
Bug#947146: marked as done (buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866)



Your message dated Sun, 26 Apr 2020 15:56:43 +0200
with message-id <20200426135643.GA7526@chou>
and subject line Re: Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866
has caused the Debian Bug report #947146,
regarding buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release team,

I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
which is described in https://bugs.debian.org/946060. Please note
that this patch is only useful if you also approve the upload of
python-oslo.utils which I requested in #947142.

Debdiff containing the patch is attached. Note that there's, as
much as I understand, no need to upgrade Mistral to address this
CVE (probably it would be needed in Stretch though...), as I believe
the issue is fully addressed by the update of python-mistral-lib
(at least, that's my understanding when reading the upstream bug
entry at https://bugs.launchpad.net/tripleo/+bug/1850843).

Note that I've also uploaded the package here, for your convenience:

http://shade.infomaniak.ch/buster-pu/python-mistral-lib/

Please allow me to upload:
python-mistral-lib/1.0.0-1+deb10u1.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-mistral-lib-1.0.0/debian/changelog python-mistral-lib-1.0.0/debian/changelog
--- python-mistral-lib-1.0.0/debian/changelog	2018-09-04 00:06:52.000000000 +0200
+++ python-mistral-lib-1.0.0/debian/changelog	2019-12-21 22:59:56.000000000 +0100
@@ -1,3 +1,10 @@
+python-mistral-lib (1.0.0-1+deb10u1) buster; urgency=medium
+
+  * CVE-2019-3866: Sensitive information leaked in mistral logs. Apply
+    upstream patch: Ensure we mask sensitive data from Mistral Action logs.
+
+ -- Thomas Goirand <zigo@debian.org>  Sat, 21 Dec 2019 22:59:56 +0100
+
 python-mistral-lib (1.0.0-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
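Review bot: the debdiff changes only debian/changelog and debian/patches, yet the cover letter states the fix is only useful together with the python-oslo.utils upload from #947142, and the added patch imports oslo_utils.strutils unconditionally. Either bump the runtime Depends in debian/control to the fixed python3-oslo.utils version or say in the changelog why that is deliberately left out; as submitted, a buster system with the old oslo.utils keeps logging the values the new patterns are meant to mask, and one without oslo.utils stops importing mistral_lib.utils altogether.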
diff -Nru python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
--- python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch	2019-12-21 22:59:56.000000000 +0100
@@ -0,0 +1,97 @@
+Author: Cédric Jeanneret <cjeanner@redhat.com>
+Date: Fri, 1 Nov 2019 11:47:35 +0100
+Description: CVE-2019-3866 Ensure we mask sensitive data from Mistral Action logs
+ Mistral didn't make use of the oslo_utils "mask_password" methods,
+ leading in sensitive data leakage in its logs.
+ .
+ This patch corrects this security issue.
+ Note that it depends on oslo_utils patch adding new patterns, and
+ ensuring it's case-insensitive.
+Change-Id: I544d3c172f2dea02c62c49c311c4b5954413ae15
+Related-Bug: #1850843
+Co-Authored-By: Dougal Matthews <dougal@redhat.com>
+Signed-off-by: Cédric Jeanneret <cjeanner@redhat.com>
+Origin: upstream, https://review.opendev.org/692975
+
+diff --git a/mistral_lib/actions/types.py b/mistral_lib/actions/types.py
+index cd8bf28..a77b96f 100644
+--- a/mistral_lib/actions/types.py
++++ b/mistral_lib/actions/types.py
+@@ -32,8 +32,11 @@ class Result(serialization.MistralSerializable):
+         )
+ 
+     def cut_repr(self):
++        _data = utils.mask_data(self.data)
++        _error = utils.mask_data(self.error)
++        _cancel = utils.mask_data(self.cancel)
+         return 'Result [data=%s, error=%s, cancel=%s]' % (
+-            utils.cut(self.data), utils.cut(self.error), str(self.cancel)
++            utils.cut(_data), utils.cut(_error), str(_cancel)
+         )
+ 
+     def is_cancel(self):
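Review bot: masking before `utils.cut()` is the right order (truncating first could cut a `key=value` token in half so the pattern no longer matches), but the handling of `self.cancel` is odd: it is passed through `mask_data`, whose non-dict, non-list branch returns a string, and then wrapped in `str()` again. Either leave `cancel` out of the masking (it is a flag, not payload) or drop the redundant `str(_cancel)`. It is also worth checking that `cut_repr` is the only place Result contents reach the logs, since nothing else in the patch masks them.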
+diff --git a/mistral_lib/tests/test_utils.py b/mistral_lib/tests/test_utils.py
+index 599aaac..78ec3ec 100644
+--- a/mistral_lib/tests/test_utils.py
++++ b/mistral_lib/tests/test_utils.py
+@@ -84,3 +84,20 @@ class TestUtils(tests_base.TestCase):
+         s = utils.cut_dict(d, 100)
+ 
+         self.assertIn(s, ["{1: 2, 3: 4}", "{3: 4, 1: 2}"])
++
++    def test_mask_data(self):
++        payload = {'adminPass': 'fooBarBaz'}
++        expected = {'adminPass': '***'}
++        self.assertEqual(expected, utils.mask_data(payload))
++
++        payload = """adminPass='fooBarBaz'"""
++        expected = """adminPass='***'"""
++        self.assertEqual(expected, utils.mask_data(payload))
++
++        payload = [{'adminPass': 'fooBarBaz'}, {"new_pass": "blah"}]
++        expected = [{'adminPass': '***'}, {"new_pass": "***"}]
++        self.assertEqual(expected, utils.mask_data(payload))
++
++        payload = ["adminPass", 'fooBarBaz']
++        expected = ["adminPass", 'fooBarBaz']
++        self.assertEqual(expected, utils.mask_data(payload))
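Review bot: these cases only pass with the oslo.utils change the header mentions ("adding new patterns, and ensuring it's case-insensitive"): `adminPass` and `new_pass` are not masked by the older pattern set, so if the test suite runs at build time this fails unless the build-dependency on python3-oslo.utils is versioned as well. The cases also cover only flat shapes; add one with a list nested inside a dict value and one with a tuple, since those are the paths where `mask_data` hands off to `mask_dict_password` or falls through to `mask_password` without recursing.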
+diff --git a/mistral_lib/utils/__init__.py b/mistral_lib/utils/__init__.py
+index 92dda4e..7f845dc 100644
+--- a/mistral_lib/utils/__init__.py
++++ b/mistral_lib/utils/__init__.py
+@@ -14,6 +14,8 @@
+ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ # License for the specific language governing permissions and limitations
+ # under the License.
++from oslo_utils.strutils import mask_dict_password
++from oslo_utils.strutils import mask_password
+ 
+ 
+ def cut_dict(d, length=100):
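Review bot: these are unconditional module-level imports, so `mistral_lib.utils` (and `mistral_lib.actions.types`, which imports it) now fails to import whenever oslo_utils is absent. That turns oslo.utils from an optional helper into a hard runtime dependency, and because the masking only works with the new patterns it needs to be a versioned Depends on the fixed python3-oslo.utils rather than no dependency at all.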
+@@ -139,3 +141,12 @@ def cut(data, length=100):
+         return cut_dict(data, length=length)
+ 
+     return cut_string(str(data), length=length)
++
++
++def mask_data(obj):
++    if isinstance(obj, dict):
++        return mask_dict_password(obj)
++    elif isinstance(obj, list):
++        return [mask_data(i) for i in obj]
++    else:
++        return mask_password(obj)
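Review bot: `mask_data` special-cases only `dict` and `list`; a tuple, set, `None`, bool or number falls into the `mask_password` branch and comes back as a string, so callers get a type change instead of a masked copy (the `cancel` flag in `cut_repr` takes exactly this path). Suggest `isinstance(obj, (list, tuple))` for the sequence branch, returning non-string scalars unchanged, and verifying that a list stored as a dict value is still masked, because that value is given to `mask_dict_password` rather than recursed through here.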
+diff --git a/releasenotes/notes/mask-password-6899d868d213f722.yaml b/releasenotes/notes/mask-password-6899d868d213f722.yaml
+new file mode 100644
+index 0000000..5178a04
+--- /dev/null
++++ b/releasenotes/notes/mask-password-6899d868d213f722.yaml
+@@ -0,0 +1,5 @@
++---
++security:
++  - Ensure we mask sensitive data before logging Action return values
++fixes:
++  - https://bugs.launchpad.net/tripleo/+bug/1850843
+-- 
+2.7.4
+
diff -Nru python-mistral-lib-1.0.0/debian/patches/series python-mistral-lib-1.0.0/debian/patches/series
--- python-mistral-lib-1.0.0/debian/patches/series	2018-09-04 00:06:52.000000000 +0200
+++ python-mistral-lib-1.0.0/debian/patches/series	2019-12-21 22:59:56.000000000 +0100
@@ -1 +1,2 @@
 remove-privacy-branch.patch
+CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch

--- End Message ---
--- Begin Message ---
On Sun, Dec 22, 2019 at 11:31:21PM +0100, Thomas Goirand wrote:
> On 12/21/19 11:34 PM, Salvatore Bonaccorso wrote:
> > Hi Thomas
> > 
> > [Disclaimer: not part of the stable release managers, so this reply is
> > not authoritative]
> > 
> > Thanks for handling CVE-2019-3866 for unstable and buster.
> > 
> > On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> Tags: buster
> >> User: release.debian.org@packages.debian.org
> >> Usertags: pu
> >>
> >> Dear Stable Release team,
> >>
> >> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
> >> which is described in https://bugs.debian.org/946060. Please note
> >> that this patch is only useful if you also approve the upload of
> >> python-oslo.utils which I requested in #947142.
> >>
> >> Debdiff containing the patch is attached. Note that there's, as
> >> much as I understand, no need to upgrade Mistral to address this
> >> CVE (probably it would be needed in Stretch though...), as I believe
> >> the issue is fully addressed by the update of python-mistral-lib
> >> (at least, that's my understanding when reading the upstream bug
> >> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
> > 
> > Question (which applies as well to the unstable upload which was just
> > done): the python-mistral-lib patch depends on the fixed version of
> > python-oslo.utils. Wouldn't that need a versioned dependency on
> > python-oslo.utils?
> > 
> > Regards,
> > Salvatore
> 
> Hi,
> 
> There's currently no dependency at all on python3-oslo.utils, because
> it's not completely needed. It looks like it is needed only for some
> usages of Mistral (like the one TripleO is doing), when calling
> generate_unicode_uuid(), is_valid_uuid() or utc_now_sec() from
> mistral_lib.utils.
> 
> So no, I don't think we should add an artificial hard runtime dependency
> on oslo.utils, as long as upstream isn't doing it in requirements.txt.
> 
> Your thoughts?
> 
It doesn't look artificial to me.  As far as I can tell this patch makes
importing mistral_lib.utils (directly or via mistral_lib.actions.types)
fail without oslo.utils.

Overall I'd say this change on its own doesn't warrant a stable update.
Maybe later if there's a more serious issue to lump it in with.

Cheers,
Julien

--- End Message ---
