Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
[adding 929...@bugs.debian.org to CC]

Hi Moritz,

> > Sure. Here's my updated patch:

Uploaded zookeeper_3.4.9-3+deb9u2_amd64.changes to security-master.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
On Fri, May 31, 2019 at 09:01:12AM +0200, Salvatore Bonaccorso wrote:
> Hi Tony,
>
> On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> > On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > > Looks fine, but can you please also include the test case upstream
> > > > added?
> > > > Given that it's quite complex to reconstruct the specific affected ZK
> > > > setup,
> > > > we should at least ship/run the test case.
> > >
> > > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > > in the next day or so.
> >
> > As an update...
> >
> > Regarding the upload of a patched 3.4.13 for buster and unstable,
> > cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> > straight-forward and complete [1]. The package is building, etc.
> >
> > The delay is that the tests for the Debian package aren't in a state
> > where they are easy to run. This predates this issue, going back to the
> > changes made when netty 3.9 was removed from Debian. Since the changes
> > to the packaging and patches to re-enable tests would be extensive (I am
> > still working through them), I'm not certain that they will be suitable
> > for an upload during the freeze. At a minimum, I intend to get them
> > working locally and push a branch so that others can verify, as well as
> > run the updated ZK through some local smoke-testing that validates the
> > ACL change.
>
> Thanks for giving an update on the state!

Hi Salvatore -

Apologies again for the delay. The zookeeper package tests are in rough
shape and I wasn't able to get all tests passing even after installing
libjetty-3.9-java in a local chroot and some hacking. The work-in-progress
3.4.13-2+test branch is on Salsa [1], but getting the tests into good
working order will be a goal for buster.

However, I did verify the following before uploading:

- the test results between 3.4.13-1 and 3.4.13-2 are the same, meaning no
  regressions
- the newly added FinalRequestProcessorTest in 3.4.13-2 passes
- I could reproduce the ACL information disclosure on 3.4.13-1
- 3.4.13-2 no longer freely shares ACLs on nodes with ACLs that prevent
  unauthorized reading

I have just uploaded to unstable [2] and will request an unblock for buster.

Thank you,
tony

[1] https://salsa.debian.org/java-team/zookeeper/tree/3.4.13-2+test
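The behaviour checked in the list above (an unpatched server handing a node's ACL, digest hashes included, to any connected client; the patched server refusing callers that hold neither READ nor ADMIN on the node and redacting digest ids for callers that only hold READ), as an added Python model written for this page. It is not code from ZooKeeper or from the Debian package; it mirrors the getACL change in the stretch patch quoted later in this thread. The checkACL semantics (an entry grants when any requested permission bit is set on it, so READ | ADMIN reads as "READ or ADMIN"), exact-string matching for the digest and ip schemes, the znode path and the users alice and bob are assumptions made for the example.

```python
"""Model of getACL authorisation before and after the CVE-2019-0201 fix.

Added example for this bug thread, not ZooKeeper's own code. The ACLs,
users and path below are constructed for the demonstration.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# ZooDefs.Perms bit values.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


@dataclass(frozen=True)
class Id:
    scheme: str  # "world", "digest", "ip", "super", ...
    id: str


@dataclass(frozen=True)
class ACL:
    perms: int
    id: Id


class NoAuthError(Exception):
    """Stands in for KeeperException.NoAuthException."""


class NoNodeError(Exception):
    """Stands in for KeeperException.NoNodeException."""


def digest_id(user: str, password: str) -> str:
    """'user:base64(sha1(user:password))': the form stored in a digest ACL
    entry and carried in an authenticated session's authInfo."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"


def check_acl(acl: List[ACL], perm: int, auth_ids: List[Id]) -> None:
    """Raise NoAuthError unless a caller id satisfies an entry that carries
    at least one of the bits in `perm` (assumed 3.4 checkACL semantics)."""
    if not acl:
        return  # a node with an empty ACL is open
    if any(a.scheme == "super" for a in auth_ids):
        return
    for entry in acl:
        if entry.perms & perm == 0:
            continue
        if entry.id == Id("world", "anyone"):
            return
        # Assumption: exact-match providers; the real 'ip' provider also
        # understands address/prefix masks.
        if any(a == entry.id for a in auth_ids):
            return
    raise NoAuthError()


def get_acl_unpatched(db: Dict[str, List[ACL]], path: str,
                      auth_ids: List[Id]) -> List[ACL]:
    """Pre-fix behaviour: no authorisation check, the full ACL goes out."""
    acl = db.get(path)
    if acl is None:
        raise NoNodeError()
    return list(acl)


def get_acl_patched(db: Dict[str, List[ACL]], path: str,
                    auth_ids: List[Id]) -> List[ACL]:
    """Post-fix behaviour: READ or ADMIN required; only ADMIN sees hashes."""
    acl = db.get(path)
    if acl is None:
        raise NoNodeError()
    check_acl(acl, READ | ADMIN, auth_ids)  # neither bit -> NoAuthError
    try:
        check_acl(acl, ADMIN, auth_ids)
        return list(acl)  # admins get the ACL verbatim
    except NoAuthError:
        # READ-only callers: digest ids become "user:x"; other schemes pass
        # through unchanged, so the user names and ip entries are still seen.
        return [ACL(a.perms, Id("digest", re.sub(r":.*", ":x", a.id.id)))
                if a.id.scheme == "digest" else a for a in acl]


# Constructed sample tree: one znode whose ACL denies world access.
ALICE = Id("digest", digest_id("alice", "alice-secret"))  # owner
BOB = Id("digest", digest_id("bob", "bob-secret"))        # read-only user
SAMPLE_DB = {
    "/secrets/db-password": [
        ACL(ALL, ALICE),
        ACL(READ, BOB),
        ACL(READ, Id("ip", "10.0.0.7")),
    ]
}
ANONYMOUS: List[Id] = []  # session that never called addauth


def demo() -> Dict[str, List[ACL]]:
    path = "/secrets/db-password"
    return {
        "unpatched_anonymous": get_acl_unpatched(SAMPLE_DB, path, ANONYMOUS),
        "patched_bob": get_acl_patched(SAMPLE_DB, path, [BOB]),
        "patched_alice": get_acl_patched(SAMPLE_DB, path, [ALICE]),
    }


if __name__ == "__main__":
    for caller, acl in demo().items():
        print(caller, [(a.perms, a.id.scheme, a.id.id) for a in acl])
    try:
        get_acl_patched(SAMPLE_DB, "/secrets/db-password", ANONYMOUS)
    except NoAuthError:
        print("patched_anonymous: NoAuthError")
```

Running it prints the full ACL, hashes included, for the unauthenticated caller against the unpatched path, the redacted `alice:x` / `bob:x` entries for bob, the verbatim ACL for alice, and a NoAuthError for the unauthenticated caller against the patched path. Against a live server the same three observations can be made with a digest ACL on a test znode and a client that calls getACL with and without addauth.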
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
Hi Moritz, > > Thanks. Here is my diff: > > Looks fine, but can you please also include the test case upstream added? > Given that it's quite complex to reconstruct the specific affected ZK setup, > we should at least ship/run the test case. Sure. Here's my updated patch: diffstat for zookeeper-3.4.9 zookeeper-3.4.9 changelog|8 + patches/CVE-2019-11579.patch | 290 +++ patches/series |1 3 files changed, 299 insertions(+) diff -Nru zookeeper-3.4.9/debian/changelog zookeeper-3.4.9/debian/changelog --- zookeeper-3.4.9/debian/changelog2018-05-23 21:34:43.0 +0100 +++ zookeeper-3.4.9/debian/changelog2019-05-24 08:57:53.0 +0100 @@ -1,3 +1,11 @@ +zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high + + * CVE-2019-0201: Prevent an information disclosure vulnerability where users +who were not authorised to read data were able to view the access control +list. (Closes: #929283) + + -- Chris Lamb Fri, 24 May 2019 08:57:53 +0100 + zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high * Team upload. diff -Nru zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch --- zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch 1970-01-01 01:00:00.0 +0100 +++ zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch 2019-05-24 08:57:53.0 +0100 
@@ -0,0 +1,290 @@ +--- zookeeper-3.4.9.orig/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java zookeeper-3.4.9/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java +@@ -20,6 +20,7 @@ package org.apache.zookeeper.server; + + import java.io.IOException; + import java.nio.ByteBuffer; ++import java.util.ArrayList; + import java.util.List; + + import org.apache.jute.Record; +@@ -32,6 +33,7 @@ import org.apache.zookeeper.KeeperExcept + import org.apache.zookeeper.KeeperException.SessionMovedException; + import org.apache.zookeeper.ZooDefs.OpCode; + import org.apache.zookeeper.data.ACL; ++import org.apache.zookeeper.data.Id; + import org.apache.zookeeper.data.Stat; + import org.apache.zookeeper.proto.CreateResponse; + import org.apache.zookeeper.proto.ExistsRequest; +@@ -308,10 +310,35 @@ public class FinalRequestProcessor imple + GetACLRequest getACLRequest = new GetACLRequest(); + ByteBufferInputStream.byteBuffer2Record(request.request, + getACLRequest); ++DataNode n = zks.getZKDatabase().getNode(getACLRequest.getPath()); ++if (n == null) { ++throw new KeeperException.NoNodeException(); ++} ++PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n), ++ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN, ++request.authInfo); ++ + Stat stat = new Stat(); +-List acl = +-zks.getZKDatabase().getACL(getACLRequest.getPath(), stat); +-rsp = new GetACLResponse(acl, stat); ++List acl = ++zks.getZKDatabase().getACL(getACLRequest.getPath(), stat); ++try { ++PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n), ++ZooDefs.Perms.ADMIN, ++request.authInfo); ++rsp = new GetACLResponse(acl, stat); ++} catch (KeeperException.NoAuthException e) { ++List acl1 = new ArrayList(acl.size()); ++for (ACL a : acl) { ++if ("digest".equals(a.getId().getScheme())) { ++Id id = a.getId(); ++Id id1 = new Id(id.getScheme(), id.getId().replaceAll(":.*", ":x")); ++acl1.add(new ACL(a.getPerms(), id1)); ++} else { ++acl1.add(a); ++} ++} ++rsp = new 
GetACLResponse(acl1, stat); ++} + break; + } + case OpCode.getChildren: { +--- /dev/null zookeeper-3.4.9/src/java/test/org/apache/zookeeper/test/FinalRequestProcessorTest.java +@@ -0,0 +1,230 @@ ++/** ++ * Licensed to the Apache Software Foundation (ASF) under one ++ * or more contributor license agreements. See the NOTICE file ++ * distributed with this work for additional information ++ * regarding copyright ownership. The ASF licenses this file ++ * to you under the Apache License, Version 2.0 (the ++ * "License"); you may not use this file except in compliance ++ * with the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under
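Review bot: the copy of the updated patch in this message stops inside the Apache license header of the new src/java/test/org/apache/zookeeper/test/FinalRequestProcessorTest.java, so neither the test body nor the debian/patches/series hunk that the diffstat announces (3 files changed, 299 insertions) can be reviewed here; since the request was to ship and run the upstream test, please confirm the test is actually executed by the package build rather than only added to the source tree, and note that the file is still named CVE-2019-11579.patch while the changelog entry directly above it records the fix as CVE-2019-0201.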
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
Hi Tony,

On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > Looks fine, but can you please also include the test case upstream added?
> > > Given that it's quite complex to reconstruct the specific affected ZK
> > > setup,
> > > we should at least ship/run the test case.
> >
> > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > in the next day or so.
>
> As an update...
>
> Regarding the upload of a patched 3.4.13 for buster and unstable,
> cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> straight-forward and complete [1]. The package is building, etc.
>
> The delay is that the tests for the Debian package aren't in a state
> where they are easy to run. This predates this issue, going back to the
> changes made when netty 3.9 was removed from Debian. Since the changes
> to the packaging and patches to re-enable tests would be extensive (I am
> still working through them), I'm not certain that they will be suitable
> for an upload during the freeze. At a minimum, I intend to get them
> working locally and push a branch so that others can verify, as well as
> run the updated ZK through some local smoke-testing that validates the
> ACL change.

Thanks for giving an update on the state!

Regards,
Salvatore
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > Looks fine, but can you please also include the test case upstream added?
> > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > we should at least ship/run the test case.
>
> I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> in the next day or so.

As an update...

Regarding the upload of a patched 3.4.13 for buster and unstable,
cherry-picking and adapting the upstream patch from the 3.4.14 branch is
straight-forward and complete [1]. The package is building, etc.

The delay is that the tests for the Debian package aren't in a state
where they are easy to run. This predates this issue, going back to the
changes made when netty 3.9 was removed from Debian. Since the changes
to the packaging and patches to re-enable tests would be extensive (I am
still working through them), I'm not certain that they will be suitable
for an upload during the freeze. At a minimum, I intend to get them
working locally and push a branch so that others can verify, as well as
run the updated ZK through some local smoke-testing that validates the
ACL change.

Cheers,
tony

[1] https://salsa.debian.org/java-team/zookeeper/commit/41265b610149bd708232e40faf945f3c79b60b85
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> On Fri, May 24, 2019 at 09:19:00AM +0100, Chris Lamb wrote:
> > tags 929283 + patch
> > thanks
> >
> > Hi Moritz,
> >
> > > > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> > > >
> > > > Happy to prepare an update for stretch; I plan to do one for jessie
> > > > LTS (which, helpfully, has the same version...)
> > >
> > > Sounds good, we should fix that in Stretch. I've just added the reference
> > > to the upstream commit in the 3.4 branch to the Security Tracker.
> >
> > Thanks. Here is my diff:
>
> Looks fine, but can you please also include the test case upstream added?
> Given that it's quite complex to reconstruct the specific affected ZK setup,
> we should at least ship/run the test case.

I will prepare an upload for 3.4.13 in testing/unstable soon - should be
in the next day or so.
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
On Fri, May 24, 2019 at 09:19:00AM +0100, Chris Lamb wrote:
> tags 929283 + patch
> thanks
>
> Hi Moritz,
>
> > > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> > >
> > > Happy to prepare an update for stretch; I plan to do one for jessie
> > > LTS (which, helpfully, has the same version...)
> >
> > Sounds good, we should fix that in Stretch. I've just added the reference
> > to the upstream commit in the 3.4 branch to the Security Tracker.
>
> Thanks. Here is my diff:

Looks fine, but can you please also include the test case upstream added?
Given that it's quite complex to reconstruct the specific affected ZK setup,
we should at least ship/run the test case.

Cheers,
        Moritz
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
tags 929283 + patch thanks Hi Moritz, > > > zookeeper: CVE-2019-0201: information disclosure vulnerability > > > > Happy to prepare an update for stretch; I plan to do one for jessie > > LTS (which, helpfully, has the same version...) > > Sounds good, we should fix that in Stretch. I've just added the reference > to the upstream commit in the 3.4 branch to the Security Tracker. Thanks. Here is my diff: diff --git a/debian/changelog b/debian/changelog index ea8c13e..6e92313 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high + + * CVE-2019-0201: Prevent an information disclosure vulnerability where users +who were not authorised to read data were able to view the access control +list. (Closes: #929283) + + -- Chris Lamb Fri, 24 May 2019 08:57:53 +0100 + zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high * Team upload. diff --git a/debian/patches/CVE-2019-11579.patch b/debian/patches/CVE-2019-11579.patch new file mode 100644 index 000..e4c314c --- /dev/null +++ b/debian/patches/CVE-2019-11579.patch 
@@ -0,0 +1,57 @@ +--- zookeeper-3.4.9.orig/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java zookeeper-3.4.9/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java +@@ -20,6 +20,7 @@ package org.apache.zookeeper.server; + + import java.io.IOException; + import java.nio.ByteBuffer; ++import java.util.ArrayList; + import java.util.List; + + import org.apache.jute.Record; +@@ -32,6 +33,7 @@ import org.apache.zookeeper.KeeperExcept + import org.apache.zookeeper.KeeperException.SessionMovedException; + import org.apache.zookeeper.ZooDefs.OpCode; + import org.apache.zookeeper.data.ACL; ++import org.apache.zookeeper.data.Id; + import org.apache.zookeeper.data.Stat; + import org.apache.zookeeper.proto.CreateResponse; + import org.apache.zookeeper.proto.ExistsRequest; +@@ -308,10 +310,35 @@ public class FinalRequestProcessor imple + GetACLRequest getACLRequest = new GetACLRequest(); + ByteBufferInputStream.byteBuffer2Record(request.request, + getACLRequest); ++DataNode n = zks.getZKDatabase().getNode(getACLRequest.getPath()); ++if (n == null) { ++throw new KeeperException.NoNodeException(); ++} ++PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n), ++ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN, ++request.authInfo); ++ + Stat stat = new Stat(); +-List acl = +-zks.getZKDatabase().getACL(getACLRequest.getPath(), stat); +-rsp = new GetACLResponse(acl, stat); ++List acl = ++zks.getZKDatabase().getACL(getACLRequest.getPath(), stat); ++try { ++PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n), ++ZooDefs.Perms.ADMIN, ++request.authInfo); ++rsp = new GetACLResponse(acl, stat); ++} catch (KeeperException.NoAuthException e) { ++List acl1 = new ArrayList(acl.size()); ++for (ACL a : acl) { ++if ("digest".equals(a.getId().getScheme())) { ++Id id = a.getId(); ++Id id1 = new Id(id.getScheme(), id.getId().replaceAll(":.*", ":x")); ++acl1.add(new ACL(a.getPerms(), id1)); ++} else { ++acl1.add(a); ++} ++} ++rsp = new 
GetACLResponse(acl1, stat); ++} + break; + } + case OpCode.getChildren: { diff --git a/debian/patches/series b/debian/patches/series index 9dd03d0..c0b9747 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ 09-spell-check.patch 10-CVE-2017-5637.patch CVE-2018-8012.patch +CVE-2019-11579.patch Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org chris-lamb.co.uk `-
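Review bot: in the getACL hunk, as displayed, `List acl =` and `new ArrayList(acl.size())` carry no type parameter while the loop reads `for (ACL a : acl)`; if the angle brackets were not simply lost when the mail was rendered, a raw List there does not compile (its elements are Object), so please confirm the file says `List<ACL> acl` and `new ArrayList<ACL>(acl.size())`. Two smaller points on the same hunk: the first `checkACL(..., ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN, ...)` is only coherent as "READ or ADMIN", since the following ADMIN-only check is wrapped in a catch for NoAuthException precisely to serve READ-only callers, and a one-line comment saying so would spare the next reader a trip into checkACL; and the masking branch rewrites only `digest` ids (to `user:x`, so the user name still goes out) and returns entries of every other scheme unchanged, which is worth a sentence in the changelog entry, which at present only says that unauthorised users "were able to view the access control list" and does not mention that authorised readers still receive a redacted one.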
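Review bot: in the debian/patches/series hunk the new entry is CVE-2019-11579.patch, and the file is created under that name, while the changelog entry in the same diff and the bug title record the fix as CVE-2019-0201; please rename the patch to CVE-2019-0201.patch and update the series line before upload so the patch name matches the CVE the changelog claims to close.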
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
On Thu, May 23, 2019 at 07:04:43AM +0100, Chris Lamb wrote:
> [Adding t...@security.debian.org to CC]
>
> Hi,
>
> > zookeeper: CVE-2019-0201: information disclosure vulnerability
>
> Happy to prepare an update for stretch; I plan to do one for jessie
> LTS (which, helpfully, has the same version...)

Sounds good, we should fix that in Stretch. I've just added the reference
to the upstream commit in the 3.4 branch to the Security Tracker.

Cheers,
        Moritz
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
[Adding t...@security.debian.org to CC]

Hi,

> zookeeper: CVE-2019-0201: information disclosure vulnerability

Happy to prepare an update for stretch; I plan to do one for jessie
LTS (which, helpfully, has the same version...)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
Source: zookeeper
Version: 3.4.13-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/ZOOKEEPER-1392
Control: found -1 3.4.9-3+deb9u1
Control: found -1 3.4.9-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2019-0201[0]: Information disclosure vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0201
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201
[1] https://issues.apache.org/jira/browse/ZOOKEEPER-1392
[2] https://www.openwall.com/lists/oss-security/2019/05/20/1

Regards,
Salvatore