public inbox for gentoo-commits@lists.gentoo.org
From: "Matt Thode" <prometheanfire@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-cluster/heat/files/, sys-cluster/heat/
Date: Fri,  4 Nov 2016 14:48:31 +0000 (UTC)
Message-ID: <1478270884.3930fb660c9d11c546f1959d4a2bdf66dd8f67e2.prometheanfire@gentoo>

commit:     3930fb660c9d11c546f1959d4a2bdf66dd8f67e2
Author:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Fri Nov  4 14:48:04 2016 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Fri Nov  4 14:48:04 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3930fb66

sys-cluster/heat: fix CVE-2016-9185 bug 598940

Package-Manager: portage-2.3.0

 sys-cluster/heat/files/CVE-2016-9185.patch         | 53 ++++++++++++++++++++++
 .../{heat-7.0.0.ebuild => heat-7.0.0-r1.ebuild}    |  5 +-
 2 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch b/sys-cluster/heat/files/CVE-2016-9185.patch
new file mode 100644
index 00000000..7b6bd86
--- /dev/null
+++ b/sys-cluster/heat/files/CVE-2016-9185.patch
@@ -0,0 +1,53 @@
+From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001
+From: Daniel Gonzalez <daniel@gonzalez-nothnagel.de>
+Date: Mon, 17 Oct 2016 10:22:42 +0200
+Subject: Prevent template validate from scanning ports
+
+The template validation method in the heat API allows to specify the
+template to validate using a URL with the 'template_url' parameter.
+
+By entering invalid http URLs, like 'http://localhost:22' it is
+possible to scan ports by evaluating the error message of the request.
+
+For example, the request
+
+curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
+-X POST -d '{"template_url": "http://localhost:22"}' \
+http://127.0.0.1:8004/v1/<TENANT_ID>/validate
+
+causes the following error message to be returned to the user:
+
+"Could not retrieve template: Failed to retrieve template:
+('Connection aborted.',
+BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
+
+This could be misused by tenants to gain knowledge about the internal
+network the heat API runs in.
+
+To prevent this information leak, this patch alters the error message
+to not include such details when the url scheme is not 'file'.
+
+SecurityImpact
+
+Closes-Bug: #1606500
+
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
+(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
+---
+ heat/common/urlfetch.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+index 7efd968..8a7deae 100644
+--- a/heat/common/urlfetch.py
++++ b/heat/common/urlfetch.py
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
+         return result
+ 
+     except exceptions.RequestException as ex:
+-        raise URLFetchError(_('Failed to retrieve template: %s') % ex)
++        LOG.info(_LI('Failed to retrieve template: %s') % ex)
++        raise URLFetchError(_('Failed to retrieve template from %s') % url)
+-- 
+cgit v0.12
+
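Review bot: In the `except exceptions.RequestException` branch of `get()`, the new `LOG.info(_LI('Failed to retrieve template: %s') % ex)` line leaves the URL out of the log while the user-facing message now carries it, so an operator reading the log cannot tell which `template_url` produced the failure. Logging both values, passed as logger arguments rather than pre-formatted with `%`, for example `LOG.info(_LI('Failed to retrieve template from %(url)s: %(ex)s'), {'url': url, 'ex': ex})`, keeps the detail server-side and correlatable. The embedded patch changes only two lines and adds no import, so it is worth confirming that `LOG` and `_LI` are already defined in `heat/common/urlfetch.py` as shipped in 7.0.0. The description says the detail is withheld "when the url scheme is not 'file'", but no scheme check appears in the changed lines; the message is replaced for every `RequestException`, so that condition depends on code outside this hunk.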

diff --git a/sys-cluster/heat/heat-7.0.0.ebuild b/sys-cluster/heat/heat-7.0.0-r1.ebuild
similarity index 99%
rename from sys-cluster/heat/heat-7.0.0.ebuild
rename to sys-cluster/heat/heat-7.0.0-r1.ebuild
index 9477a14..37461d9 100644
--- a/sys-cluster/heat/heat-7.0.0.ebuild
+++ b/sys-cluster/heat/heat-7.0.0-r1.ebuild
@@ -113,8 +113,9 @@ RDEPEND="
 	>=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
 	>=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]"
 
-#PATCHES=(
-#)
+PATCHES=(
+	"${FILESDIR}/CVE-2016-9185.patch"
+)
 
 pkg_setup() {
 	enewgroup heat
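Review bot: The `PATCHES` entry names the file `CVE-2016-9185.patch` with no package or version prefix, so nothing in `files/` ties it to heat 7.0.0 or signals when it can be dropped; a name along the lines of `"${FILESDIR}/${P}-CVE-2016-9185.patch"` would make that explicit. The array was previously commented out, and the hunk does not show how it is consumed, so confirm that the ebuild's EAPI or eclass applies `PATCHES` during `src_prepare` and that the patch applies cleanly to the 7.0.0 sources.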

