authorMatthew Thode <prometheanfire@gentoo.org>2013-06-14 21:57:36 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2013-06-14 21:57:36 +0000
commitb448a02bc0f8c627d403e6ef942d7c575ea4704a (patch)
tree594dd57a57e3b44e43e60deb39270e7769b98688 /sys-auth/keystone
parentMove latest from kde overlay wrt bug 473296. (diff)
keystone fixed for CVE-2013-2157 bug 473304
(Portage version: 2.1.11.62/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog12
-rw-r--r--sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch78
-rw-r--r--sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch83
-rw-r--r--sys-auth/keystone/keystone-2012.2.4-r5.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r4.ebuild)3
-rw-r--r--sys-auth/keystone/keystone-2013.1.2-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.1.2.ebuild)3
5 files changed, 176 insertions, 3 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index abffcccf6dab..ac0444f6f7fe 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.21 2013/06/06 19:24:26 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.22 2013/06/14 21:57:36 prometheanfire Exp $
+
+*keystone-2013.1.2-r1 (14 Jun 2013)
+*keystone-2012.2.4-r5 (14 Jun 2013)
+
+ 14 Jun 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/keystone-folsom-4-CVE-2013-2157.patch,
+ +files/keystone-grizzly-2-CVE-2013-2157.patch, +keystone-2012.2.4-r5.ebuild,
+ +keystone-2013.1.2-r1.ebuild, -keystone-2012.2.4-r4.ebuild,
+ -keystone-2013.1.2.ebuild:
+ keystone fixed for CVE-2013-2157 bug 473304
*keystone-2013.1.2 (06 Jun 2013)
diff --git a/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch
new file mode 100644
index 000000000000..e2a172b5dafb
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch
@@ -0,0 +1,78 @@
+From 953fd4a2ac43ffcdf7edb4a35e0ca6a1c573092d Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon@cern.ch>
+Date: Thu, 6 Jun 2013 10:57:09 -0500
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection. If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+---
+ keystone/identity/backends/ldap/core.py | 14 ++------------
+ tests/test_backend_ldap.py | 16 ++++++++++++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 03d3ab6..e5bfcf6 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -58,18 +58,6 @@ class Identity(identity.Driver):
+ self.tenant = TenantApi(CONF)
+ self.role = RoleApi(CONF)
+
+- def get_connection(self, user=None, password=None):
+- if self.LDAP_URL.startswith('fake://'):
+- conn = fakeldap.FakeLdap(self.LDAP_URL)
+- else:
+- conn = common_ldap.LdapWrapper(self.LDAP_URL)
+- if user is None:
+- user = self.LDAP_USER
+- if password is None:
+- password = self.LDAP_PASSWORD
+- conn.simple_bind_s(user, password)
+- return conn
+-
+ # Identity interface
+ def authenticate(self, user_id=None, tenant_id=None, password=None):
+ """Authenticate based on a user, tenant and password.
+@@ -85,6 +73,8 @@ class Identity(identity.Driver):
+ except exception.UserNotFound:
+ raise AssertionError('Invalid user / password')
+
++ if not user_id or not password:
++ raise AssertionError('Invalid user / password')
+ try:
+ conn = self.user.get_connection(self.user._id_to_dn(user_id),
+ password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index 5f0137c..88e48c5 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -65,3 +65,19 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+ user_api = identity_ldap.UserApi(CONF)
+ self.assertTrue(user_api)
+ self.assertEquals(user_api.tree_dn, "ou=Users,%s" % CONF.ldap.suffix)
++
++ def test_authenticate_requires_simple_bind(self):
++ user = {
++ 'id': uuid.uuid4().hex,
++ 'name': uuid.uuid4().hex,
++ 'password': uuid.uuid4().hex,
++ 'enabled': True,
++ }
++ self.identity_api.create_user(user['id'], user)
++ self.identity_api.user.LDAP_USER = None
++ self.identity_api.user.LDAP_PASSWORD = None
++
++ self.assertRaises(AssertionError,
++ self.identity_api.authenticate,
++ user_id=user['id'],
++ password=None)
+--
+1.8.2.3
+
+
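Review bot: The new test in tests/test_backend_ldap.py only exercises `password=None`, while the credential form that actually turns into an LDAP unauthenticated bind is an empty password string; the `if not user_id or not password:` guard added to core.py rejects both, but nothing pins the empty-string case. A second assertion, `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], password='')`, placed after the existing one would lock that in. The guard sits after the `UserNotFound` handling and before the bind, which is the right place, but the `authenticate` body and the `get_connection` call it makes continue past the hunk, so the bind itself is only partly visible here.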
diff --git a/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch b/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch
new file mode 100644
index 000000000000..37a724cf3d8a
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-grizzly-2-CVE-2013-2157.patch
@@ -0,0 +1,83 @@
+From 1eaaf4ddb94626f3ff44931e764858161468e159 Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon@cern.ch>
+Date: Tue, 4 Jun 2013 11:59:35 -0400
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection. If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+---
+ keystone/identity/backends/ldap/core.py | 14 ++------------
+ tests/test_backend_ldap.py | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 1fad1120667f4d86f6d05c0109827be7e2160248..9ada436c8b2308a300966bacf8d2a7d78b118331 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -52,18 +52,6 @@ class Identity(identity.Driver):
+ self.role = RoleApi(CONF)
+ self.group = GroupApi(CONF)
+
+- def get_connection(self, user=None, password=None):
+- if self.LDAP_URL.startswith('fake://'):
+- conn = fakeldap.FakeLdap(self.LDAP_URL)
+- else:
+- conn = common_ldap.LdapWrapper(self.LDAP_URL)
+- if user is None:
+- user = self.LDAP_USER
+- if password is None:
+- password = self.LDAP_PASSWORD
+- conn.simple_bind_s(user, password)
+- return conn
+-
+ def _validate_domain(self, ref):
+ """Validate that either the default domain or nothing is specified.
+
+@@ -109,6 +97,8 @@ class Identity(identity.Driver):
+ except exception.UserNotFound:
+ raise AssertionError('Invalid user / password')
+
++ if not user_id or not password:
++ raise AssertionError('Invalid user / password')
+ try:
+ conn = self.user.get_connection(self.user._id_to_dn(user_id),
+ password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index c0bceea52a6b550736146c88cacdc2fccb72053f..b2e33ee2c379e5662d07de8fbb0458a5acee647a 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -595,6 +595,26 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+ 'name': 'Default',
+ 'enabled': True}])
+
++ def test_authenticate_requires_simple_bind(self):
++ user = {
++ 'id': 'no_meta',
++ 'name': 'NO_META',
++ 'domain_id': test_backend.DEFAULT_DOMAIN_ID,
++ 'password': 'no_meta2',
++ 'enabled': True,
++ }
++ self.identity_man.create_user({}, user['id'], user)
++ self.identity_api.add_user_to_project(self.tenant_baz['id'],
++ user['id'])
++ self.identity_api.user.LDAP_USER = None
++ self.identity_api.user.LDAP_PASSWORD = None
++
++ self.assertRaises(AssertionError,
++ self.identity_api.authenticate,
++ user_id=user['id'],
++ tenant_id=self.tenant_baz['id'],
++ password=None)
++
+
+ class LDAPIdentityEnabledEmulation(LDAPIdentity):
+ def setUp(self):
+--
+1.8.1.4
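Review bot: The guard `if not user_id or not password:` added to `authenticate` in core.py carries no comment explaining its purpose, and it reads as redundant next to the `UserNotFound` handling just above it, which makes it an easy target for a later cleanup. Suggest `# Refuse empty credentials before binding: with anonymous binds enabled an empty password binds successfully (CVE-2013-2157).` directly above the guard. The helper it then calls, `self.user.get_connection`, lives in common LDAP code outside this patch, so whether that helper still substitutes `LDAP_USER`/`LDAP_PASSWORD` when given `None` cannot be confirmed from here; the guard is what keeps `password=None` from reaching it. The `authenticate` body continues beyond the hunk.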
diff --git a/sys-auth/keystone/keystone-2012.2.4-r4.ebuild b/sys-auth/keystone/keystone-2012.2.4-r5.ebuild
index 884f158b46f6..d8d7b64cfb88 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r4.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r5.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r4.ebuild,v 1.1 2013/05/28 16:34:39 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r5.ebuild,v 1.1 2013/06/14 21:57:36 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -73,6 +73,7 @@ PATCHES=(
"${FILESDIR}/keystone-folsom-4-CVE-2013-2059.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch"
+ "${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch"
)
python_install() {
diff --git a/sys-auth/keystone/keystone-2013.1.2.ebuild b/sys-auth/keystone/keystone-2013.1.2-r1.ebuild
index a8ac0f9015f7..02552d29a144 100644
--- a/sys-auth/keystone/keystone-2013.1.2.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.2-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.2.ebuild,v 1.1 2013/06/06 19:24:26 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.2-r1.ebuild,v 1.1 2013/06/14 21:57:36 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
# dev-python/webtest
# )
PATCHES=(
+ "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
)
#
#python_test() {