prometheanfire 14/07/02 17:12:34 |
|
Added: 2014.1.1-CVE-2014-3250.patch |
Removed: CVE-2014-2828-2013.2.3.patch |
Log: |
bump for CVE-2014-3520, no vulnerable versions left in tree |
|
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3) |
|
Revision Changes Path |
1.1 sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch?rev=1.1&content-type=text/plain |
|
Index: 2014.1.1-CVE-2014-3250.patch |
=================================================================== |
From 8ac8484e1daadfda3f36b3135a8f6de56fc41795 Mon Sep 17 00:00:00 2001 |
From: Jamie Lennox <jamielennox@××××××.com> |
Date: Thu, 19 Jun 2014 14:41:22 +1000 |
Subject: [PATCH] Ensure that in v2 auth tenant_id matches trust |
|
Previously, if a trustee requested a trust-scoped token for a project different from the one in the trust, a token would still be issued as long as the trustor had the appropriate roles. |
|
Ensure that the trust that was given matches the project that was |
specified in the scope. |
|
(cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a) |
|
Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc |
Closes-Bug: #1331912 |
--- |
keystone/tests/test_auth.py | 15 +++++++++++++-- |
keystone/token/controllers.py | 6 +++++- |
2 files changed, 18 insertions(+), 3 deletions(-) |
|
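diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
index 6d93e7f..4d9d9da 100644
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
@@ -693,13 +693,15 @@ class AuthWithTrust(AuthTest):
         self.new_trust = self.trust_controller.create_trust(
             context, trust=trust_data)['trust']
 
-    def build_v2_token_request(self, username, password):
+    def build_v2_token_request(self, username, password, tenant_id=None):
+        if not tenant_id:
+            tenant_id = self.tenant_bar['id']
         body_dict = _build_user_auth(username=username, password=password)
         self.unscoped_token = self.controller.authenticate({}, body_dict)
         unscoped_token_id = self.unscoped_token['access']['token']['id']
         request_body = _build_user_auth(token={'id': unscoped_token_id},
                                         trust_id=self.new_trust['id'],
-                                        tenant_id=self.tenant_bar['id'])
+                                        tenant_id=tenant_id)
         return request_body
 
     def test_create_trust_bad_data_fails(self):
@@ -782,6 +784,15 @@ class AuthWithTrust(AuthTest):
             exception.Forbidden,
             self.controller.authenticate, {}, request_body)
 
+    def test_token_from_trust_wrong_project_fails(self):
+        for assigned_role in self.assigned_roles:
+            self.assignment_api.add_role_to_user_and_project(
+                self.trustor['id'], self.tenant_baz['id'], assigned_role)
+        request_body = self.build_v2_token_request('TWO', 'two2',
+                                                   self.tenant_baz['id'])
+        self.assertRaises(exception.Forbidden, self.controller.authenticate,
+                          {}, request_body)
+
     def fetch_v2_token_from_trust(self):
         request_body = self.build_v2_token_request('TWO', 'two2')
         auth_response = self.controller.authenticate({}, request_body)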
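Review bot: `if not tenant_id:` in `build_v2_token_request` treats every falsy value as "use tenant_bar", so a caller can never pass an empty tenant to exercise an unscoped trust request; `if tenant_id is None:` is the usual idiom and keeps that option open. The new `test_token_from_trust_wrong_project_fails` only asserts `Forbidden`, and because the trustor is deliberately given roles on tenant_baz first, the intent is that a rejection here comes from the trust/project mismatch rather than from a missing role; a one-line comment above the `for` loop stating that, e.g. `# Give the trustor roles on baz so only the trust/project check can reject this.`, would make the regression test self-explaining. The class AuthWithTrust starts and ends outside these hunks.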
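diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index bcae12c..be16145 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -164,6 +164,8 @@ class Auth(controller.V2Controller):
 
         user_ref = old_token_ref['user']
         user_id = user_ref['id']
+        tenant_id = self._get_project_id_from_auth(auth)
+
         if not CONF.trust.enabled and 'trust_id' in auth:
             raise exception.Forbidden('Trusts are disabled.')
         elif CONF.trust.enabled and 'trust_id' in auth:
@@ -172,6 +174,9 @@ class Auth(controller.V2Controller):
                 raise exception.Forbidden()
             if user_id != trust_ref['trustee_user_id']:
                 raise exception.Forbidden()
+            if (trust_ref['project_id'] and
+                    tenant_id != trust_ref['project_id']):
+                raise exception.Forbidden()
             if ('expires' in trust_ref) and (trust_ref['expires']):
                 expiry = trust_ref['expires']
                 if expiry < timeutils.parse_isotime(timeutils.isotime()):
@@ -196,7 +201,6 @@ class Auth(controller.V2Controller):
         current_user_ref = self.identity_api.get_user(user_id)
 
         metadata_ref = {}
-        tenant_id = self._get_project_id_from_auth(auth)
         tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
             user_id, tenant_id)
 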
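Review bot: The new project check in the second hunk raises a bare `exception.Forbidden()` with nothing explaining why a project-bound trust refuses a different scope, and the `trust_ref['project_id'] and` guard silently exempts trusts that carry no project from the check at all; a short comment would save the next reader from re-deriving the bug. Suggested, directly above the new `if`: `# A trust bound to a project may only be redeemed for a token scoped to that project; roles the trustor holds elsewhere must not become reachable through the trustee.` Hoisting `_get_project_id_from_auth(auth)` ahead of the trust branch (first hunk) also means any error it raises for an unknown tenant now precedes the 'Trusts are disabled.' check, which presumably only reorders error responses but is worth confirming against the v2 tests. The enclosing method starts and ends outside these hunks.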
-- |
1.9.3 |