CVE-2016-9185 fix

* CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch Change-Id: I2f44ea70de2ae19a91fbc4331aa0d9da1785a9ac
2016-12-26 17:38:13 +01:00 · 2016-12-26 17:38:13 +01:00 · 3ab0b42ffb
parent fed9f0adf5
commit 3ab0b42ffb
3 changed files with 56 additions and 2 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,8 +1,13 @@
-heat (1:7.0.0-2) UNRELEASED; urgency=medium
+heat (1:7.0.0-2) unstable; urgency=medium

+  [ Ondřej Nový ]
  * Bumped debhelper compat version to 10

- -- Ondřej Nový <onovy@debian.org>  Wed, 23 Nov 2016 23:58:51 +0100
+  [ Thomas Goirand ]
+  * CVE-2016-9185: template source URL allows network port scan: applied
+    upstream patch (Closes: #843232).
+
+ -- Thomas Goirand <zigo@debian.org>  Mon, 26 Dec 2016 17:36:59 +0100

 heat (1:7.0.0-1) unstable; urgency=medium

--- a/debian/patches/CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch
+++ b/debian/patches/CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch
@ -0,0 +1,48 @@
+Author: Daniel Gonzalez <daniel@gonzalez-nothnagel.de>
+Date: Mon, 17 Oct 2016 08:22:42 +0000 (+0200)
+Description: CVE-2016-9185: Prevent template validate from scanning ports
+ Prevent template validate from scanning ports
+ .
+ The template validation method in the heat API allows to specify the
+ template to validate using a URL with the 'template_url,' parameter.
+ .
+ By entering invalid http URLs, like 'http://localhost:22' it is
+ possible to scan ports by evaluating the error message of the request.
+ .
+ For example, the request
+ .
+ curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
+ -X POST -d '{"template_url": "http://localhost:22"}' \
+ http://127.0.0.1:8004/v1/<TENANT_ID>/validate
+ .
+ causes the following error message to be returned to the user:
+ .
+ "Could not retrieve template: Failed to retrieve template:
+ ('Connection aborted.',
+ BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
+ .
+ This could be misused by tenants to gain knowledge about the internal
+ network the heat API runs in.
+ .
+ To prevent this information leak, this patch alters the error message
+ to not include such details when the url scheme is not 'file'.
+ .
+ SecurityImpact
+ .
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fheat.git;a=commitdiff_plain;h=02dfb1a64f8a545a6dfed15245ac54c8ea835b81
+Bug-Ubuntu: https://bugs.launchpad.net/ossa/+bug/1606500
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
+Origin: uptream, https://review.openstack.org/393147
+Last-Update: 2016-10-06
+
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+index 7efd968..8a7deae 100644
+--- a/heat/common/urlfetch.py
+++ b/heat/common/urlfetch.py
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
+         return result
+ 
+     except exceptions.RequestException as ex:
+-        raise URLFetchError(_('Failed to retrieve template: %s') % ex)
+        LOG.info(_LI('Failed to retrieve template: %s') % ex)
+        raise URLFetchError(_('Failed to retrieve template from %s') % url)
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,2 +1,3 @@
 only-run-tests-in-heat.tests.patch
 fix-requirements.txt.patch
+CVE-2016-9185_Prevent_template_validate_from_scanning_ports.patch