| 1 |
prometheanfire 14/07/02 17:12:34 |
| 2 |
|
| 3 |
Added: 2014.1.1-CVE-2014-3250.patch |
| 4 |
Removed: CVE-2014-2828-2013.2.3.patch |
| 5 |
Log: |
| 6 |
bup for CVE-2014-3520, no vulnerable left in tree |
| 7 |
|
| 8 |
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3) |
| 9 |
|
| 10 |
Revision Changes Path |
| 11 |
1.1 sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch |
| 12 |
|
| 13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch?rev=1.1&view=markup |
| 14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch?rev=1.1&content-type=text/plain |
| 15 |
|
| 16 |
Index: 2014.1.1-CVE-2014-3250.patch |
| 17 |
=================================================================== |
| 18 |
From 8ac8484e1daadfda3f36b3135a8f6de56fc41795 Mon Sep 17 00:00:00 2001 |
| 19 |
From: Jamie Lennox <jamielennox@××××××.com> |
| 20 |
Date: Thu, 19 Jun 2014 14:41:22 +1000 |
| 21 |
Subject: [PATCH] Ensure that in v2 auth tenant_id matches trust |
| 22 |
|
| 23 |
Previously if a trustee requests a trust scoped token for a project that |
| 24 |
is different to the one in the trust, however the trustor has the |
| 25 |
appropriate roles then a token would be issued. |
| 26 |
|
| 27 |
Ensure that the trust that was given matches the project that was |
| 28 |
specified in the scope. |
| 29 |
|
| 30 |
(cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a) |
| 31 |
|
| 32 |
Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc |
| 33 |
Closes-Bug: #1331912 |
| 34 |
--- |
| 35 |
keystone/tests/test_auth.py | 15 +++++++++++++-- |
| 36 |
keystone/token/controllers.py | 6 +++++- |
| 37 |
2 files changed, 18 insertions(+), 3 deletions(-) |
| 38 |
|
| 39 |
diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py |
| 40 |
index 6d93e7f..4d9d9da 100644 |
| 41 |
--- a/keystone/tests/test_auth.py |
| 42 |
+++ b/keystone/tests/test_auth.py |
| 43 |
@@ -693,13 +693,15 @@ class AuthWithTrust(AuthTest): |
| 44 |
self.new_trust = self.trust_controller.create_trust( |
| 45 |
context, trust=trust_data)['trust'] |
| 46 |
|
| 47 |
- def build_v2_token_request(self, username, password): |
| 48 |
+ def build_v2_token_request(self, username, password, tenant_id=None): |
| 49 |
+ if not tenant_id: |
| 50 |
+ tenant_id = self.tenant_bar['id'] |
| 51 |
body_dict = _build_user_auth(username=username, password=password) |
| 52 |
self.unscoped_token = self.controller.authenticate({}, body_dict) |
| 53 |
unscoped_token_id = self.unscoped_token['access']['token']['id'] |
| 54 |
request_body = _build_user_auth(token={'id': unscoped_token_id}, |
| 55 |
trust_id=self.new_trust['id'], |
| 56 |
- tenant_id=self.tenant_bar['id']) |
| 57 |
+ tenant_id=tenant_id) |
| 58 |
return request_body |
| 59 |
|
| 60 |
def test_create_trust_bad_data_fails(self): |
| 61 |
@@ -782,6 +784,15 @@ class AuthWithTrust(AuthTest): |
| 62 |
exception.Forbidden, |
| 63 |
self.controller.authenticate, {}, request_body) |
| 64 |
|
| 65 |
+ def test_token_from_trust_wrong_project_fails(self): |
| 66 |
+ for assigned_role in self.assigned_roles: |
| 67 |
+ self.assignment_api.add_role_to_user_and_project( |
| 68 |
+ self.trustor['id'], self.tenant_baz['id'], assigned_role) |
| 69 |
+ request_body = self.build_v2_token_request('TWO', 'two2', |
| 70 |
+ self.tenant_baz['id']) |
| 71 |
+ self.assertRaises(exception.Forbidden, self.controller.authenticate, |
| 72 |
+ {}, request_body) |
| 73 |
+ |
| 74 |
def fetch_v2_token_from_trust(self): |
| 75 |
request_body = self.build_v2_token_request('TWO', 'two2') |
| 76 |
auth_response = self.controller.authenticate({}, request_body) |
| 77 |
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py |
| 78 |
index bcae12c..be16145 100644 |
| 79 |
--- a/keystone/token/controllers.py |
| 80 |
+++ b/keystone/token/controllers.py |
| 81 |
@@ -164,6 +164,8 @@ class Auth(controller.V2Controller): |
| 82 |
|
| 83 |
user_ref = old_token_ref['user'] |
| 84 |
user_id = user_ref['id'] |
| 85 |
+ tenant_id = self._get_project_id_from_auth(auth) |
| 86 |
+ |
| 87 |
if not CONF.trust.enabled and 'trust_id' in auth: |
| 88 |
raise exception.Forbidden('Trusts are disabled.') |
| 89 |
elif CONF.trust.enabled and 'trust_id' in auth: |
| 90 |
@@ -172,6 +174,9 @@ class Auth(controller.V2Controller): |
| 91 |
raise exception.Forbidden() |
| 92 |
if user_id != trust_ref['trustee_user_id']: |
| 93 |
raise exception.Forbidden() |
| 94 |
+ if (trust_ref['project_id'] and |
| 95 |
+ tenant_id != trust_ref['project_id']): |
| 96 |
+ raise exception.Forbidden() |
| 97 |
if ('expires' in trust_ref) and (trust_ref['expires']): |
| 98 |
expiry = trust_ref['expires'] |
| 99 |
if expiry < timeutils.parse_isotime(timeutils.isotime()): |
| 100 |
@@ -196,7 +201,6 @@ class Auth(controller.V2Controller): |
| 101 |
current_user_ref = self.identity_api.get_user(user_id) |
| 102 |
|
| 103 |
metadata_ref = {} |
| 104 |
- tenant_id = self._get_project_id_from_auth(auth) |
| 105 |
tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref( |
| 106 |
user_id, tenant_id) |
| 107 |
|
| 108 |
-- |
| 109 |
1.9.3 |
Archives