Your message dated Tue, 11 Apr 2023 21:04:26 +0000
with message-id <[email protected]>
and subject line unblock heat
has caused the Debian Bug report #1034243,
regarding unblock: heat/19.0.0-2 (fix for CVE-2023-1625 / #1034186)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034243: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034243
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package heat
[ Reason ]
This last upload fixes CVE-2023-1625 / #1034186 (information leak in the
Heat API).
[ Impact ]
Before this patch, "openstack stack show" shows parameters that
are supposed to be hidden, like for example passwords (see the
launchpad entry https://launchpad.net/bugs/1999665 that is rather
explicit).
[ Tests ]
Building the package and the Debian CI both include the upstream unit tests.
Also, the patch comes directly from upstream, which runs functional
tests in its CI, which makes me confident nothing broke with this
patch. See test results at:
https://review.opendev.org/c/openstack/heat/+/873465
[ Risks ]
Not many risks, as the patch only affects "stack show".
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
Cheers,
Thomas Goirand (zigo)
unblock heat/19.0.0-2
diff -Nru heat-19.0.0/debian/changelog heat-19.0.0/debian/changelog
--- heat-19.0.0/debian/changelog 2022-10-06 10:14:02.000000000 +0200
+++ heat-19.0.0/debian/changelog 2023-04-11 10:21:00.000000000 +0200
@@ -1,3 +1,12 @@
+heat (1:19.0.0-2) unstable; urgency=high
+
+ * CVE-2023-1625: information leak in API. Added upstream patch:
+ Honor-hidden-parameter-in-stack_environment_show-command.patch
+ (Closes: #1034186).
+ * Removed obsolete depends on lsb-base.
+
+ -- Thomas Goirand <[email protected]> Tue, 11 Apr 2023 10:21:00 +0200
+
heat (1:19.0.0-1) unstable; urgency=medium
* New upstream release.
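Review bot: the patch name in the changelog entry does not match the file actually added: the entry cites `Honor-hidden-parameter-in-stack_environment_show-command.patch`, while debian/patches/series adds `CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch`. Quoting the full file name in the changelog keeps the CVE-to-patch mapping unambiguous for anyone auditing the package later.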
diff -Nru heat-19.0.0/debian/control heat-19.0.0/debian/control
--- heat-19.0.0/debian/control 2022-10-06 10:14:02.000000000 +0200
+++ heat-19.0.0/debian/control 2023-04-11 10:21:00.000000000 +0200
@@ -113,7 +113,6 @@
python3-pastescript,
uwsgi-plugin-python3,
${misc:Depends},
- ${ostack-lsb-base},
${python3:Depends},
Description: OpenStack orchestration service - API server
Heat is a service to orchestrate multiple composite cloud applications using
@@ -130,7 +129,6 @@
python3-pastescript,
uwsgi-plugin-python3,
${misc:Depends},
- ${ostack-lsb-base},
${python3:Depends},
Description: OpenStack orchestration service - CFN API
Heat is a service to orchestrate multiple composite cloud applications using
@@ -174,7 +172,6 @@
adduser,
heat-common (=${binary:Version}),
${misc:Depends},
- ${ostack-lsb-base},
${python3:Depends},
Description: OpenStack orchestration service - engine
Heat is a service to orchestrate multiple composite cloud applications using
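Review bot: dropping `${ostack-lsb-base}` from all three binary packages, together with deleting its definition in debian/debian_control_vars, is consistent, but it is only safe if none of the shipped init or maintainer scripts still source /lib/lsb/init-functions; the debdiff shows no changes under debian/*.init or debian/*.postinst, so it is worth confirming nothing else in the package relied on lsb-base before the dependency goes away.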
diff -Nru heat-19.0.0/debian/debian_control_vars
heat-19.0.0/debian/debian_control_vars
--- heat-19.0.0/debian/debian_control_vars 2022-10-06 10:14:02.000000000
+0200
+++ heat-19.0.0/debian/debian_control_vars 1970-01-01 01:00:00.000000000
+0100
@@ -1 +0,0 @@
-ostack-lsb-base= lsb-base
diff -Nru
heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
---
heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
1970-01-01 01:00:00.000000000 +0100
+++
heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
2023-04-11 10:21:00.000000000 +0200
@@ -0,0 +1,74 @@
+Description: CVE-2023-1625L Honor hidden parameter in 'stack environment show'
command
+ Backport note:
+ This includes change I0abbd535aacc03446ada0fa806dfdfdaa4522afe which
+ fixed the wrong explanation in the release note file.
+Author: Chengen Du <[email protected]>
+Date: Tue, 20 Dec 2022 18:00:00 +0800
+Bug: https://launchpad.net/bugs/1999665
+Bug-Debian: https://bugs.debian.org/1034186
+Story: 2010484
+Task: 47052
+Change-Id: Ifc51ff6a4deab05002ccded59383416f9a586aa0
+Origin: upstream, https://review.opendev.org/c/openstack/heat/+/873465
+Last-Update: 2023-04-11
+
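Review bot: the Description line reads `CVE-2023-1625L Honor hidden parameter ...`; the `L` after the CVE id looks like a typo for a colon and should be fixed so readers and tools parsing the DEP-3 header see a clean CVE reference. The remaining header fields (Origin, Bug, Bug-Debian, Change-Id, Last-Update) are complete and tie the backport to the upstream review.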
+diff --git a/heat/engine/service.py b/heat/engine/service.py
+index fdd4975..9019ddb 100644
+--- a/heat/engine/service.py
++++ b/heat/engine/service.py
+@@ -12,6 +12,7 @@
+ # under the License.
+
+ import collections
++import copy
+ import datetime
+ import functools
+ import itertools
+@@ -1354,7 +1355,16 @@
+ :rtype: dict
+ """
+ s = self._get_stack(cnxt, stack_identity, show_deleted=True)
+- return s.raw_template.environment
++ tmpl = templatem.Template.load(cnxt, s.raw_template_id,
s.raw_template)
++ param_schemata = tmpl.all_param_schemata(tmpl.files)
++ env = copy.deepcopy(s.raw_template.environment)
++ for section in [env_fmt.PARAMETERS, env_fmt.PARAMETER_DEFAULTS]:
++ for param_name in env.get(section, {}).keys():
++ if (param_name not in param_schemata
++ or not param_schemata[param_name].hidden):
++ continue
++ env[section][param_name] = str('******')
++ return env
+
+ @context.request_context
+ def get_files(self, cnxt, stack_identity):
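Review bot: the new body of get_environment references `templatem` and `env_fmt`, yet the hunk only adds `import copy`; both names must already be bound at the top of heat/engine/service.py, which the debdiff does not show, so confirm the backport applies cleanly against 19.0.0 as-is. Two smaller points: `str('******')` is a no-op around a string literal and can simply be `'******'`; and masking is applied only to the `parameters` and `parameter_defaults` sections, which is the right scope for the schema's `hidden` flag. The `copy.deepcopy` before masking is the important part, since it keeps the masked values out of the stored raw_template.environment.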
+diff --git a/heat/tests/test_engine_service.py
b/heat/tests/test_engine_service.py
+index 875d44d..9ce13e3 100644
+--- a/heat/tests/test_engine_service.py
++++ b/heat/tests/test_engine_service.py
+@@ -978,11 +978,12 @@
+ env = {'parameters': {'KeyName': 'EnvKey'}}
+ tmpl = templatem.Template(t)
+ stack = parser.Stack(self.ctx, 'get_env_stack', tmpl)
++ stack.store()
+
+ mock_get_stack = self.patchobject(self.eng, '_get_stack')
+ mock_get_stack.return_value = mock.MagicMock()
+ mock_get_stack.return_value.raw_template.environment = env
+- self.patchobject(parser.Stack, 'load', return_value=stack)
++ self.patchobject(templatem.Template, 'load', return_value=tmpl)
+
+ # Test
+ found = self.eng.get_environment(self.ctx, stack.identifier())
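Review bot: the visible change only swaps the `parser.Stack.load` patch for `templatem.Template.load` and stores the stack; the environment used here (`{'parameters': {'KeyName': 'EnvKey'}}`) has no hidden parameter, so nothing in this hunk asserts that a hidden value comes back as `'******'`. A second case with a parameter declared `hidden: true` in the template, asserting the masked value in both `parameters` and `parameter_defaults` and that the stored environment is left untouched, would actually exercise the CVE fix.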
+diff --git
a/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml
b/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml
+new file mode 100644
+index 0000000..8a3a366
+--- /dev/null
++++
b/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++ - |
++ Honor ``hidden`` parameter in get stack environment API. Now values passed
++ to hidden parameters are replaced by '******', similarly to the other
++ APIs such as show stack details API.
diff -Nru heat-19.0.0/debian/patches/series heat-19.0.0/debian/patches/series
--- heat-19.0.0/debian/patches/series 2022-10-06 10:14:02.000000000 +0200
+++ heat-19.0.0/debian/patches/series 2023-04-11 10:21:00.000000000 +0200
@@ -1,3 +1,4 @@
remove-broken-rst.patch
package-all-files.patch
add-heat_api_root-configuration-variable.patch
+CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
--- End Message ---
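The information leak described under [ Impact ] and the shape of the fix, as an added stand-alone example that is not code from the Debian package or from Heat: `ParamSchema`, `leaky_environment` and `masked_environment` are simplified stand-ins assumed for illustration, and the environment and schemata are constructed sample data.

```python
import copy
from dataclasses import dataclass

# Environment section names as Heat uses them (constructed constants for this example).
PARAMETERS = "parameters"
PARAMETER_DEFAULTS = "parameter_defaults"
MASK = "******"


@dataclass
class ParamSchema:
    """Minimal stand-in for a Heat parameter schema; only 'hidden' matters here."""
    hidden: bool = False


def leaky_environment(stored_env):
    """Pre-fix behaviour: return the stored environment untouched, secrets included."""
    return stored_env


def masked_environment(stored_env, param_schemata):
    """Post-fix behaviour: replace values of hidden parameters in a deep copy.

    Working on a copy matters: the stored environment is what the engine
    later feeds back into the stack, so it must never be overwritten with MASK.
    """
    env = copy.deepcopy(stored_env)
    for section in (PARAMETERS, PARAMETER_DEFAULTS):
        for name in env.get(section, {}):
            schema = param_schemata.get(name)
            if schema is None or not schema.hidden:
                continue  # unknown or non-hidden parameters are returned as-is
            env[section][name] = MASK
    return env


# Constructed sample: a stored environment plus the template's parameter schemata.
SAMPLE_ENV = {
    PARAMETERS: {"db_password": "s3cret", "flavor": "m1.small"},
    PARAMETER_DEFAULTS: {"admin_password": "hunter2"},
}
SAMPLE_SCHEMATA = {
    "db_password": ParamSchema(hidden=True),
    "admin_password": ParamSchema(hidden=True),
    "flavor": ParamSchema(hidden=False),
}

if __name__ == "__main__":
    print("leaky :", leaky_environment(SAMPLE_ENV))
    print("masked:", masked_environment(SAMPLE_ENV, SAMPLE_SCHEMATA))
```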
--- Begin Message ---
Unblocked.
--- End Message ---