Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866

2019-12-22 Thread Thomas Goirand
On 12/21/19 11:34 PM, Salvatore Bonaccorso wrote:
> Hi Thomas
> 
> [Disclaimer: not part of the stable release managers, so this reply is
> not authoritative]
> 
> Thanks for handling CVE-2019-3866 for unstable and buster.
> 
> On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: buster
>> User: release.debian@packages.debian.org
>> Usertags: pu
>>
>> Dear Stable Release team,
>>
>> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
>> which is described in https://bugs.debian.org/946060. Please note
>> that this patch is only useful if you also approve the upload of
>> python-oslo.utils which I requested in #947142.
>>
>> Debdiff containing the patch is attached. Note that there's, as
>> much as I understand, no need to upgrade Mistral to address this
>> CVE (probably it would be needed in Stretch though...), as I believe
>> the issue is fully addressed by the update of python-mistral-lib
>> (at least, that's my understanding when reading the upstream bug
>> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).
> 
> Question (which applies as well to the unstable upload which was just
> done): the python-mistral-lib patch depends on the fixed version of
> python-oslo.utils. Wouldn't that need a versioned dependency on
> python-oslo.utils?
> 
> Regards,
> Salvatore

Hi,

There's currently no dependency at all on python3-oslo.utils, because
it's not completely needed. It looks like it is needed only for some
usage of Mistral (like the one TripleO is doing), when calling
generate_unicode_uuid(), is_valid_uuid() or utc_now_sec() from
mistral_lib.utils.

So no, I don't think we should add an artificial hard runtime dependency
on oslo.utils, as long as upstream isn't doing it in requirements.txt.

Your thoughts?

Cheers,

Thomas Goirand (zigo)



Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866

2019-12-21 Thread Salvatore Bonaccorso
Hi Thomas

[Disclaimer: not part of the stable release managers, so this reply is
not authoritative]

Thanks for handling CVE-2019-3866 for unstable and buster.

On Sat, Dec 21, 2019 at 11:12:17PM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Dear Stable Release team,
> 
> I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
> which is described in https://bugs.debian.org/946060. Please note
> that this patch is only useful if you also approve the upload of
> python-oslo.utils which I requested in #947142.
> 
> Debdiff containing the patch is attached. Note that there's, as
> much as I understand, no need to upgrade Mistral to address this
> CVE (probably it would be needed in Stretch though...), as I believe
> the issue is fully addressed by the update of python-mistral-lib
> (at least, that's my understanding when reading the upstream bug
> entry at https://bugs.launchpad.net/tripleo/+bug/1850843).

Question (which applies as well to the unstable upload which was just
done): the python-mistral-lib patch depends on the fixed version of
python-oslo.utils. Wouldn't that need a versioned dependency on
python-oslo.utils?

Regards,
Salvatore



Bug#947146: buster-pu: package python-mistral-lib/1.0.0-1 CVE-2019-3866

2019-12-21 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release team,

I'd like to upgrade python-mistral-lib to address CVE-2019-3866,
which is described in https://bugs.debian.org/946060. Please note
that this patch is only useful if you also approve the upload of
python-oslo.utils which I requested in #947142.

Debdiff containing the patch is attached. Note that there's, as
much as I understand, no need to upgrade Mistral to address this
CVE (probably it would be needed in Stretch though...), as I believe
the issue is fully addressed by the update of python-mistral-lib
(at least, that's my understanding when reading the upstream bug
entry at https://bugs.launchpad.net/tripleo/+bug/1850843).

Note that I've also uploaded the package here, for your convenience:

http://shade.infomaniak.ch/buster-pu/python-mistral-lib/

Please allow me to upload:
python-mistral-lib/1.0.0-1+deb10u1.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-mistral-lib-1.0.0/debian/changelog 
python-mistral-lib-1.0.0/debian/changelog
--- python-mistral-lib-1.0.0/debian/changelog   2018-09-04 00:06:52.0 
+0200
+++ python-mistral-lib-1.0.0/debian/changelog   2019-12-21 22:59:56.0 
+0100
@@ -1,3 +1,10 @@
+python-mistral-lib (1.0.0-1+deb10u1) buster; urgency=medium
+
+  * CVE-2019-3866: Sensitive information leaked in mistral logs. Apply
+upstream patch: Ensure we mask sensitive data from Mistral Action logs.
+
+ -- Thomas Goirand   Sat, 21 Dec 2019 22:59:56 +0100
+
 python-mistral-lib (1.0.0-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
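Review bot: the changelog bullet for CVE-2019-3866 does not record that the masking only takes effect together with the python-oslo.utils update requested in #947142, which both the cover mail and the patch's own Description state; adding that to the entry (and, if a versioned Depends is added, mentioning it here) means anyone reading apt-listchanges or later backporting to stretch knows the two packages have to move together.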
diff -Nru 
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
 
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
--- 
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
  1970-01-01 01:00:00.0 +0100
+++ 
python-mistral-lib-1.0.0/debian/patches/CVE-2019-3866_Ensure_we_mask_sensitive_data_from_Mistral_Action_logs.patch
  2019-12-21 22:59:56.0 +0100
@@ -0,0 +1,97 @@
+Author: Cédric Jeanneret 
+Date: Fri, 1 Nov 2019 11:47:35 +0100
+Description: CVE-2019-3866 Ensure we mask sensitive data from Mistral Action 
logs
+ Mistral didn't make use of the oslo_utils "mask_password" methods,
+ leading in sensitive data leakage in its logs.
+ .
+ This patch corrects this security issue.
+ Note that it depends on oslo_utils patch adding new patterns, and
+ ensuring it's case-insensitive.
+Change-Id: I544d3c172f2dea02c62c49c311c4b5954413ae15
+Related-Bug: #1850843
+Co-Authored-By: Dougal Matthews 
+Signed-off-by: Cédric Jeanneret 
+Origin: upstream, https://review.opendev.org/692975
+
+diff --git a/mistral_lib/actions/types.py b/mistral_lib/actions/types.py
+index cd8bf28..a77b96f 100644
+--- a/mistral_lib/actions/types.py
 b/mistral_lib/actions/types.py
+@@ -32,8 +32,11 @@ class Result(serialization.MistralSerializable):
+ )
+ 
+ def cut_repr(self):
++_data = utils.mask_data(self.data)
++_error = utils.mask_data(self.error)
++_cancel = utils.mask_data(self.cancel)
+ return 'Result [data=%s, error=%s, cancel=%s]' % (
+-utils.cut(self.data), utils.cut(self.error), str(self.cancel)
++utils.cut(_data), utils.cut(_error), str(_cancel)
+ )
+ 
+ def is_cancel(self):
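Review bot: masking before utils.cut() is the right order in cut_repr(): cutting first can truncate a value mid-token so the key=value pattern no longer matches and a prefix of the secret still reaches the log. The hunk only changes cut_repr(), though; if Result has any other string representation (a __repr__ or __str__ defined outside these lines) it would still emit the raw data and needs the same treatment. Minor: `_cancel = utils.mask_data(self.cancel)` wraps a value that is then passed through str() rather than cut(), which reads as a flag rather than user data; a one-line comment saying why it is masked too would avoid a future "cleanup" dropping it.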
+diff --git a/mistral_lib/tests/test_utils.py b/mistral_lib/tests/test_utils.py
+index 599aaac..78ec3ec 100644
+--- a/mistral_lib/tests/test_utils.py
 b/mistral_lib/tests/test_utils.py
+@@ -84,3 +84,20 @@ class TestUtils(tests_base.TestCase):
+ s = utils.cut_dict(d, 100)
+ 
+ self.assertIn(s, ["{1: 2, 3: 4}", "{3: 4, 1: 2}"])
++
++def test_mask_data(self):
++payload = {'adminPass': 'fooBarBaz'}
++expected = {'adminPass': '***'}
++self.assertEqual(expected, utils.mask_data(payload))
++
++payload = """adminPass='fooBarBaz'"""
++expected = """adminPass='***'"""
++self.assertEqual(expected, utils.mask_data(payload))
++
++payload = [{'adminPass': 'fooBarBaz'}, {"new_pass": "blah"}]
++expected = [{'adminPass': '***'}, {"new_pass": "***"}]
++self.assertEqual(expected, utils.mask_data(payload))
++
++payload = ["adminPass", 'fooBarBaz']
++expected = ["adminPass", 'fooBarBaz']
++self.assertEqual(expected, utils.mask_data(payload))
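Review bot: test_mask_data does not exercise two properties the patch Description says the fix relies on: case-insensitive matching (e.g. `{'AdminPass': 'x'}` or `"PASSWORD='x'"`) and nested structures (a dict inside a dict, a dict inside a list inside a dict); it also has no non-sensitive key to show that ordinary values are left untouched. The last case (`["adminPass", 'fooBarBaz']` expected unchanged) is the least obvious one and deserves a comment stating that bare list items are intentionally not masked because they carry no key. A case-insensitive case would additionally act as a guard that the installed oslo.utils actually carries the new patterns rather than silently passing with the old set.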
+diff --git a/mistral_lib/utils/__init__.py b/mistral_lib/utils/__init__.py
+index 92dda4e..7f845dc 100644
+--- a/mistral_lib/utils/__init__.py
 b/mistral_lib/utils/__init__.py
+@@ -14,6 +14,8 @@
+ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ # License for the specific language governing permissions and limitations
+ # under the License.
++from oslo_utils.strutils import mask_dict_password
++from
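Review bot: `from oslo_utils.strutils import mask_dict_password` is an unconditional module-level import in mistral_lib/utils/__init__.py, so after this patch mistral_lib.utils (and, via the types.py hunk above, mistral_lib.actions) cannot be imported at all without python3-oslo.utils installed; that makes the versioned-dependency question raised earlier in the thread a hard requirement rather than "needed only for some usage". The Description also says the masking depends on patterns added in the oslo.utils fix, so an older oslo.utils that still imports cleanly would mask less than test_mask_data assumes. The hunk is cut off after `++from`, so the mask_data() definition itself is not visible here for review.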
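The masking behaviour that test_mask_data in the debdiff above asserts, together with the mask-then-cut ordering of the patched cut_repr(), as an added example that is not mistral-lib or oslo.utils code: a small pure-Python stand-in for the oslo_utils.strutils mask_password/mask_dict_password pair. The pattern list, the SAMPLE input and every helper name here are constructed for illustration and are not the real oslo.utils patterns or API. It shows case-insensitive key matching, recursion into nested dicts and lists, a bare list of strings staying untouched, and why a value has to be masked before the log line is cut.

```python
"""Added example: a toy mask_data() in the spirit of the mistral-lib patch.

Not mistral-lib or oslo.utils code. The key list below is a short,
constructed stand-in for the patterns oslo.utils ships.
"""
import re

# Constructed key list (assumption: the real oslo.utils list is longer).
_SENSITIVE_KEYS = ["adminPass", "admin_pass", "password", "new_pass",
                   "auth_token", "secret", "token"]
_SECRET = "***"

# Free-text form: key, optional closing quote after the key (JSON style),
# "=" or ":" with optional spaces, then a double-quoted, single-quoted or
# bare value. IGNORECASE is what makes ADMINPASS='x' mask like adminPass='x'.
_STR_PATTERN = re.compile(
    r"""(?P<prefix>(?:%s)["']?\s*[=:]\s*)(?:"[^"]*"|'[^']*'|[^\s,}\]"']+)"""
    % "|".join(re.escape(k) for k in _SENSITIVE_KEYS),
    re.IGNORECASE,
)


def _repl(m):
    """Keep the key and separator as written, replace only the value,
    preserving the original quoting style."""
    prefix = m.group("prefix")
    value = m.group(0)[len(prefix):]
    quote = value[0] if value[0] in "\"'" else ""
    return prefix + quote + _SECRET + quote


def _is_sensitive_key(key):
    """Case-insensitive substring match, so Auth_Token and new_password hit."""
    k = key.lower()
    return any(s.lower() in k for s in _SENSITIVE_KEYS)


def mask_data(data):
    """Recursively mask str / dict / list / tuple; other types pass through.

    A plain list of strings is NOT masked (the last assertion in the
    patch's test): a bare token carries no key, so nothing marks it secret.
    """
    if isinstance(data, dict):
        return {k: (_SECRET if isinstance(k, str) and _is_sensitive_key(k)
                    else mask_data(v))
                for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return type(data)(mask_data(v) for v in data)
    if isinstance(data, str):
        return _STR_PATTERN.sub(_repl, data)
    return data


def cut(data, length=100):
    """Truncate a value for logging, like a utils.cut() would."""
    s = data if isinstance(data, str) else repr(data)
    return s if len(s) <= length else s[:length] + "..."


def safe_cut_repr(data, length=100):
    """Order used by the patched cut_repr(): mask first, then cut."""
    return cut(mask_data(data), length)


def unsafe_cut_repr(data, length=100):
    """Wrong order: cutting first can split a value so the key=value
    pattern no longer matches, and a prefix of the secret survives."""
    return mask_data(cut(data, length))


# Constructed sample action result, not real Mistral output.
SAMPLE = {
    "server": {"name": "web-1", "adminPass": "fooBarBaz",
               "metadata": {"Auth_Token": "gAAAAABf-constructed"}},
    "log": "Connecting with password='hunter2' and ADMINPASS='s3cr3t'",
    "ports": [22, 443],
}

if __name__ == "__main__":
    print(mask_data(SAMPLE))
    print("safe  :", safe_cut_repr("adminPass='fooBarBaz'", 16))
    print("unsafe:", unsafe_cut_repr("adminPass='fooBarBaz'", 16))
```

The interesting failure mode is the last two lines: with a 16-character budget, cut-then-mask yields `adminPass='fooBa...`, which no longer looks like a complete key=value token and therefore is not masked, while mask-then-cut yields `adminPass='***'`. That is exactly why the patched cut_repr() calls mask_data() before utils.cut().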