Package: release.debian.org
Severity: important
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Dear release team,

Here's the changelog entry:

+  * CVE-2018-1000872: Resource Management Errors (similar issue to
+    CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
+    server can be made unavailable by one or more clients opening all of the
+    available sockets. Applied upstream patch: Fix a denial-of-service bug by
+    setting the server socket timeout (Closes: #917030).

The security team doesn't think a DSA is needed.

Debdiff is attached. The resulting package is here:
http://sid.gplhost.com/stretch-proposed-updates/python-pykmip/

Please allow me to upload python-pykmip/0.5.0-4+deb9u1 to Stretch-proposed.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-pykmip-0.5.0/debian/changelog python-pykmip-0.5.0/debian/changelog --- python-pykmip-0.5.0/debian/changelog 2016-12-02 21:49:06.000000000 +0000 +++ python-pykmip-0.5.0/debian/changelog 2019-02-24 16:43:42.000000000 +0000 @@ -1,3 +1,13 @@ +python-pykmip (0.5.0-4+deb9u1) stretch; urgency=medium + + * CVE-2018-1000872: Resource Management Errors (similar issue to + CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the + server can be made unavailable by one or more clients opening all of the + available sockets. Applied upstream patch: Fix a denial-of-service bug by + setting the server socket timeout (Closes: #917030). + + -- Thomas Goirand <z...@debian.org> Sun, 24 Feb 2019 17:43:42 +0100 + python-pykmip (0.5.0-4) unstable; urgency=medium * Team upload. diff -Nru python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch --- python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch 1970-01-01 00:00:00.000000000 +0000 +++ python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch 2019-02-24 16:43:42.000000000 +0000 
@@ -0,0 +1,54 @@ +Description: CVE-2018-1000872: Fix a denial-of-service bug by setting the server socket timeout + This change fixes a potential denial-of-service bug with the + server, setting a default timeout for all server sockets. This + allows the server to drop hung connections without blocking + forever. The interrupt triggered during accept calls is expected + and is now handled appropriately. Server unit tests have been + updated to reflect this change. +Author: Peter Hamilton <peter.allen.hamil...@gmail.com> +Date: Tue, 24 Apr 2018 21:57:20 -0400 +Origin: upstream, https://github.com/OpenKMIP/PyKMIP/commit/3a7b880bdf70d295ed8af3a5880bab65fa6b3932 +Bug-Debian: https://bugs.debian.org/917030 +Last-Update: 2019-02-24 + +Index: python-pykmip/kmip/services/server/server.py +=================================================================== +--- python-pykmip.orig/kmip/services/server/server.py ++++ python-pykmip/kmip/services/server/server.py +@@ -176,6 +176,7 @@ class KmipServer(object): + self._logger.info("Starting server socket handler.") + + # Create a TCP stream socket and configure it for immediate reuse. ++ socket.setdefaulttimeout(10) + self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + +@@ -283,6 +284,11 @@ class KmipServer(object): + while self._is_serving: + try: + connection, address = self._socket.accept() ++ except socket.timeout: ++ # Setting the default socket timeout to break hung connections ++ # will cause accept to periodically raise socket.timeout. This ++ # is expected behavior, so ignore it and retry accept. 
++ pass + except socket.error as e: + if e.errno == errno.EINTR: + self._logger.warning("Interrupting connection service.") +Index: python-pykmip/kmip/tests/unit/services/server/test_server.py +=================================================================== +--- python-pykmip.orig/kmip/tests/unit/services/server/test_server.py ++++ python-pykmip/kmip/tests/unit/services/server/test_server.py +@@ -342,7 +342,11 @@ class TestKmipServer(testtools.TestCase) + + # Test the expected behavior for a normal server/interrupt sequence + s._socket.accept = mock.MagicMock( +- side_effect=[('connection', 'address'), expected_error] ++ side_effect=[ ++ ('connection', 'address'), ++ socket.timeout, ++ expected_error ++ ] + ) + + s.serve() diff -Nru python-pykmip-0.5.0/debian/patches/series python-pykmip-0.5.0/debian/patches/series --- python-pykmip-0.5.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ python-pykmip-0.5.0/debian/patches/series 2019-02-24 16:43:42.000000000 +0000 @@ -0,0 +1 @@ +CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch
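Review bot: `socket.setdefaulttimeout(10)` in the first server.py hunk (the `@@ -176,6 +176,7 @@` region of `start()`) is process-wide state rather than a property of the server socket: every socket created afterwards in the same interpreter (client sockets, logging handlers, anything a co-hosted library opens) picks up the 10-second timeout, and the value is hard-coded with no configuration hook. The choice is defensible, because CPython makes the sockets returned by `accept()` inherit the default timeout when one is set, which a plain `self._socket.settimeout(10)` on the listener alone would not do, but that reasoning is not stated anywhere in the code; a one-line comment saying so, and either a config option or at least a named constant for the 10, would stop the next reader from "fixing" it back to a per-socket call. Also not visible in this diff is how the per-connection handler treats `socket.timeout` on the accepted socket during the TLS handshake and the request read; check that it closes the connection and logs, rather than letting the exception propagate out of the session thread.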
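Review bot: the order of the except clauses in the `serve()` hunk (`@@ -283,6 +284,11 @@`) is load-bearing and deserves a comment: `socket.timeout` is a subclass of `socket.error`, so the new `except socket.timeout:` must stay ahead of `except socket.error as e:`. If a later refactor moves it below, a timeout would be routed into the `e.errno == errno.EINTR` check, where `errno` is `None` for timeouts, and end up on whatever branch handles unrecognised errors instead of being silently retried. Something like `# Must precede socket.error: socket.timeout subclasses it.` above the new clause would make the dependency explicit.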
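Review bot: the test_server.py hunk only proves that a single `socket.timeout` from `accept()` does not break out of the loop; it never asserts that the loop actually retried. Adding `self.assertEqual(s._socket.accept.call_count, 3)` after `s.serve()` would pin that behaviour. The hunk also references `socket.timeout` but the module's import block is not in the diff, so confirm `import socket` is already present in test_server.py. Separately, because `socket.setdefaulttimeout()` is global to the test process, any test that exercises `start()` (none is shown here) should register `self.addCleanup(socket.setdefaulttimeout, socket.getdefaulttimeout())` before calling it, so the 10-second default does not leak into later tests.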
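The mechanism the patch relies on, shown end to end on a throwaway loopback listener. This is an added example, not PyKMIP code and not part of the debdiff: it reproduces the three pieces of the fix (a process-wide default timeout set before the listening socket is created, an accept loop that treats `socket.timeout` as a normal event, and an accepted connection that inherits the timeout so an idle client is dropped instead of holding a server slot forever). The timeout is shortened from the patch's 10 seconds to 0.3 seconds so the demonstration finishes quickly; the function and dict key names are this example's own.

```python
import socket
import threading
import time


def demo_default_timeout(connection_timeout=0.3, idle_accepts=2):
    """Reproduce the mechanism of the PyKMIP fix on a loopback listener.

    Returns a dict with:
      accept_timeouts     -- how many times accept() raised socket.timeout
                             while no client was connecting (expected and
                             harmless, as in the patched serve() loop)
      inherited_timeout   -- timeout on the socket returned by accept()
      hung_client_dropped -- True if recv() on the idle connection timed out
      elapsed             -- seconds the server waited before giving up
    """
    # setdefaulttimeout() is interpreter-global state, not a property of one
    # socket, so save and restore it instead of leaving it changed.
    previous_default = socket.getdefaulttimeout()
    socket.setdefaulttimeout(connection_timeout)
    listener = None
    try:
        # Same ordering as the patched KmipServer.start(): the default is set
        # before the listening socket exists, so the listener gets it too.
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
        listener.listen(5)
        port = listener.getsockname()[1]

        result = {"accept_timeouts": 0, "inherited_timeout": None,
                  "hung_client_dropped": False, "elapsed": None}

        # Phase 1: nobody connects. With a timeout on the listener, accept()
        # returns periodically via socket.timeout instead of blocking forever;
        # the patched serve() loop ignores it and calls accept() again.
        for _ in range(idle_accepts):
            try:
                listener.accept()
            except socket.timeout:
                result["accept_timeouts"] += 1

        # Phase 2: a constructed "hung" client connects and never sends a
        # byte. Without a timeout, recv() on this connection blocks until the
        # client goes away, which is how a handful of clients can pin the
        # server's available sockets.
        release = threading.Event()

        def hung_client():
            sock = socket.create_connection(("127.0.0.1", port))
            release.wait()
            sock.close()

        client = threading.Thread(target=hung_client)
        client.start()
        try:
            conn = None
            for _ in range(20):  # bounded retry so a failed client can't hang the demo
                try:
                    conn, _addr = listener.accept()
                    break
                except socket.timeout:
                    continue
            if conn is None:
                raise RuntimeError("hung client never connected")

            # CPython: sockets returned by accept() inherit the default
            # timeout when one is set. That is why the fix calls
            # setdefaulttimeout() rather than settimeout() on the listener.
            result["inherited_timeout"] = conn.gettimeout()
            started = time.monotonic()
            try:
                conn.recv(1024)  # would block indefinitely without a timeout
            except socket.timeout:
                result["hung_client_dropped"] = True
            finally:
                result["elapsed"] = time.monotonic() - started
                conn.close()  # drop the hung connection, free the slot
        finally:
            release.set()
            client.join()
        return result
    finally:
        if listener is not None:
            listener.close()
        socket.setdefaulttimeout(previous_default)


if __name__ == "__main__":
    print(demo_default_timeout())
```

Running it shows two accept timeouts from the idle phase, an accepted socket whose `gettimeout()` equals the default that was set, and a `recv()` that gives up after roughly 0.3 seconds instead of blocking; the global default is restored on exit, which is the housekeeping the patch itself does not do.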