Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package keystone. This fixes CVE-2012-4413. Debdiff is attached. Note that I am well aware of #687311 (I was the one who reported it), but I would like to fix this one later on, using urgency=low, so it has more time for testing before migration. Please let me know if I should lower the severity of #687311 for the package to migrate, or if the release team has some magic way to let it migrate anyway. Cheers, Thomas Goirand
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog 2012-08-30 18:37:58.000000000 +0000
+++ keystone-2012.1.1/debian/changelog 2012-09-12 16:33:13.000000000 +0000
@@ -1,3 +1,10 @@
+keystone (2012.1.1-6) unstable; urgency=high
+
+ * CVE-2012-4413: Revoking a role does not affect existing tokens
+ (Closes: #687428).
+
+ -- Thomas Goirand <[email protected]> Sun, 09 Sep 2012 02:21:11 +0000
+
 keystone (2012.1.1-5) unstable; urgency=low
 * CVE-2012-3542: Fixes lack of authorization for adding users to tenants
diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch
--- keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch 1970-01-01 00:00:00.000000000 +0000
+++ keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch 2012-09-12 16:33:13.000000000 +0000
@@ -0,0 +1,128 @@
+Description: CVE-2012-4413: Revoking a role does not affect existing tokens
+ Dolph Mathews reported a vulnerability in Keystone. Granting and
+ revoking roles from a user is not reflected upon token validation for
+ pre-existing tokens. Pre-existing tokens continue to be valid for the
+ original set of roles for the remainder of the token's lifespan, or
+ until explicitly invalidated. This fix invalidates all tokens held by
+ a user upon role grant/revoke to circumvent the issue.
+Author: Dolph Mathews
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/687428
+
+--- keystone-2012.1.1.orig/tests/test_keystoneclient.py
++++ keystone-2012.1.1/tests/test_keystoneclient.py
+@@ -722,15 +722,15 @@ class KcMasterTestCase(CompatTestCase, K
+ def test_tenant_add_and_remove_user(self):
+ client = self.get_client(admin=True)
+ client.roles.add_user_role(tenant=self.tenant_baz['id'],
+- user=self.user_foo['id'],
++ user=self.user_two['id'],
+ role=self.role_useless['id'])
+ user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
+- self.assert_(self.user_foo['id'] in [x.id for x in user_refs])
++ self.assert_(self.user_two['id'] in [x.id for x in user_refs])
+ client.roles.remove_user_role(tenant=self.tenant_baz['id'],
+- user=self.user_foo['id'],
++ user=self.user_two['id'],
+ role=self.role_useless['id'])
+ user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
+- self.assert_(self.user_foo['id'] not in [x.id for x in user_refs])
++ self.assert_(self.user_two['id'] not in [x.id for x in user_refs])
+
+ def test_user_role_add_404(self):
+ from keystoneclient import exceptions as client_exceptions
+@@ -843,16 +843,16 @@ class KcEssex3TestCase(CompatTestCase, K
+ def test_tenant_add_and_remove_user(self):
+ client = self.get_client(admin=True)
+ client.roles.add_user_to_tenant(tenant_id=self.tenant_baz['id'],
+- user_id=self.user_foo['id'],
++ user_id=self.user_two['id'],
+ role_id=self.role_useless['id'])
+ role_refs = 
client.roles.get_user_role_refs(
+- user_id=self.user_foo['id'])
++ user_id=self.user_two['id'])
+ self.assert_(self.tenant_baz['id'] in [x.tenantId for x in role_refs])
+
+ # get the "role_refs" so we get the proper id, this is how the clients
+ # do it
+ roleref_refs = client.roles.get_user_role_refs(
+- user_id=self.user_foo['id'])
++ user_id=self.user_two['id'])
+ for roleref_ref in roleref_refs:
+ if (roleref_ref.roleId == self.role_useless['id']
+ and roleref_ref.tenantId == self.tenant_baz['id']):
+@@ -860,11 +860,11 @@ class KcEssex3TestCase(CompatTestCase, K
+ break
+
+ client.roles.remove_user_from_tenant(tenant_id=self.tenant_baz['id'],
+- user_id=self.user_foo['id'],
++ user_id=self.user_two['id'],
+ role_id=roleref_ref.id)
+
+ role_refs = client.roles.get_user_role_refs(
+- user_id=self.user_foo['id'])
++ user_id=self.user_two['id'])
+ self.assert_(self.tenant_baz['id'] not in
+ [x.tenantId for x in role_refs])
+
+--- keystone-2012.1.1.orig/keystone/token/core.py
++++ keystone-2012.1.1/keystone/token/core.py
+@@ -38,6 +38,10 @@ class Manager(manager.Manager):
+ def __init__(self):
+ super(Manager, self).__init__(CONF.token.driver)
+
++ def revoke_tokens(self, context, user_id):
++ for token_id in self.list_tokens(context, user_id):
++ self.delete_token(context, token_id)
++
+
+ class Driver(object):
+ """Interface description for a Token driver."""
+@@ -97,6 +101,13 @@ class Driver(object):
+ """
+ raise exception.NotImplemented()
+
++ def revoke_tokens(self, user_id):
++ """Invalidates all tokens held by a user.
++
++ :raises: keystone.exception.UserNotFound
++ """
++ raise exception.NotImplemented()
++
+ def _get_default_expire_time(self):
+ """Determine when a token should expire based on the config.
+
+--- keystone-2012.1.1.orig/keystone/identity/core.py
++++ keystone-2012.1.1/keystone/identity/core.py
+@@ -524,6 +524,8 @@ class RoleController(wsgi.Application):
+ self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
+ self.identity_api.add_role_to_user_and_tenant(
+ context, user_id, tenant_id, role_id)
++ self.token_api.revoke_tokens(context, user_id)
++
+ role_ref = self.identity_api.get_role(context, role_id)
+ return {'role': role_ref}
+
+@@ -554,7 +556,7 @@ class RoleController(wsgi.Application):
+ if not roles:
+ self.identity_api.remove_user_from_tenant(
+ context, tenant_id, user_id)
+- return
++ self.token_api.revoke_tokens(context, user_id)
+
+ # COMPAT(diablo): CRUD extension
+ def get_role_refs(self, context, user_id):
+@@ -596,6 +598,8 @@ class RoleController(wsgi.Application):
+ self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
+ self.identity_api.add_role_to_user_and_tenant(
+ context, user_id, tenant_id, role_id)
++ self.token_api.revoke_tokens(context, user_id)
++
+ role_ref = self.identity_api.get_role(context, role_id)
+ return {'role': role_ref}
+
+@@ -623,3 +627,4 @@ class RoleController(wsgi.Application):
+ if not roles:
+ self.identity_api.remove_user_from_tenant(
+ context, tenant_id, user_id)
++ self.token_api.revoke_tokens(context, user_id)
diff -Nru keystone-2012.1.1/debian/patches/series keystone-2012.1.1/debian/patches/series
--- keystone-2012.1.1/debian/patches/series 2012-08-30 18:37:58.000000000 +0000
+++ keystone-2012.1.1/debian/patches/series 2012-09-12 16:33:13.000000000 +0000
@@ -3,3 +3,4 @@
 default_catalog.patch
 sql_conn.patch
 CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
+CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch
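Review bot: In the keystone/token/core.py part of the new patch, `Manager.revoke_tokens` walks `self.list_tokens`/`self.delete_token` and never calls the `Driver.revoke_tokens` that the same patch adds, so that abstract method (and its documented `UserNotFound`) is never exercised and the fix quietly depends on every configured token backend implementing `list_tokens`. Either delegate, `return self.driver.revoke_tokens(user_id)`, with a real implementation per backend, or drop the abstract method so the two cannot drift; the Manager method also lacks a docstring, e.g. `"""Delete every token held by user_id so a role grant or revoke takes effect immediately."""`. In the keystone/identity/core.py hunks the call runs after `add_role_to_user_and_tenant` / `remove_user_from_tenant` have already persisted the change, so a `NotImplemented` or other backend error there surfaces as a failed request whose role change has nevertheless taken effect, which deserves a comment at the call site and a test against each supported token backend. Indentation is not recoverable from this flattened rendering, but in the `-554,7` hunk the new `self.token_api.revoke_tokens(context, user_id)` has to sit at the level of the `if not roles:` test (where the removed `return` no longer short-circuits), not inside it, or tokens would only be revoked when the user's last role in the tenant is removed. The enclosing methods of all four identity/core.py hunks start outside the hunks.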

