Bug#859819: marked as done (unblock: nova/14.0.0-4 (CVE-2017-7214))

To: Niels Thykier <niels@thykier.net>
Subject: Bug#859819: marked as done (unblock: nova/14.0.0-4 (CVE-2017-7214))
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 08 Apr 2017 06:12:06 +0000
Message-id: <[🔎] handler.859819.D859819.149163173722781.ackdone@bugs.debian.org>
References: <e4ef922b-3f13-fe4c-adff-9f2a384b64ce@thykier.net> <[🔎] 20170407161819.472.54449.reportbug@buzig2.mirantis.com>

Your message dated Sat, 08 Apr 2017 06:07:00 +0000
with message-id <e4ef922b-3f13-fe4c-adff-9f2a384b64ce@thykier.net>
and subject line Re: Bug#859819: unblock: nova/14.0.0-4 (CVE-2017-7214)
has caused the Debian Bug report #859819,
regarding unblock: nova/14.0.0-4 (CVE-2017-7214)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859819: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859819
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: nova/14.0.0-4 (CVE-2017-7214)
From: Thomas Goirand <zigo@debian.org>
Date: Fri, 07 Apr 2017 18:18:19 +0200
Message-id: <[🔎] 20170407161819.472.54449.reportbug@buzig2.mirantis.com>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nova

This upload fixes CVE-2017-7214, and bumps openstack-pkg-tools build-depends
to >= 54~, to make sure the nova-api config script doesn't use /sbin/route
and /bin/ip if they aren't available (as they aren't essential packages).

Please unblock nova/14.0.0-4,
Cheers,

Thomas Goirand (zigo)

diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog	2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/changelog	2017-04-02 10:52:50.000000000 +0000
@@ -1,3 +1,14 @@
+nova (2:14.0.0-4) unstable; urgency=medium
+
+  [ David Rabel ]
+  * Team upload.
+  * Bump build dependency on openstack-pkg-tools (Closes: #858708, #858710).
+
+  [ Thomas Goirand ]
+  * CVE-2017-7214: apply upstream patch (Closes: 858568).
+
+ -- Thomas Goirand <zigo@debian.org>  Sun, 02 Apr 2017 12:52:50 +0200
+
 nova (2:14.0.0-3) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control	2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/control	2017-04-02 10:52:50.000000000 +0000
@@ -7,7 +7,7 @@
 Build-Depends: debhelper (>= 10),
                dh-python,
                dh-systemd,
-               openstack-pkg-tools (>= 52~),
+               openstack-pkg-tools (>= 54~),
                po-debconf,
                python-all,
                python-pbr (>= 1.8),
diff -Nru nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch
--- nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch	1970-01-01 00:00:00.000000000 +0000
+++ nova-14.0.0/debian/patches/CVE-2017-7214_do_not_include_context_to_exception_notification.patch	2017-04-02 10:52:50.000000000 +0000
@@ -0,0 +1,50 @@
+Description: CVE-2017-7214: do not include context to exception notification
+ The wrap_exception decorator optionally emited a notification.
+ Based on the code comments the original intention was not to include the
+ context to that notification due to security reasons. However the
+ implementation did included the context to the payload of the legacy
+ notification.
+ .
+ Recently we saw circural reference errors during the payload serialization
+ of this notification. Based on the logs the only complex data structure
+ that could cause circural reference is the context. So this patch
+ removes the context from the legacy exception notification.
+ .
+ The versioned exception notification is not affected as it does not
+ contain the args of the decorated function.
+Author: Balazs Gibizer <balazs.gibizer@ericsson.com>
+Date: Fri, 17 Mar 2017 10:24:49 +0000 (+0100)
+X-Git-Tag: 14.0.5~1
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=d0ee248bab6727555561c15998c58a0f11a5351b
+Origin: https://review.openstack.org/447072
+Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1673569
+Bug-Debian: https://bugs.debian.org/858568
+Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688
+Last-Update: 2017-04-02
+
+diff --git a/nova/exception_wrapper.py b/nova/exception_wrapper.py
+index 5b74c3b..5051b83 100644
+--- a/nova/exception_wrapper.py
++++ b/nova/exception_wrapper.py
+@@ -86,6 +86,9 @@ def _get_call_dict(function, self, context, *args, **kw):
+     # self can't be serialized and shouldn't be in the
+     # payload
+     call_dict.pop('self', None)
++    # NOTE(gibi) remove context as well as it contains sensitive information
++    # and it can also contain circular references
++    call_dict.pop('context', None)
+     return _cleanse_dict(call_dict)
+ 
+ 
+diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py
+index a9bada1..55478a6 100644
+--- a/nova/tests/unit/test_exception.py
++++ b/nova/tests/unit/test_exception.py
+@@ -61,6 +61,7 @@ class WrapExceptionTestCase(test.NoDBTestCase):
+         self.assertEqual(3, notification.payload['args']['extra'])
+         for key in ['exception', 'args']:
+             self.assertIn(key, notification.payload.keys())
++        self.assertNotIn('context', notification.payload['args'].keys())
+ 
+         self.assertEqual(1, len(fake_notifier.VERSIONED_NOTIFICATIONS))
+         notification = fake_notifier.VERSIONED_NOTIFICATIONS[0]
diff -Nru nova-14.0.0/debian/patches/series nova-14.0.0/debian/patches/series
--- nova-14.0.0/debian/patches/series	2016-12-09 16:40:19.000000000 +0000
+++ nova-14.0.0/debian/patches/series	2017-04-02 10:52:50.000000000 +0000
@@ -4,3 +4,4 @@
 fix-requirements.txt.patch
 clean-up-build_requests-table-on-upgrades.patch
 allow-using-sqla-1.1.patch
+CVE-2017-7214_do_not_include_context_to_exception_notification.patch

--- End Message ---

--- Begin Message ---

To: Thomas Goirand <zigo@debian.org>, 859819-done@bugs.debian.org

Subject: Re: Bug#859819: unblock: nova/14.0.0-4 (CVE-2017-7214)

From: Niels Thykier <niels@thykier.net>

Date: Sat, 08 Apr 2017 06:07:00 +0000

Message-id: <e4ef922b-3f13-fe4c-adff-9f2a384b64ce@thykier.net>

In-reply-to: <[🔎] 20170407161819.472.54449.reportbug@buzig2.mirantis.com>

References: <[🔎] 20170407161819.472.54449.reportbug@buzig2.mirantis.com>
Thomas Goirand:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package nova
> 
> This upload fixes CVE-2017-7214, and bumps openstack-pkg-tools build-depends
> to >= 54~, to make sure the nova-api config script doesn't use /sbin/route
> and /bin/ip if they aren't available (as they aren't essential packages).
> 
> Please unblock nova/14.0.0-4,
> Cheers,
> 
> Thomas Goirand (zigo)
> 

Unblocked, thanks.

~Niels
--- End Message ---

Reply to:

References:
- Bug#859819: unblock: nova/14.0.0-4 (CVE-2017-7214)
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: Bug#859814: marked as done (unblock: designate/3.0.0-4 (not using net-tools and iproute2 in config script anymore))
Next by Date: Bug#859764: marked as done (unblock: libphysfs/2.0.3-5)
Previous by thread: Bug#859819: unblock: nova/14.0.0-4 (CVE-2017-7214)
Next by thread: Bug#859822: unblock:congress/4.0.0+dfsg1-3
Index(es):
- Date
- Thread