Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Stable Release team,
I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
which is described in https://bugs.debian.org/946060. Please note
that this patch is only useful if you also approve the upload of
python-oslo.utils which I requested in #947142.
Debdiff containing the patch is attached. Note that there's, as
much as I understand, no need to upgrade Mistral to address this
CVE (probably it would be needed in Stretch though...), as I believe
the issue is fully addressed by the update of python-mistral-lib
(at least, that's my understanding when reading the upstream bug
entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
Note that I've also uploaded the package here, for your convenience:
http://shade.infomaniak.ch/buster-pu/python-mistral-lib/
Please allow me to upload:
python-mistral-lib/1.0.0-1+deb10u1.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-mistral-lib-1.0.0/debian/changelog python-mistral-lib-1.0.0/debian/changelog
--- python-mistral-lib-1.0.0/debian/changelog	2018-09-04 00:06:52.000000000 +0200
+++ python-mistral-lib-1.0.0/debian/changelog	2019-12-21 22:59:56.000000000 +0100
@@ -1,3 +1,10 @@
+python-mistral-lib (1.0.0-1+deb10u1) buster; urgency=medium
+
+  * CVE-2019-3866: Sensitive information leaked in mistral logs. Apply
+    upstream patch: Ensure we mask sensitive data from Mistral Action logs.
+
+ -- Thomas Goirand <zigo@debian.org>  Sat, 21 Dec 2019 22:59:56 +0100
+
 python-mistral-lib (1.0.0-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
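Review bot: the new changelog entry at the top of this hunk records the CVE but not the runtime dependency the cover mail describes: the masking only becomes effective together with the python-oslo.utils update requested in #947142, and this debdiff touches no debian/control, so a 1.0.0-1+deb10u1 installed against the unpatched buster oslo.utils keeps leaking exactly as before. Either bump the versioned Depends on the oslo.utils binary package to the version from #947142 or at least state the requirement in the changelog text, and add `(Closes: #946060)` after the CVE line so the BTS bug cited in the mail is closed by the upload.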
diff -Nru python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
--- python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch	2019-12-21 22:59:56.000000000 +0100
@@ -0,0 +1,97 @@
+Author: Cédric Jeanneret <cjeanner@redhat.com>
+Date: Fri, 1 Nov 2019 11:47:35 +0100
+Description: CVE-2019-3866 Ensure we mask sensitive data from Mistral Action logs
+ Mistral didn't make use of the oslo_utils "mask_password" methods,
+ leading in sensitive data leakage in its logs.
+ .
+ This patch corrects this security issue.
+ Note that it depends on oslo_utils patch adding new patterns, and
+ ensuring it's case-insensitive.
+Change-Id: I544d3c172f2dea02c62c49c311c4b5954413ae15
+Related-Bug: #1850843
+Co-Authored-By: Dougal Matthews <dougal@redhat.com>
+Signed-off-by: Cédric Jeanneret <cjeanner@redhat.com>
+Origin: upstream, https://review.opendev.org/692975
+
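Review bot: the DEP-3 header above carries Origin and Related-Bug for the upstream side but no `Bug-Debian:` field; add `Bug-Debian: https://bugs.debian.org/946060` (the bug the cover mail cites) so the patch metadata links the Debian report as well. The Description also says the fix depends on an oslo_utils change adding patterns and making them case-insensitive; naming the minimum oslo.utils version that carries that change in the header would document why the patch is ineffective against an older library.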
+diff --git a/mistral_lib/actions/types.py b/mistral_lib/actions/types.py
+index cd8bf28..a77b96f 100644
+--- a/mistral_lib/actions/types.py
++++ b/mistral_lib/actions/types.py
+@@ -32,8 +32,11 @@ class Result(serialization.MistralSerializable):
+         )
+ 
+     def cut_repr(self):
++        _data = utils.mask_data(self.data)
++        _error = utils.mask_data(self.error)
++        _cancel = utils.mask_data(self.cancel)
+         return 'Result [data=%s, error=%s, cancel=%s]' % (
+-            utils.cut(self.data), utils.cut(self.error), str(self.cancel)
++            utils.cut(_data), utils.cut(_error), str(_cancel)
+         )
+ 
+     def is_cancel(self):
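Review bot: the `_cancel = utils.mask_data(self.cancel)` line in `cut_repr` is redundant: `cancel` is a flag that the format string only passes through `str()`, not a payload that can carry a secret, so masking it adds nothing and obscures what the change is for; keep the masking to `data` and `error`. The ordering of the remaining two lines is right and worth a short comment: `mask_data` runs before `utils.cut`, so a `key=value` pair cannot be truncated in the middle and have its tail survive masking.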
+diff --git a/mistral_lib/tests/test_utils.py b/mistral_lib/tests/test_utils.py
+index 599aaac..78ec3ec 100644
+--- a/mistral_lib/tests/test_utils.py
++++ b/mistral_lib/tests/test_utils.py
+@@ -84,3 +84,20 @@ class TestUtils(tests_base.TestCase):
+         s = utils.cut_dict(d, 100)
+ 
+         self.assertIn(s, ["{1: 2, 3: 4}", "{3: 4, 1: 2}"])
++
++    def test_mask_data(self):
++        payload = {'adminPass': 'fooBarBaz'}
++        expected = {'adminPass': '***'}
++        self.assertEqual(expected, utils.mask_data(payload))
++
++        payload = """adminPass='fooBarBaz'"""
++        expected = """adminPass='***'"""
++        self.assertEqual(expected, utils.mask_data(payload))
++
++        payload = [{'adminPass': 'fooBarBaz'}, {"new_pass": "blah"}]
++        expected = [{'adminPass': '***'}, {"new_pass": "***"}]
++        self.assertEqual(expected, utils.mask_data(payload))
++
++        payload = ["adminPass", 'fooBarBaz']
++        expected = ["adminPass", 'fooBarBaz']
++        self.assertEqual(expected, utils.mask_data(payload))
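Review bot: `test_mask_data` exercises only exact, already-known key names (`adminPass`, `new_pass`), while the patch header states the fix depends on the oslo_utils patterns becoming case-insensitive; add one case such as `{'ADMINPASS': 'fooBarBaz'}` or `"AdminPass='fooBarBaz'"` so the build fails loudly if it is run against an oslo.utils that lacks that change. The last case (`["adminPass", 'fooBarBaz']` expected unchanged) documents a real limitation, that a key and value split across list elements are not recognised, and deserves a comment saying so, otherwise a later reader may take it for an accidental expectation.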
+diff --git a/mistral_lib/utils/__init__.py b/mistral_lib/utils/__init__.py
+index 92dda4e..7f845dc 100644
+--- a/mistral_lib/utils/__init__.py
++++ b/mistral_lib/utils/__init__.py
+@@ -14,6 +14,8 @@
+ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ # License for the specific language governing permissions and limitations
+ # under the License.
++from oslo_utils.strutils import mask_dict_password
++from oslo_utils.strutils import mask_password
+ 
+ 
+ def cut_dict(d, length=100):
+@@ -139,3 +141,12 @@ def cut(data, length=100):
+         return cut_dict(data, length=length)
+ 
+     return cut_string(str(data), length=length)
++
++
++def mask_data(obj):
++    if isinstance(obj, dict):
++        return mask_dict_password(obj)
++    elif isinstance(obj, list):
++        return [mask_data(i) for i in obj]
++    else:
++        return mask_password(obj)
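Review bot: `mask_data` walks dicts and lists structurally but sends everything else, including tuples of dicts, `None` and booleans, through the string-based `mask_password` in the `else` branch, so a tuple result is masked only as far as the regexes match its repr; extend the second check to `isinstance(obj, (list, tuple))` if action results can carry tuples, and give the function a docstring stating that it returns a string for scalar input. The new function also has no unit test for nested dicts inside lists beyond a single level; `test_mask_data` covers a list of flat dicts only.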
+diff --git a/releasenotes/notes/mask-password-6899d868d213f722.yaml b/releasenotes/notes/mask-password-6899d868d213f722.yaml
+new file mode 100644
+index 0000000..5178a04
+--- /dev/null
++++ b/releasenotes/notes/mask-password-6899d868d213f722.yaml
+@@ -0,0 +1,5 @@
++---
++security:
++  - Ensure we mask sensitive data before logging Action return values
++fixes:
++  - https://bugs.launchpad.net/tripleo/+bug/1850843
+-- 
+2.7.4
+
diff -Nru python-mistral-lib-1.0.0/debian/patches/series python-mistral-lib-1.0.0/debian/patches/series
--- python-mistral-lib-1.0.0/debian/patches/series	2018-09-04 00:06:52.000000000 +0200
+++ python-mistral-lib-1.0.0/debian/patches/series	2019-12-21 22:59:56.000000000 +0100
@@ -1 +1,2 @@
 remove-privacy-branch.patch
+CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch