[PKG-Openstack-devel] Proposed fix for aodh CVE-2017-12440 / #872605

Thomas Goirand zigo at debian.org
Sun Aug 20 23:29:11 UTC 2017


Hi,

Please find attached debdiff for aodh 3.0.0-4+deb9u1.

The built package can be found here:
http://sid.gplhost.com/stretch-proposed-updates/aodh/

Please let me know if it looks good, and if I can upload the fix to
security-master.

Note that we don't plan an upload to Sid just yet, as we're currently
packaging OpenStack Pike.

Cheers,

Thomas Goirand (zigo)
-------------- next part --------------
diff -Nru aodh-3.0.0/debian/changelog aodh-3.0.0/debian/changelog
--- aodh-3.0.0/debian/changelog	2017-04-01 11:11:56.000000000 +0200
+++ aodh-3.0.0/debian/changelog	2017-08-21 00:59:49.000000000 +0200
@@ -1,3 +1,9 @@
+aodh (3.0.0-4+deb9u1) stretch-security; urgency=medium
+
+  * CVE-2017-12440: apply upstream patch (Closes: #872605).
+
+ -- Thomas Goirand <zigo at debian.org>  Mon, 21 Aug 2017 00:59:49 +0200
+
 aodh (3.0.0-4) unstable; urgency=medium
 
   * Team upload.
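Review bot: urgency=medium on the new stretch-security entry is acceptable but security uploads conventionally carry urgency=high, and the entry would be easier to audit if it named the upstream commit next to the CVE and bug number (the hash is visible further down in the patch's X-Git-Url header, 1f954b3b828d7aa25665787b36f4a14bb0c94c76), e.g. `* CVE-2017-12440: apply upstream patch 1f954b3b (Closes: #872605).`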
diff -Nru aodh-3.0.0/debian/patches/CVE-2017-12440_Dont_allow_the_user_to_pass_in_a_trust_ID.patch aodh-3.0.0/debian/patches/CVE-2017-12440_Dont_allow_the_user_to_pass_in_a_trust_ID.patch
--- aodh-3.0.0/debian/patches/CVE-2017-12440_Dont_allow_the_user_to_pass_in_a_trust_ID.patch	1970-01-01 01:00:00.000000000 +0100
+++ aodh-3.0.0/debian/patches/CVE-2017-12440_Dont_allow_the_user_to_pass_in_a_trust_ID.patch	2017-08-21 00:59:49.000000000 +0200
@@ -0,0 +1,42 @@
+Subject: CVE-2017-12440: Don't allow the user to pass in a trust ID
+ Since Aodh uses trust IDs stored in alarm URLs unconditionally - without
+ checking for tenant safety - it is not safe to allow users to pass in their own
+ trust IDs. Forbid this and allow only trusts created by Aodh to be used. It is
+ highly unlikely that there is any (legitimate) use of this feature in the wild,
+ since allowing Aodh to create the trust is easier anyway.
+From: Zane Bitter <zbitter at redhat.com>
+Date: Tue, 15 Aug 2017 10:19:08 +0000 (+0200)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Faodh.git;a=commitdiff_plain;h=1f954b3b828d7aa25665787b36f4a14bb0c94c76
+Change-Id: I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851
+Bug-Ubuntu: https://bugs.launchpad.net/ossn/+bug/1649333
+Bug-Debian: https://bugs.debian.org/872605
+Origin: upstream, https://review.openstack.org/#/c/493826/
+Last-Update: 2017-08-21
+
+diff --git a/aodh/api/controllers/v2/alarms.py b/aodh/api/controllers/v2/alarms.py
+index af5ce4f..bf89bfe 100644
+--- a/aodh/api/controllers/v2/alarms.py
++++ b/aodh/api/controllers/v2/alarms.py
+@@ -412,6 +412,9 @@ class Alarm(base.Base):
+                             url = list(url)
+                             url[1] = netloc
+                             actions[index] = urlparse.urlunsplit(url)
++                        else:
++                            errmsg = _("trust URL cannot contain a trust ID.")
++                            raise base.ClientSideError(errmsg)
+         if old_alarm:
+             new_actions = list(itertools.chain(
+                 self.ok_actions or [],
+diff --git a/aodh/notifier/trust.py b/aodh/notifier/trust.py
+index c9bbdc3..6da7f48 100644
+--- a/aodh/notifier/trust.py
++++ b/aodh/notifier/trust.py
+@@ -27,7 +27,7 @@ class TrustRestAlarmNotifier(rest.RestAlarmNotifier):
+     keystone authentication. It uses the aodh service user to
+     authenticate using the trust ID provided.
+ 
+-    The URL must be in the form trust+http://trust-id@host/action.
++    The URL must be in the form trust+http://host/action.
+     """
+ 
+     def notify(self, action, alarm_id, alarm_name, severity, previous, current,
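Review bot: the alarms.py hunk adds only the `else:` branch at the 24-space indentation, so the `if` it pairs with lies outside the shown context; since the patch was generated against upstream master (`@@ -412,6 +412,9 @@`, index af5ce4f..bf89bfe) and is being applied to 3.0.0, confirm after `quilt push` that the `else:` attaches to the netloc check that rewrites the trust URL and not to a neighbouring conditional. The trust.py hunk changes only the docstring (`trust+http://trust-id@host/action` to `trust+http://host/action`) and leaves `notify()` untouched, so the notifier will still honour trust IDs embedded in action URLs of alarms that were stored before this update; the fix blocks creation of such alarms through the API but does not retroactively reject existing ones, which is worth stating in the DSA text so operators know to audit stored alarm actions. Minor: the DEP-3 `Date:` value `10:19:08 +0000 (+0200)` carries a contradictory offset copied from gitweb and could be normalised to a single zone.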
diff -Nru aodh-3.0.0/debian/patches/series aodh-3.0.0/debian/patches/series
--- aodh-3.0.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ aodh-3.0.0/debian/patches/series	2017-08-21 00:59:49.000000000 +0200
@@ -0,0 +1 @@
+CVE-2017-12440_Dont_allow_the_user_to_pass_in_a_trust_ID.patch

