
Bug#941901: buster-pu: package octavia/3.0.0-3

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Since Buster was frozen, I worked quite a long time on Octavia, and was
able to make the octavia-agent work properly, as well as building an
Octavia base image using Debian-only stuff [1]. It works super well
using the next version of OpenStack, i.e. Stein, while Buster has Rocky.

Though I'd like to be able to provide a working Amphorae image using
only stuff from Buster, if possible. This is what this update is about.
The update contains:

- Fix for the vrrp script template.
- Fix for detecting the OS from within Octavia itself.
- Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
- Fix for the octavia-agent package init / systemd scripts.

Debdiff is attached. Please allow me to update the Octavia package in
Buster accordingly. Next up, I hope to be able to provide a Debian image
for Octavia through the official cdimage.debian.org repo. I'll do that
through Testing first.

Cheers,

Thomas Goirand (zigo)

[1] If you don't know what Octavia is, it is haproxy as a service, with
a base virtual machine image containing Haproxy and the Octavia Agent.
This image is called "Amphorae", and can be used to provide load balancer
as a service. This is quite nice technology!
diff -Nru octavia-3.0.0/debian/changelog octavia-3.0.0/debian/changelog
--- octavia-3.0.0/debian/changelog	2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/changelog	2019-04-30 12:07:21.000000000 +0200
@@ -1,3 +1,14 @@
+octavia (3.0.0-3+deb10u1) buster; urgency=medium
+
+  * Fix octavia-agent binary in init/service file, fix the startup.
+  * Add Fix-osutils.py-to-detect-Debian.patch.
+  * CVE-2019-17134: Client certificates aren't checked properly in the Amphora.
+    Applied upstream patch (Closes: #941897):
+    - Add CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch.
+  * Add Fix_template_that_generates_vrrp_check_script.patch.
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 30 Apr 2019 12:07:21 +0200
+
 octavia (3.0.0-3) unstable; urgency=medium
 
   * Add an octavia-agent package.
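Review bot: the changelog stamp `Tue, 30 Apr 2019 12:07:21 +0200` predates two of the patches this entry adds (the CVE-2019-17134 patch header says `Date: Fri, 4 Oct 2019` and `Last-Update: 2019-10-07`; the vrrp patch says `Last-Update: 2019-08-26`), so refresh the entry with `dch -r` before upload so the date reflects the actual build. The osutils and vrrp bullets would also read better with a one-line reason each (the `Exec format error` from keepalived quoted in the vrrp patch header, the agent not starting on Debian for osutils), since the stable update tracker shows only this changelog.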
diff -Nru octavia-3.0.0/debian/octavia-agent.install octavia-3.0.0/debian/octavia-agent.install
--- octavia-3.0.0/debian/octavia-agent.install	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent.install	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,2 @@
+debian/octavia-agent-ramfs-start	/sbin
+debian/octavia-agent-ramfs-stop		/sbin
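Review bot: `diff -Nru` does not carry file modes, so this hunk cannot show whether debian/octavia-agent-ramfs-start and -stop are executable in the source tree; dh_install keeps the source mode, and a non-executable helper in /sbin fails the moment the service tries to run it. Please confirm the mode (or set it in debian/rules) and note it in the changelog.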
diff -Nru octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in
--- octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in	2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in	2019-04-30 12:07:21.000000000 +0200
@@ -17,3 +17,5 @@
 NAME=${PROJECT_NAME}-agent
 SYSTEM_USER=root
 SYSTEM_GROUP=root
+CONFIG_FILE=/etc/octavia/amphora-agent.conf
+DAEMON=/usr/bin/amphora-agent
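Review bot: DAEMON and CONFIG_FILE now point at the real agent binary and config, which matches the changelog's "fix octavia-agent binary in init/service file", but the two ramfs helpers added elsewhere in this debdiff are not invoked from here or from any other hunk. If the encrypted certs ramdisk is meant to exist before amphora-agent starts, the ExecStartPre/ExecStopPost (or init pre-start/post-stop) wiring is missing or lives in a file not shown; without it the agent writes its certificates into a plain directory.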
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-start octavia-3.0.0/debian/octavia-agent-ramfs-start
--- octavia-3.0.0/debian/octavia-agent-ramfs-start	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-start	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+modprobe brd rd_size=1024000 max_part=2 rd_nr=1
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}')
+if [ -z "${certs_path}" ] ; then
+	certs_path=/var/lib/octavia/certs
+fi
+mkdir -p "${certs_path}"
+chown octavia:octavia ${certs_path}
+echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs ${certs_path}
+chown octavia:octavia ${certs_path}
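Review bot: `grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}'` matches any line containing the key, including a commented `#base_cert_dir = ...` sample line from a default config, and yields an empty string for `base_cert_dir=/path` written without spaces, so the script can silently fall back to /var/lib/octavia/certs while the agent uses a different directory. Anchor on the key and split on `=`, e.g. `sed -n 's/^base_cert_dir[[:space:]]*=[[:space:]]*//p'`. Two smaller points: `${certs_path}` is quoted in `mkdir -p` but not in the `chown` and `mount` lines, and `tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32` produces the 32-character passphrase directly instead of relying on `head /dev/urandom` reading enough bytes for `fold` to fill a line.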
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-stop octavia-3.0.0/debian/octavia-agent-ramfs-stop
--- octavia-3.0.0/debian/octavia-agent-ramfs-stop	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-stop	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{printf $3}')
+umount "${certs_path}"
+cryptsetup luksClose /dev/mapper/certfs-ramfs
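Review bot: there is no fallback to /var/lib/octavia/certs as in the start script, so when `base_cert_dir` is unset `umount ""` fails and, with `set -e`, `cryptsetup luksClose` never runs, leaving the mapping open. Resolve the path the same way in both scripts (same parsing, same default), or unmount by device (`umount /dev/mapper/certfs-ramfs`) so the teardown does not depend on the config parse at all. Also, `awk '{printf $3}'` uses the value as a printf format string (a `%` in the path would be interpreted) and differs from the start script's `{print $3}`; use `print` in both.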
diff -Nru octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
--- octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,73 @@
+Description: [PATCH] Fix urgent amphora two-way auth security bug
+ The value of gunicorn's option 'cert_reqs` for client-cert requirement
+ does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.
+ .
+Story: 2006660
+Task: 36916
+Author: Adam Harwell <flux.adam@gmail.com>
+Date: Fri, 4 Oct 2019 01:04:20 -0700
+SecurityImpact: CVE-2019-17134
+Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
+Bug-Debian: https://bugs.debian.org/941897
+Origin: https://review.opendev.org/#/c/686544/
+Last-Update: 2019-10-07
+
+diff --git a/octavia/cmd/agent.py b/octavia/cmd/agent.py
+index 861ad75..759cf4b 100644
+--- a/octavia/cmd/agent.py
++++ b/octavia/cmd/agent.py
+@@ -15,6 +15,7 @@
+ # make sure PYTHONPATH includes the home directory if you didn't install
+ 
+ import multiprocessing as multiproc
++import ssl
+ import sys
+ 
+ import gunicorn.app.base
+@@ -74,7 +75,7 @@ def main():
+         'timeout': CONF.amphora_agent.agent_request_read_timeout,
+         'certfile': CONF.amphora_agent.agent_server_cert,
+         'ca_certs': CONF.amphora_agent.agent_server_ca,
+-        'cert_reqs': True,
++        'cert_reqs': ssl.CERT_REQUIRED,
+         'preload_app': True,
+         'accesslog': '/var/log/amphora-agent.log',
+         'errorlog': '/var/log/amphora-agent.log',
+diff --git a/octavia/tests/unit/cmd/test_agent.py b/octavia/tests/unit/cmd/test_agent.py
+index 551ab56..22ca4ff 100644
+--- a/octavia/tests/unit/cmd/test_agent.py
++++ b/octavia/tests/unit/cmd/test_agent.py
+@@ -9,6 +9,7 @@
+ #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ #    License for the specific language governing permissions and limitations
+ #    under the License.
++import ssl
+ 
+ import mock
+ 
+@@ -36,5 +37,11 @@ class TestAmphoraAgentCMD(base.TestCase):
+ 
+         agent.main()
+ 
++        # Ensure gunicorn is initialized with the correct cert_reqs option.
++        # This option is what enforces use of a valid client certificate.
++        self.assertEqual(
++            ssl.CERT_REQUIRED,
++            mock_amp.call_args[0][1]['cert_reqs'])
++
+         mock_health_proc.start.assert_called_once_with()
+         mock_amp_instance.run.assert_called_once()
+diff --git a/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+new file mode 100644
+index 0000000..e348b14
+--- /dev/null
++++ b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+@@ -0,0 +1,5 @@
++---
++security:
++  - |
++    Correctly require two-way certificate authentication to connect to the
++    amphora agent API (CVE-2019-17134).
+-- 
+2.7.4
+
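Review bot: the DEP-3 header deviates from the other patches in this series: `Description:` carries git's `[PATCH]` prefix, and `Origin:` lacks the `upstream,` qualifier used in Fix_template_that_generates_vrrp_check_script.patch; trim both so the patch tracker presents them consistently. The fix itself is sound: as the description says, gunicorn's `cert_reqs` takes an `ssl` constant, not a boolean, and `True` compares equal to `1`, which is `ssl.CERT_OPTIONAL` (a presented client certificate is validated, a missing one is accepted), whereas `ssl.CERT_REQUIRED` is `2`; the added unit test pins the value through `mock_amp.call_args[0][1]['cert_reqs']`, so a regression to a boolean would fail the build.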
diff -Nru octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch
--- octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Fix is_os_name in osutils.py to detect Debian
+ Otherwise, the OCtavia agent just dies...
+Author: Thomas Goirand <zigo@debian.org>
+Forwarded: no
+Last-Update: 2019-04-30
+
+Index: octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+===================================================================
+--- octavia.orig/octavia/amphorae/backends/agent/api_server/osutils.py
++++ octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+@@ -233,7 +233,7 @@ class Ubuntu(BaseOS):
+ 
+     @classmethod
+     def is_os_name(cls, os_name):
+-        return os_name in ['ubuntu']
++        return os_name in ['ubuntu', 'debian']
+ 
+     def cmd_get_version_of_installed_package(self, package_name):
+         name = self._map_package_name(package_name)
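Review bot: adding 'debian' to `Ubuntu.is_os_name` routes Debian amphorae through the Ubuntu class, so its package-name mapping (`_map_package_name`) and version queries (`cmd_get_version_of_installed_package`) are assumed to be valid on Debian; that is plausible for apt/dpkg, but the Description should say so rather than "Otherwise, the OCtavia agent just dies..." (also note the typo "OCtavia"). `Forwarded: no` is worth revisiting: upstream is the natural home for OS detection, and carrying it only here means stable amphora images depend on a Debian-local patch.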
diff -Nru octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch
--- octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch	1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch	2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,30 @@
+Author: Rene Luria <rene.luria@infomaniak.com>
+Subject: [PATCH] Fix template that generates vrrp check script
+ Correct the inline comment to not include an empty new line at the start
+ of generated /var/lib/octavia/vrrp/check_script.sh that leads to this
+ kind of error:
+ .
+ >  Aug 26 11:49:32 amphora-12184e15-1ec3-4d80-98a7-c7d1ddb6716f
+ > Keepalived_vrrp[15265]: Error exec-ing command
+ > '/var/lib/octavia/vrrp/check_script.sh', error 8: Exec format error
+Date: Mon, 26 Aug 2019 13:50:42 +0200
+Change-Id: Icddd2873abeb56a389a35356995df6dde70872b2
+Origin: upstream, https://review.opendev.org/678525
+Last-Update: 2019-08-26
+
+diff --git a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2 b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+index bb1eceb..e2c85c4 100644
+--- a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
++++ b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+@@ -13,7 +13,7 @@
+ #    License for the specific language governing permissions and limitations
+ #    under the License.
+ #
+-#}
++-#}
+ #!/bin/bash
+ 
+ # Don't try to run the directory when it is empty
+-- 
+2.7.4
+
diff -Nru octavia-3.0.0/debian/patches/series octavia-3.0.0/debian/patches/series
--- octavia-3.0.0/debian/patches/series	2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/patches/series	2019-04-30 12:07:21.000000000 +0200
@@ -1,2 +1,5 @@
 fix-py36-compatibility.patch
 install-missing-files.patch
+Fix-osutils.py-to-detect-Debian.patch
+CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
+Fix_template_that_generates_vrrp_check_script.patch
