CVE-2014-2828 openstack-keystone: denial of service via V3 API authentication chaining

The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." Signed-off-by: Amy Fong <amy.fong@windriver.com>
author: Amy Fong <amy.fong@windriver.com> 2014-05-07 14:22:43 -0400
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2014-05-08 14:30:03 -0400
commit: d679e470b5c3a26eff41d1efb0b1c6500e3fc060 (patch)
tree: 88285392ae8348b46d9fe2ce814850331ec1865d /meta-openstack/recipes-devtools/python
parent: fd1371e01ea808309b76a72cc9a161c72e148279 (diff)
download: meta-cloud-services-d679e470b5c3a26eff41d1efb0b1c6500e3fc060.tar.gz
2 files changed, 62 insertions, 1 deletions
diff --git a/meta-openstack/recipes-devtools/python/python-keystone/CVE-2014-2828-keystone-1300274.patch b/meta-openstack/recipes-devtools/python/python-keystone/CVE-2014-2828-keystone-1300274.patch
new file mode 100644
index 0000000..1c5392f
--- /dev/null
+++ b/meta-openstack/recipes-devtools/python/python-keystone/CVE-2014-2828-keystone-1300274.patch
@@ -0,0 +1,60 @@
+From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
+From: Florent Flament <florent.flament-ext@cloudwatt.com>
+Date: Tue, 1 Apr 2014 12:48:22 +0000
+Subject: Sanitizes authentication methods received in requests.
+When a user authenticates against Identity V3 API, he can specify
+multiple authentication methods. This patch removes duplicates, which
+could have been used to achieve DoS attacks.
+Closes-Bug: 1300274
+(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
+Cherry-pick from https://review.openstack.org/#/c/84425/
+Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
+diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
+index c3399df..4944316 100644
+--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
+@@ -225,7 +225,13 @@ class AuthInfo(object):
+         :returns: list of auth method names
+ 
+         """
+-        return self.auth['identity']['methods'] or []
+        # Sanitizes methods received in request's body
+        # Filters out duplicates, while keeping elements' order.
+        method_names = []
+        for method in self.auth['identity']['methods']:
+            if method not in method_names:
+                method_names.append(method)
+        return method_names
+ 
+     def get_method_data(self, method):
+         """Get the auth method payload.
+diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
+index d07e6ae..e89e29f 100644
+--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
+@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
+                           None,
+                           auth_data)
+ 
+    def test_get_method_names_duplicates(self):
+        auth_data = self.build_authentication_request(
+            token='test',
+            user_id='test',
+            password='test')['auth']
+        auth_data['identity']['methods'] = ['password', 'token',
+                                            'password', 'password']
+        context = None
+        auth_info = auth.controllers.AuthInfo(context, auth_data)
+        self.assertEqual(auth_info.get_method_names(),
+                         ['password', 'token'])
+
+     def test_get_method_data_invalid_method(self):
+         auth_data = self.build_authentication_request(
+             user_id='test',
+-- 
+cgit v0.10.1
diff --git a/meta-openstack/recipes-devtools/python/python-keystone_git.bb b/meta-openstack/recipes-devtools/python/python-keystone_git.bb
index c0522f8..982a088 100644
--- a/meta-openstack/recipes-devtools/python/python-keystone_git.bb
+++ b/meta-openstack/recipes-devtools/python/python-keystone_git.bb
@@ -4,7 +4,7 @@ SECTION = "devel/python"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2"
-PR = "r0"
+PR = "r1"
 SRCNAME = "keystone"
 SRC_URI = "git://github.com/openstack/${SRCNAME}.git;branch=stable/havana \
@@ -13,6 +13,7 @@ SRC_URI = "git://github.com/openstack/${SRCNAME}.git;branch=stable/havana \
           file://keystone \
           file://openrc \
           file://Update-test-core-ETCDIR-location.patch \
+           file://CVE-2014-2828-keystone-1300274.patch \
          "
 SRCREV="a96d1a44bc0f074729c312e5c2a0f0875edf1765"
author	Amy Fong <amy.fong@windriver.com>	2014-05-07 14:22:43 -0400
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2014-05-08 14:30:03 -0400
commit	d679e470b5c3a26eff41d1efb0b1c6500e3fc060 (patch)
tree	88285392ae8348b46d9fe2ce814850331ec1865d /meta-openstack/recipes-devtools/python
parent	fd1371e01ea808309b76a72cc9a161c72e148279 (diff)
download	meta-cloud-services-d679e470b5c3a26eff41d1efb0b1c6500e3fc060.tar.gz

diff --git a/meta-openstack/recipes-devtools/python/python-keystone/CVE-2014-2828-keystone-1300274.patch b/meta-openstack/recipes-devtools/python/python-keystone/CVE-2014-2828-keystone-1300274.patch new file mode 100644 index 0000000..1c5392f --- /dev/null +++ b/meta-openstack/recipes-devtools/python/python-keystone/CVE-2014-2828-keystone-1300274.patch
@@ -0,0 +1,60 @@
		1	From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
		2	From: Florent Flament <florent.flament-ext@cloudwatt.com>
		3	Date: Tue, 1 Apr 2014 12:48:22 +0000
		4	Subject: Sanitizes authentication methods received in requests.
		5
		6	When a user authenticates against Identity V3 API, he can specify
		7	multiple authentication methods. This patch removes duplicates, which
		8	could have been used to achieve DoS attacks.
		9
		10	Closes-Bug: 1300274
		11	(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
		12	Cherry-pick from https://review.openstack.org/#/c/84425/
		13
		14	Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
		15
		16	diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
		17	index c3399df..4944316 100644
		18	--- a/keystone/auth/controllers.py
		19	+++ b/keystone/auth/controllers.py
		20	@@ -225,7 +225,13 @@ class AuthInfo(object):
		21	:returns: list of auth method names
		22
		23	"""
		24	- return self.auth['identity']['methods'] or []
		25	+ # Sanitizes methods received in request's body
		26	+ # Filters out duplicates, while keeping elements' order.
		27	+ method_names = []
		28	+ for method in self.auth['identity']['methods']:
		29	+ if method not in method_names:
		30	+ method_names.append(method)
		31	+ return method_names
		32
		33	def get_method_data(self, method):
		34	"""Get the auth method payload.
		35	diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
		36	index d07e6ae..e89e29f 100644
		37	--- a/keystone/tests/test_v3_auth.py
		38	+++ b/keystone/tests/test_v3_auth.py
		39	@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
		40	None,
		41	auth_data)
		42
		43	+ def test_get_method_names_duplicates(self):
		44	+ auth_data = self.build_authentication_request(
		45	+ token='test',
		46	+ user_id='test',
		47	+ password='test')['auth']
		48	+ auth_data['identity']['methods'] = ['password', 'token',
		49	+ 'password', 'password']
		50	+ context = None
		51	+ auth_info = auth.controllers.AuthInfo(context, auth_data)
		52	+ self.assertEqual(auth_info.get_method_names(),
		53	+ ['password', 'token'])
		54	+
		55	def test_get_method_data_invalid_method(self):
		56	auth_data = self.build_authentication_request(
		57	user_id='test',
		58	--
		59	cgit v0.10.1
		60


diff --git a/meta-openstack/recipes-devtools/python/python-keystone_git.bb b/meta-openstack/recipes-devtools/python/python-keystone_git.bb index c0522f8..982a088 100644 --- a/meta-openstack/recipes-devtools/python/python-keystone_git.bb +++ b/meta-openstack/recipes-devtools/python/python-keystone_git.bb
@@ -4,7 +4,7 @@ SECTION = "devel/python"
4	LICENSE = "Apache-2.0"	4	LICENSE = "Apache-2.0"
5	LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2"	5	LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2"
6		6
7	PR = "r0"	7	PR = "r1"
8	SRCNAME = "keystone"	8	SRCNAME = "keystone"
9		9
10	SRC_URI = "git://github.com/openstack/${SRCNAME}.git;branch=stable/havana \	10	SRC_URI = "git://github.com/openstack/${SRCNAME}.git;branch=stable/havana \
@@ -13,6 +13,7 @@ SRC_URI = "git://github.com/openstack/${SRCNAME}.git;branch=stable/havana \
13	file://keystone \	13	file://keystone \
14	file://openrc \	14	file://openrc \
15	file://Update-test-core-ETCDIR-location.patch \	15	file://Update-test-core-ETCDIR-location.patch \
		16	file://CVE-2014-2828-keystone-1300274.patch \
16	"	17	"
17		18
18	SRCREV="a96d1a44bc0f074729c312e5c2a0f0875edf1765"	19	SRCREV="a96d1a44bc0f074729c312e5c2a0f0875edf1765"