
Bug#859819: unblock: nova/14.0.0-4 (CVE-2017-7214)



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nova

This upload fixes CVE-2017-7214, and bumps openstack-pkg-tools build-depends
to >= 54~, to make sure the nova-api config script doesn't use /sbin/route
and /bin/ip if they aren't available (as they aren't essential packages).

Please unblock nova/14.0.0-4,
Cheers,

Thomas Goirand (zigo)
diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog	2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/changelog	2017-04-02 10:52:50.000000000 +0000
@@ -1,3 +1,14 @@
+nova (2:14.0.0-4) unstable; urgency=medium
+
+  [ David Rabel ]
+  * Team upload.
+  * Bump build dependency on openstack-pkg-tools (Closes: #858708, #858710).
+
+  [ Thomas Goirand ]
+  * CVE-2017-7214: apply upstream patch (Closes: 858568).
+
+ -- Thomas Goirand <zigo@debian.org>  Sun, 02 Apr 2017 12:52:50 +0200
+
 nova (2:14.0.0-3) unstable; urgency=medium
 
   [ Ondřej Nový ]
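Review bot: the bug reference on the CVE-2017-7214 line, `(Closes: 858568)`, is missing the `#` that the other entry in the same stanza uses (`Closes: #858708, #858710`); dpkg-parsechangelog tolerates a bare number, but for consistency with the rest of the changelog and with the `Bug-Debian: https://bugs.debian.org/858568` header in the new patch, write it as `(Closes: #858568)`.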
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control	2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/control	2017-04-02 10:52:50.000000000 +0000
@@ -7,7 +7,7 @@
 Build-Depends: debhelper (>= 10),
                dh-python,
                dh-systemd,
-               openstack-pkg-tools (>= 52~),
+               openstack-pkg-tools (>= 54~),
                po-debconf,
                python-all,
                python-pbr (>= 1.8),
diff -Nru nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch
--- nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch	1970-01-01 00:00:00.000000000 +0000
+++ nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch	2017-04-02 10:52:50.000000000 +0000
@@ -0,0 +1,50 @@
+Description: CVE-2017-7214: do not include context to exception notification
+ The wrap_exception decorator optionally emited a notification.
+ Based on the code comments the original intention was not to include the
+ context to that notification due to security reasons. However the
+ implementation did included the context to the payload of the legacy
+ notification.
+ .
+ Recently we saw circural reference errors during the payload serialization
+ of this notification. Based on the logs the only complex data structure
+ that could cause circural reference is the context. So this patch
+ removes the context from the legacy exception notification.
+ .
+ The versioned exception notification is not affected as it does not
+ contain the args of the decorated function.
+Author: Balazs Gibizer <balazs.gibizer@ericsson.com>
+Date: Fri, 17 Mar 2017 10:24:49 +0000 (+0100)
+X-Git-Tag: 14.0.5~1
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=d0ee248bab6727555561c15998c58a0f11a5351b
+Origin: https://review.openstack.org/447072
+Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1673569
+Bug-Debian: https://bugs.debian.org/858568
+Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688
+Last-Update: 2017-04-02
+
+diff --git a/nova/exception_wrapper.py b/nova/exception_wrapper.py
+index 5b74c3b..5051b83 100644
+--- a/nova/exception_wrapper.py
++++ b/nova/exception_wrapper.py
+@@ -86,6 +86,9 @@ def _get_call_dict(function, self, context, *args, **kw):
+     # self can't be serialized and shouldn't be in the
+     # payload
+     call_dict.pop('self', None)
++    # NOTE(gibi) remove context as well as it contains sensitive information
++    # and it can also contain circular references
++    call_dict.pop('context', None)
+     return _cleanse_dict(call_dict)
+ 
+ 
+diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py
+index a9bada1..55478a6 100644
+--- a/nova/tests/unit/test_exception.py
++++ b/nova/tests/unit/test_exception.py
+@@ -61,6 +61,7 @@ class WrapExceptionTestCase(test.NoDBTestCase):
+         self.assertEqual(3, notification.payload['args']['extra'])
+         for key in ['exception', 'args']:
+             self.assertIn(key, notification.payload.keys())
++        self.assertNotIn('context', notification.payload['args'].keys())
+ 
+         self.assertEqual(1, len(fake_notifier.VERSIONED_NOTIFICATIONS))
+         notification = fake_notifier.VERSIONED_NOTIFICATIONS[0]
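Review bot: the new `call_dict.pop('context', None)` in `_get_call_dict` is placed after the existing `call_dict.pop('self', None)` and before `return _cleanse_dict(call_dict)`, so the context is removed from the legacy exception notification payload entirely rather than being passed through the cleansing step, which is what the DEP-3 Description promises and what the added `self.assertNotIn('context', notification.payload['args'].keys())` checks. Two smaller points: the Description carries the upstream commit message's typos verbatim ("emited", "circural", "did included"); that is acceptable for a quoted upstream message, but a short Debian-side summary line above it would read better. And the test change only exercises the legacy payload; the Description's statement that the versioned notification is unaffected rests on the existing assertions on `fake_notifier.VERSIONED_NOTIFICATIONS` that follow, which this patch does not extend.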
diff -Nru nova-14.0.0/debian/patches/series nova-14.0.0/debian/patches/series
--- nova-14.0.0/debian/patches/series	2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/patches/series	2017-04-02 10:52:50.000000000 +0000
@@ -4,3 +4,4 @@
 fix-requirements.txt.patch
 clean-up-build_requests-table-on-upgrades.patch
 allow-using-sqla-1.1.patch
+CVE-2017-7214_do_not_include_context_to_exception_notification.patch
