diff options
| author | Marc Deslauriers <marc.deslauriers@ubuntu.com> | 2024-02-20 08:12:46 -0500 |
|---|---|---|
| committer | git-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com> | 2024-02-28 13:30:04 +0000 |
| commit | 37b942676e1e55296b84f433bbfd54fd391adcc3 (patch) | |
| tree | 37767ac550e5b0bff206cc24985c47d6be24ea1a | |
| parent | b9babfb37d9393c346464877b5c6721119301b3d (diff) | |
5.2.0-0ubuntu1.20.04.2 (patches unapplied)import/5.2.0-0ubuntu1.20.04.2ubuntu/focal-updatesubuntu/focal-securityubuntu/focal-devel
Imported using git-ubuntu import.
Notes
Notes:
* SECURITY UPDATE: deleting a non existing access rule deletes another
existing access rule
- debian/patches/CVE-2023-6110.patch: fix access rule commands to only
use ID in openstackclient/identity/common.py,
openstackclient/identity/v3/access_rule.py,
openstackclient/tests/unit/identity/v3/test_access_rule.py.
- CVE-2023-6110
| -rw-r--r-- | debian/changelog | 12 | ||||
| -rw-r--r-- | debian/patches/CVE-2023-6110.patch | 142 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 155 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 5afb25a..f865af4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +python-openstackclient (5.2.0-0ubuntu1.20.04.2) focal-security; urgency=medium + + * SECURITY UPDATE: deleting a non existing access rule deletes another + existing access rule + - debian/patches/CVE-2023-6110.patch: fix access rule commands to only + use ID in openstackclient/identity/common.py, + openstackclient/identity/v3/access_rule.py, + openstackclient/tests/unit/identity/v3/test_access_rule.py. + - CVE-2023-6110 + + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 20 Feb 2024 08:12:46 -0500 + python-openstackclient (5.2.0-0ubuntu1.20.04.1) focal; urgency=medium * compute: Add missing options for 'server group list' (LP: #1980801) diff --git a/debian/patches/CVE-2023-6110.patch b/debian/patches/CVE-2023-6110.patch new file mode 100644 index 0000000..c47946f --- /dev/null +++ b/debian/patches/CVE-2023-6110.patch @@ -0,0 +1,142 @@ +Backport of: + +From bc60e3bb908a7f10c87993d791184bfe46784d6c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com> +Date: Wed, 31 May 2023 16:00:02 -0500 +Subject: [PATCH] Fix "access rule" commands to only use ID + +This patch modifies the access rule commands to use only the resource +ID. The previous logic incorrectly assumed that access rules have a +"name" property, which resulted in unexpected behaviors. + +For example, "access rule delete {non-existent-id}" now results in a +"not found" error instead of sometimes deleting an unrelated rule. + +Story: 2010775 +Task: 48163 +Change-Id: Ib5c3b7f86acf1dfe7cc76dfa99fa4c118388bd71 +--- + openstackclient/identity/common.py | 12 ++++++++++ + openstackclient/identity/v3/access_rule.py | 8 +++---- + .../unit/identity/v3/test_access_rule.py | 24 ++++++++----------- + .../fix-story-2010775-953dbdf03b2b6746.yaml | 8 +++++++ + 4 files changed, 34 insertions(+), 18 deletions(-) + create mode 100644 releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml + +#--- /dev/null +#+++ b/releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml +#@@ -0,0 +1,8 @@ +#+--- +#+fixes: +#+ - | +#+ Fixed a bug in "access rule" subcommands where the client logic incorrectly +#+ assumed that access rules have a "name" property which resulted in +#+ unpredictable behaviors. e.g. "access rule delete {non-existent-id}" now +#+ results in a not-found error instead of sometimes deleting an unrelated +#+ rule. +--- a/openstackclient/identity/common.py ++++ b/openstackclient/identity/common.py +@@ -87,6 +87,18 @@ def get_resource(manager, name_type_or_i + raise exceptions.CommandError(msg % name_type_or_id) + + ++def get_resource_by_id(manager, resource_id): ++ """Get resource by ID ++ ++ Raises CommandError if the resource is not found ++ """ ++ try: ++ return manager.get(resource_id) ++ except identity_exc.NotFound: ++ msg = _("Resource with id {} not found") ++ raise exceptions.CommandError(msg.format(resource_id)) ++ ++ + def _get_token_resource(client, resource, parsed_name, parsed_domain=None): + """Peek into the user's auth token to get resource IDs + +--- a/openstackclient/identity/v3/access_rule.py ++++ b/openstackclient/identity/v3/access_rule.py +@@ -38,7 +38,7 @@ class DeleteAccessRule(command.Command): + 'access_rule', + metavar='<access-rule>', + nargs="+", +- help=_('Access rule(s) to delete (name or ID)'), ++ help=_('Access rule ID(s) to delete'), + ) + return parser + +@@ -48,7 +48,7 @@ class DeleteAccessRule(command.Command): + errors = 0 + for ac in parsed_args.access_rule: + try: +- access_rule = utils.find_resource( ++ access_rule = common.get_resource_by_id( + identity_client.access_rules, ac) + identity_client.access_rules.delete(access_rule.id) + except Exception as e: +@@ -104,14 +104,14 @@ class ShowAccessRule(command.ShowOne): + parser.add_argument( + 'access_rule', + metavar='<access-rule>', +- help=_('Access rule to display (name or ID)'), ++ help=_('Access rule ID to display'), + ) + return parser + + def take_action(self, parsed_args): + identity_client = self.app.client_manager.identity +- access_rule = utils.find_resource(identity_client.access_rules, +- parsed_args.access_rule) ++ access_rule = common.get_resource_by_id(identity_client.access_rules, ++ parsed_args.access_rule) + + access_rule._info.pop('links', None) + +--- a/openstackclient/tests/unit/identity/v3/test_access_rule.py ++++ b/openstackclient/tests/unit/identity/v3/test_access_rule.py +@@ -15,9 +15,8 @@ + + import copy + +-import mock ++from keystoneclient import exceptions as identity_exc + from osc_lib import exceptions +-from osc_lib import utils + + from openstackclient.identity.v3 import access_rule + from openstackclient.tests.unit import fakes +@@ -69,10 +68,13 @@ class TestAccessRuleDelete(TestAccessRul + ) + self.assertIsNone(result) + +- @mock.patch.object(utils, 'find_resource') +- def test_delete_multi_access_rules_with_exception(self, find_mock): +- find_mock.side_effect = [self.access_rules_mock.get.return_value, +- exceptions.CommandError] ++ def test_delete_multi_access_rules_with_exception(self): ++ # mock returns for common.get_resource_by_id ++ mock_get = self.access_rules_mock.get ++ mock_get.side_effect = [ ++ mock_get.return_value, ++ identity_exc.NotFound, ++ ] + arglist = [ + identity_fakes.access_rule_id, + 'nonexistent_access_rule', +@@ -89,12 +91,10 @@ class TestAccessRuleDelete(TestAccessRul + self.assertEqual('1 of 2 access rules failed to' + ' delete.', str(e)) + +- find_mock.assert_any_call(self.access_rules_mock, +- identity_fakes.access_rule_id) +- find_mock.assert_any_call(self.access_rules_mock, +- 'nonexistent_access_rule') ++ mock_get.assert_any_call(identity_fakes.access_rule_id) ++ mock_get.assert_any_call('nonexistent_access_rule') + +- self.assertEqual(2, find_mock.call_count) ++ self.assertEqual(2, mock_get.call_count) + self.access_rules_mock.delete.assert_called_once_with( + identity_fakes.access_rule_id) + diff --git a/debian/patches/series b/debian/patches/series index 846ff8b..eec119e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ compute-Add-missing-options-for-server-group-list.patch +CVE-2023-6110.patch |
