
Bug#687434: unblock: keystone/2012.1.1-6 (fixes: CVE-2012-4413)



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package keystone. This fixes CVE-2012-4413. Debdiff is
attached.

Note that I am well aware of #687311 (I was the one who reported it),
but I would like to fix this one later on, using urgency=low, so it
has more time for testing before migration. Please let me know if I
should lower the severity of #687311 for the package to migrate, or
if the release team has some magic way to let it migrate anyway.

Cheers,

Thomas Goirand
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog	2012-08-30 18:37:58.000000000 +0000
+++ keystone-2012.1.1/debian/changelog	2012-09-12 16:33:13.000000000 +0000
@@ -1,3 +1,10 @@
+keystone (2012.1.1-6) unstable; urgency=high
+
+  * CVE-2012-4413: Revoking a role does not affect existing tokens
+  (Closes: #687428).
+
+ -- Thomas Goirand <zigo@debian.org>  Sun, 09 Sep 2012 02:21:11 +0000
+
 keystone (2012.1.1-5) unstable; urgency=low
 
   * CVE-2012-3542: Fixes lack of authorization for adding users to tenants
diff -Nru keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch
--- keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch	1970-01-01 00:00:00.000000000 +0000
+++ keystone-2012.1.1/debian/patches/CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch	2012-09-12 16:33:13.000000000 +0000
@@ -0,0 +1,128 @@
+Description: CVE-2012-4413: Revoking a role does not affect existing tokens
+ Dolph Mathews reported a vulnerability in Keystone. Granting and
+ revoking roles from a user is not reflected upon token validation for
+ pre-existing tokens. Pre-existing tokens continue to be valid for the
+ original set of roles for the remainder of the token's lifespan, or
+ until explicitly invalidated. This fix invalidates all tokens held by
+ a user upon role grant/revoke to circumvent the issue.
+Author: Dolph Mathews
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/687428
+
+--- keystone-2012.1.1.orig/tests/test_keystoneclient.py
++++ keystone-2012.1.1/tests/test_keystoneclient.py
+@@ -722,15 +722,15 @@ class KcMasterTestCase(CompatTestCase, K
+     def test_tenant_add_and_remove_user(self):
+         client = self.get_client(admin=True)
+         client.roles.add_user_role(tenant=self.tenant_baz['id'],
+-                                   user=self.user_foo['id'],
++                                   user=self.user_two['id'],
+                                    role=self.role_useless['id'])
+         user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
+-        self.assert_(self.user_foo['id'] in [x.id for x in user_refs])
++        self.assert_(self.user_two['id'] in [x.id for x in user_refs])
+         client.roles.remove_user_role(tenant=self.tenant_baz['id'],
+-                                      user=self.user_foo['id'],
++                                      user=self.user_two['id'],
+                                       role=self.role_useless['id'])
+         user_refs = client.tenants.list_users(tenant=self.tenant_baz['id'])
+-        self.assert_(self.user_foo['id'] not in [x.id for x in user_refs])
++        self.assert_(self.user_two['id'] not in [x.id for x in user_refs])
+ 
+     def test_user_role_add_404(self):
+         from keystoneclient import exceptions as client_exceptions
+@@ -843,16 +843,16 @@ class KcEssex3TestCase(CompatTestCase, K
+     def test_tenant_add_and_remove_user(self):
+         client = self.get_client(admin=True)
+         client.roles.add_user_to_tenant(tenant_id=self.tenant_baz['id'],
+-                                        user_id=self.user_foo['id'],
++                                        user_id=self.user_two['id'],
+                                         role_id=self.role_useless['id'])
+         role_refs = client.roles.get_user_role_refs(
+-                user_id=self.user_foo['id'])
++                user_id=self.user_two['id'])
+         self.assert_(self.tenant_baz['id'] in [x.tenantId for x in role_refs])
+ 
+         # get the "role_refs" so we get the proper id, this is how the clients
+         # do it
+         roleref_refs = client.roles.get_user_role_refs(
+-                user_id=self.user_foo['id'])
++                user_id=self.user_two['id'])
+         for roleref_ref in roleref_refs:
+             if (roleref_ref.roleId == self.role_useless['id']
+                 and roleref_ref.tenantId == self.tenant_baz['id']):
+@@ -860,11 +860,11 @@ class KcEssex3TestCase(CompatTestCase, K
+                 break
+ 
+         client.roles.remove_user_from_tenant(tenant_id=self.tenant_baz['id'],
+-                                             user_id=self.user_foo['id'],
++                                             user_id=self.user_two['id'],
+                                              role_id=roleref_ref.id)
+ 
+         role_refs = client.roles.get_user_role_refs(
+-                user_id=self.user_foo['id'])
++                user_id=self.user_two['id'])
+         self.assert_(self.tenant_baz['id'] not in
+                      [x.tenantId for x in role_refs])
+ 
+--- keystone-2012.1.1.orig/keystone/token/core.py
++++ keystone-2012.1.1/keystone/token/core.py
+@@ -38,6 +38,10 @@ class Manager(manager.Manager):
+     def __init__(self):
+         super(Manager, self).__init__(CONF.token.driver)
+ 
++    def revoke_tokens(self, context, user_id):
++        for token_id in self.list_tokens(context, user_id):
++            self.delete_token(context, token_id)
++
+ 
+ class Driver(object):
+     """Interface description for a Token driver."""
+@@ -97,6 +101,13 @@ class Driver(object):
+         """
+         raise exception.NotImplemented()
+ 
++    def revoke_tokens(self, user_id):
++        """Invalidates all tokens held by a user.
++
++        :raises: keystone.exception.UserNotFound
++        """
++        raise exception.NotImplemented()
++
+     def _get_default_expire_time(self):
+         """Determine when a token should expire based on the config.
+ 
+--- keystone-2012.1.1.orig/keystone/identity/core.py
++++ keystone-2012.1.1/keystone/identity/core.py
+@@ -524,6 +524,8 @@ class RoleController(wsgi.Application):
+         self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
+         self.identity_api.add_role_to_user_and_tenant(
+                 context, user_id, tenant_id, role_id)
++        self.token_api.revoke_tokens(context, user_id)
++
+         role_ref = self.identity_api.get_role(context, role_id)
+         return {'role': role_ref}
+ 
+@@ -554,7 +556,7 @@ class RoleController(wsgi.Application):
+         if not roles:
+             self.identity_api.remove_user_from_tenant(
+                     context, tenant_id, user_id)
+-        return
++        self.token_api.revoke_tokens(context, user_id)
+ 
+     # COMPAT(diablo): CRUD extension
+     def get_role_refs(self, context, user_id):
+@@ -596,6 +598,8 @@ class RoleController(wsgi.Application):
+         self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
+         self.identity_api.add_role_to_user_and_tenant(
+                 context, user_id, tenant_id, role_id)
++        self.token_api.revoke_tokens(context, user_id)
++
+         role_ref = self.identity_api.get_role(context, role_id)
+         return {'role': role_ref}
+ 
+@@ -623,3 +627,4 @@ class RoleController(wsgi.Application):
+         if not roles:
+             self.identity_api.remove_user_from_tenant(
+                     context, tenant_id, user_id)
++        self.token_api.revoke_tokens(context, user_id)
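Review bot: `Manager.revoke_tokens` in the keystone/token/core.py section iterates `self.list_tokens` and calls `self.delete_token` once per token with no error handling, so a failure on a single token (for example one that was purged between the list and the delete) aborts the loop and leaves the user's remaining tokens valid, even though the role change in identity/core.py has already been persisted before the revoke call runs. If the configured token backend raises a not-found error for that case, tolerating it per token with `try: self.delete_token(context, token_id)` / `except exception.TokenNotFound: pass` would keep the revocation going; whether `list_tokens` is supported by every token driver is outside this patch and should be confirmed. The new `Driver.revoke_tokens(self, user_id)` is declared to raise `exception.NotImplemented()` but nothing in the patch calls it — `Manager.revoke_tokens` does not delegate to the driver — so either the interface method should go or the manager should route through it. `Manager.revoke_tokens` also lacks a docstring while the driver stub has one; `"""Invalidate every token held by user_id, called after a role grant or revoke so cached role sets do not outlive the change."""` would do. The test changes from `user_foo` to `user_two` in test_keystoneclient.py suggest the admin client's own token is revoked when it changes its own roles; that side effect deserves a comment on the two controller call sites.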
diff -Nru keystone-2012.1.1/debian/patches/series keystone-2012.1.1/debian/patches/series
--- keystone-2012.1.1/debian/patches/series	2012-08-30 18:37:58.000000000 +0000
+++ keystone-2012.1.1/debian/patches/series	2012-09-12 16:33:13.000000000 +0000
@@ -3,3 +3,4 @@
 default_catalog.patch
 sql_conn.patch
 CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
+CVE-2012-4413_Revoking-a-role-does-not-affect-existing-tokens.patch
