
Bug#685741: marked as done (unblock: qpid-cpp/0.16-7)



Your message dated Mon, 08 Oct 2012 14:35:28 +0200
with message-id <5072C890.70801@dogguy.org>
and subject line Re: Bug#685741: unblock: qpid-cpp/0.16-7
has caused the Debian Bug report #685741,
regarding unblock: qpid-cpp/0.16-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
685741: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685741
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Subject: unblock: qpid-cpp/0.16-7
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package qpid-cpp

This upload fixes a security problem in qpid's client handling
(CVE-2012-3467). Please see

http://www.openwall.com/lists/oss-security/2012/08/09/6

for more information.

unblock qpid-cpp/0.16-7

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru qpid-cpp-0.16/debian/changelog qpid-cpp-0.16/debian/changelog
--- qpid-cpp-0.16/debian/changelog	2012-06-05 09:40:01.000000000 +0200
+++ qpid-cpp-0.16/debian/changelog	2012-08-10 21:04:14.000000000 +0200
@@ -1,3 +1,10 @@
+qpid-cpp (0.16-7) unstable; urgency=low
+
+  * Fixes security issue CVE-2012-3467 which may allow bypassing the
+    broker authentication mechanism. Closes: #684456.
+
+ -- Cajus Pollmeier <cajus@debian.org>  Fri, 10 Aug 2012 20:39:06 +0200
+
 qpid-cpp (0.16-6) unstable; urgency=low
 
   * Included a few additional headers to make the rhmessaging
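Review bot: urgency=low on the 0.16-7 entry does not match a fix that the same entry describes as closing a possible bypass of the broker authentication mechanism. Consider urgency=medium or high for this upload, or state in the unblock request why low is intended.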
diff -Nru qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch
--- qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch	1970-01-01 01:00:00.000000000 +0100
+++ qpid-cpp-0.16/debian/patches/CVE-2012-3467.patch	2012-08-10 21:04:14.000000000 +0200
@@ -0,0 +1,243 @@
+--- a/src/qpid/broker/Connection.cpp
++++ b/src/qpid/broker/Connection.cpp
+@@ -87,10 +87,14 @@
+                        bool link_,
+                        uint64_t objectId_,
+                        bool shadow_,
+-                       bool delayManagement) :
++                       bool delayManagement,
++                       bool authenticated_
++) :
+     ConnectionState(out_, broker_),
+     securitySettings(external),
+-    adapter(*this, link_, shadow_),
++    shadow(shadow_),
++    authenticated(authenticated_),
++    adapter(*this, link_),
+     link(link_),
+     mgmtClosing(false),
+     mgmtId(mgmtId_),
+@@ -100,7 +104,6 @@
+     timer(broker_.getTimer()),
+     errorListener(0),
+     objectId(objectId_),
+-    shadow(shadow_),
+     outboundTracker(*this)
+ {
+     outboundTracker.wrap(out);
+--- a/src/qpid/broker/Connection.h
++++ b/src/qpid/broker/Connection.h
+@@ -86,7 +86,8 @@
+                bool isLink = false,
+                uint64_t objectId = 0,
+                bool shadow=false,
+-               bool delayManagement = false);
++               bool delayManagement = false,
++               bool authenticated=true);
+ 
+     ~Connection ();
+ 
+@@ -146,6 +147,9 @@
+     /** True if this is a shadow connection in a cluster. */
+     bool isShadow() { return shadow; }
+ 
++    /** True if this connection is authenticated */
++    bool isAuthenticated() const { return authenticated; }
++
+     // Used by cluster to update connection status
+     sys::AggregateOutput& getOutputTasks() { return outputTasks; }
+ 
+@@ -174,6 +178,8 @@
+ 
+     ChannelMap channels;
+     qpid::sys::SecuritySettings securitySettings;
++    bool shadow;
++    bool authenticated;
+     ConnectionHandler adapter;
+     const bool link;
+     bool mgmtClosing;
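Review bot: the move of shadow and authenticated above adapter in the member list is load-bearing but carries no comment saying so. adapter is built from *this, the Handler constructor calls SaslAuthenticator::createAuthenticator(c), and that now reads c.isAuthenticated(); because members are initialized in declaration order, a later reordering that puts adapter first would make the choice between NullAuthenticator and CyrusAuthenticator depend on an uninitialized bool. A one-line comment above the two bools stating that they must precede adapter would protect this.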
+@@ -188,7 +194,6 @@
+     boost::intrusive_ptr<ConnectionTimeoutTask> timeoutTimer;
+     ErrorListener* errorListener;
+     uint64_t objectId;
+-    bool shadow;
+     framing::FieldTable clientProperties;
+ 
+     /**
+--- a/src/qpid/broker/ConnectionHandler.cpp
++++ b/src/qpid/broker/ConnectionHandler.cpp
+@@ -102,9 +102,10 @@
+     handler->secured = secured;
+ }
+ 
+-ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient, bool isShadow)  : handler(new Handler(connection, isClient, isShadow)) {}
++ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient)  :
++    handler(new Handler(connection, isClient)) {}
+ 
+-ConnectionHandler::Handler::Handler(Connection& c, bool isClient, bool isShadow) :
++ConnectionHandler::Handler::Handler(Connection& c, bool isClient) :
+     proxy(c.getOutput()),
+     connection(c), serverMode(!isClient), secured(0),
+     isOpen(false)
+@@ -115,14 +116,13 @@
+ 
+         properties.setString(QPID_FED_TAG, connection.getBroker().getFederationTag());
+ 
+-        authenticator = SaslAuthenticator::createAuthenticator(c, isShadow);
++	authenticator = SaslAuthenticator::createAuthenticator(c);
+         authenticator->getMechanisms(mechanisms);
+ 
+         Array locales(0x95);
+         boost::shared_ptr<FieldValue> l(new Str16Value(en_US));
+         locales.add(l);
+         proxy.start(properties, mechanisms, locales);
+-        
+     }
+ 
+     maxFrameSize = (64 * 1024) - 1;
+--- a/src/qpid/broker/ConnectionHandler.h
++++ b/src/qpid/broker/ConnectionHandler.h
+@@ -61,7 +61,7 @@
+         SecureConnection* secured;
+         bool isOpen;
+ 
+-        Handler(Connection& connection, bool isClient, bool isShadow=false);
++        Handler(Connection& connection, bool isClient);
+         ~Handler();
+         void startOk(const qpid::framing::ConnectionStartOkBody& body);
+         void startOk(const qpid::framing::FieldTable& clientProperties,
+@@ -99,7 +99,7 @@
+ 
+     bool handle(const qpid::framing::AMQMethodBody& method);
+   public:
+-    ConnectionHandler(Connection& connection, bool isClient, bool isShadow=false );
++    ConnectionHandler(Connection& connection, bool isClient );
+     void close(framing::connection::CloseCode code, const std::string& text);
+     void heartbeat();
+     void handle(framing::AMQFrame& frame);
+--- a/src/qpid/broker/SaslAuthenticator.cpp
++++ b/src/qpid/broker/SaslAuthenticator.cpp
+@@ -163,13 +163,17 @@
+ 
+ #endif
+ 
+-std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c, bool isShadow )
++std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c)
+ {
+     if (c.getBroker().getOptions().auth) {
+-        if ( isShadow )
+-            return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
++        // The cluster creates non-authenticated connections for internal shadow connections
++        // that are never connected to an external client.
++        if ( !c.isAuthenticated() )
++            return std::auto_ptr<SaslAuthenticator>(
++                new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+         else 
+-            return std::auto_ptr<SaslAuthenticator>(new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
++            return std::auto_ptr<SaslAuthenticator>(
++                new CyrusAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
+     } else {
+         QPID_LOG(debug, "SASL: No Authentication Performed");
+         return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c, c.getBroker().getOptions().requireEncrypted));
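Review bot: in the auth-enabled branch, the !c.isAuthenticated() path returns a NullAuthenticator without logging anything, while the auth-disabled branch just below logs "SASL: No Authentication Performed". This is the one path where a broker running with auth enabled skips SASL, so a QPID_LOG line here would make every connection constructed with authenticated=false visible in the broker log for audit.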
+--- a/src/qpid/broker/SaslAuthenticator.h
++++ b/src/qpid/broker/SaslAuthenticator.h
+@@ -54,7 +54,7 @@
+     static void init(const std::string& saslName, std::string const & saslConfigPath );
+     static void fini(void);
+ 
+-    static std::auto_ptr<SaslAuthenticator> createAuthenticator(Connection& connection, bool isShadow);
++    static std::auto_ptr<SaslAuthenticator> createAuthenticator(Connection& connection);
+ 
+     virtual void callUserIdCallbacks() { }
+ };
+--- a/src/qpid/cluster/Connection.cpp
++++ b/src/qpid/cluster/Connection.cpp
+@@ -82,7 +82,9 @@
+                        const std::string& mgmtId,
+                        const ConnectionId& id, const qpid::sys::SecuritySettings& external)
+     : cluster(c), self(id), catchUp(false), announced(false), output(*this, out),
+-      connectionCtor(&output, cluster.getBroker(), mgmtId, external, false, 0, true),
++      connectionCtor(&output, cluster.getBroker(), mgmtId, external,
++                     false/*isLink*/, 0/*objectId*/, true/*shadow*/, false/*delayManagement*/,
++                     false/*authenticated*/),
+       expectProtocolHeader(false),
+       mcastFrameHandler(cluster.getMulticast(), self),
+       updateIn(c.getUpdateReceiver()),
+@@ -99,9 +101,10 @@
+                    external,
+                    isLink,
+                    isCatchUp ? ++catchUpId : 0,
+-                   // The first catch-up connection is not considered a shadow
+-                   // as it needs to be authenticated.
+-                   isCatchUp && self.second > 1),
++                   // The first catch-up connection is not a shadow
++                   isCatchUp && self.second > 1,
++                   false,       // delayManagement
++                   true),       // catch up connecytions are authenticated
+     expectProtocolHeader(isLink),
+     mcastFrameHandler(cluster.getMulticast(), self),
+     updateIn(c.getUpdateReceiver()),
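Review bot: the replacement comment on the shadow argument drops the reason the old one gave (the first catch-up connection "needs to be authenticated"), and the new trailing comment has a typo, "connecytions". Now that shadow and authenticated are separate flags, this call should say why it passes true for authenticated, and the arguments would read more safely annotated in the false/*isLink*/ style used in the first constructor of this file.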
+--- a/src/qpid/cluster/Connection.h
++++ b/src/qpid/cluster/Connection.h
+@@ -226,6 +226,7 @@
+         uint64_t objectId;
+         bool shadow;
+         bool delayManagement;
++        bool authenticated;
+ 
+         ConnectionCtor(
+             sys::ConnectionOutputHandler* out_,
+@@ -235,17 +236,18 @@
+             bool isLink_=false,
+             uint64_t objectId_=0,
+             bool shadow_=false,
+-            bool delayManagement_=false
++            bool delayManagement_=false,
++            bool authenticated_=true
+         ) : out(out_), broker(broker_), mgmtId(mgmtId_), external(external_),
+             isLink(isLink_), objectId(objectId_), shadow(shadow_),
+-            delayManagement(delayManagement_)
++            delayManagement(delayManagement_), authenticated(authenticated_)
+         {}
+ 
+         std::auto_ptr<broker::Connection> construct() {
+             return std::auto_ptr<broker::Connection>(
+                 new broker::Connection(
+                     out, broker, mgmtId, external, isLink, objectId,
+-                    shadow, delayManagement)
++                    shadow, delayManagement, authenticated)
+             );
+         }
+     };
+--- a/src/tests/cluster_tests.py
++++ b/src/tests/cluster_tests.py
+@@ -227,6 +227,18 @@
+         self.assertEqual("x", cluster[0].get_message("q").content)
+         self.assertEqual("y", cluster[1].get_message("q").content)
+ 
++    def test_other_mech(self):
++        """Test using a mechanism other than PLAIN/ANONYMOUS for cluster update  authentication.
++        Regression test for https://issues.apache.org/jira/browse/QPID-3849""";
++        sasl_config=os.path.join(self.rootdir, "sasl_config")
++        cluster = self.cluster(2, args=["--auth", "yes", "--sasl-config", sasl_config,
++                                        "--cluster-username=zig",
++                                        "--cluster-password=zig",
++                                        "--cluster-mechanism=DIGEST-MD5"])
++        cluster[0].connect()
++        cluster.start()         # Before the fix this broker falied to join the cluster.
++        cluster[2].connect()
++
+     def test_link_events(self):
+         """Regression test for https://bugzilla.redhat.com/show_bug.cgi?id=611543""";
+         args = ["--mgmt-pub-interval", 1] # Publish management information every second.
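Review bot: test_other_mech covers only the positive path, that a third broker joins with DIGEST-MD5 and that connect() succeeds on brokers 0 and 2; nothing in it asserts that a connection without valid credentials is refused when the cluster runs with --auth yes, which is the behaviour the changelog says this fix protects. A companion test that attempts a connection with wrong credentials against each member and expects failure would pin that down. Minor: "falied" in the comment, and the stray semicolon after the docstring.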
+--- a/src/tests/sasl_test_setup.sh
++++ b/src/tests/sasl_test_setup.sh
+@@ -30,7 +30,7 @@
+ auxprop_plugin: sasldb
+ sasldb_path: $PWD/sasl_config/qpidd.sasldb
+ sql_select: dummy select
+-mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL
++mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL CRAM-MD5
+ EOF
+ 
+ # Populate temporary sasl db.
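Review bot: CRAM-MD5 is added to mech_list here, but the only test added in this patch passes --cluster-mechanism=DIGEST-MD5, which was already in the list. Either add a test case that exercises CRAM-MD5 or note why the test configuration needs it.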
diff -Nru qpid-cpp-0.16/debian/patches/series qpid-cpp-0.16/debian/patches/series
--- qpid-cpp-0.16/debian/patches/series	2012-05-24 13:08:09.000000000 +0200
+++ qpid-cpp-0.16/debian/patches/series	2012-08-10 21:04:14.000000000 +0200
@@ -1,3 +1,4 @@
+CVE-2012-3467.patch
 disable-ssl-test.patch
 CVE-2012-2145.patch
 autotools.patch
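Review bot: CVE-2012-3467.patch is added to series with no header; its first line is already the "--- a/src/qpid/broker/Connection.cpp" file header, so the patch itself carries no description, origin or bug reference. A short DEP-3 style header (Description, Origin, and Bug-Debian pointing at #684456) would let a later reviewer trace the change without going back to the changelog.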



--- End Message ---
--- Begin Message ---
On 05/10/2012 07:16, Cajus Pollmeier wrote:
> Hi Moritz,
> 
> there will be time on the week-end. The last two months were a bit "packed" 
> with stuff :-(
> 

FWIW, I approved the upload. Closing now.

and thanks for your work!

-- 
Mehdi Dogguy مهدي الدڤي

--- End Message ---
