Your message dated Sun, 26 Apr 2020 15:56:43 +0200
with message-id <20200426135643.GA7526@chou>
and subject line Re: Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1
CVE-2019-3866
has caused the Debian Bug report #947146,
regarding buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
947146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947146
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Dear Stable Release team,
I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
which is described in https://bugs.debian.org/946060. Please note
that this patch is only useful if you also approve the upload of
python-oslo.utils which I requested in #947142.
Debdiff containing the patch is attached. Note that there's, as
much as I understand, no need to upgrade Mistral to address this
CVE (probably it would be needed in Stretch though...), as I believe
the issue is fully addressed by the update of python-mistral-lib
(at least, that's my understanding when reading the upstream bug
entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
Note that I've also uploaded the package here, for your convenience:
http://shade.infomaniak.ch/buster-pu/python-mistral-lib/
Please allow me to upload:
python-mistral-lib/1.0.0-1+deb10u1.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-mistral-lib-1.0.0/debian/changelog
python-mistral-lib-1.0.0/debian/changelog
--- python-mistral-lib-1.0.0/debian/changelog 2018-09-04 00:06:52.000000000
+0200
+++ python-mistral-lib-1.0.0/debian/changelog 2019-12-21 22:59:56.000000000
+0100
@@ -1,3 +1,10 @@
+python-mistral-lib (1.0.0-1+deb10u1) buster; urgency=medium
+
+ * CVE-2019-3866: Sensitive information leaked in mistral logs. Apply
+ upstream patch: Ensure we mask sensitive data from Mistral Action logs.
+
+ -- Thomas Goirand <[email protected]> Sat, 21 Dec 2019 22:59:56 +0100
+
python-mistral-lib (1.0.0-1) unstable; urgency=medium
[ Ondřej Nový ]
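Review bot: the changelog entry does not record that this fix only takes effect with the updated python-oslo.utils requested in #947142, even though the cover letter says so and the embedded patch description states it depends on the oslo_utils patch adding new patterns and case-insensitive matching. Suggest a second bullet along the lines of `Requires the python-oslo.utils update from #947142 (new patterns, case-insensitive matching).` so the stable changelog documents the coupling between the two uploads.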
diff -Nru
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
---
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
1970-01-01 01:00:00.000000000 +0100
+++
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
2019-12-21 22:59:56.000000000 +0100
@@ -0,0 +1,97 @@
+Author: Cédric Jeanneret <[email protected]>
+Date: Fri, 1 Nov 2019 11:47:35 +0100
+Description: CVE-2019-3866 Ensure we mask sensitive data from Mistral Action
logs
+ Mistral didn't make use of the oslo_utils "mask_password" methods,
+ leading in sensitive data leakage in its logs.
+ .
+ This patch corrects this security issue.
+ Note that it depends on oslo_utils patch adding new patterns, and
+ ensuring it's case-insensitive.
+Change-Id: I544d3c172f2dea02c62c49c311c4b5954413ae15
+Related-Bug: #1850843
+Co-Authored-By: Dougal Matthews <[email protected]>
+Signed-off-by: Cédric Jeanneret <[email protected]>
+Origin: upstream, https://review.opendev.org/692975
+
+diff --git a/mistral_lib/actions/types.py b/mistral_lib/actions/types.py
+index cd8bf28..a77b96f 100644
+--- a/mistral_lib/actions/types.py
++++ b/mistral_lib/actions/types.py
+@@ -32,8 +32,11 @@ class Result(serialization.MistralSerializable):
+ )
+
+ def cut_repr(self):
++ _data = utils.mask_data(self.data)
++ _error = utils.mask_data(self.error)
++ _cancel = utils.mask_data(self.cancel)
+ return 'Result [data=%s, error=%s, cancel=%s]' % (
+- utils.cut(self.data), utils.cut(self.error), str(self.cancel)
++ utils.cut(_data), utils.cut(_error), str(_cancel)
+ )
+
+ def is_cancel(self):
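Review bot: the order in `cut_repr`, masking before cutting, is the one that must be preserved: if `utils.cut()` truncated `self.data` first, the cut could fall inside a secret's value and leave a partial secret that no longer matches the masking patterns, so a short comment stating that `mask_data` must run before `cut` would guard against a future reordering. Minor: `mask_password` in oslo.utils stringifies non-string input, so `_cancel` here is the string form of the flag rather than the original value; harmless because it goes through `str()` anyway, but `_cancel` should not be reused as a boolean.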
+diff --git a/mistral_lib/tests/test_utils.py b/mistral_lib/tests/test_utils.py
+index 599aaac..78ec3ec 100644
+--- a/mistral_lib/tests/test_utils.py
++++ b/mistral_lib/tests/test_utils.py
+@@ -84,3 +84,20 @@ class TestUtils(tests_base.TestCase):
+ s = utils.cut_dict(d, 100)
+
+ self.assertIn(s, ["{1: 2, 3: 4}", "{3: 4, 1: 2}"])
++
++ def test_mask_data(self):
++ payload = {'adminPass': 'fooBarBaz'}
++ expected = {'adminPass': '***'}
++ self.assertEqual(expected, utils.mask_data(payload))
++
++ payload = """adminPass='fooBarBaz'"""
++ expected = """adminPass='***'"""
++ self.assertEqual(expected, utils.mask_data(payload))
++
++ payload = [{'adminPass': 'fooBarBaz'}, {"new_pass": "blah"}]
++ expected = [{'adminPass': '***'}, {"new_pass": "***"}]
++ self.assertEqual(expected, utils.mask_data(payload))
++
++ payload = ["adminPass", 'fooBarBaz']
++ expected = ["adminPass", 'fooBarBaz']
++ self.assertEqual(expected, utils.mask_data(payload))
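Review bot: none of these cases exercise what the patch description says the fix depends on, namely the new oslo_utils patterns and case-insensitive key matching. Both `adminPass` and `new_pass` are in the pre-existing oslo.utils key list, so this test most likely passes against an unpatched python-oslo.utils and will not catch a missing versioned dependency at build time. Suggest adding one case that only passes with the fixed oslo.utils (for example the same key in a different case, per the case-insensitivity the description mentions) and one with a nested dict such as `{'creds': {'adminPass': 'fooBarBaz'}}` to pin the recursion behaviour.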
+diff --git a/mistral_lib/utils/__init__.py b/mistral_lib/utils/__init__.py
+index 92dda4e..7f845dc 100644
+--- a/mistral_lib/utils/__init__.py
++++ b/mistral_lib/utils/__init__.py
+@@ -14,6 +14,8 @@
+ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ # License for the specific language governing permissions and limitations
+ # under the License.
++from oslo_utils.strutils import mask_dict_password
++from oslo_utils.strutils import mask_password
+
+
+ def cut_dict(d, length=100):
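Review bot: these are module-level imports, so `import mistral_lib.utils` (and through it `mistral_lib.actions.types`) now raises ImportError whenever oslo.utils is absent, and the cover letter says the masking is only effective with the patched oslo.utils. The debdiff does not touch debian/control, so nothing enforces either the presence or the version. Suggest `Depends: python3-oslo.utils (>= FIXED-VERSION)` (FIXED-VERSION to be taken from the #947142 upload) rather than relying on upstream's requirements.txt.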
+@@ -139,3 +141,12 @@ def cut(data, length=100):
+ return cut_dict(data, length=length)
+
+ return cut_string(str(data), length=length)
++
++
++def mask_data(obj):
++ if isinstance(obj, dict):
++ return mask_dict_password(obj)
++ elif isinstance(obj, list):
++ return [mask_data(i) for i in obj]
++ else:
++ return mask_password(obj)
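Review bot: `mask_data` recurses through lists itself but hands dicts to `mask_dict_password`, which as far as I can tell masks matching keys, string values and nested dicts but does not walk list values, so a payload like `{'servers': [{'adminPass': 'fooBarBaz'}]}` comes back unmasked, and that is a common shape for an Action returning API results. Suggest recursing over the dict's values in `mask_data` (apply `mask_dict_password` to the dict, then `mask_data` to any value that is a list) and adding a test for that shape. Also note that the `else` branch stringifies everything else (booleans, ints, tuples, None) because `mask_password` returns a string; that is fine for `cut_repr` but worth a comment so the function is not reused where the original type matters.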
+diff --git a/releasenotes/notes/mask-password-6899d868d213f722.yaml
b/releasenotes/notes/mask-password-6899d868d213f722.yaml
+new file mode 100644
+index 0000000..5178a04
+--- /dev/null
++++ b/releasenotes/notes/mask-password-6899d868d213f722.yaml
+@@ -0,0 +1,5 @@
++---
++security:
++ - Ensure we mask sensitive data before logging Action return values
++fixes:
++ - https://bugs.launchpad.net/tripleo/+bug/1850843
+--
+2.7.4
+
diff -Nru python-mistral-lib-1.0.0/debian/patches/series
python-mistral-lib-1.0.0/debian/patches/series
--- python-mistral-lib-1.0.0/debian/patches/series 2018-09-04
00:06:52.000000000 +0200
+++ python-mistral-lib-1.0.0/debian/patches/series 2019-12-21
22:59:56.000000000 +0100
@@ -1 +1,2 @@
remove-privacy-branch.patch
+CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
--- End Message ---
--- Begin Message ---
On Sun, Dec 22, 2019 at 11:31:21PM +0100, Thomas Goirand wrote:
> On 12/21/19 11:34 PM, Salvatore Bonaccorso wrote:
> > Hi Thomas
> >
> > [Disclaimer: not part of the stable release managers, so this reply is
> > not authoritative]
> >
> > Thanks for handling CVE-2019-3866 for unstable and buster.
> >
> > On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> Tags: buster
> >> User: [email protected]
> >> Usertags: pu
> >>
> >> Dear Stable Release team,
> >>
> >> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
> >> which is described in https://bugs.debian.org/946060. Please note
> >> that this patch is only useful if you also approve the upload of
> >> python-oslo.utils which I requested in #947142.
> >>
> >> Debdiff containing the patch is attached. Note that there's, as
> >> much as I understand, no need to upgrade Mistral to address this
> >> CVE (probably it would be needed in Stretch though...), as I believe
> >> the issue is fully addressed by the update of python-mistral-lib
> >> (at least, that's my understanding when reading the upstream bug
> >> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
> >
> > Question (which applies as well to the unstable upload which was just
> > done): the python-mistral-lib patch depends on the fixed version of
> > python-oslo.utils. Wouldn't that need a versioned dependency on
> > python-oslo.utils?
> >
> > Regards,
> > Salvatore
>
> Hi,
>
> There's currently no dependency at all on python3-oslo.utils, because
> it's not completely needed. It looks like it is needed only for some
> usages of Mistral (like the one TripleO is doing), when calling
> generate_unicode_uuid(), is_valid_uuid() or utc_now_sec() from
> mistral_lib.utils.
>
> So no, I don't think we should add an artificial hard runtime dependency
> on oslo.utils, as long as upstream isn't doing it in requirements.txt.
>
> Your thoughts?
>
It doesn't look artificial to me. As far as I can tell this patch makes
importing mistral_lib.utils (directly or via mistral_lib.actions.types)
fail without oslo.utils.
Overall I'd say this change on its own doesn't warrant a stable update.
Maybe later if there's a more serious issue to lump it in with.
Cheers,
Julien
--- End Message ---