Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package heat

[ Reason ]
This last upload fixes CVE-2023-1625 / #1034186 (information leak in the Heat API).

[ Impact ]
Before this patch, "openstack stack show" shows parameters that are supposed to be hidden, like for example passwords (see the launchpad entry https://launchpad.net/bugs/1999665, which is rather explicit).

[ Tests ]
Building the package and the Debian CI run the upstream unit tests. Also, the patch comes directly from upstream, which runs functional tests in their CI, which makes me confident nothing broke with this patch. See test results at: https://review.opendev.org/c/openstack/heat/+/873465

[ Risks ]
Not many risks, as the patch only affects "stack show".

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

Cheers,

Thomas Goirand (zigo)

unblock heat/19.0.0-2
diff -Nru heat-19.0.0/debian/changelog heat-19.0.0/debian/changelog --- heat-19.0.0/debian/changelog 2022-10-06 10:14:02.000000000 +0200 +++ heat-19.0.0/debian/changelog 2023-04-11 10:21:00.000000000 +0200 @@ -1,3 +1,12 @@ +heat (1:19.0.0-2) unstable; urgency=high + + * CVE-2023-1625: information leak in API. Added upstream patch: + Honor-hidden-parameter-in-stack_environment_show-command.patch + (Closes: #1034186). + * Removed obsolete depends on lsb-base. + + -- Thomas Goirand <z...@debian.org> Tue, 11 Apr 2023 10:21:00 +0200 + heat (1:19.0.0-1) unstable; urgency=medium * New upstream release. diff -Nru heat-19.0.0/debian/control heat-19.0.0/debian/control --- heat-19.0.0/debian/control 2022-10-06 10:14:02.000000000 +0200 +++ heat-19.0.0/debian/control 2023-04-11 10:21:00.000000000 +0200 @@ -113,7 +113,6 @@ python3-pastescript, uwsgi-plugin-python3, ${misc:Depends}, - ${ostack-lsb-base}, ${python3:Depends}, Description: OpenStack orchestration service - API server Heat is a service to orchestrate multiple composite cloud applications using @@ -130,7 +129,6 @@ python3-pastescript, uwsgi-plugin-python3, ${misc:Depends}, - ${ostack-lsb-base}, ${python3:Depends}, Description: OpenStack orchestration service - CFN API Heat is a service to orchestrate multiple composite cloud applications using @@ -174,7 +172,6 @@ adduser, heat-common (=${binary:Version}), ${misc:Depends}, - ${ostack-lsb-base}, ${python3:Depends}, Description: OpenStack orchestration service - engine Heat is a service to orchestrate multiple composite cloud applications using diff -Nru heat-19.0.0/debian/debian_control_vars heat-19.0.0/debian/debian_control_vars --- heat-19.0.0/debian/debian_control_vars 2022-10-06 10:14:02.000000000 +0200 +++ heat-19.0.0/debian/debian_control_vars 1970-01-01 01:00:00.000000000 +0100 
@@ -1 +0,0 @@ -ostack-lsb-base= lsb-base diff -Nru heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch --- heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch 1970-01-01 01:00:00.000000000 +0100 +++ heat-19.0.0/debian/patches/CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch 2023-04-11 10:21:00.000000000 +0200 
@@ -0,0 +1,74 @@ +Description: CVE-2023-1625L Honor hidden parameter in 'stack environment show' command + Backport note: + This includes change I0abbd535aacc03446ada0fa806dfdfdaa4522afe which + fixed the wrong explanation in the release note file. +Author: Chengen Du <chengen...@canonical.com> +Date: Tue, 20 Dec 2022 18:00:00 +0800 +Bug: https://launchpad.net/bugs/1999665 +Bug-Debian: https://bugs.debian.org/1034186 +Story: 2010484 +Task: 47052 +Change-Id: Ifc51ff6a4deab05002ccded59383416f9a586aa0 +Origin: upstream, https://review.opendev.org/c/openstack/heat/+/873465 +Last-Update: 2023-04-11 + +diff --git a/heat/engine/service.py b/heat/engine/service.py +index fdd4975..9019ddb 100644 +--- a/heat/engine/service.py ++++ b/heat/engine/service.py +@@ -12,6 +12,7 @@ + # under the License. + + import collections ++import copy + import datetime + import functools + import itertools +@@ -1354,7 +1355,16 @@ + :rtype: dict + """ + s = self._get_stack(cnxt, stack_identity, show_deleted=True) +- return s.raw_template.environment ++ tmpl = templatem.Template.load(cnxt, s.raw_template_id, s.raw_template) ++ param_schemata = tmpl.all_param_schemata(tmpl.files) ++ env = copy.deepcopy(s.raw_template.environment) ++ for section in [env_fmt.PARAMETERS, env_fmt.PARAMETER_DEFAULTS]: ++ for param_name in env.get(section, {}).keys(): ++ if (param_name not in param_schemata ++ or not param_schemata[param_name].hidden): ++ continue ++ env[section][param_name] = str('******') ++ return env + + @context.request_context + def get_files(self, cnxt, stack_identity): +diff --git a/heat/tests/test_engine_service.py b/heat/tests/test_engine_service.py +index 875d44d..9ce13e3 100644 +--- a/heat/tests/test_engine_service.py ++++ b/heat/tests/test_engine_service.py +@@ -978,11 +978,12 @@ + env = {'parameters': {'KeyName': 'EnvKey'}} + tmpl = templatem.Template(t) + stack = parser.Stack(self.ctx, 'get_env_stack', tmpl) ++ stack.store() + + mock_get_stack = self.patchobject(self.eng, '_get_stack') + 
mock_get_stack.return_value = mock.MagicMock() + mock_get_stack.return_value.raw_template.environment = env +- self.patchobject(parser.Stack, 'load', return_value=stack) ++ self.patchobject(templatem.Template, 'load', return_value=tmpl) + + # Test + found = self.eng.get_environment(self.ctx, stack.identifier()) +diff --git a/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml b/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml +new file mode 100644 +index 0000000..8a3a366 +--- /dev/null ++++ b/releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml +@@ -0,0 +1,6 @@ ++--- ++fixes: ++ - | ++ Honor ``hidden`` parameter in get stack environment API. Now values passed ++ to hidden parameters are replaced by '******', similarly to the other ++ APIs such as show stack details API. diff -Nru heat-19.0.0/debian/patches/series heat-19.0.0/debian/patches/series --- heat-19.0.0/debian/patches/series 2022-10-06 10:14:02.000000000 +0200 +++ heat-19.0.0/debian/patches/series 2023-04-11 10:21:00.000000000 +0200 @@ -1,3 +1,4 @@ remove-broken-rst.patch package-all-files.patch add-heat_api_root-configuration-variable.patch +CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch
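Review bot: the debian/changelog entry names the added patch as Honor-hidden-parameter-in-stack_environment_show-command.patch, while the file added to debian/patches/series is CVE-2023-1625_Honor-hidden-parameter-in-stack_environment_show-command.patch; use the full filename in d/changelog so the entry matches what series and the source tree actually contain.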
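Review bot: deleting debian/debian_control_vars removes the only definition of ${ostack-lsb-base}, so the three ${ostack-lsb-base} removals in debian/control (heat-api, heat-api-cfn, heat-engine) are required rather than cosmetic; confirm that no other binary package stanza and no step in debian/rules still references the variable or the deleted file, otherwise the substvar would be left unresolved at build time.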
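Review bot: the DEP-3 Description line of the new patch reads "CVE-2023-1625L Honor hidden parameter in 'stack environment show' command" with a stray "L" after the CVE id; drop it so the header carries the same identifier as the patch filename and the Debian changelog.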
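Review bot: in the get_environment hunk, the masking loop only touches names that exist in `param_schemata` and have `hidden` set, so environment entries not declared by the template are returned in clear text; that matches the behaviour of the other APIs the release note refers to, but it relies on `templatem` and `env_fmt` already being imported in heat/engine/service.py, since the hunk adds only `import copy`. Confirm both names resolve in this module. The `copy.deepcopy` is what keeps the '******' replacement from being written back into the stored `s.raw_template.environment`, so it should stay a deep copy (the parameter sections are nested dicts). Minor style point: `str('******')` is redundant in Python 3, `'******'` is already a str.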
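Review bot: the test_engine_service.py hunk only re-targets the existing get_environment test (storing the stack and patching `templatem.Template.load` instead of `parser.Stack.load`); no visible assertion exercises a parameter declared with `hidden: true` being returned as '******', so the new masking path itself is not covered here. Add a case whose template declares a hidden parameter, supply a value for it in both `parameters` and `parameter_defaults`, and assert that the returned environment contains '******' in both sections while a non-hidden parameter keeps its value.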