Subject: unblock: qpid-cpp/0.16-7 Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: unblock Severity: normal Please unblock package qpid-cpp. This upload fixes a security problem in qpid's client handling (CVE-2012-3467). Please see http://www.openwall.com/lists/oss-security/2012/08/09/6 for more information. unblock qpid-cpp/0.16-7 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 3.2.0-3-686-pae (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru qpid-cpp-0.16/debian/changelog qpid-cpp-0.16/debian/changelog
--- qpid-cpp-0.16/debian/changelog 2012-06-05 09:40:01.000000000 +0200
+++ qpid-cpp-0.16/debian/changelog 2012-08-10 21:04:14.000000000 +0200
@@ -1,3 +1,10 @@
+qpid-cpp (0.16-7) unstable; urgency=low
+
+ * Fixes security issue CVE-2012-3467 which may allow bypassing the
+ broker authentication mechanism. Closes: #684456.
+
+ -- Cajus Pollmeier <cajus@debian.org> Fri, 10 Aug 2012 20:39:06 +0200
+
qpid-cpp (0.16-6) unstable; urgency=low
* Included a few additional headers to make the rhmessaging
diff -Nru qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch
--- qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch 1970-01-01 01:00:00.000000000 +0100
+++ qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch 2012-08-10 21:04:14.000000000 +0200
@@ -0,0 +1,243 @@
+--- a/src/qpid/broker/Connection.cpp
++++ b/src/qpid/broker/Connection.cpp
+@@ -87,10 +87,14 @@
+ bool link_,
+ uint64_t objectId_,
+ bool shadow_,
+- bool delayManagement) :
++ bool delayManagement,
++ bool authenticated_
++) :
+ ConnectionState(out_, broker_),
+ securitySettings(external),
+- adapter(*this, link_, shadow_),
++ shadow(shadow_),
++ authenticated(authenticated_),
++ adapter(*this, link_),
+ link(link_),
+ mgmtClosing(false),
+ mgmtId(mgmtId_),
+@@ -100,7 +104,6 @@
+ timer(broker_.getTimer()),
+ errorListener(0),
+ objectId(objectId_),
+- shadow(shadow_),
+ outboundTracker(*this)
+ {
+ outboundTracker.wrap(out);
+--- a/src/qpid/broker/Connection.h
++++ b/src/qpid/broker/Connection.h
+@@ -86,7 +86,8 @@
+ bool isLink = false,
+ uint64_t objectId = 0,
+ bool shadow=false,
+- bool delayManagement = false);
++ bool delayManagement = false,
++ bool authenticated=true);
+
+ ~Connection ();
+
+@@ -146,6 +147,9 @@
+ /** True if this is a shadow connection in a cluster. */
+ bool isShadow() { return shadow; }
+
++ /** True if this connection is authenticated */
++ bool isAuthenticated() const { return authenticated; }
++
+ // Used by cluster to update connection status
+ sys::AggregateOutput& getOutputTasks() { return outputTasks; }
+
+@@ -174,6 +178,8 @@
+
+ ChannelMap channels;
+ qpid::sys::SecuritySettings securitySettings;
++ bool shadow;
++ bool authenticated;
+ ConnectionHandler adapter;
+ const bool link;
+ bool mgmtClosing;
+@@ -188,7 +194,6 @@
+ boost::intrusive_ptr<ConnectionTimeoutTask> timeoutTimer;
+ ErrorListener* errorListener;
+ uint64_t objectId;
+- bool shadow;
+ framing::FieldTable clientProperties;
+
+ /**
+--- a/src/qpid/broker/ConnectionHandler.cpp
++++ b/src/qpid/broker/ConnectionHandler.cpp
+@@ -102,9 +102,10 @@
+ handler->secured = secured;
+ }
+
+-ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient, bool isShadow) : handler(new Handler(connection, isClient, isShadow)) {}
++ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient) :
++ handler(new Handler(connection, isClient)) {}
+
+-ConnectionHandler::Handler::Handler(Connection& c, bool isClient, bool isShadow) :
++ConnectionHandler::Handler::Handler(Connection& c, bool isClient) :
+ proxy(c.getOutput()),
+ connection(c), serverMode(!isClient), secured(0),
+ isOpen(false)
+@@ -115,14 +116,13 @@
+
+ properties.setString(QPID_FED_TAG, connection.getBroker().getFederationTag());
+
+- authenticator = SaslAuthenticator::createAuthenticator(c, isShadow);
++ authenticator = SaslAuthenticator::createAuthenticator(c);
+ authenticator->getMechanisms(mechanisms);
+
+ Array locales(0x95);
+ boost::shared_ptr<FieldValue> l(new Str16Value(en_US));
+ locales.add(l);
+ proxy.start(properties, mechanisms, locales);
+-
+ }
+
+ maxFrameSize = (64 * 1024) - 1;
+--- a/src/qpid/broker/ConnectionHandler.h
++++ b/src/qpid/broker/ConnectionHandler.h
+@@ -61,7 +61,7 @@
+ SecureConnection* secured;
+ bool isOpen;
+
+- Handler(Connection& connection, bool isClient, bool isShadow=false);
++ Handler(Connection& connection, bool isClient);
+ ~Handler();
+ void startOk(const qpid::framing::ConnectionStartOkBody& body);
+ void startOk(const qpid::framing::FieldTable& clientProperties,
+@@ -99,7 +99,7 @@
+
+ bool handle(const qpid::framing::AMQMethodBody& method);
+ public:
+- ConnectionHandler(Connection& connection, bool isClient, bool isShadow=false );
++ ConnectionHandler(Connection& connection, bool isClient );
+ void close(framing::connection::CloseCode code, const std::string& text);
+ void heartbeat();
+ void handle(framing::AMQFrame& frame);
+--- a/src/qpid/broker/SaslAuthenticator.cpp
++++ b/src/qpid/broker/SaslAuthenticator.cpp
+@@ -163,13 +163,17 @@
+
+ #endif
+
+-std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c, bool isShadow )
++std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c)
+ {
+ if (c.getBroker().getOptions().auth) {
+- if ( isShadow )
+- return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
++ // The cluster creates non-authenticated connections for internal shadow connections
++ // that are never connected to an external client.
++ if ( !c.isAuthenticated() )
++ return std::auto_ptr<SaslAuthenticator>(
++ new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+ else
+- return std::auto_ptr<SaslAuthenticator>(new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
++ return std::auto_ptr<SaslAuthenticator>(
++ new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+ } else {
+ QPID_LOG(debug, "SASL: No Authentication Performed");
+ return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+--- a/src/qpid/broker/SaslAuthenticator.h
++++ b/src/qpid/broker/SaslAuthenticator.h
+@@ -54,7 +54,7 @@
+ static void init(const std::string& saslName, std::string const & saslConfigPath );
+ static void fini(void);
+
+- static std::auto_ptr<SaslAuthenticator> createAuthenticator(Connection& connection, bool isShadow);
++ static std::auto_ptr<SaslAuthenticator> createAuthenticator(Connection& connection);
+
+ virtual void callUserIdCallbacks() { }
+ };
+--- a/src/qpid/cluster/Connection.cpp
++++ b/src/qpid/cluster/Connection.cpp
+@@ -82,7 +82,9 @@
+ const std::string& mgmtId,
+ const ConnectionId& id, const qpid::sys::SecuritySettings& external)
+ : cluster(c), self(id), catchUp(false), announced(false), output(*this, out),
+- connectionCtor(&output, cluster.getBroker(), mgmtId, external, false, 0, true),
++ connectionCtor(&output, cluster.getBroker(), mgmtId, external,
++ false/*isLink*/, 0/*objectId*/, true/*shadow*/, false/*delayManagement*/,
++ false/*authenticated*/),
+ expectProtocolHeader(false),
+ mcastFrameHandler(cluster.getMulticast(), self),
+ updateIn(c.getUpdateReceiver()),
+@@ -99,9 +101,10 @@
+ external,
+ isLink,
+ isCatchUp ? ++catchUpId : 0,
+- // The first catch-up connection is not considered a shadow
+- // as it needs to be authenticated.
+- isCatchUp && self.second > 1),
++ // The first catch-up connection is not a shadow
++ isCatchUp && self.second > 1,
++ false, // delayManagement
++ true), // catch up connecytions are authenticated
+ expectProtocolHeader(isLink),
+ mcastFrameHandler(cluster.getMulticast(), self),
+ updateIn(c.getUpdateReceiver()),
+--- a/src/qpid/cluster/Connection.h
++++ b/src/qpid/cluster/Connection.h
+@@ -226,6 +226,7 @@
+ uint64_t objectId;
+ bool shadow;
+ bool delayManagement;
++ bool authenticated;
+
+ ConnectionCtor(
+ sys::ConnectionOutputHandler* out_,
+@@ -235,17 +236,18 @@
+ bool isLink_=false,
+ uint64_t objectId_=0,
+ bool shadow_=false,
+- bool delayManagement_=false
++ bool delayManagement_=false,
++ bool authenticated_=true
+ ) : out(out_), broker(broker_), mgmtId(mgmtId_), external(external_),
+ isLink(isLink_), objectId(objectId_), shadow(shadow_),
+- delayManagement(delayManagement_)
++ delayManagement(delayManagement_), authenticated(authenticated_)
+ {}
+
+ std::auto_ptr<broker::Connection> construct() {
+ return std::auto_ptr<broker::Connection>(
+ new broker::Connection(
+ out, broker, mgmtId, external, isLink, objectId,
+- shadow, delayManagement)
++ shadow, delayManagement, authenticated)
+ );
+ }
+ };
+--- a/src/tests/cluster_tests.py
++++ b/src/tests/cluster_tests.py
+@@ -227,6 +227,18 @@
+ self.assertEqual("x", cluster[0].get_message("q").content)
+ self.assertEqual("y", cluster[1].get_message("q").content)
+
++ def test_other_mech(self):
++ """Test using a mechanism other than PLAIN/ANONYMOUS for cluster update authentication.
++ Regression test for https://issues.apache.org/jira/browse/QPID-3849"""
++ sasl_config=os.path.join(self.rootdir, "sasl_config")
++ cluster = self.cluster(2, args=["--auth", "yes", "--sasl-config", sasl_config,
++ "--cluster-username=zig",
++ "--cluster-password=zig",
++ "--cluster-mechanism=DIGEST-MD5"])
++ cluster[0].connect()
++ cluster.start() # Before the fix this broker falied to join the cluster.
++ cluster[2].connect()
++
+ def test_link_events(self):
+ """Regression test for https://bugzilla.redhat.com/show_bug.cgi?id=611543"""
+ args = ["--mgmt-pub-interval", 1] # Publish management information every second.
+--- a/src/tests/sasl_test_setup.sh
++++ b/src/tests/sasl_test_setup.sh
+@@ -30,7 +30,7 @@
+ auxprop_plugin: sasldb
+ sasldb_path: $PWD/sasl_config/qpidd.sasldb
+ sql_select: dummy select
+-mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL
++mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL CRAM-MD5
+ EOF
+
+ # Populate temporary sasl db.
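Review bot: The new `isAuthenticated()` accessor in broker/Connection.h is documented as "True if this connection is authenticated", but the flag is fixed by the constructor (default `true`) before any SASL exchange runs, and in this patch `createAuthenticator` reads it only to choose between `NullAuthenticator` and `CyrusAuthenticator`. A later caller that took it as proof that the peer has authenticated would be wrong for every external connection, so the comment should state the real meaning, e.g. `/** True if this connection must authenticate via SASL; false only for cluster-internal shadow connections. Does not mean the SASL exchange has completed. */`. The same header moves `shadow` and `authenticated` above `adapter`, apparently because `adapter(*this, link_)` can reach `createAuthenticator(c)` and therefore `c.isAuthenticated()` while `Connection` is still being constructed (the `Handler` constructor body is only partly visible here); that ordering is load-bearing and deserves `// must be declared before adapter: its constructor reads isAuthenticated()`. The added `test_other_mech` only checks that brokers can join with DIGEST-MD5, and nothing visible in this patch asserts that an unauthenticated external client is refused when `--auth yes` is set, which is the behaviour the CVE fix is meant to guarantee.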
diff -Nru qpid-cpp-0.16/debian/patches/series qpid-cpp-0.16/debian/patches/series
--- qpid-cpp-0.16/debian/patches/series 2012-05-24 13:08:09.000000000 +0200
+++ qpid-cpp-0.16/debian/patches/series 2012-08-10 21:04:14.000000000 +0200
@@ -1,3 +1,4 @@
+CVE-2012-3467.patch
disable-ssl-test.patch
CVE-2012-2145.patch
autotools.patch