
Bug#1034243: unblock: heat/19.0.0-2 (fix for CVE-2023-1625 / #1034186)

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package heat

[ Reason ]
This last upload fixes CVE-2023-1625 / #1034186 (information leak in the
Heat API).

[ Impact ]
Before this patch, "openstack stack show" shows parameters that
are supposed to be hidden, like for example passwords (see the
launchpad entry https://launchpad.net/bugs/1999665 that is rather
explicit).

[ Tests ]
Building the package and the Debian CI contains upstream unit tests.
Also, the patch comes directly from upstream, which runs functional
tests in their CI, which makes me confident nothing broke with this
patch. See test results at:
https://review.opendev.org/c/openstack/heat/+/873465

[ Risks ]
Not many risks, as the patch only affects "stack show".

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

Cheers,

Thomas Goirand (zigo)

unblock heat/19.0.0-2

diff -Nru heat-19.0.0/debian/changelog heat-19.0.0/debian/changelog
--- heat-19.0.0/debian/changelog	2022-10-06 10:14:02.000000000 +0200
+++ heat-19.0.0/debian/changelog	2023-04-11 10:21:00.000000000 +0200
@@ -1,3 +1,12 @@
+heat (1:19.0.0-2) unstable; urgency=high
+
+  * CVE-2023-1625: information leak in API. Added upstream patch:
+    Honor-hidden-parameter-in-stack_environment_show-command.patch
+    (Closes: #1034186).
+  * Removed obsolete depends on lsb-base.
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 11 Apr 2023 10:21:00 +0200
+
 heat (1:19.0.0-1) unstable; urgency=medium
 
   * New upstream release.
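Review bot: the patch filename given in the changelog entry, `Honor-hidden-parameter-in-stack_environment_show-command.patch`, does not match the file actually added to debian/patches/series in this debdiff, `CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch`; quoting the full filename (with the `CVE-2023-1625_` prefix) keeps the changelog greppable against the series file. urgency=high is appropriate for a security fix.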
diff -Nru heat-19.0.0/debian/control heat-19.0.0/debian/control
--- heat-19.0.0/debian/control	2022-10-06 10:14:02.000000000 +0200
+++ heat-19.0.0/debian/control	2023-04-11 10:21:00.000000000 +0200
@@ -113,7 +113,6 @@
  python3-pastescript,
  uwsgi-plugin-python3,
  ${misc:Depends},
- ${ostack-lsb-base},
  ${python3:Depends},
 Description: OpenStack orchestration service - API server
  Heat is a service to orchestrate multiple composite cloud applications using
@@ -130,7 +129,6 @@
  python3-pastescript,
  uwsgi-plugin-python3,
  ${misc:Depends},
- ${ostack-lsb-base},
  ${python3:Depends},
 Description: OpenStack orchestration service - CFN API
  Heat is a service to orchestrate multiple composite cloud applications using
@@ -174,7 +172,6 @@
  adduser,
  heat-common (=${binary:Version}),
  ${misc:Depends},
- ${ostack-lsb-base},
  ${python3:Depends},
 Description: OpenStack orchestration service - engine
  Heat is a service to orchestrate multiple composite cloud applications using
diff -Nru heat-19.0.0/debian/debian_control_vars heat-19.0.0/debian/debian_control_vars
--- heat-19.0.0/debian/debian_control_vars	2022-10-06 10:14:02.000000000 +0200
+++ heat-19.0.0/debian/debian_control_vars	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-ostack-lsb-base= lsb-base
diff -Nru heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
--- heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch	1970-01-01 01:00:00.000000000 +0100
+++ heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch	2023-04-11 10:21:00.000000000 +0200
@@ -0,0 +1,74 @@
+Description: CVE-2023-1625L Honor hidden parameter in 'stack environment show' command
+ Backport note:
+ This includes change I0abbd535aacc03446ada0fa806dfdfdaa4522afe which
+ fixed the wrong explanation in the release note file.
+Author: Chengen Du <chengen.du@canonical.com>
+Date: Tue, 20 Dec 2022 18:00:00 +0800
+Bug: https://launchpad.net/bugs/1999665
+Bug-Debian: https://bugs.debian.org/1034186
+Story: 2010484
+Task: 47052
+Change-Id: Ifc51ff6a4deab05002ccded59383416f9a586aa0
+Origin: upstream, https://review.opendev.org/c/openstack/heat/+/873465
+Last-Update: 2023-04-11
+
+diff --git a/heat/engine/service.py b/heat/engine/service.py
+index fdd4975..9019ddb 100644
+--- a/heat/engine/service.py
++++ b/heat/engine/service.py
+@@ -12,6 +12,7 @@
+ #    under the License.
+ 
+ import collections
++import copy
+ import datetime
+ import functools
+ import itertools
+@@ -1354,7 +1355,16 @@
+         :rtype: dict
+         """
+         s = self._get_stack(cnxt, stack_identity, show_deleted=True)
+-        return s.raw_template.environment
++        tmpl = templatem.Template.load(cnxt, s.raw_template_id, s.raw_template)
++        param_schemata = tmpl.all_param_schemata(tmpl.files)
++        env = copy.deepcopy(s.raw_template.environment)
++        for section in [env_fmt.PARAMETERS, env_fmt.PARAMETER_DEFAULTS]:
++            for param_name in env.get(section, {}).keys():
++                if (param_name not in param_schemata
++                        or not param_schemata[param_name].hidden):
++                    continue
++                env[section][param_name] = str('******')
++        return env
+ 
+     @context.request_context
+     def get_files(self, cnxt, stack_identity):
+diff --git a/heat/tests/test_engine_service.py b/heat/tests/test_engine_service.py
+index 875d44d..9ce13e3 100644
+--- a/heat/tests/test_engine_service.py
++++ b/heat/tests/test_engine_service.py
+@@ -978,11 +978,12 @@
+         env = {'parameters': {'KeyName': 'EnvKey'}}
+         tmpl = templatem.Template(t)
+         stack = parser.Stack(self.ctx, 'get_env_stack', tmpl)
++        stack.store()
+ 
+         mock_get_stack = self.patchobject(self.eng, '_get_stack')
+         mock_get_stack.return_value = mock.MagicMock()
+         mock_get_stack.return_value.raw_template.environment = env
+-        self.patchobject(parser.Stack, 'load', return_value=stack)
++        self.patchobject(templatem.Template, 'load', return_value=tmpl)
+ 
+         # Test
+         found = self.eng.get_environment(self.ctx, stack.identifier())
+diff --git a/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml b/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml
+new file mode 100644
+index 0000000..8a3a366
+--- /dev/null
++++ b/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++  - |
++    Honor ``hidden`` parameter in get stack environment API. Now values passed
++    to hidden parameters are replaced by '******', similarly to the other
++    APIs such as show stack details API.
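Review bot: the DEP-3 `Description:` line of the new patch has a typo, `CVE-2023-1625L Honor hidden parameter ...`, where a colon was clearly intended (`CVE-2023-1625: Honor hidden parameter ...`); worth fixing in the Debian header before upload since that line is what `quilt header` and the patch tracker display. On the code itself, the `copy.deepcopy(s.raw_template.environment)` is the right choice and should stay: masking on the stored object in place would overwrite the real parameter values the engine keeps for the stack. The visible test change only adapts the existing `KeyName`/`EnvKey` case to the new `templatem.Template.load` patch point (plus the `stack.store()` the load now needs) and adds no parameter marked `hidden`, so the masking branch `env[section][param_name] = str('******')` is not exercised by the lines shown; a unit test with a hidden parameter asserting the `'******'` replacement in both `parameters` and `parameter_defaults` would be the natural addition.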
diff -Nru heat-19.0.0/debian/patches/series heat-19.0.0/debian/patches/series
--- heat-19.0.0/debian/patches/series	2022-10-06 10:14:02.000000000 +0200
+++ heat-19.0.0/debian/patches/series	2023-04-11 10:21:00.000000000 +0200
@@ -1,3 +1,4 @@
 remove-broken-rst.patch
 package-all-files.patch
 add-heat_api_root-configuration-variable.patch
+CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
