Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

[ Reason ]
This patch fixes the lack of TLS verification with scciclient.

[ Impact ]
A man-in-the-middle attack is possible without this patch.

[ Tests ]
Upstream has a unit test suite that runs 256 tests. This test
suite is run at build time in this package.

[ Risks ]
IMO, minimal risks, because of the unit tests.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backport of the upstream patch to add TLS verification.

Please approve this upload for the next point release,
Cheers,

Thomas Goirand (zigo)
diff -Nru python-scciclient-0.8.0/debian/changelog 
python-scciclient-0.8.0/debian/changelog
--- python-scciclient-0.8.0/debian/changelog    2019-07-18 23:52:05.000000000 
+0200
+++ python-scciclient-0.8.0/debian/changelog    2022-11-09 12:46:11.000000000 
+0100
@@ -1,3 +1,11 @@
+python-scciclient (0.8.0-2+deb11u1) buster; urgency=medium
+
+  * Fix CVE-2022-2996: Missing SSL certificate verification
+    (Closes: #1018213). Thanks to Dominik George <naturesha...@debian.org>
+    for his help backporting the patch.
+
+ -- Thomas Goirand <z...@debian.org>  Wed, 09 Nov 2022 12:46:11 +0100
+
 python-scciclient (0.8.0-2) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch 
python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch
--- python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch  1970-01-01 
01:00:00.000000000 +0100
+++ python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch  2022-11-09 
12:46:11.000000000 +0100
@@ -0,0 +1,146 @@
+From 274dca0344b65b4ac113d3271d21c17e970a636c Mon Sep 17 00:00:00 2001
+From: Vanou Ishii <ishii.va...@fujitsu.com>
+Date: Wed, 1 Jun 2022 17:40:12 +0900
+Subject: [PATCH] Add parameter to specify certification file
+
+This patch adds functions & methods which have been used to connect
+to iRMC via HTTPS to accept additional parameter.
+With additional parameter, user is able to specify certification file.
+
+Co-authored-by: Kobayashi Daisuke <kobayashi.da...@fujitsu.com>
+Change-Id: I51203e16207f8d3b1448b581942111bff60d0c86
+---
+ scciclient/irmc/elcm.py            |  7 ++++-
+ scciclient/irmc/scci.py            | 48 +++++++++++++++++++++++-------
+ scciclient/tests/irmc/test_scci.py | 26 ++++++++--------
+ 3 files changed, 56 insertions(+), 25 deletions(-)
+
+--- a/scciclient/irmc/elcm.py
++++ b/scciclient/irmc/elcm.py
+@@ -188,6 +188,10 @@
+           'irmc_port': 80 or 443, default is 443,
+           'irmc_auth_method': 'basic' or 'digest', default is 'basic',
+           'irmc_client_timeout': timeout, default is 60,
++          'irmc_verify_ca': Either a boolean, in which case it controls
++                            whether we verify the server's TLS certificate,
++                            or a string, in which case it must be a path to
++                            a CA bundle to use. Defaults to ``True``.
+           ...
+         }
+     :param method: request method such as 'GET', 'POST'
+@@ -203,6 +207,7 @@
+     userid = irmc_info['irmc_username']
+     password = irmc_info['irmc_password']
+     client_timeout = irmc_info.get('irmc_client_timeout', 60)
++    verify = irmc_info.get('irmc_verify_ca', True)
+ 
+     # Request headers, params, and data
+     headers = kwargs.get('headers', {'Accept': 'application/json'})
+@@ -229,7 +234,7 @@
+                              headers=headers,
+                              params=params,
+                              data=data,
+-                             verify=False,
++                             verify=verify,
+                              timeout=client_timeout,
+                              allow_redirects=False,
+                              auth=auth_obj)
+--- a/scciclient/irmc/scci.py
++++ b/scciclient/irmc/scci.py
+@@ -242,7 +242,7 @@
+ 
+ 
+ def scci_cmd(host, userid, password, cmd, port=443, auth_method='basic',
+-             client_timeout=60, do_async=True, **kwargs):
++             client_timeout=60, do_async=True, verify=True, **kwargs):
+     """execute SCCI command
+ 
+     This function calls SCCI server modules
+@@ -254,6 +254,10 @@
+     :param auth_method: irmc_username
+     :param client_timeout: timeout for SCCI operations
+     :param do_async: async call if True, sync call otherwise
++    :param verify: (optional) Either a boolean, in which case it
++                    controls whether we verify the server's TLS certificate,
++                    or a string, in which case it must be a path to
++                    a CA bundle to use. Defaults to ``True``.
+     :returns: requests.Response from SCCI server
+     :raises: SCCIInvalidInputError if port and/or auth_method params
+              are invalid
+@@ -278,7 +282,7 @@
+         r = requests.post(protocol + '://' + host + '/config',
+                           data=cmd,
+                           headers=header,
+-                          verify=False,
++                          verify=verify,
+                           timeout=client_timeout,
+                           allow_redirects=False,
+                           auth=auth_obj)
+@@ -314,7 +318,7 @@
+ 
+ 
+ def get_client(host, userid, password, port=443, auth_method='basic',
+-               client_timeout=60, **kwargs):
++               client_timeout=60, verify=True, **kwargs):
+     """get SCCI command partial function
+ 
+     This function returns SCCI command partial function
+@@ -324,12 +328,17 @@
+     :param port: port number of iRMC
+     :param auth_method: irmc_username
+     :param client_timeout: timeout for SCCI operations
++    :param verify: (optional) Either a boolean, in which case it
++                    controls whether we verify the server's TLS certificate,
++                    or a string, in which case it must be a path to
++                    a CA bundle to use. Defaults to ``True``.
+     :returns: scci_cmd partial function which takes a SCCI command param
+     """
+ 
+     return functools.partial(scci_cmd, host, userid, password,
+                              port=port, auth_method=auth_method,
+-                             client_timeout=client_timeout, **kwargs)
++                             client_timeout=client_timeout,
++                             verify=verify, **kwargs)
+ 
+ 
+ def get_virtual_cd_set_params_cmd(remote_image_server,
+@@ -396,7 +405,7 @@
+ 
+ 
+ def get_report(host, userid, password,
+-               port=443, auth_method='basic', client_timeout=60):
++               port=443, auth_method='basic', client_timeout=60, verify=True):
+     """get iRMC report
+ 
+     This function returns iRMC report in XML format
+@@ -406,6 +415,10 @@
+     :param port: port number of iRMC
+     :param auth_method: irmc_username
+     :param client_timeout: timeout for SCCI operations
++    :param verify: (optional) Either a boolean, in which case it
++                    controls whether we verify the server's TLS certificate,
++                    or a string, in which case it must be a path to
++                    a CA bundle to use. Defaults to ``True``.
+     :returns: root element of SCCI report
+     :raises: ISCCIInvalidInputError if port and/or auth_method params
+              are invalid
+@@ -428,7 +441,7 @@
+ 
+     try:
+         r = requests.get(protocol + '://' + host + '/report.xml',
+-                         verify=False,
++                         verify=verify,
+                          timeout=(10, client_timeout),
+                          allow_redirects=False,
+                          auth=auth_obj)
+--- a/scciclient/tests/irmc/test_scci.py
++++ b/scciclient/tests/irmc/test_scci.py
+@@ -119,7 +119,7 @@
+             'https://' + self.irmc_address + '/config',
+             data=scci.POWER_ON,
+             headers={'Content-type': 'application/x-www-form-urlencoded'},
+-            verify=False,
++            verify=True,
+             timeout=self.irmc_client_timeout,
+             allow_redirects=False,
+             auth=mock_requests.auth.HTTPBasicAuth(self.irmc_username,
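Review bot: The backport flips the default from `verify=False` to `verify=True` in scci_cmd, get_client, get_report and the elcm request (the `verify=` hunks above), so after the point release any deployment whose iRMC presents a self-signed or private-CA certificate will start failing TLS verification; the [Risks] section does not mention this, and a `debian/NEWS` entry telling users to pass `verify=<CA bundle path>` or set `irmc_verify_ca` would make the behaviour change visible to stable users. The patch header's diffstat (`scciclient/irmc/scci.py | 48 ...`, `3 files changed, 56 insertions(+), 25 deletions(-)`) is the upstream one and no longer matches the backported hunks, which by my count add 26 lines and remove 8 — the test_scci.py part in particular is reduced to a single `verify=True` assertion — so it should be regenerated or dropped. The patch also carries no DEP-3 provenance beyond the git headers; adding `Origin: backport, commit 274dca0344b65b4ac113d3271d21c17e970a636c` and `Bug-Debian: https://bugs.debian.org/1018213` would record where it came from. Separately, the changelog entry in the first hunk targets `buster` while its version `0.8.0-2+deb11u1` and the bug's `Tags: bullseye` point at bullseye; confirm the distribution field before upload.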
diff -Nru python-scciclient-0.8.0/debian/patches/series 
python-scciclient-0.8.0/debian/patches/series
--- python-scciclient-0.8.0/debian/patches/series       1970-01-01 
01:00:00.000000000 +0100
+++ python-scciclient-0.8.0/debian/patches/series       2022-11-09 
12:46:11.000000000 +0100
@@ -0,0 +1 @@
+CVE-2022-2996.patch
