Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:keystone
User: [email protected]
Usertags: pu
Hi,

As per the comment from last time, filing one bug for Trixie p-u, and one for Bookworm p-u.

[ Reason ]
As per: https://bugs.launchpad.net/swift/+bug/2142138

With an app credential (that's supposed to be a restricted access to part of the OpenStack API, to be used by an app/script), it is currently possible to create a valid read/write access S3 token.

[ Tests ]
The usual unit tests when building the package, plus upstream CI.

[ Risks ]
The patch is very small, and only adds new API policy rules, so kind of easy to understand.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Please allow me to upload Keystone 27.0.0-3+deb13u2 to Trixie p-u.

Cheers,

Thomas Goirand (zigo)
diff -Nru keystone-27.0.0/debian/changelog keystone-27.0.0/debian/changelog --- keystone-27.0.0/debian/changelog 2025-10-30 09:26:19.000000000 +0100 +++ keystone-27.0.0/debian/changelog 2026-04-10 13:49:40.000000000 +0200 @@ -1,3 +1,11 @@ +keystone (2:27.0.0-3+deb13u2) trixie-security; urgency=medium + + * CVE-2026-33551 / OSSA-2026-005: Restricted application credentials can + create EC2 credentials. Applied upstream patch "Prevent unauthorized EC2 + credential creation and deletion" (Closes: #1133118). + + -- Thomas Goirand <[email protected]> Fri, 10 Apr 2026 13:49:40 +0200 + keystone (2:27.0.0-3+deb13u1) trixie-security; urgency=high * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and diff -Nru keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch --- keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch 1970-01-01 01:00:00.000000000 +0100 +++ keystone-27.0.0/debian/patches/CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch 2026-04-10 13:49:40.000000000 +0200 
@@ -0,0 +1,70 @@ +Author: Grzegorz Grasza <[email protected]> +Date: Thu, 26 Feb 2026 10:09:18 +0100 +Description: Prevent unauthorized EC2 credential creation and deletion + A restricted application credential could be used to create EC2 + credentials granting full user access to S3, bypassing the role + restriction. Add the same _check_unrestricted_application_credential + guard that already protects application credential create/delete + endpoints. + . + Additionally, tighten the ec2_create_credential and ec2_delete_credential + policies to require at least member role, as these are write operations + that should not be accessible to reader-role users regardless of whether + they are using an application credential. +Change-Id: Ib6904ec9f1bc069a9f607d39814b1d2633c17f53 +Bug: https://launchpad.net/bugs/2142138 +Signed-off-by: Grzegorz Grasza <[email protected]> +Bug-Debian: https://bugs.debian.org/1133118 +Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/983589 +Last-Update: 2026-04-10 + +diff --git a/keystone/api/users.py b/keystone/api/users.py +index b3ec13f..f614f1c 100644 +--- a/keystone/api/users.py ++++ b/keystone/api/users.py +@@ -425,6 +425,8 @@ + ENFORCER.enforce_call( + action='identity:ec2_create_credential', target_attr=target + ) ++ token = self.auth_context['token'] ++ _check_unrestricted_application_credential(token) + PROVIDERS.identity_api.get_user(user_id) + tenant_id = self.request_body_json.get('tenant_id') + PROVIDERS.resource_api.get_project(tenant_id) +diff --git a/keystone/common/policies/base.py b/keystone/common/policies/base.py +index 97970e4..5c807f1 100644 +--- a/keystone/common/policies/base.py ++++ b/keystone/common/policies/base.py +@@ -62,6 +62,10 @@ + ADMIN_OR_CRED_OWNER = ( + '(' + RULE_ADMIN_REQUIRED + ') ' 'or user_id:%(target.credential.user_id)s' + ) ++ADMIN_OR_MEMBER_AND_CRED_OWNER = ( ++ '(' + RULE_ADMIN_REQUIRED + ') or ' ++ '(role:member and user_id:%(target.credential.user_id)s)' ++) + + # This rule 
template is meant for restricting role assignments done by domain + # managers. It is intended to restrict the roles a domain manager can assign or +diff --git a/keystone/common/policies/ec2_credential.py b/keystone/common/policies/ec2_credential.py +index ab4b3db..efca8c4 100644 +--- a/keystone/common/policies/ec2_credential.py ++++ b/keystone/common/policies/ec2_credential.py +@@ -73,7 +73,7 @@ + ), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'ec2_create_credential', +- check_str=base.RULE_ADMIN_OR_OWNER, ++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER, + scope_types=['system', 'project'], + description='Create ec2 credential.', + operations=[ +@@ -86,7 +86,7 @@ + ), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'ec2_delete_credential', +- check_str=base.ADMIN_OR_CRED_OWNER, ++ check_str=base.ADMIN_OR_MEMBER_AND_CRED_OWNER, + scope_types=['system', 'project'], + description='Delete ec2 credential.', + operations=[ diff -Nru keystone-27.0.0/debian/patches/series keystone-27.0.0/debian/patches/series --- keystone-27.0.0/debian/patches/series 2025-10-30 09:26:19.000000000 +0100 +++ keystone-27.0.0/debian/patches/series 2026-04-10 13:49:40.000000000 +0200 @@ -3,3 +3,4 @@ set-deprecation-warnings-to-ignore.patch api_Remove_constraints_on_user_IDs.patch keystone-bug-2119646-stable-2025.1.patch +CVE-2026-33551~OSSA-2026-005_Prevent_unauthorized_EC2_credential_creation_and_deletion.patch
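Review bot: the new debian/changelog stanza is targeted at `trixie-security`, but this request is for Trixie proposed-updates (Usertags: pu, "Trixie p-u" in the bug text); a p-u upload should carry `trixie` as the distribution. The entry also only quotes the upstream patch title; since the patch changes the default policy for `identity:ec2_create_credential` and `identity:ec2_delete_credential` to require the member role, add a sentence so operators who override these rules in a local policy file know the tightened defaults do not reach them.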

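Review bot: only the create path in keystone/api/users.py (the hunk at line 425) gains the `_check_unrestricted_application_credential(token)` guard, although the patch description says "creation and deletion"; the delete endpoint is covered solely by the `role:member` policy change in ec2_credential.py. Confirm this matches upstream (https://review.opendev.org/c/openstack/keystone/+/983589) and that a delete-path hunk was not lost in the backport. The placement itself is right: the guard runs after `ENFORCER.enforce_call`, so a policy failure is reported before the application-credential check.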

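Review bot: `ADMIN_OR_MEMBER_AND_CRED_OWNER` in base.py matches on `user_id:%(target.credential.user_id)s`, and ec2_credential.py now applies it to `ec2_create_credential`, which previously used `RULE_ADMIN_OR_OWNER`; the create endpoint only passes `target_attr=target`, so verify that the `target` dict built there carries a `credential.user_id` key for a credential that does not exist yet. If it only carries the key the old owner rule matched, the owner branch never evaluates true and every non-admin create is denied; a unit test for a plain member user creating an EC2 credential would catch that regression alongside the app-credential rejection test.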