Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-glance-store@packages.debian.org
Control: affects -1 + src:python-glance-store
[ Reason ]
I would like to update python-glance-store/4.1.0-4 to
python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
(aka: #1063795).
[ Impact ]
S3 credentials may otherwise continue to be logged in glance's
log if loglevel is set to DEBUG.
[ Tests ]
The package contains and runs unit tests at build time, plus
autopkgtest. Upstream runs extensive functional tests, and
so do I, doing a full OpenStack deployment with this package.
No regression has been found.
[ Risks ]
Minimum. Only the S3 backend is impacted.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The point release announcement was published last year:
https://lists.openstack.org/archives/list/release-announce@lists.openstack.org/thread/PY26MG7DBD4UVJDEXWMSIM4TGS52F4VX/
It can be broken down this way:
e9d2509 Add force to os-brick disconnect
3d3467d Fix tox4 error
8034cdc Update TOX_CONSTRAINTS_FILE for stable/zed
c05c7e5 Update .gitreview for stable/zed
Let me explain the commits. e9d2509 contains the fix for CVE-2023-2088
that was already in Bookworm, and that I'm therefore dropping. The
other 3 commits are to address internal OpenStack CI and Git infra, and
are not code changes. They can therefore be ignored.
So really, this update only contains the fix for CVE-2024-1141 and
nothing else, even though the upstream version bumps.
Last thing: I rewrote the patch header this way (not shown in the
attached debdiff, as I fired up reportbug -b before realizing the
patch header needed some edits):
Author: lujie <lujie@ict.ac.cn>
Date: Fri, 19 Jan 2024 13:12:20 +0800
Description: CVE-2024-1141: Do not show access_key in s3 driver
Avoid possible leakage of s3 access keys by not including them in log
messages.
.
This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
(change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
some more log messages that the original patch had missed.
.
The two commits are squashed here for ease in backporting (and also
to make sure that *both* are always backported).
Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/907736
Bug: https://launchpad.net/bugs/2047688
Bug-Debian: https://bugs.debian.org/1063795
Last-Update: 2024-05-08
Please allow me to upload python-glance-store to Bookworm for the
next point release.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-glance-store-4.1.0/debian/changelog python-glance-store-4.1.1/debian/changelog
--- python-glance-store-4.1.0/debian/changelog 2023-05-12 08:52:34.000000000 +0200
+++ python-glance-store-4.1.1/debian/changelog 2023-09-01 15:10:49.000000000 +0200
@@ -1,3 +1,13 @@
+python-glance-store (4.1.1-1+deb12u1) bookworm; urgency=medium
+
+ * New upstream release.
+ * Drop CVE-2023-2088_Add_force_to_os-brick_disconnect.patch applied
+ upstream.
+ * CVE-2024-1141: Glance Store access key logged in DEBUG log level. Add
+ upstream patch: Do not show access_key in s3 driver (Closes: #1063795).
+
+ -- Thomas Goirand <zigo@debian.org> Fri, 01 Sep 2023 15:10:49 +0200
+
python-glance-store (4.1.0-4) unstable; urgency=medium
* CVE-2023-2088: Unauthorized volume access through deleted volume
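Review bot: the timestamp on the new 4.1.1-1+deb12u1 entry, "Fri, 01 Sep 2023 15:10:49 +0200", predates the CVE-2024-1141 fix it announces (the upstream commit is dated 19 Jan 2024 and the patch header says Last-Update 2024-05-08), so it looks inherited from an earlier 4.1.1-1 changelog stanza; re-date the entry with `dch -r` before upload so the stable changelog does not claim the fix landed months before it existed. It would also help the release team to have the "New upstream release." bullet say what 4.1.1 actually carries (the CVE-2023-2088 fix already in bookworm plus CI-only changes), so the changelog alone shows that the net source change is the CVE-2024-1141 patch.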
diff -Nru python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
--- python-glance-store-4.1.0/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch 2023-05-12 08:52:34.000000000 +0200
+++ python-glance-store-4.1.1/debian/patches/CVE-2023-2088_Add_force_to_os-brick_disconnect.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,94 +0,0 @@
-Author: Brian Rosmaita <rosmaita.fossdev@gmail.com>
-Date: Tue, 18 Apr 2023 11:22:27 -0400
-Description: CVE-2023-2088: Add force to os-brick disconnect
- In order to be sure that devices are being removed from the host,
- we should be using the 'force' parameter with os-brick's
- disconnect_volume() method.
-Bug: https://launchpad.net/bugs/2004555
-Change-Id: I63d09ad9ef465bc154c85a9ea125449c039d1b90
-Bug-Debian: https://bugs.debian.org/1035978
-Origin: upstream, https://review.opendev.org/c/openstack/glance_store/+/882853
-Last-Update: 2023-05-12
-
-diff --git a/glance_store/_drivers/cinder.py b/glance_store/_drivers/cinder.py
-index 3509348..7405b7a 100644
---- a/glance_store/_drivers/cinder.py
-+++ b/glance_store/_drivers/cinder.py
-@@ -831,7 +831,10 @@
- client, attachment.id, volume_id, host, conn,
- connection_info, device)
- else:
-- conn.disconnect_volume(connection_info, device)
-+ # Bug #2004555: use force so there aren't any
-+ # leftovers
-+ conn.disconnect_volume(connection_info, device,
-+ force=True)
- except Exception:
- LOG.exception(_LE('Failed to disconnect volume '
- '%(volume_id)s.'),
-diff --git a/glance_store/common/attachment_state_manager.py b/glance_store/common/attachment_state_manager.py
-index 984fcb8..948ebd1 100644
---- a/glance_store/common/attachment_state_manager.py
-+++ b/glance_store/common/attachment_state_manager.py
-@@ -230,7 +230,8 @@
- {'volume_id': volume_id, 'host': host})
-
- if not vol_attachment.in_use():
-- conn.disconnect_volume(connection_info, device)
-+ # Bug #2004555: use force so there aren't any leftovers
-+ conn.disconnect_volume(connection_info, device, force=True)
- del self.volumes[volume_id]
- self.volume_api.attachment_delete(client, attachment_id)
-
-diff --git a/glance_store/tests/unit/common/test_attachment_state_manager.py b/glance_store/tests/unit/common/test_attachment_state_manager.py
-index d8c5189..4d1c26a 100644
---- a/glance_store/tests/unit/common/test_attachment_state_manager.py
-+++ b/glance_store/tests/unit/common/test_attachment_state_manager.py
-@@ -91,7 +91,7 @@
- mock_attach_delete.side_effect = ex()
- self.assertRaises(ex, self._sentinel_detach, conn)
- conn.disconnect_volume.assert_called_once_with(
-- *self.disconnect_vol_call)
-+ *self.disconnect_vol_call, force=True)
-
- @mock.patch.object(cinder_utils.API, 'attachment_create')
- @mock.patch.object(cinder_utils.API, 'attachment_delete')
-@@ -104,7 +104,7 @@
- *self.attach_call_1, **self.attach_call_2)
- self.assertEqual(mock.sentinel.attachment_id, attachment['id'])
- conn.disconnect_volume.assert_called_once_with(
-- *self.disconnect_vol_call)
-+ *self.disconnect_vol_call, force=True)
- mock_attach_delete.assert_called_once_with(
- *self.detach_call)
-
-diff --git a/glance_store/tests/unit/test_cinder_base.py b/glance_store/tests/unit/test_cinder_base.py
-index d7fca2f..d517834 100644
---- a/glance_store/tests/unit/test_cinder_base.py
-+++ b/glance_store/tests/unit/test_cinder_base.py
-@@ -315,7 +315,7 @@
- fake_connector.connect_volume.assert_called_once_with(
- mock.ANY)
- fake_connector.disconnect_volume.assert_called_once_with(
-- mock.ANY, fake_devinfo)
-+ mock.ANY, fake_devinfo, force=True)
- fake_conn_obj.assert_called_once_with(
- mock.ANY, root_helper, conn=mock.ANY,
- use_multipath=multipath_supported)
-diff --git a/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml b/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml
-new file mode 100644
-index 0000000..8d982c6
---- /dev/null
-+++ b/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml
-@@ -0,0 +1,11 @@
-+security:
-+ - |
-+ Cinder glance_store driver: in order to avoid a situation where a
-+ leftover device could be mapped to a different volume than the one
-+ intended, the cinder glance_store driver now instructs the os-brick
-+ library to force detach volumes, which ensures that devices are
-+ removed from the host.
-+
-+ See `Bug #2004555
-+ <https://bugs.launchpad.net/glance-store/+bug/2004555>`_ for more
-+ information about this issue.
diff -Nru python-glance-store-4.1.0/debian/patches/CVE-2024-1141_Do_not_show_access_key_in_s3_driver.patch python-glance-store-4.1.1/debian/patches/CVE-2024-1141_Do_not_show_access_key_in_s3_driver.patch
--- python-glance-store-4.1.0/debian/patches/CVE-2024-1141_Do_not_show_access_key_in_s3_driver.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-glance-store-4.1.1/debian/patches/CVE-2024-1141_Do_not_show_access_key_in_s3_driver.patch 2023-09-01 15:10:49.000000000 +0200
@@ -0,0 +1,64 @@
+From f7f87019adbcdb069ea23ccb7b3e187cb52eaf55 Mon Sep 17 00:00:00 2001
+From: lujie <lujie@ict.ac.cn>
+Date: Fri, 19 Jan 2024 13:12:20 +0800
+Subject: [PATCH] Do not show access_key in s3 driver
+
+Avoid possible leakage of s3 access keys by not including them in log
+messages.
+
+This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
+(change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
+some more log messages that the original patch had missed.
+
+The two commits are squashed here for ease in backporting (and also
+to make sure that *both* are always backported).
+
+Closes-Bug: #2047688
+Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
+(cherry picked from commit a5ba027922ba1230b4ae9abb810f36427be6354a)
+(cherry picked from commit 1583aebb69befea3173396ea161cf896b7d51beb)
+(cherry picked from commit 45ad5df01fa7062ba7d3ec99966531623e35ab57)
+---
+
+diff --git a/glance_store/_drivers/s3.py b/glance_store/_drivers/s3.py
+index 1a21ddd..05c7677 100644
+--- a/glance_store/_drivers/s3.py
++++ b/glance_store/_drivers/s3.py
+@@ -504,10 +504,8 @@
+ key = s3_client.get_object(Bucket=bucket, Key=key)
+
+ LOG.debug("Retrieved image object from S3 using s3_host=%(s3_host)s, "
+- "access_key=%(accesskey)s, bucket=%(bucket)s, "
+- "key=%(key)s)",
+- {'s3_host': loc.s3serviceurl, 'accesskey': loc.accesskey,
+- 'bucket': bucket, 'key': key})
++ "bucket=%(bucket)s key=%(key)s)",
++ {'s3_host': loc.s3serviceurl, 'bucket': bucket, 'key': key})
+
+ cs = self.READ_CHUNKSIZE
+
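Review bot: the replacement message for the get path drops the comma between the bucket and key fields ("bucket=%(bucket)s key=%(key)s)") while the add and delete messages keep it, and it still ends with an unmatched ")"; cosmetic, but "bucket=%(bucket)s, key=%(key)s" would match the other two hunks. Separately, within the lines shown, `key` is rebound two lines above to the `get_object()` response, so the `key=` field here logs that response object rather than the object key; that is pre-existing and out of scope for a CVE backport, but worth a follow-up upstream. The credential removal itself is correct: `loc.accesskey` no longer appears in the format arguments.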
+@@ -587,10 +585,8 @@
+ raise glance_store.BackendException(msg)
+
+ LOG.debug("Adding image object to S3 using (s3_host=%(s3_host)s, "
+- "access_key=%(access_key)s, bucket=%(bucket)s, "
+- "key=%(key)s)",
+- {'s3_host': self.s3_host, 'access_key': loc.accesskey,
+- 'bucket': bucket, 'key': key})
++ "bucket=%(bucket)s, key=%(key)s)",
++ {'s3_host': self.s3_host, 'bucket': bucket, 'key': key})
+
+ if not self._object_exists(s3_client, bucket, key):
+ if image_size < self.s3_store_large_object_size:
+@@ -794,9 +790,8 @@
+ raise exceptions.NotFound(image=key)
+
+ LOG.debug("Deleting image object from S3 using s3_host=%(s3_host)s, "
+- "accesskey=%(accesskey)s, bucket=%(bucket)s, key=%(key)s)",
+- {'s3_host': loc.s3serviceurl, 'accesskey': loc.accesskey,
+- 'bucket': bucket, 'key': key})
++ "bucket=%(bucket)s, key=%(key)s)",
++ {'s3_host': loc.s3serviceurl, 'bucket': bucket, 'key': key})
+
+ return s3_client.delete_object(Bucket=bucket, Key=key)
+
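Review bot: the header on this patch file is the raw git format-patch one (From/Subject/Closes-Bug) with none of the DEP-3 fields (Origin, Bug, Bug-Debian, Last-Update) that the cover letter says were added afterwards; make sure the uploaded source carries the rewritten header, otherwise the link from the patch to #1063795 and to the upstream review is lost. Also note for the advisory text: this change only stops future logging of the access key. Operators who have run glance-api at DEBUG with the S3 backend should treat the key as already exposed in existing log files and rotate it, since nothing here scrubs logs that were written before the upgrade.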
diff -Nru python-glance-store-4.1.0/debian/patches/series python-glance-store-4.1.1/debian/patches/series
--- python-glance-store-4.1.0/debian/patches/series 2023-05-12 08:52:34.000000000 +0200
+++ python-glance-store-4.1.1/debian/patches/series 2023-09-01 15:10:49.000000000 +0200
@@ -1,2 +1,2 @@
OverflowError_running_on_32-bit_systems.patch
-CVE-2023-2088_Add_force_to_os-brick_disconnect.patch
+CVE-2024-1141_Do_not_show_access_key_in_s3_driver.patch
diff -Nru python-glance-store-4.1.0/.gitreview python-glance-store-4.1.1/.gitreview
--- python-glance-store-4.1.0/.gitreview 2022-08-23 09:20:00.000000000 +0200
+++ python-glance-store-4.1.1/.gitreview 2023-05-10 16:46:25.000000000 +0200
@@ -2,3 +2,4 @@
host=review.opendev.org
port=29418
project=openstack/glance_store.git
+defaultbranch=stable/zed
diff -Nru python-glance-store-4.1.0/glance_store/common/attachment_state_manager.py python-glance-store-4.1.1/glance_store/common/attachment_state_manager.py
--- python-glance-store-4.1.0/glance_store/common/attachment_state_manager.py 2022-08-23 09:20:00.000000000 +0200
+++ python-glance-store-4.1.1/glance_store/common/attachment_state_manager.py 2023-05-10 16:46:25.000000000 +0200
@@ -230,7 +230,8 @@
{'volume_id': volume_id, 'host': host})
if not vol_attachment.in_use():
- conn.disconnect_volume(connection_info, device)
+ # Bug #2004555: use force so there aren't any leftovers
+ conn.disconnect_volume(connection_info, device, force=True)
del self.volumes[volume_id]
self.volume_api.attachment_delete(client, attachment_id)
diff -Nru python-glance-store-4.1.0/glance_store/_drivers/cinder.py python-glance-store-4.1.1/glance_store/_drivers/cinder.py
--- python-glance-store-4.1.0/glance_store/_drivers/cinder.py 2022-08-23 09:20:00.000000000 +0200
+++ python-glance-store-4.1.1/glance_store/_drivers/cinder.py 2023-05-10 16:46:25.000000000 +0200
@@ -831,7 +831,10 @@
client, attachment.id, volume_id, host, conn,
connection_info, device)
else:
- conn.disconnect_volume(connection_info, device)
+ # Bug #2004555: use force so there aren't any
+ # leftovers
+ conn.disconnect_volume(connection_info, device,
+ force=True)
except Exception:
LOG.exception(_LE('Failed to disconnect volume '
'%(volume_id)s.'),
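Review bot: `disconnect_volume(..., force=True)` only works against an os-brick whose connector accepts a `force` keyword; this is the same change that shipped in bookworm as the CVE-2023-2088 patch in 4.1.0-4 (see the dropped debian/patches file above), so the packaged python-os-brick evidently already supports it and no new dependency bump is needed here. The hunk is byte-identical to the dropped patch, so the net source change for this file versus 4.1.0-4 is zero.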
diff -Nru python-glance-store-4.1.0/glance_store/tests/unit/common/test_attachment_state_manager.py python-glance-store-4.1.1/glance_store/tests/unit/common/test_attachment_state_manager.py
--- python-glance-store-4.1.0/glance_store/tests/unit/common/test_attachment_state_manager.py 2022-08-23 09:20:00.000000000 +0200
+++ python-glance-store-4.1.1/glance_store/tests/unit/common/test_attachment_state_manager.py 2023-05-10 16:46:25.000000000 +0200
@@ -91,7 +91,7 @@
mock_attach_delete.side_effect = ex()
self.assertRaises(ex, self._sentinel_detach, conn)
conn.disconnect_volume.assert_called_once_with(
- *self.disconnect_vol_call)
+ *self.disconnect_vol_call, force=True)
@mock.patch.object(cinder_utils.API, 'attachment_create')
@mock.patch.object(cinder_utils.API, 'attachment_delete')
@@ -104,7 +104,7 @@
*self.attach_call_1, **self.attach_call_2)
self.assertEqual(mock.sentinel.attachment_id, attachment['id'])
conn.disconnect_volume.assert_called_once_with(
- *self.disconnect_vol_call)
+ *self.disconnect_vol_call, force=True)
mock_attach_delete.assert_called_once_with(
*self.detach_call)
diff -Nru python-glance-store-4.1.0/glance_store/tests/unit/test_cinder_base.py python-glance-store-4.1.1/glance_store/tests/unit/test_cinder_base.py
--- python-glance-store-4.1.0/glance_store/tests/unit/test_cinder_base.py 2022-08-23 09:20:00.000000000 +0200
+++ python-glance-store-4.1.1/glance_store/tests/unit/test_cinder_base.py 2023-05-10 16:46:25.000000000 +0200
@@ -315,7 +315,7 @@
fake_connector.connect_volume.assert_called_once_with(
mock.ANY)
fake_connector.disconnect_volume.assert_called_once_with(
- mock.ANY, fake_devinfo)
+ mock.ANY, fake_devinfo, force=True)
fake_conn_obj.assert_called_once_with(
mock.ANY, root_helper, conn=mock.ANY,
use_multipath=multipath_supported)
diff -Nru python-glance-store-4.1.0/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml python-glance-store-4.1.1/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml
--- python-glance-store-4.1.0/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml 1970-01-01 01:00:00.000000000 +0100
+++ python-glance-store-4.1.1/releasenotes/notes/bug-2004555-4fd67fce86c07461.yaml 2023-05-10 16:46:25.000000000 +0200
@@ -0,0 +1,11 @@
+security:
+ - |
+ Cinder glance_store driver: in order to avoid a situation where a
+ leftover device could be mapped to a different volume than the one
+ intended, the cinder glance_store driver now instructs the os-brick
+ library to force detach volumes, which ensures that devices are
+ removed from the host.
+
+ See `Bug #2004555
+ <https://bugs.launchpad.net/glance-store/+bug/2004555>`_ for more
+ information about this issue.
diff -Nru python-glance-store-4.1.0/tox.ini python-glance-store-4.1.1/tox.ini
--- python-glance-store-4.1.0/tox.ini 2022-08-23 09:20:00.000000000 +0200
+++ python-glance-store-4.1.1/tox.ini 2023-05-10 16:46:25.000000000 +0200
@@ -1,7 +1,6 @@
[tox]
minversion = 3.1.1
envlist = py39,py38,pep8
-skipsdist = True
ignore_basepython_conflict = True
[testenv]
@@ -9,7 +8,7 @@
setenv = VIRTUAL_ENV={envdir}
usedevelop = True
deps =
- -c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt}
+ -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed}
-r{toxinidir}/requirements.txt
-r{toxinidir}/test-requirements.txt
passenv = OS_TEST_*
@@ -17,13 +16,13 @@
[testenv:docs]
deps =
- -c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt}
+ -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed}
-r{toxinidir}/doc/requirements.txt
commands = sphinx-build -W -b html doc/source doc/build/html
[testenv:releasenotes]
deps =
- -c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt}
+ -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/zed}
-r{toxinidir}/doc/requirements.txt
commands = sphinx-build -a -E -W -d releasenotes/build/.doctrees -b html releasenotes/source releasenotes/build/html
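Review bot: the switch from the raw opendev master upper-constraints URL to the releases.openstack.org zed constraints (and the removal of `skipsdist`) only affects upstream tox runs; it has no effect on the Debian build as long as debian/rules runs the unit tests through pybuild/stestr rather than tox, which the cover letter's "unit tests at build time" implies but this debdiff does not itself show. If the build did invoke tox, these URLs would require network access at build time, which is not allowed on the buildds.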