Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear Stable Release team,

I'd like to upgrade python-mistral-lib to address CVE-2019-3866, which is described in https://bugs.debian.org/946060. Please note that this patch is only useful if you also approve the upload of python-oslo.utils, which I requested in #947142.

Debdiff containing the patch is attached.

Note that there's, as much as I understand, no need to upgrade Mistral to address this CVE (probably it would be needed in Stretch though...), as I believe the issue is fully addressed by the update of python-mistral-lib (at least, that's my understanding when reading the upstream bug entry at https://bugs.launchpad.net/tripleo/+bug/1850843).

Note that I've also uploaded the package here, for your convenience: http://shade.infomaniak.ch/buster-pu/python-mistral-lib/

Please allow me to upload: python-mistral-lib/1.0.0-1+deb10u1.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-mistral-lib-1.0.0/debian/changelog python-mistral-lib-1.0.0/debian/changelog --- python-mistral-lib-1.0.0/debian/changelog 2018-09-04 00:06:52.000000000 +0200 +++ python-mistral-lib-1.0.0/debian/changelog 2019-12-21 22:59:56.000000000 +0100 @@ -1,3 +1,10 @@ +python-mistral-lib (1.0.0-1+deb10u1) buster; urgency=medium + + * CVE-2019-3866: Sensitive information leaked in mistral logs. Apply + upstream patch: Ensure we mask sensitive data from Mistral Action logs. + + -- Thomas Goirand <z...@debian.org> Sat, 21 Dec 2019 22:59:56 +0100 + python-mistral-lib (1.0.0-1) unstable; urgency=medium [ Ondřej Nový ] diff -Nru python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch --- python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch 2019-12-21 22:59:56.000000000 +0100 
@@ -0,0 +1,97 @@ +Author: Cédric Jeanneret <cjean...@redhat.com> +Date: Fri, 1 Nov 2019 11:47:35 +0100 +Description: CVE-2019-3866 Ensure we mask sensitive data from Mistral Action logs + Mistral didn't make use of the oslo_utils "mask_password" methods, + leading in sensitive data leakage in its logs. + . + This patch corrects this security issue. + Note that it depends on oslo_utils patch adding new patterns, and + ensuring it's case-insensitive. +Change-Id: I544d3c172f2dea02c62c49c311c4b5954413ae15 +Related-Bug: #1850843 +Co-Authored-By: Dougal Matthews <dou...@redhat.com> +Signed-off-by: Cédric Jeanneret <cjean...@redhat.com> +Origin: upstream, https://review.opendev.org/692975 + +diff --git a/mistral_lib/actions/types.py b/mistral_lib/actions/types.py +index cd8bf28..a77b96f 100644 +--- a/mistral_lib/actions/types.py ++++ b/mistral_lib/actions/types.py +@@ -32,8 +32,11 @@ class Result(serialization.MistralSerializable): + ) + + def cut_repr(self): ++ _data = utils.mask_data(self.data) ++ _error = utils.mask_data(self.error) ++ _cancel = utils.mask_data(self.cancel) + return 'Result [data=%s, error=%s, cancel=%s]' % ( +- utils.cut(self.data), utils.cut(self.error), str(self.cancel) ++ utils.cut(_data), utils.cut(_error), str(_cancel) + ) + + def is_cancel(self): +diff --git a/mistral_lib/tests/test_utils.py b/mistral_lib/tests/test_utils.py +index 599aaac..78ec3ec 100644 +--- a/mistral_lib/tests/test_utils.py ++++ b/mistral_lib/tests/test_utils.py +@@ -84,3 +84,20 @@ class TestUtils(tests_base.TestCase): + s = utils.cut_dict(d, 100) + + self.assertIn(s, ["{1: 2, 3: 4}", "{3: 4, 1: 2}"]) ++ ++ def test_mask_data(self): ++ payload = {'adminPass': 'fooBarBaz'} ++ expected = {'adminPass': '***'} ++ self.assertEqual(expected, utils.mask_data(payload)) ++ ++ payload = """adminPass='fooBarBaz'""" ++ expected = """adminPass='***'""" ++ self.assertEqual(expected, utils.mask_data(payload)) ++ ++ payload = [{'adminPass': 'fooBarBaz'}, {"new_pass": "blah"}] ++ expected = 
[{'adminPass': '***'}, {"new_pass": "***"}] ++ self.assertEqual(expected, utils.mask_data(payload)) ++ ++ payload = ["adminPass", 'fooBarBaz'] ++ expected = ["adminPass", 'fooBarBaz'] ++ self.assertEqual(expected, utils.mask_data(payload)) +diff --git a/mistral_lib/utils/__init__.py b/mistral_lib/utils/__init__.py +index 92dda4e..7f845dc 100644 +--- a/mistral_lib/utils/__init__.py ++++ b/mistral_lib/utils/__init__.py +@@ -14,6 +14,8 @@ + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. ++from oslo_utils.strutils import mask_dict_password ++from oslo_utils.strutils import mask_password + + + def cut_dict(d, length=100): +@@ -139,3 +141,12 @@ def cut(data, length=100): + return cut_dict(data, length=length) + + return cut_string(str(data), length=length) ++ ++ ++def mask_data(obj): ++ if isinstance(obj, dict): ++ return mask_dict_password(obj) ++ elif isinstance(obj, list): ++ return [mask_data(i) for i in obj] ++ else: ++ return mask_password(obj) +diff --git a/releasenotes/notes/mask-password-6899d868d213f722.yaml b/releasenotes/notes/mask-password-6899d868d213f722.yaml +new file mode 100644 +index 0000000..5178a04 +--- /dev/null ++++ b/releasenotes/notes/mask-password-6899d868d213f722.yaml +@@ -0,0 +1,5 @@ ++--- ++security: ++ - Ensure we mask sensitive data before logging Action return values ++fixes: ++ - https://bugs.launchpad.net/tripleo/+bug/1850843 +-- +2.7.4 + diff -Nru python-mistral-lib-1.0.0/debian/patches/series python-mistral-lib-1.0.0/debian/patches/series --- python-mistral-lib-1.0.0/debian/patches/series 2018-09-04 00:06:52.000000000 +0200 +++ python-mistral-lib-1.0.0/debian/patches/series 2019-12-21 22:59:56.000000000 +0100 @@ -1 +1,2 @@ remove-privacy-branch.patch +CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
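Review bot: the debian/changelog hunk records the new patch, but nothing in this debdiff touches debian/control, even though the patch description states that the masking depends on the oslo_utils change that adds patterns and makes matching case-insensitive (the python-oslo.utils upload requested in #947142). Installed next to an unpatched oslo.utils, python-mistral-lib 1.0.0-1+deb10u1 would build and run fine and keep leaking. Add a versioned Depends on the fixed python3-oslo.utils (and the python2 package if it is still shipped) in debian/control, or at minimum state the requirement in the changelog entry so the two stable updates are not separated later.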
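Review bot: in the cut_repr hunk in mistral_lib/actions/types.py, masking self.cancel is unnecessary: it is the cancel flag that the class exposes through is_cancel(), not a payload, and it was already rendered with str(self.cancel). Drop `_cancel = utils.mask_data(self.cancel)` and keep `str(self.cancel)` in the format call, masking only data and error. The ordering for those two is right and worth keeping as is: mask_data runs before utils.cut, so a secret is redacted before truncation can split a key=value pattern and leave a partial value that no longer matches the mask.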
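Review bot: in the test_mask_data hunk in mistral_lib/tests/test_utils.py, the shapes an Action result actually carries are not covered: a list nested under a dict key (for example `{'servers': [{'adminPass': 'fooBarBaz'}]}`) and a dict nested inside a dict. Add a case for each so a regression in nested masking fails here rather than in a log file. Since the patch description says the fix relies on oslo_utils matching keys case-insensitively, one case with a mixed-case key such as `'AdminPass'` would also make an unpatched oslo.utils fail this test loudly instead of leaking silently. Finally, the last case (`["adminPass", 'fooBarBaz']` expected unchanged) reads like a copy of the payload; a one-line comment saying that a bare string carries no key to match on, so pass-through is the intended behaviour, would make the expectation deliberate.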
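Review bot: in the mask_data hunk in mistral_lib/utils/__init__.py, the function only recurses into lists at the top level; a list that sits as a dict value is handed whole to mask_dict_password, and nothing in this patch shows that call descending into list values, so a payload such as `{'servers': [{'adminPass': 'x'}]}` may still reach the log unmasked. Have mask_data walk dict values itself, recursing into both dict and list values (and treating tuples like lists) before delegating the leaf strings to mask_password, rather than trusting mask_dict_password for nested containers. The function also needs a docstring: the final branch passes any non-dict, non-list object to mask_password, which works on the string form of its argument, so callers get a string back for None, numbers and booleans; document that the function is meant for building log representations and is not a sanitiser for data returned to callers.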