Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
Dear release team, [ Reason ] This patch fixes the lack of TLS certificate verification in scciclient. [ Impact ] Without this patch a man-in-the-middle attack against the iRMC HTTPS connection is possible. [ Tests ] Upstream has a unit test suite that runs 256 tests. This test suite is run at build time in this package. [ Risks ] IMO, minimal risks, because of the unit tests. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Backport of the upstream patch to add TLS verification. Please approve this upload for the next point release, Cheers, Thomas Goirand (zigo)
diff -Nru python-scciclient-0.8.0/debian/changelog python-scciclient-0.8.0/debian/changelog
--- python-scciclient-0.8.0/debian/changelog 2019-07-18 23:52:05.000000000 +0200
+++ python-scciclient-0.8.0/debian/changelog 2022-11-09 12:46:11.000000000 +0100
@@ -1,3 +1,11 @@
+python-scciclient (0.8.0-2+deb11u1) buster; urgency=medium
+
+ * Fix CVE-2022-2996: Missing SSL certificate verification
+ (Closes: #1018213). Thanks to Dominik George <naturesha...@debian.org>
+ for his help backporting the patch.
+
+ -- Thomas Goirand <z...@debian.org> Wed, 09 Nov 2022 12:46:11 +0100
+
 python-scciclient (0.8.0-2) unstable; urgency=medium

 [ Ondřej Nový ]
diff -Nru python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch
--- python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-scciclient-0.8.0/debian/patches/CVE-2022-2996.patch 2022-11-09 12:46:11.000000000 +0100
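Review bot: The new changelog stanza names `buster` as the target distribution, but the version `0.8.0-2+deb11u1` and the bug's `bullseye` tag both say this is a bullseye point-release update; the first line should read `python-scciclient (0.8.0-2+deb11u1) bullseye; urgency=medium`. As written the upload would either be rejected by the archive software or, worse, be accepted into the wrong suite, so this needs fixing before the pu upload is made. Nothing else in the stanza needs to change.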
@@ -0,0 +1,146 @@
+From 274dca0344b65b4ac113d3271d21c17e970a636c Mon Sep 17 00:00:00 2001
+From: Vanou Ishii <ishii.va...@fujitsu.com>
+Date: Wed, 1 Jun 2022 17:40:12 +0900
+Subject: [PATCH] Add parameter to specify certification file
+
+This patch adds functions & methods which have been used to connect
+to iRMC via HTTPS to accept additional parameter.
+With additional parameter, user is able to specify certification file.
+
+Co-authored-by: Kobayashi Daisuke <kobayashi.da...@fujitsu.com>
+Change-Id: I51203e16207f8d3b1448b581942111bff60d0c86
+---
+ scciclient/irmc/elcm.py | 7 ++++-
+ scciclient/irmc/scci.py | 48 +++++++++++++++++++++++-------
+ scciclient/tests/irmc/test_scci.py | 26 ++++++++--------
+ 3 files changed, 56 insertions(+), 25 deletions(-)
+
+--- a/scciclient/irmc/elcm.py
++++ b/scciclient/irmc/elcm.py
+@@ -188,6 +188,10 @@
+ 'irmc_port': 80 or 443, default is 443,
+ 'irmc_auth_method': 'basic' or 'digest', default is 'basic',
+ 'irmc_client_timeout': timeout, default is 60,
++ 'irmc_verify_ca': Either a boolean, in which case it controls
++ whether we verify the server's TLS certificate,
++ or a string, in which case it must be a path to
++ a CA bundle to use. Defaults to ``True``.
+ ...
+ }
+ :param method: request method such as 'GET', 'POST'
+@@ -203,6 +207,7 @@
+ userid = irmc_info['irmc_username']
+ password = irmc_info['irmc_password']
+ client_timeout = irmc_info.get('irmc_client_timeout', 60)
++ verify = irmc_info.get('irmc_verify_ca', True)
+
+ # Request headers, params, and data
+ headers = kwargs.get('headers', {'Accept': 'application/json'})
+@@ -229,7 +234,7 @@
+ headers=headers,
+ params=params,
+ data=data,
+- verify=False,
++ verify=verify,
+ timeout=client_timeout,
+ allow_redirects=False,
+ auth=auth_obj)
+--- a/scciclient/irmc/scci.py
++++ b/scciclient/irmc/scci.py
+@@ -242,7 +242,7 @@
+
+
+ def scci_cmd(host, userid, password, cmd, port=443, auth_method='basic',
+- client_timeout=60, do_async=True, **kwargs):
++ client_timeout=60, do_async=True, verify=True, **kwargs):
+ """execute SCCI command
+
+ This function calls SCCI server modules
+@@ -254,6 +254,10 @@
+ :param auth_method: irmc_username
+ :param client_timeout: timeout for SCCI operations
+ :param do_async: async call if True, sync call otherwise
++ :param verify: (optional) Either a boolean, in which case it
++ controls whether we verify the server's TLS certificate,
++ or a string, in which case it must be a path to
++ a CA bundle to use. Defaults to ``True``.
+ :returns: requests.Response from SCCI server
+ :raises: SCCIInvalidInputError if port and/or auth_method params
+ are invalid
+@@ -278,7 +282,7 @@
+ r = requests.post(protocol + '://' + host + '/config',
+ data=cmd,
+ headers=header,
+- verify=False,
++ verify=verify,
+ timeout=client_timeout,
+ allow_redirects=False,
+ auth=auth_obj)
+@@ -314,7 +318,7 @@
+
+
+ def get_client(host, userid, password, port=443, auth_method='basic',
+- client_timeout=60, **kwargs):
++ client_timeout=60, verify=True, **kwargs):
+ """get SCCI command partial function
+
+ This function returns SCCI command partial function
+@@ -324,12 +328,17 @@
+ :param port: port number of iRMC
+ :param auth_method: irmc_username
+ :param client_timeout: timeout for SCCI operations
++ :param verify: (optional) Either a boolean, in which case it
++ controls whether we verify the server's TLS certificate,
++ or a string, in which case it must be a path to
++ a CA bundle to use. Defaults to ``True``.
+ :returns: scci_cmd partial function which takes a SCCI command param
+ """
+
+ return functools.partial(scci_cmd, host, userid, password,
+ port=port, auth_method=auth_method,
+- client_timeout=client_timeout, **kwargs)
++ client_timeout=client_timeout,
++ verify=verify, **kwargs)
+
+
+ def get_virtual_cd_set_params_cmd(remote_image_server,
+@@ -396,7 +405,7 @@
+
+
+ def get_report(host, userid, password,
+- port=443, auth_method='basic', client_timeout=60):
++ port=443, auth_method='basic', client_timeout=60, verify=True):
+ """get iRMC report
+
+ This function returns iRMC report in XML format
+@@ -406,6 +415,10 @@
+ :param port: port number of iRMC
+ :param auth_method: irmc_username
+ :param client_timeout: timeout for SCCI operations
++ :param verify: (optional) Either a boolean, in which case it
++ controls whether we verify the server's TLS certificate,
++ or a string, in which case it must be a path to
++ a CA bundle to use. Defaults to ``True``.
+ :returns: root element of SCCI report
+ :raises: ISCCIInvalidInputError if port and/or auth_method params
+ are invalid
+@@ -428,7 +441,7 @@
+
+ try:
+ r = requests.get(protocol + '://' + host + '/report.xml',
+- verify=False,
++ verify=verify,
+ timeout=(10, client_timeout),
+ allow_redirects=False,
+ auth=auth_obj)
+--- a/scciclient/tests/irmc/test_scci.py
++++ b/scciclient/tests/irmc/test_scci.py
+@@ -119,7 +119,7 @@
+ 'https://' + self.irmc_address + '/config',
+ data=scci.POWER_ON,
+ headers={'Content-type': 'application/x-www-form-urlencoded'},
+- verify=False,
++ verify=True,
+ timeout=self.irmc_client_timeout,
+ allow_redirects=False,
+ auth=mock_requests.auth.HTTPBasicAuth(self.irmc_username,
diff -Nru python-scciclient-0.8.0/debian/patches/series python-scciclient-0.8.0/debian/patches/series
--- python-scciclient-0.8.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-scciclient-0.8.0/debian/patches/series 2022-11-09 12:46:11.000000000 +0100
@@ -0,0 +1 @@
+CVE-2022-2996.patch
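Review bot: The backported test_scci.py hunk changes a single expectation from `verify=False` to `verify=True`, yet the patch header still carries the upstream diffstat (`scciclient/tests/irmc/test_scci.py | 26 ++++++++--------`, `56 insertions(+), 25 deletions(-)`), so the upstream test changes were trimmed while the stale diffstat was kept — please regenerate or drop it, because the [Tests]/[Risks] argument of this request leans on what the build-time suite covers. As backported, no test exercises the non-default path that is the actual new plumbing: that `get_client(..., verify='/path/ca.pem')` reaches `requests.post` through the `functools.partial`, or that the elcm.py request helper at `@@ -203` passes `irmc_info['irmc_verify_ca']` on to `requests`; one assertion for each (mirroring the existing `mock_requests.post.assert_called_with` style) would cost a few lines. Before upload it is also worth a `grep -rn 'verify=False' scciclient/` on the 0.8.0 tree: only elcm.py and scci.py are touched here, and I cannot tell from the debdiff whether this older release has another HTTPS call site that still disables verification, which would leave CVE-2022-2996 only partially fixed. Every inner hunk cuts through a function body (the elcm.py helper, `scci_cmd`, `get_client` and `get_report` all start or end outside the hunks).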