authorMatthew Thode <prometheanfire@gentoo.org>2017-01-26 15:40:53 -0600
committerMatthew Thode <prometheanfire@gentoo.org>2017-01-26 15:43:41 -0600
commitad8a82887a3e612cae719a7ce6219f9ee760fc66 (patch)
tree88cd49f2c5c44ecbec6411f8610536646f60b2c7
parentdev-db/phpmyadmin: Security releases - 4.0.10.19, 4.4.15.10, 4.6.6 (PMASA-20... (diff)
dev-python/oslo-middleware: fix CVE-2017-2592 bug 606976
Package-Manager: portage-2.3.3
-rw-r--r--dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch90
-rw-r--r--dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch90
-rw-r--r--dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild59
-rw-r--r--dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild60
4 files changed, 299 insertions, 0 deletions
diff --git a/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch b/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch
new file mode 100644
index 000000000000..b38cd597c3d4
--- /dev/null
+++ b/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch
@@ -0,0 +1,90 @@
+From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001
+From: Jamie Lennox <jamielennox@gmail.com>
+Date: Wed, 28 Sep 2016 15:03:53 +1000
+Subject: [PATCH] Filter token data out of catch_errors middleware
+
+If an exception is caught by the catch_errors middleware the entire
+request is dumped into the log including sensitive information like
+tokens. Filter that information before outputting the failed request.
+
+Closes-Bug: #1628031
+Change-Id: I2563403993513c37751576223275350cac2e0937
+---
+ oslo_middleware/catch_errors.py | 6 +++++-
+ oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
+index 43d085f..0934fc5 100644
+--- a/oslo_middleware/catch_errors.py
++++ b/oslo_middleware/catch_errors.py
+@@ -14,6 +14,7 @@
+ # under the License.
+
+ import logging
++import re
+
+ import webob.dec
+ import webob.exc
+@@ -24,6 +25,8 @@ from oslo_middleware import base
+
+ LOG = logging.getLogger(__name__)
+
++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)
++
+
+ class CatchErrors(base.ConfigurableMiddleware):
+ """Middleware that provides high-level error handling.
+@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware):
+ try:
+ response = req.get_response(self.application)
+ except Exception:
++ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text())
+ LOG.exception(_LE('An error occurred during '
+- 'processing the request: %s'), req)
++ 'processing the request: %s'), req_str)
+ response = webob.exc.HTTPInternalServerError()
+ return response
+diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
+index 920bbe2..0b675e2 100644
+--- a/oslo_middleware/tests/test_catch_errors.py
++++ b/oslo_middleware/tests/test_catch_errors.py
+@@ -13,6 +13,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import fixtures
+ import mock
+ from oslotest import base as test_base
+ import webob.dec
+@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
+ self._test_has_request_id(application,
+ webob.exc.HTTPInternalServerError.code)
+ self.assertEqual(1, log_exc.call_count)
++
++ def test_filter_tokens_from_log(self):
++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
++
++ @webob.dec.wsgify
++ def application(req):
++ raise Exception()
++
++ app = catch_errors.CatchErrors(application)
++ req = webob.Request.blank('/test',
++ text=u'test data',
++ method='POST',
++ headers={'X-Auth-Token': 'secret1',
++ 'X-Service-Token': 'secret2',
++ 'X-Other-Token': 'secret3'})
++ res = req.get_response(app)
++ self.assertEqual(500, res.status_int)
++
++ output = logger.output
++
++ self.assertIn('X-Auth-Token: <removed>', output)
++ self.assertIn('X-Service-Token: <removed>', output)
++ self.assertIn('X-Other-Token: <removed>', output)
++ self.assertIn('test data', output)
+--
+2.7.4
+
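Review bot: The `_TOKEN_RE` line inside this vendored patch builds the pattern from a plain (non-raw) string containing `\w`, which only works because Python preserves unrecognized escapes; it raises a DeprecationWarning from 3.6 on and should read `_TOKEN_RE = re.compile(r'^(X-\w+-Token):.*$', flags=re.MULTILINE)`. The redaction is also narrower than the log statement it guards: only headers of the form `X-…-Token` are replaced, while the request body is still logged verbatim (the added test asserts `'test data'` is present in the output), so a credential carried in the body or in a header with another name still reaches the log. A one-line comment above the pattern, such as `# Redacts X-*-Token header values only; body and other headers are logged verbatim`, would make that residual exposure explicit for maintainers. Whether `req.as_text()` always emits title-cased header names, so that the case-sensitive match is sufficient, cannot be confirmed from this hunk. The identical patch content (same blob b38cd597c3d4) is added again as cve-2017-2592-stable-newton.patch, so both copies share these points.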
diff --git a/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch
new file mode 100644
index 000000000000..b38cd597c3d4
--- /dev/null
+++ b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch
@@ -0,0 +1,90 @@
+From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001
+From: Jamie Lennox <jamielennox@gmail.com>
+Date: Wed, 28 Sep 2016 15:03:53 +1000
+Subject: [PATCH] Filter token data out of catch_errors middleware
+
+If an exception is caught by the catch_errors middleware the entire
+request is dumped into the log including sensitive information like
+tokens. Filter that information before outputting the failed request.
+
+Closes-Bug: #1628031
+Change-Id: I2563403993513c37751576223275350cac2e0937
+---
+ oslo_middleware/catch_errors.py | 6 +++++-
+ oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
+index 43d085f..0934fc5 100644
+--- a/oslo_middleware/catch_errors.py
++++ b/oslo_middleware/catch_errors.py
+@@ -14,6 +14,7 @@
+ # under the License.
+
+ import logging
++import re
+
+ import webob.dec
+ import webob.exc
+@@ -24,6 +25,8 @@ from oslo_middleware import base
+
+ LOG = logging.getLogger(__name__)
+
++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)
++
+
+ class CatchErrors(base.ConfigurableMiddleware):
+ """Middleware that provides high-level error handling.
+@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware):
+ try:
+ response = req.get_response(self.application)
+ except Exception:
++ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text())
+ LOG.exception(_LE('An error occurred during '
+- 'processing the request: %s'), req)
++ 'processing the request: %s'), req_str)
+ response = webob.exc.HTTPInternalServerError()
+ return response
+diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
+index 920bbe2..0b675e2 100644
+--- a/oslo_middleware/tests/test_catch_errors.py
++++ b/oslo_middleware/tests/test_catch_errors.py
+@@ -13,6 +13,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import fixtures
+ import mock
+ from oslotest import base as test_base
+ import webob.dec
+@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
+ self._test_has_request_id(application,
+ webob.exc.HTTPInternalServerError.code)
+ self.assertEqual(1, log_exc.call_count)
++
++ def test_filter_tokens_from_log(self):
++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
++
++ @webob.dec.wsgify
++ def application(req):
++ raise Exception()
++
++ app = catch_errors.CatchErrors(application)
++ req = webob.Request.blank('/test',
++ text=u'test data',
++ method='POST',
++ headers={'X-Auth-Token': 'secret1',
++ 'X-Service-Token': 'secret2',
++ 'X-Other-Token': 'secret3'})
++ res = req.get_response(app)
++ self.assertEqual(500, res.status_int)
++
++ output = logger.output
++
++ self.assertIn('X-Auth-Token: <removed>', output)
++ self.assertIn('X-Service-Token: <removed>', output)
++ self.assertIn('X-Other-Token: <removed>', output)
++ self.assertIn('test data', output)
+--
+2.7.4
+
diff --git a/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild b/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild
new file mode 100644
index 000000000000..062868e1012a
--- /dev/null
+++ b/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild
@@ -0,0 +1,59 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+
+inherit distutils-r1
+
+DESCRIPTION="Components injected into wsgi pipelines to intercept request/response flows."
+HOMEPAGE="https://pypi.python.org/pypi/oslo.middleware"
+SRC_URI="mirror://pypi/${PN:0:1}/oslo.middleware/oslo.middleware-${PV}.tar.gz"
+S="${WORKDIR}/oslo.middleware-${PV}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="test"
+
+PATCHES=( "${FILESDIR}/cve-2017-2592-stable-newton.patch" )
+
+CDEPEND="
+ >=dev-python/pbr-1.6[${PYTHON_USEDEP}]
+ <dev-python/pbr-2.0[${PYTHON_USEDEP}]"
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ ${CDEPEND}
+ test? (
+ >=dev-python/fixtures-3.0.0[${PYTHON_USEDEP}]
+ >=dev-python/mock-2.0.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
+ !~dev-python/oslo-sphinx-3.4.0[${PYTHON_USEDEP}]
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}]
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ )"
+RDEPEND="
+ ${CDEPEND}
+ >=dev-python/jinja-2.8[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-utils-3.16.0[${PYTHON_USEDEP}]
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-1.16.0[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
+ >=dev-python/debtcollector-1.2.0[${PYTHON_USEDEP}]
+"
+
+python_prepare_all() {
+ sed -i '/^hacking/d' test-requirements.txt || die
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ nosetests tests/ || die "test failed under ${EPYTHON}"
+}
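Review bot: `python_test` runs `nosetests tests/`, but the bundled patch adds its regression test under `oslo_middleware/tests/test_catch_errors.py`, so as far as this diff shows the CVE fix's own test would not be exercised by the test phase unless a top-level `tests/` directory also exists in the sdist. If the package layout matches the patch paths, `nosetests oslo_middleware/tests/ || die "test failed under ${EPYTHON}"` (or running the whole package directory) would cover it; this cannot be confirmed from the ebuild alone. The same `python_test` body appears in oslo-middleware-3.8.0-r2.ebuild.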
diff --git a/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild b/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild
new file mode 100644
index 000000000000..1a7e55b48a89
--- /dev/null
+++ b/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+
+inherit distutils-r1
+
+DESCRIPTION="Components injected into wsgi pipelines to intercept request/response flows."
+HOMEPAGE="https://pypi.python.org/pypi/oslo.middleware"
+SRC_URI="mirror://pypi/${PN:0:1}/oslo.middleware/oslo.middleware-${PV}.tar.gz"
+S="${WORKDIR}/oslo.middleware-${PV}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="test"
+
+FILES=( "${FILESDIR}/cve-2017-2592-stable-mitaka.patch" )
+
+CDEPEND="
+ >=dev-python/pbr-1.6[${PYTHON_USEDEP}]
+ <dev-python/pbr-2.0[${PYTHON_USEDEP}]"
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ ${CDEPEND}
+ test? (
+ >=dev-python/fixtures-1.3.1[${PYTHON_USEDEP}]
+ >=dev-python/mock-1.2[${PYTHON_USEDEP}]
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
+ !~dev-python/oslo-sphinx-3.4.0[${PYTHON_USEDEP}]
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}]
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ )"
+RDEPEND="
+ ${CDEPEND}
+ >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
+ >=dev-python/jinja-2.8[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-3.7.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-utils-3.5.0[${PYTHON_USEDEP}]
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-1.5.0[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
+ >=dev-python/debtcollector-1.2.0[${PYTHON_USEDEP}]
+"
+
+python_prepare_all() {
+ sed -i '/^hacking/d' test-requirements.txt || die
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ nosetests tests/ || die "test failed under ${EPYTHON}"
+}
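Review bot: This ebuild stores the CVE patch in `FILES=( ... )` rather than `PATCHES=( ... )`, unlike oslo-middleware-3.19.0-r1.ebuild in the same commit, and nothing in the eclass chain reads a `FILES` array; distutils-r1's `python_prepare_all` applies `PATCHES` (via epatch under EAPI 5), so as written the -r2 revision would be built without cve-2017-2592-stable-mitaka.patch and would not actually fix CVE-2017-2592 for 3.8.0. The line should be `PATCHES=( "${FILESDIR}/cve-2017-2592-stable-mitaka.patch" )`. After the rename it is worth confirming in the build log that the patch is applied, since the revision bump alone will mark the vulnerable version as fixed for users.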