Your message dated Fri, 24 Aug 2012 23:47:38 +0000
with message-id <[email protected]>
and subject line Bug#685728: fixed in juju 0.5.1-2
has caused the Debian Bug report #685728,
regarding juju: Communication with store.juju.ubuntu.com is not authenticated
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
685728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685728
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: juju
Version: 0.5.1+bzr563-0juju2~quantal1
Severity: grave
Tags: security patch upstream
Justification: user security hole

This problem with juju has been fixed in upstream trunk and so can be
considered "disclosed".

When using juju with the built in "charm store" at store.juju.ubuntu.com,
the SSL certificate is not verified. This could lead to a man in the
middle attack where an attacker could have trojaned "charms" installed
instead of the official charms.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (400, 'precise-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages juju depends on:
ii  openssh-client      1:6.0p1-2ubuntu1
ii  python              2.7.3-0ubuntu5
ii  python-oauth        1.0.1-3build1
ii  python-twisted      12.0.0-1ubuntu1
ii  python-txaws        0.2.3-1ubuntu1
ii  python-txzookeeper  0.9.5-1
ii  python-yaml         3.10-4
ii  python2.7           2.7.3-0ubuntu4
ii  tmux                1.6-2

Versions of packages juju recommends:
ii  byobu         5.21-0ubuntu1
ii  python-pydot  1.0.2-1

Versions of packages juju suggests:
ii  apt-cacher-ng  0.7.7-1ubuntu1
ii  libvirt-bin    0.9.13-0ubuntu7
ii  lxc            0.8.0~rc1-4ubuntu24
ii  zookeeper      3.3.6+dfsg-0ubuntu1

-- no debconf information
Origin: http://bazaar.launchpad.net/~juju/juju/trunk/revision/565
Bug: http://pad.lv/992447

=== modified file 'juju/charm/repository.py'
--- a/juju/charm/repository.py	2012-05-03 18:42:09 +0000
+++ b/juju/charm/repository.py	2012-08-23 23:57:09 +0000
@@ -3,11 +3,13 @@
 import os
 import tempfile
 import urllib
+import urlparse
 import yaml
 
 from twisted.internet.defer import fail, inlineCallbacks, returnValue, succeed
 from twisted.web.client import downloadPage, getPage
 from twisted.web.error import Error
+from txaws.client.ssl import VerifyingContextFactory
 
 from juju.charm.provider import get_charm_from_path
 from juju.charm.url import CharmURL
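Review bot: the new `from txaws.client.ssl import VerifyingContextFactory` makes the charm repository depend on txaws, an AWS client library, for generic HTTPS hostname verification. python-txaws is already a hard dependency of the package (see the report's dependency list), so this works, but a one-line comment saying that the store's TLS verification is borrowed from txaws would stop a later maintainer from dropping the dependency without noticing that it carries this check.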
@@ -126,7 +128,8 @@
         url = "%s/charm-info?charms=%s" % (
             self.url_base, urllib.quote(charm_id))
         try:
-            all_info = json.loads((yield getPage(url)))
+            host = urlparse.urlparse(url).hostname
+            all_info = json.loads((yield getPage(url, contextFactory=VerifyingContextFactory(host))))
             charm_info = all_info[charm_id]
             for warning in charm_info.get("warnings", []):
                 log.warning("%s: %s", charm_id, warning)
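Review bot: `urlparse.urlparse(url).hostname` is `None` when `self.url_base` has no scheme or netloc, and `VerifyingContextFactory(None)` is then built with nothing to verify; likewise, if `url_base` is plain `http://`, `getPage` never consults `contextFactory` and the request stays unauthenticated. Suggest validating `url_base` once in the constructor (`if parsed.scheme != "https" or not parsed.hostname: raise ...`) instead of deriving `host` per request. The added `getPage(...)` line also runs far past 79 columns; wrapping it keeps the file consistent with the surrounding code.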
@@ -147,8 +150,9 @@
             delete=False)
         f.close()
         downloading_path = f.name
+        host = urlparse.urlparse(url).hostname
         try:
-            yield downloadPage(url, downloading_path)
+            yield downloadPage(url, downloading_path, contextFactory=VerifyingContextFactory(host))
         except Error:
             raise CharmNotFound(self.url_base, charm_url)
         os.rename(downloading_path, cache_path)
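Review bot: `except Error` only catches `twisted.web.error.Error`, i.e. HTTP-level failures, so a certificate or hostname mismatch rejected by `VerifyingContextFactory` will surface as an unhandled connection failure rather than a clear message; catch that case separately and report it as a certificate verification failure, but do not fold it into `CharmNotFound`, which would hide an attack as a missing charm. On either failure the temporary file at `downloading_path` is left behind; the `except` branch should `os.unlink(downloading_path)` before raising. The `host = urlparse.urlparse(url).hostname` line duplicates the one in the charm-info path; a small helper would keep the two in sync.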

=== modified file 'juju/charm/tests/test_repository.py'
--- a/juju/charm/tests/test_repository.py	2012-07-01 22:20:22 +0000
+++ b/juju/charm/tests/test_repository.py	2012-08-06 20:06:37 +0000
@@ -5,6 +5,8 @@
 
 from twisted.internet.defer import fail, inlineCallbacks, succeed
 from twisted.web.error import Error
+from txaws.client.ssl import VerifyingContextFactory
+
 
 from juju.charm.directory import CharmDirectory
 from juju.charm.errors import CharmNotFound, CharmURLError, RepositoryNotFound
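Review bot: the added blank line after `from txaws.client.ssl import VerifyingContextFactory` sits next to the existing blank line, leaving two consecutive blank lines inside the import block; PEP 8 uses a single blank line between import groups, so drop the added one.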
@@ -16,7 +18,7 @@
 from juju.lib import under
 
 from juju.charm import tests
-from juju.lib.mocker import ANY
+from juju.lib.mocker import ANY, MATCH
 from juju.lib.testing import TestCase
 
 
@@ -280,15 +282,19 @@
         return json.dumps({url_str: info})
 
     def mock_charm_info(self, url, result):
-        self.getPage(url)
+        def match_context(value):
+            return isinstance(value, VerifyingContextFactory)
+        self.getPage(url, contextFactory=MATCH(match_context))
         self.mocker.result(result)
 
     def mock_download(self, url, error=None):
-        self.downloadPage(url, ANY)
+        def match_context(value):
+            return isinstance(value, VerifyingContextFactory)
+        self.downloadPage(url, ANY, contextFactory=MATCH(match_context))
         if error:
             return self.mocker.result(fail(error))
 
-        def download(_, path):
+        def download(_, path, contextFactory):
             self.assertTrue(path.startswith(self.download_path))
             with open(path, "wb") as f:
                 f.write(self.bundle_data)
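Review bot: `match_context` only checks `isinstance(value, VerifyingContextFactory)`, so both mocks would still pass if the factory were constructed with the wrong hostname or with `None`, which is the very property this fix exists to guarantee; have the matcher also compare the hostname the factory was built with against the hostname of `url`. The identical nested `match_context` in `mock_charm_info` and `mock_download` should be one module-level helper rather than two copies.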

=== modified file 'juju/control/tests/test_upgrade_charm.py'
--- a/juju/control/tests/test_upgrade_charm.py	2012-05-04 22:43:40 +0000
+++ b/juju/control/tests/test_upgrade_charm.py	2012-08-06 19:29:30 +0000
@@ -12,6 +12,7 @@
 from juju.errors import FileNotFound
 from juju.environment.environment import Environment
 from juju.unit.workflow import UnitWorkflowState
+from juju.lib.mocker import ANY
 
 from .common import MachineControlToolTest
 
@@ -481,7 +482,8 @@
         self.setup_exit(0)
         getPage = self.mocker.replace("twisted.web.client.getPage")
         getPage(
-            CS_STORE_URL + "/charm-info?charms=cs%3Aseries/mysql")
+            CS_STORE_URL + "/charm-info?charms=cs%3Aseries/mysql",
+            contextFactory=ANY)
         self.mocker.result(succeed(json.dumps(
             {"cs:series/mysql": {"revision": 1, "sha256": "whatever"}})))
         self.mocker.replay()
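Review bot: `contextFactory=ANY` accepts any value, including `None`, so this upgrade-charm test gives no regression coverage for the verification itself. That is acceptable if `test_repository.py` is the designated home for that check, but reusing its `MATCH` on `VerifyingContextFactory` here costs one line and makes the intent explicit.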
@@ -502,7 +504,8 @@
         self.setup_exit(0)
 
         getPage = self.mocker.replace("twisted.web.client.getPage")
-        getPage(CS_STORE_URL + "/charm-info?charms=cs%3Aseries/mysql")
+        getPage(CS_STORE_URL + "/charm-info?charms=cs%3Aseries/mysql",
+                contextFactory=ANY)
 
         self.mocker.result(succeed(json.dumps(
             {"cs:series/mysql": {"revision": 1, "sha256": "whatever"}})))


--- End Message ---
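An added example, not part of the bug report or of juju's code, showing in Python 3's standard `ssl` module the difference the fix makes: the pre-fix "accept any certificate" client context beside the hardened one, plus the hostname-to-certificate matching that the patch delegates to txaws's `VerifyingContextFactory`. The store URL is taken from the report; the certificate dict and the `store_host`, `_name_matches` and `cert_names_host` helpers are constructed for illustration and are not the library's own API.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample: the store URL from the report and a fake peer certificate
# in the dict shape that ssl.SSLSocket.getpeercert() returns.
STORE_URL = "https://store.juju.ubuntu.com"
SAMPLE_CERT = {
    "subject": ((("commonName", "store.juju.ubuntu.com"),),),
    "subjectAltName": (("DNS", "store.juju.ubuntu.com"),
                       ("DNS", "*.juju.ubuntu.com")),
}

def unverified_context():
    """Pre-fix behaviour: the session is encrypted but any certificate is
    accepted, so an on-path attacker with a self-signed cert can serve charms."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifying_context():
    """Post-fix behaviour: chain validated (CERT_REQUIRED) and the certificate
    must name the requested host (check_hostname=True)."""
    return ssl.create_default_context()

def store_host(url=STORE_URL):
    """Reject a store URL that could never be verified (no https or no host)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname is None:
        raise ValueError("charm store URL must be https with a host: %r" % url)
    return parsed.hostname

def _name_matches(pattern, hostname):
    # RFC 6125 style: '*' may stand for exactly one label, only the leftmost,
    # and never for the whole registrable domain ('*.com' matches nothing).
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False
    return p == h or (p[0] == "*" and p[1:] == h[1:])

def cert_names_host(cert, hostname):
    """True if a SAN dNSName (or, only when no SAN is present, the CN) covers
    hostname: the check the patch delegates to VerifyingContextFactory."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)
```

Pass `verifying_context()` as the `context` argument of any stdlib HTTPS client and the handshake fails closed on a certificate that does not name the store host, which is the behaviour the report asks for.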
--- Begin Message ---
Source: juju
Source-Version: 0.5.1-2

We believe that the bug you reported is fixed in the latest version of
juju, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Byrum <[email protected]> (supplier of updated juju package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 23 Aug 2012 17:41:25 -0700
Source: juju
Binary: juju
Architecture: source all
Version: 0.5.1-2
Distribution: unstable
Urgency: high
Maintainer: Clint Byrum <[email protected]>
Changed-By: Clint Byrum <[email protected]>
Description: 
 juju       - next generation service orchestration system
Closes: 685728
Changes: 
 juju (0.5.1-2) unstable; urgency=high
 .
   * SECURITY UPDATE: d/p/upstream-565.patch: Verify charm store hostname
     matches hostname on SSL certificate. (Closes: #685728)
   * d/p/upstream-566.patch: Fix test suite failure causing FTBFS with
     python 2.7.3.
Checksums-Sha1: 
 9853a25dbb46cfecc65e4a59781e5723fc515127 1513 juju_0.5.1-2.dsc
 9339c4d986156a4d5578c62ccadee95e9ddbb922 17688 juju_0.5.1-2.debian.tar.gz
 f62aa1ca1e7df98ac05d3b0b47c58368c18090ce 526774 juju_0.5.1-2_all.deb
Checksums-Sha256: 
 986326fd4d5397aade6dccbd169d2ac74bb976f118c8e752884127d197e5c470 1513 juju_0.5.1-2.dsc
 2eb4aeaf9a9e213e72de3b14298dcb12d15ea46b53617c9c01e4eb3914dffc2a 17688 juju_0.5.1-2.debian.tar.gz
 f0fccc4366bd99b51cc9d30670430d79f147aecf2b1ec47b5b6075a0f1fdb3c8 526774 juju_0.5.1-2_all.deb
Files: 
 bd4929ef32532cad61c50cc256e39da6 1513 net optional juju_0.5.1-2.dsc
 1ae15de114152346dc517bf683239762 17688 net optional juju_0.5.1-2.debian.tar.gz
 9b65dc0ea4565d921d896d344c3848ef 526774 net optional juju_0.5.1-2_all.deb


--- End Message ---
