--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: CVE-2018-1000872: package python-pykmip/0.5.0-4
- From: Thomas Goirand <zigo@debian.org>
- Date: Tue, 26 Feb 2019 14:14:34 +0100
- Message-id: <155118687411.16243.170724687572812383.reportbug@buzig2.debian.org>
Package: release.debian.org
Severity: important
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
Here's the changelog entry:
+ * CVE-2018-1000872: Resource Management Errors (similar issue to
+ CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
+ server can be made unavailable by one or more clients opening all of the
+ available sockets. Applied upstream patch: Fix a denial-of-service bug by
+ setting the server socket timeout (Closes: #917030).
The security team doesn't think a DSA is needed. Debdiff is attached. The
resulting package is here:
http://sid.gplhost.com/stretch-proposed-updates/python-pykmip/
Please allow me to upload python-pykmip/0.5.0-4+deb9u1 to Stretch-proposed.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-pykmip-0.5.0/debian/changelog python-pykmip-0.5.0/debian/changelog
--- python-pykmip-0.5.0/debian/changelog 2016-12-02 21:49:06.000000000 +0000
+++ python-pykmip-0.5.0/debian/changelog 2019-02-24 16:43:42.000000000 +0000
@@ -1,3 +1,13 @@
+python-pykmip (0.5.0-4+deb9u1) stretch; urgency=medium
+
+ * CVE-2018-1000872: Resource Management Errors (similar issue to
+ CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
+ server can be made unavailable by one or more clients opening all of the
+ available sockets. Applied upstream patch: Fix a denial-of-service bug by
+ setting the server socket timeout (Closes: #917030).
+
+ -- Thomas Goirand <zigo@debian.org> Sun, 24 Feb 2019 17:43:42 +0100
+
python-pykmip (0.5.0-4) unstable; urgency=medium
* Team upload.
diff -Nru python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch
--- python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch 2019-02-24 16:43:42.000000000 +0000
@@ -0,0 +1,54 @@
+Description: CVE-2018-1000872: Fix a denial-of-service bug by setting the server socket timeout
+ This change fixes a potential denial-of-service bug with the
+ server, setting a default timeout for all server sockets. This
+ allows the server to drop hung connections without blocking
+ forever. The interrupt triggered during accept calls is expected
+ and is now handled appropriately. Server unit tests have been
+ updated to reflect this change.
+Author: Peter Hamilton <peter.allen.hamilton@gmail.com>
+Date: Tue, 24 Apr 2018 21:57:20 -0400
+Origin: upstream, https://github.com/OpenKMIP/PyKMIP/commit/3a7b880bdf70d295ed8af3a5880bab65fa6b3932
+Bug-Debian: https://bugs.debian.org/917030
+Last-Update: 2019-02-24
+
+Index: python-pykmip/kmip/services/server/server.py
+===================================================================
+--- python-pykmip.orig/kmip/services/server/server.py
++++ python-pykmip/kmip/services/server/server.py
+@@ -176,6 +176,7 @@ class KmipServer(object):
+ self._logger.info("Starting server socket handler.")
+
+ # Create a TCP stream socket and configure it for immediate reuse.
++ socket.setdefaulttimeout(10)
+ self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
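Review bot: `socket.setdefaulttimeout(10)` in this hunk is process-wide, not a property of `self._socket`: every socket the interpreter creates after this line, including sockets opened by unrelated code in the same process, is initialised with a 10 s timeout. If that breadth is intended (a socket returned by `accept()` is also initialised with the default, which is what lets hung connections be dropped), state it in a comment; otherwise scope it with `self._socket.settimeout(10)` on the listener plus `connection.settimeout(...)` on each accepted socket. The inserted line also sits between the comment "Create a TCP stream socket and configure it for immediate reuse." and the `socket.socket(...)` call it describes, so give it its own comment or move it above that comment. The literal 10 would be better read from the server configuration than hard-coded.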
+@@ -283,6 +284,11 @@ class KmipServer(object):
+ while self._is_serving:
+ try:
+ connection, address = self._socket.accept()
++ except socket.timeout:
++ # Setting the default socket timeout to break hung connections
++ # will cause accept to periodically raise socket.timeout. This
++ # is expected behavior, so ignore it and retry accept.
++ pass
+ except socket.error as e:
+ if e.errno == errno.EINTR:
+ self._logger.warning("Interrupting connection service.")
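Review bot: the new `except socket.timeout:` must stay ahead of `except socket.error as e:`, since `socket.timeout` is a subclass of `socket.error`; the order here is correct, but a one-line comment would prevent a later reorder from silently routing timeouts into the EINTR branch. Also confirm that the code consuming `connection, address` after this `try` is in an `else:` clause or is otherwise skipped on timeout: with a bare `pass`, control falls through to whatever follows the `try` statement, and on the first timeout `connection` is unbound. Finally, the timeout applies per blocking call, not per session: a client that sends a byte every 9 s is never dropped, so "drop hung connections" in the description holds for fully idle peers only; either say so, or pair the timeout with a per-connection deadline or a cap on concurrent connections.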
+Index: python-pykmip/kmip/tests/unit/services/server/test_server.py
+===================================================================
+--- python-pykmip.orig/kmip/tests/unit/services/server/test_server.py
++++ python-pykmip/kmip/tests/unit/services/server/test_server.py
+@@ -342,7 +342,11 @@ class TestKmipServer(testtools.TestCase)
+
+ # Test the expected behavior for a normal server/interrupt sequence
+ s._socket.accept = mock.MagicMock(
+- side_effect=[('connection', 'address'), expected_error]
++ side_effect=[
++ ('connection', 'address'),
++ socket.timeout,
++ expected_error
++ ]
+ )
+
+ s.serve()
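Review bot: the extended `side_effect` only shows that `serve()` survives one `socket.timeout` and still reaches `expected_error`; add an assertion that the connection handler was invoked exactly once, for `('connection', 'address')` and not for the timeout iteration, otherwise a regression that treats a timed-out `accept()` as a connection still passes. This hunk references `socket.timeout`, so check that `test_server.py` already imports `socket` (the import is outside the hunk).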
diff -Nru python-pykmip-0.5.0/debian/patches/series python-pykmip-0.5.0/debian/patches/series
--- python-pykmip-0.5.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ python-pykmip-0.5.0/debian/patches/series 2019-02-24 16:43:42.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch
--- End Message ---
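An added example, not code from PyKMIP, the Debian package or the bug report, illustrating the mechanism the patch relies on: a listening socket with a timeout makes `accept()` wake periodically, and a timeout on each accepted socket lets the server drop a peer that connects and never sends. It uses per-socket `settimeout()` (the narrower alternative to the process-wide `setdefaulttimeout(10)` in the patch) and constructed timeouts of 0.2 s and 1.0 s; the hung, well-behaved and trickling clients are all constructed locally so the demo runs offline. The third client shows the caveat that a per-call timeout is not a session deadline.

```python
"""Per-operation socket timeouts as a hung-connection mitigation (added example)."""
import queue
import socket
import threading
import time

# Constructed values for the demo; the real patch uses a 10 s default.
ACCEPT_TIMEOUT = 0.2   # how often a blocked accept() wakes up
CONN_TIMEOUT = 1.0     # maximum silence tolerated by a single recv() call


def handle_connection(conn, timeout):
    """Read until EOF; give up if the peer is silent for `timeout` seconds."""
    conn.settimeout(timeout)          # scoped to this socket, not the process
    chunks = []
    started = time.monotonic()
    try:
        while True:
            data = conn.recv(1024)
            if not data:                 # peer closed cleanly
                break
            chunks.append(data)
        return ("served", b"".join(chunks), time.monotonic() - started)
    except socket.timeout:
        # The peer held the connection open without sending: drop it.
        return ("dropped", b"".join(chunks), time.monotonic() - started)
    finally:
        conn.close()


def serve(listener, results, stop, conn_timeout):
    """Accept loop in the style of the patched KmipServer.serve()."""
    idle_wakeups = 0
    while True:
        try:
            conn, _addr = listener.accept()
        except socket.timeout:
            # Expected: the listener timeout makes accept() return periodically,
            # which is the only point where this loop checks the stop flag.
            idle_wakeups += 1
            if stop.is_set():
                break
            continue
        results.put(handle_connection(conn, conn_timeout))
    results.put(("idle_wakeups", idle_wakeups))


def run_demo():
    """Run the server against three constructed clients and report outcomes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
    listener.listen(5)
    listener.settimeout(ACCEPT_TIMEOUT)
    port = listener.getsockname()[1]

    results = queue.Queue()
    stop = threading.Event()
    server = threading.Thread(
        target=serve, args=(listener, results, stop, CONN_TIMEOUT))
    server.start()

    outcome = {}

    # 1. Hung client: connects and never sends. Without a timeout the server
    #    would block in recv() forever; with one it drops the peer.
    hung = socket.create_connection(("127.0.0.1", port))
    outcome["hung"] = results.get(timeout=10)
    hung.close()

    # 2. Well-behaved client: sends a request and closes.
    good = socket.create_connection(("127.0.0.1", port))
    good.sendall(b"hello")
    good.close()
    outcome["good"] = results.get(timeout=10)

    # 3. Trickling client: every byte arrives inside the timeout window, so the
    #    per-recv timeout never fires even though the session outlives it.
    slow = socket.create_connection(("127.0.0.1", port))
    for _ in range(5):
        slow.sendall(b"x")
        time.sleep(0.3)                  # below CONN_TIMEOUT, 1.5 s in total
    slow.close()
    outcome["slow"] = results.get(timeout=10)

    stop.set()
    server.join(timeout=10)
    listener.close()
    outcome["idle_wakeups"] = results.get(timeout=10)[1]
    return outcome


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The hung client is reported as dropped with no data after roughly `CONN_TIMEOUT`, the well-behaved client is served, and the trickling client is also served although its session lasted longer than `CONN_TIMEOUT`, which is why a per-call timeout alone does not bound how long one slow peer can occupy a connection slot.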