
Bug#689289: marked as done (unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes))



Your message dated Sun, 25 Nov 2012 22:05:38 +0100
with message-id <20121125210538.GJ8091@radis.cristau.org>
and subject line Re: Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
has caused the Debian Bug report #689289,
regarding unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
689289: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689289
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

I have applied upstream patches for CVE-2012-445{6,7} (yes, yet another
CVE in keystone...), and fixed bad handling of /etc/keystone/keystone.conf.
The latter modifications have already been investigated by Julien, and I
believe they are in shape now.

If the release team prefers that I first undo the keystone.conf changes so
that only the CVE fixes migrate first, and the keystone.conf handling then
gets the standard 10 days of testing, that can be done too. I have no problem
doing this in 2 steps, to give more testing time for the keystone.conf
handling. But I believe it should be ok now.

The debdiff is attached. It's unfortunately not so small.

Thanks for your time working on the Wheezy release,
Please unblock keystone/2012.1.1-9,
Cheers,

Thomas Goirand (zigo)

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog	2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/changelog	2012-10-01 06:51:43.000000000 +0000
@@ -1,3 +1,28 @@
+keystone (2012.1.1-9) unstable; urgency=high
+
+  * Fixes sometimes failing keystone.postrm (db_get in some conditions can
+  return false), and fixed non-consistant indenting.
+  * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone
+  /keystone.conf.sample for temporary storing the conf file (this was a policy
+  violation, as the doc folder should never be required).
+  * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled,
+  CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210).
+
+ -- Thomas Goirand <zigo@debian.org>  Mon, 01 Oct 2012 05:52:23 +0000
+
+keystone (2012.1.1-8) unstable; urgency=low
+
+  * Fixes parsing of the SQL connection in keystone.config.
+
+ -- Thomas Goirand <zigo@debian.org>  Sun, 30 Sep 2012 01:48:50 +0000
+
+keystone (2012.1.1-7) unstable; urgency=low
+
+  * Fixes band handling (eg: policy violation) of keystone.conf which was
+  conffiles, but changed in the posinst (Closes: #687311).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 12 Sep 2012 17:09:47 +0000
+
 keystone (2012.1.1-6) unstable; urgency=high
 
   * CVE-2012-4413: Revoking a role does not affect existing tokens
diff -Nru keystone-2012.1.1/debian/keystone.config keystone-2012.1.1/debian/keystone.config
--- keystone-2012.1.1/debian/keystone.config	2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.config	2012-10-01 06:51:43.000000000 +0000
@@ -1,19 +1,79 @@
 #!/bin/sh
+
 set -e
 
 . /usr/share/debconf/confmodule
 
+### Reading of values in the keystone config file       ###
+### and setting default for dbconfig-common accordingly ###
+KEY_CONF=/etc/keystone/keystone.conf
+
+if [ -e "${KEY_CONF}" ] ; then
+	KEY_CONF_AUTH_TOKEN=`grep -E "^([ \t])*admin_token([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+	if [ -n "${KEY_CONF_AUTH_TOKEN}" ] ; then
+		db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}
+	fi
+fi
 db_input low keystone/auth-token || true
 db_input low keystone/configure_db || true
 db_go
+
 db_get keystone/configure_db
-if [ "$RET" = "true" ]; then
-    if [ -f /usr/share/dbconfig-common/dpkg/config ];
-    then
-	dbc_dbtypes="sqlite3, mysql, pgsql"
-	db_authmethod_user="password"
-	dbc_basepath="/var/lib/keystone"
+if [ "$RET" = "true" ] && [ -e "${KEY_CONF}" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then
 	. /usr/share/dbconfig-common/dpkg/config
+	KEY_CONF_DB_CON_INFO=`grep -E "^([ \t])*connection([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+	KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d":" -f1`
+	# If we have an undefined SQL type, we go back to a more sane default (eg: SQLite)
+	if [ "${KEY_CONF_DB_TYPE}" != "sqlite" ] && [ "${KEY_CONF_DB_TYPE}" != "mysql" ] && [ "${KEY_CONF_DB_TYPE}" != "pgsql" ] ; then
+		KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+		KEY_CONF_DB_TYPE="sqlite"
+	fi
+	if [ "${KEY_CONF_DB_TYPE}" = "sqlite" ] ; then
+		# This is the invalid default in the etc/keystone.conf in the source package
+		if [ "${KEY_CONF_DB_CON_INFO}" = "sqlite:///keystone.db" ] ; then
+			KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+		fi
+
+		KEY_CONF_DB_PATH=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,11)}'`
+		if [ -z "${KEY_CONF_DB_PATH}" ] ; then
+			KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite
+		fi
+		dbc_basepath=`dirname "${KEY_CONF_DB_PATH}"`
+		dbc_dbname=`basename "${KEY_CONF_DB_PATH}"`
+		dbc_dbtypes="sqlite3, mysql, pgsql"
+	else
+		# Later, the postinst does: mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
+		# so we are supposed to parse that if it exists
+		KEY_CONF_ADDR=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,9)}'`
+		KEY_CONF_BEFORE_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f1`
+		KEY_CONF_AFTER_AT=`echo "${KEY_CONF_ADDR}" | cut -d"@" -f2`
+
+		KEY_CONF_USER=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f2`
+		KEY_CONF_USER=`echo "${KEY_CONF_USER}" | cut -d"/" -f3`
+		KEY_CONF_PASS=`echo "${KEY_CONF_BEFORE_AT}" | cut -d":" -f3`
+		KEY_CONF_SERVER_PORT=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f1`
+		KEY_CONF_DB_NAME=`echo "${KEY_CONF_AFTER_AT}" | cut -d"/" -f2`
+
+		KEY_CONF_SERVER=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f1`
+		if echo "${KEY_CONF_SERVER_PORT}" | grep -Eq ":"  ; then
+			KEY_CONF_PORT=`echo "${KEY_CONF_SERVER_PORT}" | cut -d":" -f2`
+		else
+			KEY_CONF_PORT=""
+		fi
+
+		if [ -n "${KEY_CONF_USER}" ] && [ -n "${KEY_CONF_PASS}" ] && [ -n "${KEY_CONF_SERVER}" ] && [ -n "${KEY_CONF_DB_NAME}" ] ; then
+			dbc_dbuser=${KEY_CONF_USER}
+			dbc_dbpass=${KEY_CONF_PASS}
+			dbc_dbserver=${KEY_CONF_SERVER}
+			dbc_dbport=${KEY_CONF_PORT}
+			dbc_dbname=${KEY_CONF_DB_NAME}
+		fi
+		if [ "${KEY_CONF_DB_TYPE}" = "mysql" ] ; then
+			dbc_dbtypes="mysql, pgsql, sqlite3"
+		else
+			dbc_dbtypes="pgsql, mysql, sqlite3"
+		fi
+		db_authmethod_user="password"
+	fi
 	dbc_go keystone $@
-    fi
 fi
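Review bot: the new condition `if [ "$RET" = "true" ] && [ -e "${KEY_CONF}" ] && [ -f /usr/share/dbconfig-common/dpkg/config ]` means `dbc_go keystone $@` is never reached when /etc/keystone/keystone.conf does not exist yet, which is the case on a first install (the postinst only creates it later); the previous code ran dbc_go whenever configure_db was true and dbconfig-common was present. Consider sourcing dbconfig-common's config and calling dbc_go whenever configure_db is true, and only wrapping the connection-string parsing block in the `-e "${KEY_CONF}"` test. Two smaller points in the parsing itself: `grep -E "^([ \t])*admin_token([ \t])*=([ \t])*" | awk '{print $3}'` matches `admin_token=value` (no spaces) but then yields an empty `$3`, so a `sed -n 's/^[ \t]*admin_token[ \t]*=[ \t]*//p'` extraction would be more robust, and the `cut -d":"` / `cut -d"@"` splitting of the connection URL breaks on a database password containing `:` or `@`, with the result silently left unset because of the `-n` guards. The values handed to `db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}` and the dbc_* variables should also be double-quoted, since they are secrets read back from the config file.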
diff -Nru keystone-2012.1.1/debian/keystone.install keystone-2012.1.1/debian/keystone.install
--- keystone-2012.1.1/debian/keystone.install	2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.install	2012-10-01 06:51:43.000000000 +0000
@@ -1,2 +1,4 @@
 usr/bin/*
-etc/* etc/keystone
\ No newline at end of file
+etc/default_catalog.templates	/etc/keystone
+etc/logging.conf.sample	/usr/share/doc/keystone
+etc/policy.json		/etc/keystone
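Review bot: replacing the `etc/* etc/keystone` glob with an explicit list means keystone.conf is no longer shipped under /etc (so it stops being a dpkg conffile, consistent with the changelog and the new rules target), but it also drops anything else that lived under etc/ in the source tree; worth confirming that default_catalog.templates, logging.conf.sample and policy.json are the only other files there. The missing trailing newline on the old file is fixed as a side effect, which is welcome.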
diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst
--- keystone-2012.1.1/debian/keystone.postinst	2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.postinst	2012-10-01 06:51:43.000000000 +0000
@@ -1,77 +1,64 @@
 #!/bin/sh
+
 set -e
 
-if [ "$1" = "configure" ]
-then
-    . /usr/share/debconf/confmodule
-    . /usr/share/dbconfig-common/dpkg/postinst
-
-    adduser --system \
-            --home /var/lib/keystone \
-            --no-create-home \
-            --quiet \
-            --disabled-password \
-            --group keystone
-
-
-    db_get keystone/configure_db
-    if [ "$RET" = "true" ]; then
-	db_get keystone/database-type
-	if [ $RET = "sqlite3" ]
-	then
-	    dbc_name="keystone.sqlite"
-	    db_set keystone/db/dbname $dbc_name
+if [ "$1" = "configure" ] ; then
+	. /usr/share/debconf/confmodule
+	. /usr/share/dbconfig-common/dpkg/postinst
+
+	# Create config files if they don't exist
+	KEY_CONF=/etc/keystone/keystone.conf
+	if ! [ -e /etc/keystone ] ; then
+		mkdir /etc/keystone
+	fi
+	if ! [ -e "${KEY_CONF}" ] && [ -r /usr/share/keystone/keystone.conf ] ; then
+		cp -auxf /usr/share/keystone/keystone.conf ${KEY_CONF}
 	fi
-	dbc_dbfile_owner="keystone:keystone"
-
-	dbc_go keystone $@
-
-	if [ "$dbc_install" = "true" ]
-	then
-            case "$dbc_dbtype" in
-		sqlite3)
-                    SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
-                    ;;
-		mysql)
-                    [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
-                    SQL_CONNECTION="mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
-                    ;;
-		pgsql)
-                    [ -n "$dbc_dbport" ] && dbport=:$dbc_dbport
-                    SQL_CONNECTION="pgsql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
-                    ;;
-		*)
-                    SQL_CONNECTION="sqlite:////var/lib/keystone/$dbc_dbname"
-                    ;;
-            esac
-
-            sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i /etc/keystone/keystone.conf
 
-            if [ "$dbc_upgrade" = "true" ]
-            then
-		keystone-manage db_sync
-            fi
+	adduser --system \
+		--home /var/lib/keystone \
+		--no-create-home \
+		--quiet \
+		--disabled-password \
+		--group keystone
+
+	db_get keystone/configure_db
+	if [ "$RET" = "true" ] ; then
+		db_get keystone/database-type
+		dbc_dbfile_owner="keystone:keystone"
+
+		dbc_go keystone $@
+		if [ "$dbc_install" = "true" ] ; then
+			if [ "$dbc_dbtype" = "mysql" ] || [ "$dbc_dbtype" = "pgsql" ] ; then
+				if [ -n "$dbc_dbport" ] ; then
+					dbport=:$dbc_dbport
+				fi
+				SQL_CONNECTION="$dbc_dbtype://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname"
+			else
+				SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname"
+			fi
+		fi
+
+		sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i ${KEY_CONF}
+
+		if [ "$dbc_upgrade" = "true" ] ; then
+			keystone-manage db_sync
+		fi
 	fi
-    fi
 
-    if [ -z "$2" ]
-    then
 	db_get keystone/auth-token
 	AUTH_TOKEN=${RET:-ADMIN}
-	sed -s "s,^admin_token = ADMIN,admin_token = $AUTH_TOKEN," -i /etc/keystone/keystone.conf
-    fi
+	sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}
 
-    chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone
-    chmod 0750 /etc/keystone
-    chmod 0750 /var/log/keystone
+	chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone
+	chmod 0750 /etc/keystone
+	chmod 0750 /var/log/keystone
+	# On first install, create basics configuration and add roles
+	if [ -z "$2" ] ; then
+		keystone-manage db_sync
+	fi
 fi
 
 #DEBHELPER#
 
-# On first install, create basics configuration and add roles
-if [ -z "$2" ]
-then
-   keystone-manage db_sync
-fi
-
 exit 0
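Review bot: the `sed -e "s,^connection\s*=\s*.\+$,connection = $SQL_CONNECTION," -i ${KEY_CONF}` line has moved out of the `if [ "$dbc_install" = "true" ]` block it used to sit in, so when dbc_install is not true `$SQL_CONNECTION` is empty and the package rewrites the file's connection line to `connection = `, wiping a working setting; move the sed back inside that block or guard it with `[ -n "$SQL_CONNECTION" ]`. The admin token substitution has two problems as well: `sed -ie '...'` is parsed by GNU sed as `-i` with backup suffix `e`, which leaves a stale copy of the file as /etc/keystone/keystone.confe (still containing the previous admin_token) on every configure, so use `-i -e`; and `${AUTH_TOKEN}` is spliced unquoted between the single-quoted halves of the expression, so a token containing whitespace or `|` breaks the command. Suggest `sed -i -e "s|^[ \t]*admin_token[ \t]*=.*|admin_token = ${AUTH_TOKEN}|" "${KEY_CONF}"` after rejecting tokens that contain `|`. Lastly, dropping the `if [ -z "$2" ]` guard around the admin_token rewrite means upgrades now re-apply the debconf value on every configure; that is consistent with the config script reading the value back from the file first, but it is a behaviour change worth a changelog line.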
diff -Nru keystone-2012.1.1/debian/keystone.postrm keystone-2012.1.1/debian/keystone.postrm
--- keystone-2012.1.1/debian/keystone.postrm	2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.postrm	2012-10-01 06:51:43.000000000 +0000
@@ -2,24 +2,24 @@
 
 set -e
 
-if [ -f /usr/share/debconf/confmodule ]
-then
-    . /usr/share/debconf/confmodule
+if [ -f /usr/share/debconf/confmodule ] ;then
+	. /usr/share/debconf/confmodule
+	db_get keystone/configure_db || true
+	DEBCONF_CONFIGURE_DB=$RET
 fi
 
-db_get keystone/configure_db
-if [ "$RET" = "true" ]; then
-    if [ -f /usr/share/dbconfig-common/dpkg/postrm ]
-    then
-	. /usr/share/dbconfig-common/dpkg/postrm
-	dbc_go keystone $@
-    fi
+if [ "${DEBCONF_CONFIGURE_DB}" = "true" ] ; then
+	if [ -f /usr/share/dbconfig-common/dpkg/postrm ] ; then
+		. /usr/share/dbconfig-common/dpkg/postrm
+		dbc_go keystone $@
+	fi
 fi
 
 case "$1" in
-    purge)
-        rm -rf /var/log/keystone
+purge)
+	rm -rf /var/log/keystone
 	rm -rf /var/lib/keystone
+	rm -rf /etc/keystone
 esac
 
 #DEBHELPER#
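Review bot: storing `$RET` into `DEBCONF_CONFIGURE_DB` inside the `if [ -f /usr/share/debconf/confmodule ]` block is the right fix for the postrm failing under `set -e` when debconf is gone, and `rm -rf /etc/keystone` on purge is correct now that keystone.conf is generated rather than a conffile. Two style points: `] ;then` on the first `if` should read `] ; then` like the other lines in this hunk, and the `purge)` branch has no `;;` before `esac`; it is permitted for the last pattern, but adding it avoids a surprise when another case is added.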
diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch
--- keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch	1970-01-01 00:00:00.000000000 +0000
+++ keystone-2012.1.1/debian/patches/CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch	2012-10-01 06:51:43.000000000 +0000
@@ -0,0 +1,131 @@
+Description: Require authz for user role list
+ Jason Xu (yinyangxu@gmail.com) discovered several vulnerabilities in OpenStack
+ Keystone token verification:
+ .
+ The first occurs in the API /v2.0/OS-KSADM/services and
+ /v2.0/OS-KSADM/services/{service_id}, the second occurs in
+ /v2.0/tenants/{tenant_id}/users/{user_id}/roles
+ .
+ In both cases the OpenStack Keystone code fails to check if the tokens are
+ valid. These issues have been addressed by adding checks in the form of
+ test_service_crud_requires_auth() and test_user_role_list_requires_auth().
+Bug-Debian: http://bugs.debian.org/689210
+Bug-Ubuntu: https://bugs.launchpad.net/+bug/1006815
+Author: Dolph Mathews <dolph.mathews@gmail.com>
+Origin: Upstream
+
+Index: keystone/keystone/identity/core.py
+===================================================================
+--- keystone.orig/keystone/identity/core.py	2012-10-01 06:25:52.000000000 +0000
++++ keystone/keystone/identity/core.py	2012-10-01 06:25:52.000000000 +0000
+@@ -458,6 +458,7 @@
+         not implementing them in hopes that the idea will die off.
+ 
+         """
++        self.assert_admin(context)
+         if tenant_id is None:
+             raise exception.NotImplemented(message='User roles not supported: '
+                                                    'tenant ID required')
+Index: keystone/tests/test_content_types.py
+===================================================================
+--- keystone.orig/tests/test_content_types.py	2012-10-01 06:25:48.000000000 +0000
++++ keystone/tests/test_content_types.py	2012-10-01 06:25:52.000000000 +0000
+@@ -16,6 +16,7 @@
+ 
+ import httplib
+ import json
++import uuid
+ 
+ from lxml import etree
+ import nose.exc
+@@ -554,6 +555,49 @@
+     def assertValidVersionResponse(self, r):
+         self.assertValidVersion(r.body.get('version'))
+ 
++    def test_user_role_list_requires_auth(self):
++        """User role list should 401 without an X-Auth-Token (bug 1006815)."""
++        # values here don't matter because we should 401 before they're checked
++        path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % {
++                'tenant_id': uuid.uuid4().hex,
++                'user_id': uuid.uuid4().hex,
++        }
++
++        r = self.admin_request(path=path, expected_status=401)
++        self.assertValidErrorResponse(r)
++
++    def test_service_crud_requires_auth(self):
++        """Service CRUD should 401 without an X-Auth-Token (bug 1006822)."""
++        # values here don't matter because we should 401 before they're checked
++        service_path = '/v2.0/OS-KSADM/services/%s' % uuid.uuid4().hex
++        service_body = {
++                'OS-KSADM:service': {
++                    'name': uuid.uuid4().hex,
++                    'type': uuid.uuid4().hex,
++                    },
++                }
++
++        r = self.admin_request(method='GET',
++                               path='/v2.0/OS-KSADM/services',
++                               expected_status=401)
++        self.assertValidErrorResponse(r)
++
++        r = self.admin_request(method='POST',
++                               path='/v2.0/OS-KSADM/services',
++                               body=service_body,
++                               expected_status=401)
++        self.assertValidErrorResponse(r)
++
++        r = self.admin_request(method='GET',
++                               path=service_path,
++                               expected_status=401)
++        self.assertValidErrorResponse(r)
++
++        r = self.admin_request(method='DELETE',
++                               path=service_path,
++                               expected_status=401)
++        self.assertValidErrorResponse(r)
++
+ 
+ class XmlTestCase(RestfulTestCase, CoreApiTests):
+     xmlns = 'http://docs.openstack.org/identity/api/v2.0'
+Index: keystone/keystone/catalog/core.py
+===================================================================
+--- keystone.orig/keystone/catalog/core.py	2012-10-01 06:25:48.000000000 +0000
++++ keystone/keystone/catalog/core.py	2012-10-01 06:25:52.000000000 +0000
+@@ -116,29 +116,36 @@
+ class ServiceController(wsgi.Application):
+     def __init__(self):
+         self.catalog_api = Manager()
++        self.identity_api = identity.Manager()
++        self.policy_api = policy.Manager()
++        self.token_api = token.Manager()
+         super(ServiceController, self).__init__()
+ 
+     # CRUD extensions
+     # NOTE(termie): this OS-KSADM stuff is not very consistent
+     def get_services(self, context):
++        self.assert_admin(context)
+         service_list = self.catalog_api.list_services(context)
+         service_refs = [self.catalog_api.get_service(context, x)
+                         for x in service_list]
+         return {'OS-KSADM:services': service_refs}
+ 
+     def get_service(self, context, service_id):
++        self.assert_admin(context)
+         service_ref = self.catalog_api.get_service(context, service_id)
+         if not service_ref:
+             raise exception.ServiceNotFound(service_id=service_id)
+         return {'OS-KSADM:service': service_ref}
+ 
+     def delete_service(self, context, service_id):
++        self.assert_admin(context)
+         service_ref = self.catalog_api.get_service(context, service_id)
+         if not service_ref:
+             raise exception.ServiceNotFound(service_id=service_id)
+         self.catalog_api.delete_service(context, service_id)
+ 
+     def create_service(self, context, OS_KSADM_service):
++        self.assert_admin(context)
+         service_id = uuid.uuid4().hex
+         service_ref = OS_KSADM_service.copy()
+         service_ref['id'] = service_id
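Review bot: the catalog/core.py hunk makes ServiceController.__init__ call `identity.Manager()`, `policy.Manager()` and `token.Manager()` but the patch adds no imports to that module; please verify that `identity`, `policy` and `token` are already imported in 2012.1.1's catalog/core.py, otherwise the controller raises NameError at instantiation and the whole OS-KSADM service API fails closed instead of gaining the `assert_admin(context)` checks. In the DEP-3 header, the Description's last sentence credits the fix to the two test methods; those are regression tests, the actual fix is the `self.assert_admin(context)` calls added in identity/core.py and catalog/core.py, and the `Bug-Ubuntu` URL lacks the project path used by the sibling patch (`https://bugs.launchpad.net/keystone/+bug/1006815`).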
diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch
--- keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch	1970-01-01 00:00:00.000000000 +0000
+++ keystone-2012.1.1/debian/patches/CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch	2012-10-01 06:51:43.000000000 +0000
@@ -0,0 +1,95 @@
+Description: Raise unauthorized if tenant disabled
+ If the client attempts to explicitly authenticate against a disabled
+ tenant, keystone should return HTTP 401 Unauthorized.
+Bug-Debian: http://bugs.debian.org/689210
+Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/988920
+Author: Dolph Mathews <dolph.mathews@gmail.com>
+Origin: upstream
+
+Index: keystone/keystone/service.py
+===================================================================
+--- keystone.orig/keystone/service.py	2012-10-01 06:25:28.000000000 +0000
++++ keystone/keystone/service.py	2012-10-01 06:25:41.000000000 +0000
+@@ -280,6 +280,11 @@
+                 if not user_ref.get('enabled', True):
+                     LOG.warning('User %s is disabled' % user_id)
+                     raise exception.Unauthorized()
++
++                # If the tenant is disabled don't allow them to authenticate
++                if tenant_ref and not tenant_ref.get('enabled', True):
++                    LOG.warning('Tenant %s is disabled' % tenant_id)
++                    raise exception.Unauthorized()
+             except AssertionError as e:
+                 raise exception.Unauthorized(e.message)
+ 
+@@ -333,6 +338,12 @@
+ 
+             tenant_ref = self.identity_api.get_tenant(context=context,
+                                                       tenant_id=tenant_id)
++
++            # If the tenant is disabled don't allow them to authenticate
++            if tenant_ref and not tenant_ref.get('enabled', True):
++                LOG.warning('Tenant %s is disabled' % tenant_id)
++                raise exception.Unauthorized()
++
+             if tenant_ref:
+                 metadata_ref = self.identity_api.get_metadata(
+                         context=context,
+Index: keystone/tests/test_keystoneclient.py
+===================================================================
+--- keystone.orig/tests/test_keystoneclient.py	2012-10-01 06:25:41.000000000 +0000
++++ keystone/tests/test_keystoneclient.py	2012-10-01 06:25:41.000000000 +0000
+@@ -176,6 +176,53 @@
+                           self.get_client,
+                           user_ref)
+ 
++    def test_authenticate_disabled_tenant(self):
++        from keystoneclient import exceptions as client_exceptions
++
++        admin_client = self.get_client(admin=True)
++
++        tenant = {
++            'name': uuid.uuid4().hex,
++            'description': uuid.uuid4().hex,
++            'enabled': False,
++        }
++        tenant_ref = admin_client.tenants.create(
++            tenant_name=tenant['name'],
++            description=tenant['description'],
++            enabled=tenant['enabled'])
++        tenant['id'] = tenant_ref.id
++
++        user = {
++            'name': uuid.uuid4().hex,
++            'password': uuid.uuid4().hex,
++            'email': uuid.uuid4().hex,
++            'tenant_id': tenant['id'],
++        }
++        user_ref = admin_client.users.create(
++            name=user['name'],
++            password=user['password'],
++            email=user['email'],
++            tenant_id=user['tenant_id'])
++        user['id'] = user_ref.id
++
++        # password authentication
++        self.assertRaises(
++            client_exceptions.Unauthorized,
++            self._client,
++            username=user['name'],
++            password=user['password'],
++            tenant_id=tenant['id'])
++
++        # token authentication
++        client = self._client(
++            username=user['name'],
++            password=user['password'])
++        self.assertRaises(
++            client_exceptions.Unauthorized,
++            self._client,
++            token=client.auth_token,
++            tenant_id=tenant['id'])
++
+     # FIXME(ja): this test should require the "keystone:admin" roled
+     #            (probably the role set via --keystone_admin_role flag)
+     # FIXME(ja): add a test that admin endpoint is only sent to admin user
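Review bot: both new checks raise the same `exception.Unauthorized()` for a disabled tenant that the existing code raises for a disabled user, so the client learns nothing about tenant state from the response, and the `tenant_ref and` guard keeps unscoped authentication unaffected; in the first hunk the check sits inside the `try ... except AssertionError` block, which is fine because Unauthorized is not an AssertionError. The new test exercises both the password path and the token-rescoping path, matching the two hunks in service.py. Minor: `Origin: upstream` is lowercase here while the sibling patch uses `Origin: Upstream`, and the Description would benefit from naming CVE-2012-4457 so the id is searchable outside the filename.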
diff -Nru keystone-2012.1.1/debian/patches/series keystone-2012.1.1/debian/patches/series
--- keystone-2012.1.1/debian/patches/series	2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/patches/series	2012-10-01 06:51:43.000000000 +0000
@@ -4,3 +4,5 @@
 sql_conn.patch
 CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
 CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch
+CVE-2012-4456-Some_actions_in_Keystone_admin_API_do_not_validate_token.patch
+CVE-2012-4457-Raise_unauthorized_if_tenant_disabled.patch
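Review bot: style only, the two new entries separate the CVE id from the title with `-` whereas the two entries above use `_`; harmless for quilt, but consistent naming makes the series easier to scan.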
diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules
--- keystone-2012.1.1/debian/rules	2012-09-12 16:33:13.000000000 +0000
+++ keystone-2012.1.1/debian/rules	2012-10-01 06:51:43.000000000 +0000
@@ -42,6 +42,11 @@
 	rm -rf debian/python-keystone/usr/lib/python*/*/doc
 	rm -rf debian/python-keystone/usr/lib/python*/*/tools
 	rm -rf debian/python-keystone/usr/lib/python*/*/examples
+	install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf
+
+override_dh_fixperms:
+	dh_fixperms
+	chmod 0640 debian/keystone/usr/share/keystone/keystone.conf
 
 override_dh_clean:
 	rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
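Review bot: the 0640 mode is applied twice on purpose, since dh_fixperms normalises the file to 0644 after the `install -D -m 0640` line; that is the expected pattern. Shipping the template under /usr/share/keystone rather than /usr/share/doc resolves the policy point from the changelog, and because the file is owned root:root at 0640 in the package only root can read the shipped admin_token default, with the postinst's `cp -a` preserving that mode before the recursive chown to keystone:keystone. The appended `install` line lands in a target whose header is outside the context shown; confirm it is the override that produces debian/keystone and not the python-keystone clean-up rule the preceding lines belong to.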

--- End Message ---
--- Begin Message ---
On Mon, Oct  1, 2012 at 15:00:25 +0800, Thomas Goirand wrote:

> Please unblock keystone/2012.1.1-9,

-10 unblocked.

Cheers,
Julien



--- End Message ---