summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog12
-rw-r--r--debian/patches/CVE-2023-6110.patch143
-rw-r--r--debian/patches/series1
3 files changed, 156 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 21a3e15..076a085 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+python-openstackclient (5.8.0-0ubuntu1.1) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: deleting a non existing access rule deletes another
+ existing access rule
+ - debian/patches/CVE-2023-6110.patch: fix access rule commands to only
+ use ID in openstackclient/identity/common.py,
+ openstackclient/identity/v3/access_rule.py,
+ openstackclient/tests/unit/identity/v3/test_access_rule.py.
+ - CVE-2023-6110
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 20 Feb 2024 08:08:45 -0500
+
python-openstackclient (5.8.0-0ubuntu1) jammy; urgency=medium
* New upstream release for OpenStack Yoga.
diff --git a/debian/patches/CVE-2023-6110.patch b/debian/patches/CVE-2023-6110.patch
new file mode 100644
index 0000000..2930e40
--- /dev/null
+++ b/debian/patches/CVE-2023-6110.patch
@@ -0,0 +1,143 @@
+Backport of:
+
+From bc60e3bb908a7f10c87993d791184bfe46784d6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com>
+Date: Wed, 31 May 2023 16:00:02 -0500
+Subject: [PATCH] Fix "access rule" commands to only use ID
+
+This patch modifies the access rule commands to use only the resource
+ID. The previous logic incorrectly assumed that access rules have a
+"name" property, which resulted in unexpected behaviors.
+
+For example, "access rule delete {non-existent-id}" now results in a
+"not found" error instead of sometimes deleting an unrelated rule.
+
+Story: 2010775
+Task: 48163
+Change-Id: Ib5c3b7f86acf1dfe7cc76dfa99fa4c118388bd71
+---
+ openstackclient/identity/common.py | 12 ++++++++++
+ openstackclient/identity/v3/access_rule.py | 8 +++----
+ .../unit/identity/v3/test_access_rule.py | 24 ++++++++-----------
+ .../fix-story-2010775-953dbdf03b2b6746.yaml | 8 +++++++
+ 4 files changed, 34 insertions(+), 18 deletions(-)
+ create mode 100644 releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml
+
+#--- /dev/null
+#+++ b/releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml
+#@@ -0,0 +1,8 @@
+#+---
+#+fixes:
+#+ - |
+#+ Fixed a bug in "access rule" subcommands where the client logic incorrectly
+#+ assumed that access rules have a "name" property which resulted in
+#+ unpredictable behaviors. e.g. "access rule delete {non-existent-id}" now
+#+ results in a not-found error instead of sometimes deleting an unrelated
+#+ rule.
+--- a/openstackclient/identity/common.py
++++ b/openstackclient/identity/common.py
+@@ -87,6 +87,18 @@ def get_resource(manager, name_type_or_i
+ raise exceptions.CommandError(msg % name_type_or_id)
+
+
++def get_resource_by_id(manager, resource_id):
++ """Get resource by ID
++
++ Raises CommandError if the resource is not found
++ """
++ try:
++ return manager.get(resource_id)
++ except identity_exc.NotFound:
++ msg = _("Resource with id {} not found")
++ raise exceptions.CommandError(msg.format(resource_id))
++
++
+ def _get_token_resource(client, resource, parsed_name, parsed_domain=None):
+ """Peek into the user's auth token to get resource IDs
+
+--- a/openstackclient/identity/v3/access_rule.py
++++ b/openstackclient/identity/v3/access_rule.py
+@@ -37,7 +37,7 @@ class DeleteAccessRule(command.Command):
+ 'access_rule',
+ metavar='<access-rule>',
+ nargs="+",
+- help=_('Access rule(s) to delete (name or ID)'),
++ help=_('Access rule ID(s) to delete'),
+ )
+ return parser
+
+@@ -47,7 +47,7 @@ class DeleteAccessRule(command.Command):
+ errors = 0
+ for ac in parsed_args.access_rule:
+ try:
+- access_rule = utils.find_resource(
++ access_rule = common.get_resource_by_id(
+ identity_client.access_rules, ac)
+ identity_client.access_rules.delete(access_rule.id)
+ except Exception as e:
+@@ -103,14 +103,14 @@ class ShowAccessRule(command.ShowOne):
+ parser.add_argument(
+ 'access_rule',
+ metavar='<access-rule>',
+- help=_('Access rule to display (name or ID)'),
++ help=_('Access rule ID to display'),
+ )
+ return parser
+
+ def take_action(self, parsed_args):
+ identity_client = self.app.client_manager.identity
+- access_rule = utils.find_resource(identity_client.access_rules,
+- parsed_args.access_rule)
++ access_rule = common.get_resource_by_id(identity_client.access_rules,
++ parsed_args.access_rule)
+
+ access_rule._info.pop('links', None)
+
+--- a/openstackclient/tests/unit/identity/v3/test_access_rule.py
++++ b/openstackclient/tests/unit/identity/v3/test_access_rule.py
+@@ -14,10 +14,9 @@
+ #
+
+ import copy
+-from unittest import mock
+
++from keystoneclient import exceptions as identity_exc
+ from osc_lib import exceptions
+-from osc_lib import utils
+
+ from openstackclient.identity.v3 import access_rule
+ from openstackclient.tests.unit import fakes
+@@ -69,10 +68,13 @@ class TestAccessRuleDelete(TestAccessRul
+ )
+ self.assertIsNone(result)
+
+- @mock.patch.object(utils, 'find_resource')
+- def test_delete_multi_access_rules_with_exception(self, find_mock):
+- find_mock.side_effect = [self.access_rules_mock.get.return_value,
+- exceptions.CommandError]
++ def test_delete_multi_access_rules_with_exception(self):
++ # mock returns for common.get_resource_by_id
++ mock_get = self.access_rules_mock.get
++ mock_get.side_effect = [
++ mock_get.return_value,
++ identity_exc.NotFound,
++ ]
+ arglist = [
+ identity_fakes.access_rule_id,
+ 'nonexistent_access_rule',
+@@ -89,12 +91,10 @@ class TestAccessRuleDelete(TestAccessRul
+ self.assertEqual('1 of 2 access rules failed to'
+ ' delete.', str(e))
+
+- find_mock.assert_any_call(self.access_rules_mock,
+- identity_fakes.access_rule_id)
+- find_mock.assert_any_call(self.access_rules_mock,
+- 'nonexistent_access_rule')
++ mock_get.assert_any_call(identity_fakes.access_rule_id)
++ mock_get.assert_any_call('nonexistent_access_rule')
+
+- self.assertEqual(2, find_mock.call_count)
++ self.assertEqual(2, mock_get.call_count)
+ self.access_rules_mock.delete.assert_called_once_with(
+ identity_fakes.access_rule_id)
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..75a2735
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-6110.patch