authorMatt Thode <prometheanfire@gentoo.org>2014-07-02 17:12:41 +0000
committerMatt Thode <prometheanfire@gentoo.org>2014-07-02 17:12:41 +0000
commit65713d43eab09ff5b8b9ac0b38525acf127c62fd (patch)
treee724454c249d82ef3f95ab1db95b82863f850eba /sys-auth/keystone
parentNew upstream release as per Oliver Jaksch; reduced T202 default to legal mini... (diff)
bup for CVE-2014-3520, no vulnerable left in tree
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog9
-rw-r--r--sys-auth/keystone/Manifest32
-rw-r--r--sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch94
-rw-r--r--sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch64
-rw-r--r--sys-auth/keystone/keystone-2014.1.1-r2.ebuild (renamed from sys-auth/keystone/keystone-2014.1.1-r1.ebuild)3
5 files changed, 120 insertions, 82 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 71243ad11b0c..1649d6f34380 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.73 2014/06/30 01:30:42 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.74 2014/07/02 17:12:34 prometheanfire Exp $
+
+*keystone-2014.1.1-r2 (02 Jul 2014)
+
+ 02 Jul 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2014.1.1-CVE-2014-3250.patch, +keystone-2014.1.1-r2.ebuild,
+ -files/CVE-2014-2828-2013.2.3.patch, -keystone-2014.1.1-r1.ebuild:
+ bup for CVE-2014-3520, no vulnerable left in tree
*keystone-2014.1.1-r1 (30 Jun 2014)
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index 8fbff99e2c9c..11596893c407 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -1,31 +1,31 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX 2014.1.1-CVE-2014-3250.patch 4199 SHA256 c2bf10df39df4bc993c4a68491734c177428da21a2fc6bcd4673f8864910d6d8 SHA512 6dfe72e051eeabafb2fcf5f91fc6422de363420cad68c8cd6700db54507fcd7138b2a90077d772a8f9fd378ab889eeaad62c95f7a1db04f70811f2d2dab0a87d WHIRLPOOL e748dce4f854ec1b5c5663efd2ffa673c4a79d3dca98891a761c3ead266536eb72b2a98be63e664236650db08ca6f33591d441f10f6aee9238a9e4d98ab82679
AUX 2014.1.1-CVE-2014-3476.patch 11956 SHA256 c7680ffdb145253f5dfa3bf5ca499ea675199bf1b7cb26d3fdb99d9123c909b7 SHA512 bf364409a14415aa2ce5ff2dea4af1fab4f433d704d88d7fc3b831a020136b1ad70a32ce95010747ffe75167a94006fa337a3973ef3f2868fb77b3a2dcc6522f WHIRLPOOL dfc3831f47ab35258e1c68bd1c9ffbc5e24fc9a816e3d4d976ccd76eeec76910daf14dc4639a7be0d1ad60ebd8e9a3db797ea28449ab88a1f00d8aac48beeced
-AUX CVE-2014-2828-2013.2.3.patch 2518 SHA256 25ab1d0d633e087d6b8e9ac0aca3be53011abf59d67cd42dc4781df6f3a16247 SHA512 29d08b69226b2e0130b621991ef37f74ef41b0acdcf09e7ab7b991ebf423d999d906ea4e7be4672fb9786f129f6f015246a57c1de36d7321c90b8a87a96ca4e5 WHIRLPOOL 67d27a94110545c02685b769b2b2f2bd291dd7c6c893bfa010e1e36143f485783a9bea27a56347c256f9ad0b6a693f63c9fb7bade60a6a35efe79dc5bf878f6d
AUX keystone.confd 124 SHA256 50daa09c5922190a6663e36a32e9b6e5c512672e5be776fcc9b0805da40b6e8d SHA512 1cf50ddcd55421481f8b34f91f35787299b2f9044bcc0a63c70ffff372d740cb84c399d31e52d708fdacad3455d77867d02b438ec2fb39b35ac2e106a2c9e0ad WHIRLPOOL e6c2b76131846cd0ce86e8d766d3f5bbd0d8cd0643de9100d7946afa44c3f13500719feca3ee4ea49644f6881fa34bdc17c08d65a001841ae8f40fc820d334fc
AUX keystone.initd 674 SHA256 fc556365de7198de035ebf083b10f59043aa3266270d3ab708d613311f1a719a SHA512 10066c2197973aeee2444ae1bff0ffc3d2a7360a632b55b9c2f66bf064285491e698721ec1525a22b18c0b74a8a6c5c4b84d2cf73812a0f93b2dbfffba799718 WHIRLPOOL 7969003cec68ca8017de003e6a5cfb4bd239a149b06dd9304c9ba8200b4fedfe8ae7e8d3c443e741d1c19cedc5d67150f1d236eef565685a64aa4a998c1ec509
AUX no_admin_token_auth-paste.ini 2646 SHA256 f98d9151f222d2143820bdc98727ce0cf3f4450a4dbdc54f1fb6e36bb63bf2df SHA512 c855dd2bb05e765c6594359f55b76f7f6e0649c8e8f4517b274c7432f136e51c408168ec24e0074f4ebc49eb641d658acfda205aef97fe68fe8fc016be4cb08d WHIRLPOOL faad0f98d0684cf206e2f2afb5fba6c6aab73f97bcf63e38038be49a2ae1303e8cb5434d8fab34492888c666462dcd751c678c04cd0039d9024fd42ddde30646
DIST keystone-2014.1.1.tar.gz 1429884 SHA256 3da9908541776470dd7f22ec27f6e77ce7e20fb8761cbbc11e99e782f39e5b73 SHA512 86bdb09f906a6b6d7d084a5efe38ad55b9b57731680635c89fc90387ce1bd3eded7fb0534d8301fef42191422e2a42f2761953906800f742eebb16f8512e466b WHIRLPOOL 3c0f271c00e4adfb26cb4a57afa255783201fef8b5c3f29809a90323deb20cff0f263ffa2aeef82b312dd0267f82adb9baededc9b9a4b75435168131ac8491f5
-EBUILD keystone-2014.1.1-r1.ebuild 5167 SHA256 821c19fa789fe65bb0580d18490716cada75b27ab4a9556100d03e40950c9fb4 SHA512 c8502b034f7d75ad3833d35a006141ecc6b8e605a735a286c3267bf323d8f047dcc8991fdefa7843fc08e6eb90a3217b6256708ee3efc38f74e805470a5a698e WHIRLPOOL 9a1892175863ee1125228a905aa73ff560c09aca243a5be323e3acf08ba0ea40e3bd760ab78e384e31b472318fbb3b49c5802f6a4ed88bff84295167cf09e8b2
+EBUILD keystone-2014.1.1-r2.ebuild 5211 SHA256 d0c54b22cc4031dcf08042a07d30eb6f310d7fc8112c565228026bf5eefc1bed SHA512 7ad93e8d2a92b93aec59424e32d9d7574e0f70265a3edb9de29915d49f9f42b24b761c67e0b4ec96840b17e049560d7ea6e980ae099fb23d59ea53b610f415b1 WHIRLPOOL c693c4e471139ff421b925f1d0a4112719ff9bc4cb7c38151cb07f841cab2bac3b73b306407c8ec352c97fcdfbd481d90ef142eae3bdc753ab027636effd15e9
EBUILD keystone-2014.1.9999.ebuild 5199 SHA256 8bab51ed4d86978db859fde3e713c35ae763860b4aaaf70dfc325bef6caefdf6 SHA512 c452e45b737c2040c623970173dcf656b92fc0f16da4f89ed25576722586d88dfb551f7e07969bd420241bbc12bc876025ec7e9e37f97cdd86e1eca5c0f464ae WHIRLPOOL 5bdf251c7837d9d4a8e97249a7286449ce46889e8be2006922ee7a40635467695129ce6cf19f172070e69ba6ee0daa784be634646b6bac62fd724c8aa704f75e
EBUILD keystone-9999.ebuild 4580 SHA256 aed9fa6c212bb87479db6ef53944b05f975015b682f2a29d0499525f3957abc3 SHA512 36d6156ffeb2f67e0ab25c2a674b6b6d0c56eb1713320da2831683c53bfaed5af6dba94a352ef36da7885e3d2a5dba2c9c3213af26b73a40bb2476714dcca52b WHIRLPOOL 98740bb1cdb3bc232c13031c9aad9ac2c2cd9981da6afe83ff06715162d0c8772505f6b2d4bc893da6395db369f452285318cc69326e8137dbfa3de3ad92d4e6
-MISC ChangeLog 15888 SHA256 2d0ce98fc934ede814996a5777599cefccf6453ef420307d5ccdf36ce563682f SHA512 83ead598a6fc2d497958cf90654b11c67ebc9713264289f7f859bd37164fabb752e83ffd4105bd7768a85c1bb3d606566e99a15450fdafc725913fadf917e0c3 WHIRLPOOL b45871b2ee93110907cadaf4451ef53851d2076da0bf0561a33ebb04649492551fc7cc8a9991b6b866d3bd64e56a5b265a60cb60e3f865edbad6238ef84d3fbc
+MISC ChangeLog 16173 SHA256 0eb1df0ad2457c612deb0f19cd1ef8abaa4a3d67b5a8e1406951970fb1e529f2 SHA512 60d3d4336a26c66c04bcb417f45bd88ed407825d51a11db3e822bd245e73a9fc4f75922d8dd16194fef5c95b4b19eaf3fd8255c43f56128b1c52676a9d55270a WHIRLPOOL 4438b8eda986de41a16148e7ada30f0c6c40586c29a09b2965bd019e56582f04820afd586f8b1fa71f7702fd83e4eb62d07132b760db13a418b355c9a4e5c79e
MISC metadata.xml 424 SHA256 c89c0232e90df5d811d17941c1594e4c4c45db48c2b6240a3c62b232caad4e84 SHA512 9d7fcca89a6f35a93f1a57790103249cdc25424cbdb374bf26b691e81b27182dc3380a8ff67b77e7aabf4ce944e4a813d619838d4bc97086b4208e5312d76f11 WHIRLPOOL 4ec9d4c5ff5c484c341b06fe77fcac8e6fdd0e0b651dbd58b6f2d5aecd05db5bf70218b94733eb749ced7436f9df5ba5c93496bae06c0ff9a62b91ecb53ab77a
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iQIcBAEBCAAGBQJTsL3LAAoJECRx6z5ArFrDVgQQANp/FjL6uMpvH+hMMuHIGTHU
-kqiasQJVCxEksMe79b7NWgMLYK6yA4C09eieWey6ClvbS5MjYdg50IKT3fBoJH/E
-TDnAHPWP7qZRanrTk4n9FYJ7yWX/uTzASCMLIgiWwxxBQNTwroD8kvi/n4jlxa61
-Ee44oHoSMIrS0KQaOuiFyAPo1pK1EVIEYXQivKm2suJkPPX6GtvVKos9hJ8ab9e8
-GZB+MR7NSsYBMth4Lg/HMA++866fKBfcBqfMMqQbECwsHDeLL2s9UaZBLtXEZT5c
-Omz/FCL5yNWPCSm9DrQ1lIlCFTI9HA+z6LDBUR7l776xNrF4zsnctokxXp7o4xPu
-WQmMUug6SV5GT1/qP40U3j4ytelkX1ZNA/In91laWI0NDUXeyHNzm8gOw1W5Crq3
-jQ8ubBZB/axdPNt2Yf5C4z9Zc5VQiTQsouFPwycPrzKD7I6yb3V0yn5KNpplrvjb
-KWWbdjbNdrRf3qmnywItCWWLeuPBZwPWzotYrhjBXYAGhZyRaC/sCMR5SYA7PJI8
-XU2E3YlBINj56CYOZkFi7guOWYD363LINCtk9nMFllxipVpX9wdUhEYZN+9fslMf
-FqAOFYgLFjPLCPoyAZ9nyX0/KvsYCM9vYjvivqM4hkd7tmj39Cc6pfW1xg3+CiGu
-zn+mnLC9Vn2DwHRJErog
-=DVtS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+=iZli
-----END PGP SIGNATURE-----
diff --git a/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch b/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch
new file mode 100644
index 000000000000..0bf2bb6e2a2c
--- /dev/null
+++ b/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch
@@ -0,0 +1,94 @@
+From 8ac8484e1daadfda3f36b3135a8f6de56fc41795 Mon Sep 17 00:00:00 2001
+From: Jamie Lennox <jamielennox@redhat.com>
+Date: Thu, 19 Jun 2014 14:41:22 +1000
+Subject: [PATCH] Ensure that in v2 auth tenant_id matches trust
+
+Previously if a trustee requests a trust scoped token for a project that
+is different to the one in the trust, however the trustor has the
+appropriate roles then a token would be issued.
+
+Ensure that the trust that was given matches the project that was
+specified in the scope.
+
+(cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a)
+
+Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc
+Closes-Bug: #1331912
+---
+ keystone/tests/test_auth.py | 15 +++++++++++++--
+ keystone/token/controllers.py | 6 +++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
+index 6d93e7f..4d9d9da 100644
+--- a/keystone/tests/test_auth.py
++++ b/keystone/tests/test_auth.py
+@@ -693,13 +693,15 @@ class AuthWithTrust(AuthTest):
+ self.new_trust = self.trust_controller.create_trust(
+ context, trust=trust_data)['trust']
+
+- def build_v2_token_request(self, username, password):
++ def build_v2_token_request(self, username, password, tenant_id=None):
++ if not tenant_id:
++ tenant_id = self.tenant_bar['id']
+ body_dict = _build_user_auth(username=username, password=password)
+ self.unscoped_token = self.controller.authenticate({}, body_dict)
+ unscoped_token_id = self.unscoped_token['access']['token']['id']
+ request_body = _build_user_auth(token={'id': unscoped_token_id},
+ trust_id=self.new_trust['id'],
+- tenant_id=self.tenant_bar['id'])
++ tenant_id=tenant_id)
+ return request_body
+
+ def test_create_trust_bad_data_fails(self):
+@@ -782,6 +784,15 @@ class AuthWithTrust(AuthTest):
+ exception.Forbidden,
+ self.controller.authenticate, {}, request_body)
+
++ def test_token_from_trust_wrong_project_fails(self):
++ for assigned_role in self.assigned_roles:
++ self.assignment_api.add_role_to_user_and_project(
++ self.trustor['id'], self.tenant_baz['id'], assigned_role)
++ request_body = self.build_v2_token_request('TWO', 'two2',
++ self.tenant_baz['id'])
++ self.assertRaises(exception.Forbidden, self.controller.authenticate,
++ {}, request_body)
++
+ def fetch_v2_token_from_trust(self):
+ request_body = self.build_v2_token_request('TWO', 'two2')
+ auth_response = self.controller.authenticate({}, request_body)
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index bcae12c..be16145 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
+@@ -164,6 +164,8 @@ class Auth(controller.V2Controller):
+
+ user_ref = old_token_ref['user']
+ user_id = user_ref['id']
++ tenant_id = self._get_project_id_from_auth(auth)
++
+ if not CONF.trust.enabled and 'trust_id' in auth:
+ raise exception.Forbidden('Trusts are disabled.')
+ elif CONF.trust.enabled and 'trust_id' in auth:
+@@ -172,6 +174,9 @@ class Auth(controller.V2Controller):
+ raise exception.Forbidden()
+ if user_id != trust_ref['trustee_user_id']:
+ raise exception.Forbidden()
++ if (trust_ref['project_id'] and
++ tenant_id != trust_ref['project_id']):
++ raise exception.Forbidden()
+ if ('expires' in trust_ref) and (trust_ref['expires']):
+ expiry = trust_ref['expires']
+ if expiry < timeutils.parse_isotime(timeutils.isotime()):
+@@ -196,7 +201,6 @@ class Auth(controller.V2Controller):
+ current_user_ref = self.identity_api.get_user(user_id)
+
+ metadata_ref = {}
+- tenant_id = self._get_project_id_from_auth(auth)
+ tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
+ user_id, tenant_id)
+
+--
+1.9.3
+
+
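Review bot: The new file is named 2014.1.1-CVE-2014-3250.patch, but the commit message and the ChangeLog entry for -r2 cite CVE-2014-3520, and the patch body (Closes-Bug: #1331912, "Ensure that in v2 auth tenant_id matches trust") is the trust-scope fix that bump is for, so the file name appears to be a digit transposition of 3520. A patch file carrying the wrong CVE number misleads anyone auditing which advisory a revision addresses, so it should be renamed to `2014.1.1-CVE-2014-3520.patch`, with the `"${FILESDIR}/2014.1.1-CVE-2014-3250.patch"` entry in keystone-2014.1.1-r2.ebuild and the AUX line in the Manifest updated to match. On the embedded controllers.py change itself, the added guard `if (trust_ref['project_id'] and tenant_id != trust_ref['project_id'])` only enforces the project match for trusts that carry a project_id; that is presumably upstream's intended semantics for unscoped trusts, but a one-line comment in the patch header such as `# trusts without a project_id are not constrained by this check` would spare the next packager from re-deriving it. The authenticate() method that both controllers.py hunks modify starts and ends outside the quoted hunks.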
diff --git a/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch b/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
deleted file mode 100644
index 950696125f23..000000000000
--- a/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
-From: Florent Flament <florent.flament-ext@cloudwatt.com>
-Date: Tue, 1 Apr 2014 12:48:22 +0000
-Subject: [PATCH] Sanitizes authentication methods received in requests.
-
-When a user authenticates against Identity V3 API, he can specify
-multiple authentication methods. This patch removes duplicates, which
-could have been used to achieve DoS attacks.
-
-Closes-Bug: 1300274
-(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
-Cherry-pick from https://review.openstack.org/#/c/84425/
-
-Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
----
- keystone/auth/controllers.py | 8 +++++++-
- keystone/tests/test_v3_auth.py | 12 ++++++++++++
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
-index c3399df..4944316 100644
---- a/keystone/auth/controllers.py
-+++ b/keystone/auth/controllers.py
-@@ -225,7 +225,13 @@ def get_method_names(self):
- :returns: list of auth method names
-
- """
-- return self.auth['identity']['methods'] or []
-+ # Sanitizes methods received in request's body
-+ # Filters out duplicates, while keeping elements' order.
-+ method_names = []
-+ for method in self.auth['identity']['methods']:
-+ if method not in method_names:
-+ method_names.append(method)
-+ return method_names
-
- def get_method_data(self, method):
- """Get the auth method payload.
-diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
-index d07e6ae..e89e29f 100644
---- a/keystone/tests/test_v3_auth.py
-+++ b/keystone/tests/test_v3_auth.py
-@@ -81,6 +81,18 @@ def test_both_project_and_domain_in_scope(self):
- None,
- auth_data)
-
-+ def test_get_method_names_duplicates(self):
-+ auth_data = self.build_authentication_request(
-+ token='test',
-+ user_id='test',
-+ password='test')['auth']
-+ auth_data['identity']['methods'] = ['password', 'token',
-+ 'password', 'password']
-+ context = None
-+ auth_info = auth.controllers.AuthInfo(context, auth_data)
-+ self.assertEqual(auth_info.get_method_names(),
-+ ['password', 'token'])
-+
- def test_get_method_data_invalid_method(self):
- auth_data = self.build_authentication_request(
- user_id='test',
---
-1.9.1
-
diff --git a/sys-auth/keystone/keystone-2014.1.1-r1.ebuild b/sys-auth/keystone/keystone-2014.1.1-r2.ebuild
index 9396507ff2d7..3e1486547baf 100644
--- a/sys-auth/keystone/keystone-2014.1.1-r1.ebuild
+++ b/sys-auth/keystone/keystone-2014.1.1-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2014.1.1-r1.ebuild,v 1.1 2014/06/30 01:30:42 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2014.1.1-r2.ebuild,v 1.1 2014/07/02 17:12:34 prometheanfire Exp $
EAPI=5
@@ -79,6 +79,7 @@ RDEPEND=">=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
PATCHES=(
"${FILESDIR}/2014.1.1-CVE-2014-3476.patch"
+ "${FILESDIR}/2014.1.1-CVE-2014-3250.patch"
)
pkg_setup() {