authorMatthew Thode <prometheanfire@gentoo.org>2014-07-02 17:12:34 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-07-02 17:12:34 +0000
commit30d30521e0957445ae47c3e767a67e06bef50216 (patch)
tree81cdf4af07350e583b5aaa4252995c6cbc4117ed /sys-auth/keystone
parentNew upstream release as per Oliver Jaksch; reduced T202 default to legal mini... (diff)
bup for CVE-2014-3520, no vulnerable versions left in tree
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog9
-rw-r--r--sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch94
-rw-r--r--sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch64
-rw-r--r--sys-auth/keystone/keystone-2014.1.1-r2.ebuild (renamed from sys-auth/keystone/keystone-2014.1.1-r1.ebuild)3
4 files changed, 104 insertions, 66 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 71243ad11b0c..1649d6f34380 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.73 2014/06/30 01:30:42 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.74 2014/07/02 17:12:34 prometheanfire Exp $
+
+*keystone-2014.1.1-r2 (02 Jul 2014)
+
+ 02 Jul 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2014.1.1-CVE-2014-3250.patch, +keystone-2014.1.1-r2.ebuild,
+ -files/CVE-2014-2828-2013.2.3.patch, -keystone-2014.1.1-r1.ebuild:
+ bup for CVE-2014-3520, no vulnerable left in tree
*keystone-2014.1.1-r1 (30 Jun 2014)
diff --git a/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch b/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch
new file mode 100644
index 000000000000..0bf2bb6e2a2c
--- /dev/null
+++ b/sys-auth/keystone/files/2014.1.1-CVE-2014-3250.patch
@@ -0,0 +1,94 @@
+From 8ac8484e1daadfda3f36b3135a8f6de56fc41795 Mon Sep 17 00:00:00 2001
+From: Jamie Lennox <jamielennox@redhat.com>
+Date: Thu, 19 Jun 2014 14:41:22 +1000
+Subject: [PATCH] Ensure that in v2 auth tenant_id matches trust
+
+Previously if a trustee requests a trust scoped token for a project that
+is different to the one in the trust, however the trustor has the
+appropriate roles then a token would be issued.
+
+Ensure that the trust that was given matches the project that was
+specified in the scope.
+
+(cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a)
+
+Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc
+Closes-Bug: #1331912
+---
+ keystone/tests/test_auth.py | 15 +++++++++++++--
+ keystone/token/controllers.py | 6 +++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
+index 6d93e7f..4d9d9da 100644
+--- a/keystone/tests/test_auth.py
++++ b/keystone/tests/test_auth.py
+@@ -693,13 +693,15 @@ class AuthWithTrust(AuthTest):
+ self.new_trust = self.trust_controller.create_trust(
+ context, trust=trust_data)['trust']
+
+- def build_v2_token_request(self, username, password):
++ def build_v2_token_request(self, username, password, tenant_id=None):
++ if not tenant_id:
++ tenant_id = self.tenant_bar['id']
+ body_dict = _build_user_auth(username=username, password=password)
+ self.unscoped_token = self.controller.authenticate({}, body_dict)
+ unscoped_token_id = self.unscoped_token['access']['token']['id']
+ request_body = _build_user_auth(token={'id': unscoped_token_id},
+ trust_id=self.new_trust['id'],
+- tenant_id=self.tenant_bar['id'])
++ tenant_id=tenant_id)
+ return request_body
+
+ def test_create_trust_bad_data_fails(self):
+@@ -782,6 +784,15 @@ class AuthWithTrust(AuthTest):
+ exception.Forbidden,
+ self.controller.authenticate, {}, request_body)
+
++ def test_token_from_trust_wrong_project_fails(self):
++ for assigned_role in self.assigned_roles:
++ self.assignment_api.add_role_to_user_and_project(
++ self.trustor['id'], self.tenant_baz['id'], assigned_role)
++ request_body = self.build_v2_token_request('TWO', 'two2',
++ self.tenant_baz['id'])
++ self.assertRaises(exception.Forbidden, self.controller.authenticate,
++ {}, request_body)
++
+ def fetch_v2_token_from_trust(self):
+ request_body = self.build_v2_token_request('TWO', 'two2')
+ auth_response = self.controller.authenticate({}, request_body)
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index bcae12c..be16145 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
+@@ -164,6 +164,8 @@ class Auth(controller.V2Controller):
+
+ user_ref = old_token_ref['user']
+ user_id = user_ref['id']
++ tenant_id = self._get_project_id_from_auth(auth)
++
+ if not CONF.trust.enabled and 'trust_id' in auth:
+ raise exception.Forbidden('Trusts are disabled.')
+ elif CONF.trust.enabled and 'trust_id' in auth:
+@@ -172,6 +174,9 @@ class Auth(controller.V2Controller):
+ raise exception.Forbidden()
+ if user_id != trust_ref['trustee_user_id']:
+ raise exception.Forbidden()
++ if (trust_ref['project_id'] and
++ tenant_id != trust_ref['project_id']):
++ raise exception.Forbidden()
+ if ('expires' in trust_ref) and (trust_ref['expires']):
+ expiry = trust_ref['expires']
+ if expiry < timeutils.parse_isotime(timeutils.isotime()):
+@@ -196,7 +201,6 @@ class Auth(controller.V2Controller):
+ current_user_ref = self.identity_api.get_user(user_id)
+
+ metadata_ref = {}
+- tenant_id = self._get_project_id_from_auth(auth)
+ tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
+ user_id, tenant_id)
+
+--
+1.9.3
+
+
diff --git a/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch b/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
deleted file mode 100644
index 950696125f23..000000000000
--- a/sys-auth/keystone/files/CVE-2014-2828-2013.2.3.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
-From: Florent Flament <florent.flament-ext@cloudwatt.com>
-Date: Tue, 1 Apr 2014 12:48:22 +0000
-Subject: [PATCH] Sanitizes authentication methods received in requests.
-
-When a user authenticates against Identity V3 API, he can specify
-multiple authentication methods. This patch removes duplicates, which
-could have been used to achieve DoS attacks.
-
-Closes-Bug: 1300274
-(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
-Cherry-pick from https://review.openstack.org/#/c/84425/
-
-Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
----
- keystone/auth/controllers.py | 8 +++++++-
- keystone/tests/test_v3_auth.py | 12 ++++++++++++
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
-index c3399df..4944316 100644
---- a/keystone/auth/controllers.py
-+++ b/keystone/auth/controllers.py
-@@ -225,7 +225,13 @@ def get_method_names(self):
- :returns: list of auth method names
-
- """
-- return self.auth['identity']['methods'] or []
-+ # Sanitizes methods received in request's body
-+ # Filters out duplicates, while keeping elements' order.
-+ method_names = []
-+ for method in self.auth['identity']['methods']:
-+ if method not in method_names:
-+ method_names.append(method)
-+ return method_names
-
- def get_method_data(self, method):
- """Get the auth method payload.
-diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
-index d07e6ae..e89e29f 100644
---- a/keystone/tests/test_v3_auth.py
-+++ b/keystone/tests/test_v3_auth.py
-@@ -81,6 +81,18 @@ def test_both_project_and_domain_in_scope(self):
- None,
- auth_data)
-
-+ def test_get_method_names_duplicates(self):
-+ auth_data = self.build_authentication_request(
-+ token='test',
-+ user_id='test',
-+ password='test')['auth']
-+ auth_data['identity']['methods'] = ['password', 'token',
-+ 'password', 'password']
-+ context = None
-+ auth_info = auth.controllers.AuthInfo(context, auth_data)
-+ self.assertEqual(auth_info.get_method_names(),
-+ ['password', 'token'])
-+
- def test_get_method_data_invalid_method(self):
- auth_data = self.build_authentication_request(
- user_id='test',
---
-1.9.1
-
diff --git a/sys-auth/keystone/keystone-2014.1.1-r1.ebuild b/sys-auth/keystone/keystone-2014.1.1-r2.ebuild
index 9396507ff2d7..3e1486547baf 100644
--- a/sys-auth/keystone/keystone-2014.1.1-r1.ebuild
+++ b/sys-auth/keystone/keystone-2014.1.1-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2014.1.1-r1.ebuild,v 1.1 2014/06/30 01:30:42 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2014.1.1-r2.ebuild,v 1.1 2014/07/02 17:12:34 prometheanfire Exp $
EAPI=5
@@ -79,6 +79,7 @@ RDEPEND=">=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
PATCHES=(
"${FILESDIR}/2014.1.1-CVE-2014-3476.patch"
+ "${FILESDIR}/2014.1.1-CVE-2014-3250.patch"
)
pkg_setup() {
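Review bot: The new PATCHES entry `"${FILESDIR}/2014.1.1-CVE-2014-3250.patch"` references a file named for CVE-2014-3250, while the commit message and the ChangeLog entry attribute this bump to CVE-2014-3520; the two identifiers differ only by transposed digits, so one of them is presumably a typo. If the filename is the wrong one, renaming the added file to `2014.1.1-CVE-2014-3520.patch` and changing the PATCHES line to `"${FILESDIR}/2014.1.1-CVE-2014-3520.patch"` would keep the advisory reference in the ebuild consistent with the commit record and make the applied fix auditable against the advisory; the ChangeLog line that names the file would need the same correction. The enclosing PATCHES array is complete in the hunk, but pkg_setup() and the rest of the ebuild continue outside it.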