat-7.0.0-r1.ebuild} | 5 +-
14 2 files changed, 56 insertions(+), 2 deletions(-)
15
16 diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch b/sys-cluster/heat/files/CVE-2016-9185.patch
17 new file mode 100644
18 index 00000000..7b6bd86
19 --- /dev/null
20 +++ b/sys-cluster/heat/files/CVE-2016-9185.patch
21 @@ -0,0 +1,53 @@
22 +From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001
23 +From: Daniel Gonzalez <daniel@××××××××××××××××××.de>
24 +Date: Mon, 17 Oct 2016 10:22:42 +0200
25 +Subject: Prevent template validate from scanning ports
26 +
27 +The template validation method in the heat API allows to specify the
28 +template to validate using a URL with the 'template_url' parameter.
29 +
30 +By entering invalid http URLs, like 'http://localhost:22' it is
31 +possible to scan ports by evaluating the error message of the request.
32 +
33 +For example, the request
34 +
35 +curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
36 +-X POST -d '{"template_url": "http://localhost:22"}' \
37 +http://127.0.0.1:8004/v1/<TENANT_ID>/validate
38 +
39 +causes the following error message to be returned to the user:
40 +
41 +"Could not retrieve template: Failed to retrieve template:
42 +('Connection aborted.',
43 +BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
44 +
45 +This could be misused by tenants to gain knowledge about the internal
46 +network the heat API runs in.
47 +
48 +To prevent this information leak, this patch alters the error message
49 +to not include such details when the url scheme is not 'file'.
50 +
51 +SecurityImpact
52 +
53 +Closes-Bug: #1606500
54 +
55 +Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
56 +(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
57 +---
58 + heat/common/urlfetch.py | 3 ++-
59 + 1 file changed, 2 insertions(+), 1 deletion(-)
60 +
61 +diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
62 +index 7efd968..8a7deae 100644
63 +--- a/heat/common/urlfetch.py
64 ++++ b/heat/common/urlfetch.py
65 +@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
66 + return result
67 +
68 + except exceptions.RequestException as ex:
69 +- raise URLFetchError(_('Failed to retrieve template: %s') % ex)
70 ++ LOG.info(_LI('Failed to retrieve template: %s') % ex)
71 ++ raise URLFetchError(_('Failed to retrieve template from %s') % url)
72 +--
73 +cgit v0.12
74 +
75
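Review bot: In the except branch of the urlfetch.py hunk, the new LOG.info call formats its message eagerly with `% ex` and leaves out the URL, so the log entry that now holds the only copy of the underlying error cannot be matched to the request that caused it. Suggest passing both values as logger arguments, for example `LOG.info(_LI('Failed to retrieve template from %(url)s: %(ex)s'), {'url': url, 'ex': ex})`. Note also that this branch only changes the text raised on RequestException. The fetch to the caller-supplied URL is still issued, so the change removes the detail from the error string and does not restrict which destinations template_url may name. That would need a separate change. The diffstat lists only heat/common/urlfetch.py, so a test asserting that the URLFetchError text no longer contains the exception detail would be worth adding.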
76 diff --git a/sys-cluster/heat/heat-7.0.0.ebuild b/sys-cluster/heat/heat-7.0.0-r1.ebuild
77 similarity index 99%
78 rename from sys-cluster/heat/heat-7.0.0.ebuild
79 rename to sys-cluster/heat/heat-7.0.0-r1.ebuild
80 index 9477a14..37461d9 100644
81 --- a/sys-cluster/heat/heat-7.0.0.ebuild
82 +++ b/sys-cluster/heat/heat-7.0.0-r1.ebuild
83 @@ -113,8 +113,9 @@ RDEPEND="
84 >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
85 >=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]"
86
87 -#PATCHES=(
88 -#)
89 +PATCHES=(
90 + "${FILESDIR}/CVE-2016-9185.patch"
91 +)
92
93 pkg_setup() {
94 enewgroup heat
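Review bot: The PATCHES entry has no comment saying where the patch comes from or when it can be dropped. A one-line comment above `"${FILESDIR}/CVE-2016-9185.patch"` naming the upstream bug (Closes-Bug: #1606500 in the patch header) and the cherry-picked commit would let whoever does the next version bump check quickly whether the fix is already in the release tarball.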