zookeeper: CVE-2019-0201: information disclosure vulnerability

Debian Bug report logs - #929283
zookeeper: CVE-2019-0201: information disclosure vulnerability

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Mon, 20 May 2019 22:03:21 +0200

Source: zookeeper
Version: 3.4.13-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/ZOOKEEPER-1392
Control: found -1 3.4.9-3+deb9u1
Control: found -1 3.4.9-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2019-0201[0]:
Information disclosure vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0201
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201
[1] https://issues.apache.org/jira/browse/ZOOKEEPER-1392
[2] https://www.openwall.com/lists/oss-security/2019/05/20/1

Regards,
Salvatore

Message #14 received at 929283@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>

To: 929283@bugs.debian.org

Cc: "Salvatore Bonaccorso" <carnil@debian.org>, team@security.debian.org

Subject: Re: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Thu, 23 May 2019 07:04:43 +0100

[Adding team@security.debian.org to CC]

Hi,

> zookeeper: CVE-2019-0201: information disclosure vulnerability

Happy to prepare an update for stretch; I plan to do one for jessie
LTS (which, helpfully, has the same version...)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Message #19 received at 929283@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Chris Lamb <lamby@debian.org>

Cc: 929283@bugs.debian.org, team@security.debian.org

Subject: Re: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Thu, 23 May 2019 17:42:37 +0200

On Thu, May 23, 2019 at 07:04:43AM +0100, Chris Lamb wrote:
> [Adding team@security.debian.org to CC]
> 
> Hi,
> 
> > zookeeper: CVE-2019-0201: information disclosure vulnerability
> 
> Happy to prepare an update for stretch; I plan to do one for jessie
> LTS (which, helpfully, has the same version...)

Sounds good, we should fix that in Stretch. I've just added the reference
to the upstream commit in the 3.4 branch to the Security Tracker.

Cheers,
        Moritz

Message #24 received at 929283@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>

To: "Moritz Muehlenhoff" <jmm@inutil.org>

Cc: 929283@bugs.debian.org, team@security.debian.org

Subject: Re: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Fri, 24 May 2019 09:19:00 +0100

tags 929283 + patch
thanks

Hi Moritz,

> > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> > 
> > Happy to prepare an update for stretch; I plan to do one for jessie
> > LTS (which, helpfully, has the same version...)
> 
> Sounds good, we should fix that in Stretch. I've just added the reference
> to the upstream commit in the 3.4 branch to the Security Tracker.

Thanks. Here is my diff:

diff --git a/debian/changelog b/debian/changelog
index ea8c13e..6e92313 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high
+
+  * CVE-2019-0201: Prevent an information disclosure vulnerability where users
+    who were not authorised to read data were able to view the access control
+    list. (Closes: #929283)
+
+ -- Chris Lamb <lamby@debian.org>  Fri, 24 May 2019 08:57:53 +0100
+
 zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high
 
   * Team upload.
diff --git a/debian/patches/CVE-2019-11579.patch b/debian/patches/CVE-2019-11579.patch
new file mode 100644
index 0000000..e4c314c
--- /dev/null
+++ b/debian/patches/CVE-2019-11579.patch
@@ -0,0 +1,57 @@
+--- zookeeper-3.4.9.orig/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
++++ zookeeper-3.4.9/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
+@@ -20,6 +20,7 @@ package org.apache.zookeeper.server;
+ 
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
++import java.util.ArrayList;
+ import java.util.List;
+ 
+ import org.apache.jute.Record;
+@@ -32,6 +33,7 @@ import org.apache.zookeeper.KeeperExcept
+ import org.apache.zookeeper.KeeperException.SessionMovedException;
+ import org.apache.zookeeper.ZooDefs.OpCode;
+ import org.apache.zookeeper.data.ACL;
++import org.apache.zookeeper.data.Id;
+ import org.apache.zookeeper.data.Stat;
+ import org.apache.zookeeper.proto.CreateResponse;
+ import org.apache.zookeeper.proto.ExistsRequest;
+@@ -308,10 +310,35 @@ public class FinalRequestProcessor imple
+                 GetACLRequest getACLRequest = new GetACLRequest();
+                 ByteBufferInputStream.byteBuffer2Record(request.request,
+                         getACLRequest);
++                DataNode n = zks.getZKDatabase().getNode(getACLRequest.getPath());
++                if (n == null) {
++                    throw new KeeperException.NoNodeException();
++                }
++                PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++                        ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN,
++                        request.authInfo);
++
+                 Stat stat = new Stat();
+-                List<ACL> acl = 
+-                    zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
+-                rsp = new GetACLResponse(acl, stat);
++                List<ACL> acl =
++                        zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
++                try {
++                    PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++                            ZooDefs.Perms.ADMIN,
++                            request.authInfo);
++                    rsp = new GetACLResponse(acl, stat);
++                } catch (KeeperException.NoAuthException e) {
++                    List<ACL> acl1 = new ArrayList<ACL>(acl.size());
++                    for (ACL a : acl) {
++                        if ("digest".equals(a.getId().getScheme())) {
++                            Id id = a.getId();
++                            Id id1 = new Id(id.getScheme(), id.getId().replaceAll(":.*", ":x"));
++                            acl1.add(new ACL(a.getPerms(), id1));
++                        } else {
++                            acl1.add(a);
++                        }
++                    }
++                    rsp = new GetACLResponse(acl1, stat);
++                }
+                 break;
+             }
+             case OpCode.getChildren: {
diff --git a/debian/patches/series b/debian/patches/series
index 9dd03d0..c0b9747 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 09-spell-check.patch
 10-CVE-2017-5637.patch
 CVE-2018-8012.patch
+CVE-2019-11579.patch


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Message #31 received at 929283@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Chris Lamb <lamby@debian.org>

Cc: Moritz Muehlenhoff <jmm@inutil.org>, 929283@bugs.debian.org, team@security.debian.org

Subject: Re: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Sun, 26 May 2019 20:58:29 +0200

On Fri, May 24, 2019 at 09:19:00AM +0100, Chris Lamb wrote:
> tags 929283 + patch
> thanks
> 
> Hi Moritz,
> 
> > > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> > > 
> > > Happy to prepare an update for stretch; I plan to do one for jessie
> > > LTS (which, helpfully, has the same version...)
> > 
> > Sounds good, we should fix that in Stretch. I've just added the reference
> > to the upstream commit in the 3.4 branch to the Security Tracker.
> 
> Thanks. Here is my diff:

Looks fine, but can you please also include the test case upstream added?
Given that it's quite complex to reconstruct the specific affected ZK setup,
we should at least ship/run the test case.

Cheers,
	Moritz

Message #38 received at 929283@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>, 929283@bugs.debian.org

Cc: Chris Lamb <lamby@debian.org>, team@security.debian.org

Subject: Re: Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Mon, 27 May 2019 22:07:38 -0700

[Message part 1 (text/plain, inline)]

On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> On Fri, May 24, 2019 at 09:19:00AM +0100, Chris Lamb wrote:
> > tags 929283 + patch
> > thanks
> > 
> > Hi Moritz,
> > 
> > > > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> > > > 
> > > > Happy to prepare an update for stretch; I plan to do one for jessie
> > > > LTS (which, helpfully, has the same version...)
> > > 
> > > Sounds good, we should fix that in Stretch. I've just added the reference
> > > to the upstream commit in the 3.4 branch to the Security Tracker.
> > 
> > Thanks. Here is my diff:
> 
> Looks fine, but can you please also include the test case upstream added?
> Given that it's quite complex to reconstruct the specific affected ZK setup,
> we should at least ship/run the test case.

I will prepare an upload for 3.4.13 in testing/unstable soon - should be
in the next day or so.

[signature.asc (application/pgp-signature, inline)]

Message #43 received at 929283@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: 929283@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Thu, 30 May 2019 06:47:33 -0700

[Message part 1 (text/plain, inline)]

On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > Looks fine, but can you please also include the test case upstream added?
> > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > we should at least ship/run the test case.
> 
> I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> in the next day or so.

As an update...

Regarding the upload of a patched 3.4.13 for buster and unstable,
cherry-picking and adapting the upstream patch from the 3.4.14 branch is
straight-forward and complete [1].  The package is building, etc.

The delay is that the tests for the Debian package aren't in a state
where they are easy to run.  This predates this issue, going back to the
changes made when netty 3.9 was removed from Debian.  Since the changes
to the packaging and patches to re-enable tests would be extensive (I am
still working through them), I'm not certain that they will be suitable
for an upload during the freeze.  At a minimum, I intend to get them
working locally and push a branch so that others can verify, as well as
run the updated ZK through some local smoke-testing that validates the
ACL change.

Cheers,
tony

[1] https://salsa.debian.org/java-team/zookeeper/commit/41265b610149bd708232e40faf945f3c79b60b85

[signature.asc (application/pgp-signature, inline)]

Message #48 received at 929283@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: tony mancill <tmancill@debian.org>

Cc: 929283@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Fri, 31 May 2019 09:01:12 +0200

Hi Tony,

On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > Looks fine, but can you please also include the test case upstream added?
> > > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > > we should at least ship/run the test case.
> > 
> > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > in the next day or so.
> 
> As an update...
> 
> Regarding the upload of a patched 3.4.13 for buster and unstable,
> cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> straight-forward and complete [1].  The package is building, etc.
> 
> The delay is that the tests for the Debian package aren't in a state
> where they are easy to run.  This predates this issue, going back to the
> changes made when netty 3.9 was removed from Debian.  Since the changes
> to the packaging and patches to re-enable tests would be extensive (I am
> still working through them), I'm not certain that they will be suitable
> for an upload during the freeze.  At a minimum, I intend to get them
> working locally and push a branch so that others can verify, as well as
> run the updated ZK through some local smoke-testing that validates the
> ACL change.

Thanks for giving an update on the state!

Regards,
Salvatore

Message #53 received at 929283@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>

To: "Moritz Muehlenhoff" <jmm@inutil.org>

Cc: 929283@bugs.debian.org, team@security.debian.org

Subject: Re: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Tue, 04 Jun 2019 22:06:31 +0100

[Message part 1 (text/plain, inline)]

Hi Moritz,

> > Thanks. Here is my diff:
> 
> Looks fine, but can you please also include the test case upstream added?
> Given that it's quite complex to reconstruct the specific affected ZK setup,
> we should at least ship/run the test case.

Sure. Here's my updated patch:

diffstat for zookeeper-3.4.9 zookeeper-3.4.9

 changelog                    |    8 +
 patches/CVE-2019-11579.patch |  290 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 299 insertions(+)

diff -Nru zookeeper-3.4.9/debian/changelog zookeeper-3.4.9/debian/changelog
--- zookeeper-3.4.9/debian/changelog	2018-05-23 21:34:43.000000000 +0100
+++ zookeeper-3.4.9/debian/changelog	2019-05-24 08:57:53.000000000 +0100
@@ -1,3 +1,11 @@
+zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high
+
+  * CVE-2019-0201: Prevent an information disclosure vulnerability where users
+    who were not authorised to read data were able to view the access control
+    list. (Closes: #929283)
+
+ -- Chris Lamb <lamby@debian.org>  Fri, 24 May 2019 08:57:53 +0100
+
 zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high
 
   * Team upload.
diff -Nru zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch
--- zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch	1970-01-01 01:00:00.000000000 +0100
+++ zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch	2019-05-24 08:57:53.000000000 +0100
@@ -0,0 +1,290 @@
+--- zookeeper-3.4.9.orig/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
++++ zookeeper-3.4.9/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
+@@ -20,6 +20,7 @@ package org.apache.zookeeper.server;
+ 
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
++import java.util.ArrayList;
+ import java.util.List;
+ 
+ import org.apache.jute.Record;
+@@ -32,6 +33,7 @@ import org.apache.zookeeper.KeeperExcept
+ import org.apache.zookeeper.KeeperException.SessionMovedException;
+ import org.apache.zookeeper.ZooDefs.OpCode;
+ import org.apache.zookeeper.data.ACL;
++import org.apache.zookeeper.data.Id;
+ import org.apache.zookeeper.data.Stat;
+ import org.apache.zookeeper.proto.CreateResponse;
+ import org.apache.zookeeper.proto.ExistsRequest;
+@@ -308,10 +310,35 @@ public class FinalRequestProcessor imple
+                 GetACLRequest getACLRequest = new GetACLRequest();
+                 ByteBufferInputStream.byteBuffer2Record(request.request,
+                         getACLRequest);
++                DataNode n = zks.getZKDatabase().getNode(getACLRequest.getPath());
++                if (n == null) {
++                    throw new KeeperException.NoNodeException();
++                }
++                PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++                        ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN,
++                        request.authInfo);
++
+                 Stat stat = new Stat();
+-                List<ACL> acl = 
+-                    zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
+-                rsp = new GetACLResponse(acl, stat);
++                List<ACL> acl =
++                        zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
++                try {
++                    PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++                            ZooDefs.Perms.ADMIN,
++                            request.authInfo);
++                    rsp = new GetACLResponse(acl, stat);
++                } catch (KeeperException.NoAuthException e) {
++                    List<ACL> acl1 = new ArrayList<ACL>(acl.size());
++                    for (ACL a : acl) {
++                        if ("digest".equals(a.getId().getScheme())) {
++                            Id id = a.getId();
++                            Id id1 = new Id(id.getScheme(), id.getId().replaceAll(":.*", ":x"));
++                            acl1.add(new ACL(a.getPerms(), id1));
++                        } else {
++                            acl1.add(a);
++                        }
++                    }
++                    rsp = new GetACLResponse(acl1, stat);
++                }
+                 break;
+             }
+             case OpCode.getChildren: {
+--- /dev/null
++++ zookeeper-3.4.9/src/java/test/org/apache/zookeeper/test/FinalRequestProcessorTest.java
+@@ -0,0 +1,230 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements.  See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership.  The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License.  You may obtain a copy of the License at
++ *
++ *     http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.apache.zookeeper.server;
++
++import org.apache.jute.BinaryOutputArchive;
++import org.apache.jute.Record;
++import org.apache.zookeeper.KeeperException;
++import org.apache.zookeeper.ZooDefs;
++import org.apache.zookeeper.data.ACL;
++import org.apache.zookeeper.data.Id;
++import org.apache.zookeeper.data.Stat;
++import org.apache.zookeeper.proto.GetACLRequest;
++import org.apache.zookeeper.proto.GetACLResponse;
++import org.apache.zookeeper.proto.ReplyHeader;
++import org.junit.Before;
++import org.junit.Test;
++import org.mockito.invocation.InvocationOnMock;
++import org.mockito.stubbing.Answer;
++
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.nio.ByteBuffer;
++import java.util.ArrayList;
++import java.util.Arrays;
++import java.util.List;
++
++import static org.hamcrest.Matchers.equalTo;
++import static org.junit.Assert.assertThat;
++import static org.junit.Assert.assertTrue;
++import static org.mockito.Matchers.any;
++import static org.mockito.Matchers.anyString;
++import static org.mockito.Matchers.eq;
++import static org.mockito.Mockito.doAnswer;
++import static org.mockito.Mockito.mock;
++import static org.mockito.Mockito.when;
++
++public class FinalRequestProcessorTest {
++    private List<ACL> testACLs = new ArrayList<ACL>();
++    private final Record[] responseRecord = new Record[1];
++    private final ReplyHeader[] replyHeaders = new ReplyHeader[1];
++
++    private ServerCnxn cnxn;
++    private ByteBuffer bb;
++    private FinalRequestProcessor processor;
++
++    @Before
++    public void setUp() throws KeeperException.NoNodeException, IOException {
++        testACLs.clear();
++        testACLs.addAll(Arrays.asList(
++                new ACL(ZooDefs.Perms.ALL, new Id("digest", "user:secrethash")),
++                new ACL(ZooDefs.Perms.ADMIN, new Id("digest", "adminuser:adminsecret")),
++                new ACL(ZooDefs.Perms.READ, new Id("world", "anyone"))
++        ));
++
++        ZooKeeperServer zks = new ZooKeeperServer();
++        ZKDatabase db = mock(ZKDatabase.class);
++        String testPath = "/testPath";
++        when(db.getNode(eq(testPath))).thenReturn(new DataNode());
++        when(db.getACL(eq(testPath), any(Stat.class))).thenReturn(testACLs);
++        when(db.aclForNode(any(DataNode.class))).thenReturn(testACLs);
++        zks.setZKDatabase(db);
++        processor = new FinalRequestProcessor(zks);
++
++        cnxn = mock(ServerCnxn.class);
++        doAnswer(new Answer() {
++            @Override
++            public Object answer(InvocationOnMock invocationOnMock) {
++                replyHeaders[0] = (ReplyHeader) invocationOnMock.getArguments()[0];
++                responseRecord[0] = (Record) invocationOnMock.getArguments()[1];
++                return null;
++            }
++        }).when(cnxn).sendResponse(any(ReplyHeader.class), any(Record.class), anyString());
++
++        GetACLRequest getACLRequest = new GetACLRequest();
++        getACLRequest.setPath(testPath);
++        ByteArrayOutputStream baos = new ByteArrayOutputStream();
++        BinaryOutputArchive boa = BinaryOutputArchive.getArchive(baos);
++        getACLRequest.serialize(boa, "request");
++        baos.close();
++        bb = ByteBuffer.wrap(baos.toByteArray());
++    }
++
++    @Test
++    public void testACLDigestHashHiding_NoAuth_WorldCanRead() {
++        // Arrange
++
++        // Act
++        Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, new ArrayList<Id>());
++        processor.processRequest(r);
++
++        // Assert
++        assertMasked(true);
++    }
++
++    @Test
++    public void testACLDigestHashHiding_NoAuth_NoWorld() {
++        // Arrange
++        testACLs.remove(2);
++
++        // Act
++        Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, new ArrayList<Id>());
++        processor.processRequest(r);
++
++        // Assert
++        assertThat(KeeperException.Code.get(replyHeaders[0].getErr()), equalTo(KeeperException.Code.NOAUTH));
++    }
++
++    @Test
++    public void testACLDigestHashHiding_UserCanRead() {
++        // Arrange
++        List<Id> authInfo = new ArrayList<Id>();
++        authInfo.add(new Id("digest", "otheruser:somesecrethash"));
++
++        // Act
++        Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++        processor.processRequest(r);
++
++        // Assert
++        assertMasked(true);
++    }
++
++    @Test
++    public void testACLDigestHashHiding_UserCanAll() {
++        // Arrange
++        List<Id> authInfo = new ArrayList<Id>();
++        authInfo.add(new Id("digest", "user:secrethash"));
++
++        // Act
++        Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++        processor.processRequest(r);
++
++        // Assert
++        assertMasked(false);
++    }
++
++    @Test
++    public void testACLDigestHashHiding_AdminUser() {
++        // Arrange
++        List<Id> authInfo = new ArrayList<Id>();
++        authInfo.add(new Id("digest", "adminuser:adminsecret"));
++
++        // Act
++        Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++        processor.processRequest(r);
++
++        // Assert
++        assertMasked(false);
++    }
++
++    @Test
++    public void testACLDigestHashHiding_OnlyAdmin() {
++        // Arrange
++        testACLs.clear();
++        testACLs.addAll(Arrays.asList(
++                new ACL(ZooDefs.Perms.READ, new Id("digest", "user:secrethash")),
++                new ACL(ZooDefs.Perms.ADMIN, new Id("digest", "adminuser:adminsecret"))
++        ));
++        List<Id> authInfo = new ArrayList<Id>();
++        authInfo.add(new Id("digest", "adminuser:adminsecret"));
++
++        // Act
++        Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++        processor.processRequest(r);
++
++        // Assert
++        assertTrue("Not a GetACL response. Auth failed?", responseRecord[0] instanceof GetACLResponse);
++        GetACLResponse rsp = (GetACLResponse)responseRecord[0];
++        assertThat("Number of ACLs in the response are different", rsp.getAcl().size(), equalTo(2));
++
++        // Verify ACLs in the response
++        assertThat("Password hash mismatch in the response", rsp.getAcl().get(0).getId().getId(), equalTo("user:secrethash"));
++        assertThat("Password hash mismatch in the response", rsp.getAcl().get(1).getId().getId(), equalTo("adminuser:adminsecret"));
++    }
++
++    private void assertMasked(boolean masked) {
++        assertTrue("Not a GetACL response. Auth failed?", responseRecord[0] instanceof GetACLResponse);
++        GetACLResponse rsp = (GetACLResponse)responseRecord[0];
++        assertThat("Number of ACLs in the response are different", rsp.getAcl().size(), equalTo(3));
++
++        // Verify ACLs in the response
++        assertThat("Invalid ACL list in the response", rsp.getAcl().get(0).getPerms(), equalTo(ZooDefs.Perms.ALL));
++        assertThat("Invalid ACL list in the response", rsp.getAcl().get(0).getId().getScheme(), equalTo("digest"));
++        if (masked) {
++            assertThat("Password hash is not masked in the response", rsp.getAcl().get(0).getId().getId(), equalTo("user:x"));
++        } else {
++            assertThat("Password hash mismatch in the response", rsp.getAcl().get(0).getId().getId(), equalTo("user:secrethash"));
++        }
++
++        assertThat("Invalid ACL list in the response", rsp.getAcl().get(1).getPerms(), equalTo(ZooDefs.Perms.ADMIN));
++        assertThat("Invalid ACL list in the response", rsp.getAcl().get(1).getId().getScheme(), equalTo("digest"));
++        if (masked) {
++            assertThat("Password hash is not masked in the response", rsp.getAcl().get(1).getId().getId(), equalTo("adminuser:x"));
++        } else {
++            assertThat("Password hash mismatch in the response", rsp.getAcl().get(1).getId().getId(), equalTo("adminuser:adminsecret"));
++        }
++
++        assertThat("Invalid ACL list in the response", rsp.getAcl().get(2).getPerms(), equalTo(ZooDefs.Perms.READ));
++        assertThat("Invalid ACL list in the response", rsp.getAcl().get(2).getId().getScheme(), equalTo("world"));
++        assertThat("Invalid ACL list in the response", rsp.getAcl().get(2).getId().getId(), equalTo("anyone"));
++
++        // Verify that FinalRequestProcessor hasn't changed the original ACL objects
++        assertThat("Original ACL list has been modified", testACLs.get(0).getPerms(), equalTo(ZooDefs.Perms.ALL));
++        assertThat("Original ACL list has been modified", testACLs.get(0).getId().getScheme(), equalTo("digest"));
++        assertThat("Original ACL list has been modified", testACLs.get(0).getId().getId(), equalTo("user:secrethash"));
++
++        assertThat("Original ACL list has been modified", testACLs.get(1).getPerms(), equalTo(ZooDefs.Perms.ADMIN));
++        assertThat("Original ACL list has been modified", testACLs.get(1).getId().getScheme(), equalTo("digest"));
++        assertThat("Original ACL list has been modified", testACLs.get(1).getId().getId(), equalTo("adminuser:adminsecret"));
++
++        assertThat("Original ACL list has been modified", testACLs.get(2).getPerms(), equalTo(ZooDefs.Perms.READ));
++        assertThat("Original ACL list has been modified", testACLs.get(2).getId().getScheme(), equalTo("world"));
++        assertThat("Original ACL list has been modified", testACLs.get(2).getId().getId(), equalTo("anyone"));
++    }
++}
diff -Nru zookeeper-3.4.9/debian/patches/series zookeeper-3.4.9/debian/patches/series
--- zookeeper-3.4.9/debian/patches/series	2018-05-23 21:34:43.000000000 +0100
+++ zookeeper-3.4.9/debian/patches/series	2019-05-24 08:57:53.000000000 +0100
@@ -9,3 +9,4 @@
 09-spell-check.patch
 10-CVE-2017-5637.patch
 CVE-2018-8012.patch
+CVE-2019-11579.patch



Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

[CVE-2019-11579.patch (text/x-patch, attachment)]

Message #58 received at 929283@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 929283@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Tue, 4 Jun 2019 22:01:09 -0700

[Message part 1 (text/plain, inline)]

On Fri, May 31, 2019 at 09:01:12AM +0200, Salvatore Bonaccorso wrote:
> Hi Tony,
> 
> On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> > On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > > Looks fine, but can you please also include the test case upstream added?
> > > > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > > > we should at least ship/run the test case.
> > > 
> > > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > > in the next day or so.
> > 
> > As an update...
> > 
> > Regarding the upload of a patched 3.4.13 for buster and unstable,
> > cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> > straight-forward and complete [1].  The package is building, etc.
> > 
> > The delay is that the tests for the Debian package aren't in a state
> > where they are easy to run.  This predates this issue, going back to the
> > changes made when netty 3.9 was removed from Debian.  Since the changes
> > to the packaging and patches to re-enable tests would be extensive (I am
> > still working through them), I'm not certain that they will be suitable
> > for an upload during the freeze.  At a minimum, I intend to get them
> > working locally and push a branch so that others can verify, as well as
> > run the updated ZK through some local smoke-testing that validates the
> > ACL change.
> 
> Thanks for giving an update on the state!

Hi Salvatore - 

Apologies again for the delay.  The zookeeper package tests are in rough
shape and I wasn't able to get all tests passing even after installing
libjetty-3.9-java in a local chroot and some hacking.  The
work-in-progress 3.4.13-2+test branch is on Salsa [1], but getting the
tests into good working order will be a goal for buster.

However, I did verify the following before uploading:

- the test results between 3.4.13-1 and 3.4.13-2 are the same, meaning
  no regressions
- the newly added FinalRequestProcessorTest in 3.4.13-2 passes
- I could reproduce the ACL information disclosure on 3.4.13-1
- 3.4.13-2 no longer freely shares ACLs on nodes with ACLs that prevent
  unauthorized reading

I have just uploaded to unstable [2] and will request an unblock for
buster.

Thank you,
tony

[1] https://salsa.debian.org/java-team/zookeeper/tree/3.4.13-2+test

[signature.asc (application/pgp-signature, inline)]

Message #67 received at 929283-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: control@bugs.debian.org

Cc: 929283-submitter@bugs.debian.org

Subject: closing 929283

Date: Wed, 05 Jun 2019 11:13:40 +0200

close 929283 3.4.13-2
thanks

Message #72 received at 929283@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>

To: "Moritz Muehlenhoff" <jmm@inutil.org>

Cc: team@security.debian.org, 929283@bugs.debian.org

Subject: Re: zookeeper: CVE-2019-0201: information disclosure vulnerability

Date: Wed, 05 Jun 2019 15:53:47 +0100

[adding 929283@bugs.debian.org to CC]

Hi Moritz,

> > Sure. Here's my updated patch:

Uploaded zookeeper_3.4.9-3+deb9u2_amd64.changes to security-master.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Message #77 received at 929283-close@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: 929283-close@bugs.debian.org

Subject: Bug#929283: fixed in zookeeper 3.4.9-3+deb9u2

Date: Tue, 18 Jun 2019 21:51:05 +0000

Source: zookeeper
Source-Version: 3.4.9-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 May 2019 08:57:53 +0100
Source: zookeeper
Binary: libzookeeper-java zookeeper zookeeperd libzookeeper-java-doc libzookeeper-mt2 libzookeeper-st2 libzookeeper2 libzookeeper-mt-dev libzookeeper-st-dev zookeeper-bin python-zookeeper
Architecture: source all amd64
Version: 3.4.9-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 libzookeeper-java - Core Java libraries for zookeeper
 libzookeeper-java-doc - API Documentation for zookeeper
 libzookeeper-mt-dev - Development files for multi threaded zookeeper C bindings
 libzookeeper-mt2 - Multi threaded C bindings for zookeeper
 libzookeeper-st-dev - Development files for single threaded zookeeper C bindings
 libzookeeper-st2 - Single threaded C bindings for zookeeper
 libzookeeper2 - C bindings for zookeeper - transitional package
 python-zookeeper - Python bindings for zookeeper
 zookeeper  - High-performance coordination service for distributed application
 zookeeper-bin - Command line utilities for zookeeper
 zookeeperd - Init control scripts for zookeeper
Closes: 929283
Changes:
 zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high
 .
   * CVE-2019-0201: Prevent an information disclosure vulnerability where users
     who were not authorised to read data were able to view the access control
     list. (Closes: #929283)
Checksums-Sha1:
 fd422563f8da1d774762931103c97e8515da3b3b 3021 zookeeper_3.4.9-3+deb9u2.dsc
 a0a6168dcd380c5586c8dcfa144668f7a1a21c6d 1931392 zookeeper_3.4.9.orig.tar.xz
 96790de23fd6781d297276ded726d95efa1185ff 87508 zookeeper_3.4.9-3+deb9u2.debian.tar.xz
 cc0ae6b679b3c431bbff5768d57757478716943b 370888 libzookeeper-java-doc_3.4.9-3+deb9u2_all.deb
 61657b56f6dd11792c90a29a1da3b8b61e177cdc 1360168 libzookeeper-java_3.4.9-3+deb9u2_all.deb
 64fe2edb1e7c2eeeb6d90a832c18ad6ad2e603a5 90990 libzookeeper-mt-dev_3.4.9-3+deb9u2_amd64.deb
 93b93d0d47773cd23f3853954a9f7a1bc328460c 112700 libzookeeper-mt2-dbgsym_3.4.9-3+deb9u2_amd64.deb
 7525db2f8c22dd3db1f2d82f248852edac5d891e 75406 libzookeeper-mt2_3.4.9-3+deb9u2_amd64.deb
 0fe1abc3325edfc21d551a6a91c1b16670878ccb 88248 libzookeeper-st-dev_3.4.9-3+deb9u2_amd64.deb
 9d78cceb2f4c020a4c43446038cdaff1d678e1a1 105602 libzookeeper-st2-dbgsym_3.4.9-3+deb9u2_amd64.deb
 f9fdd7ac14042e29455c4f258cca91c4c2f78edb 72966 libzookeeper-st2_3.4.9-3+deb9u2_amd64.deb
 a6b739496bd7fc40c13776f9a90c77e9804f4e58 40982 libzookeeper2_3.4.9-3+deb9u2_amd64.deb
 0cd165ffaefa231ca56c78010a9767f0430cae95 32352 python-zookeeper-dbgsym_3.4.9-3+deb9u2_amd64.deb
 8893ba2fce4b65393c25781a8b9fc69cdc74b39d 58382 python-zookeeper_3.4.9-3+deb9u2_amd64.deb
 cdf4de6ac208d33dee28da1e306eaca2c63c1cb7 413390 zookeeper-bin-dbgsym_3.4.9-3+deb9u2_amd64.deb
 c35e5e224a75c7fd8fcd17fd6623d8bfa04c3662 94730 zookeeper-bin_3.4.9-3+deb9u2_amd64.deb
 83f323ed9e982feb33809d3f8aac785f446b2ad9 141954 zookeeper_3.4.9-3+deb9u2_all.deb
 6d399ec7ed1efe3ebb2a5023f746ac8c497c6b8b 17413 zookeeper_3.4.9-3+deb9u2_amd64.buildinfo
 498a76e0bfabc5ca175691716314b94a345d936f 44068 zookeeperd_3.4.9-3+deb9u2_all.deb
Checksums-Sha256:
 efbf3e61208c807edba26e62535f76527045fbeb21d18ade5b352db2c35f54ac 3021 zookeeper_3.4.9-3+deb9u2.dsc
 1471e69d0b391c87208ec5a6ef5c6dbb1e31820b274b34ebd9a808940f36410b 1931392 zookeeper_3.4.9.orig.tar.xz
 eec0dee2d132413af212cf07eec8fe9c57737761026462b645105b44258cfe74 87508 zookeeper_3.4.9-3+deb9u2.debian.tar.xz
 91711e8000dbc6066598168e4e32fd0c702666b9a41be45d3cab279d2fe3af57 370888 libzookeeper-java-doc_3.4.9-3+deb9u2_all.deb
 8254de5cb5c406f0f75bd9195cbf1ef251f389fc97f3f36aa5bdb85efda992e8 1360168 libzookeeper-java_3.4.9-3+deb9u2_all.deb
 417778e736a31c5fbede8bfc60bd4bf91d67a4863455829b328f9d8b4cbc85df 90990 libzookeeper-mt-dev_3.4.9-3+deb9u2_amd64.deb
 463b2ac62797051501b3fce7aeb5b300ee4bf987b48941e26d807e25849d4e3d 112700 libzookeeper-mt2-dbgsym_3.4.9-3+deb9u2_amd64.deb
 705707822972c9ddb575bd89e3aaf0b7777ecf2241bf72b9e28bbb2acfac8467 75406 libzookeeper-mt2_3.4.9-3+deb9u2_amd64.deb
 888cee40140e31d763b1e5b84ac8d971537165a9f9f54b8112954d090c1a4b28 88248 libzookeeper-st-dev_3.4.9-3+deb9u2_amd64.deb
 3f033833f6e2ea02e377e66769c0c7b26f9d350b0c0c3ec75d36f1254e9293fd 105602 libzookeeper-st2-dbgsym_3.4.9-3+deb9u2_amd64.deb
 cc220abb7197ecad89f1aa111ac2565647d9d0b29cc85da62ec344a79d271994 72966 libzookeeper-st2_3.4.9-3+deb9u2_amd64.deb
 f4ba21723801807fd61f6725c2d01a4049e7e6df1338d8c35091444a797464ce 40982 libzookeeper2_3.4.9-3+deb9u2_amd64.deb
 c7992e1f460167e26a751a9171776fbecff2866e4ae3c5dcc1bf7dbe51460c21 32352 python-zookeeper-dbgsym_3.4.9-3+deb9u2_amd64.deb
 4f6164918249af2dd43310fe43eabcbf3e14aec1d7c0f53e55db4db6f6e325b5 58382 python-zookeeper_3.4.9-3+deb9u2_amd64.deb
 2a8d2865f4cffbacdcdf2306abab859ff4762765ffe5e584da31663dbbac07aa 413390 zookeeper-bin-dbgsym_3.4.9-3+deb9u2_amd64.deb
 3ed7b14aefc70368820601bd104409c630f3bf2eca35155c029449b568056ea1 94730 zookeeper-bin_3.4.9-3+deb9u2_amd64.deb
 dd73ac6f0bac6ebbc092958a2a4f52bf7e3c8c54f6e286365b80232b7e8f62c4 141954 zookeeper_3.4.9-3+deb9u2_all.deb
 7f0d550183d3f13912b6ca757996f997c25de59e75f26946eaadc468340968c5 17413 zookeeper_3.4.9-3+deb9u2_amd64.buildinfo
 0dae6405cf625dbf8ff754c87bb40d3087fde82faa398e14d8ad20d07936e0ba 44068 zookeeperd_3.4.9-3+deb9u2_all.deb
Files:
 d1d5583f09aeabf30fc2a7268104b8b2 3021 java optional zookeeper_3.4.9-3+deb9u2.dsc
 d33aa506accaeade4260f1ba26ad3b8e 1931392 java optional zookeeper_3.4.9.orig.tar.xz
 ef1b7f910ff68518158146e962f8287e 87508 java optional zookeeper_3.4.9-3+deb9u2.debian.tar.xz
 a54ec72675f64d901f2d9a9e4870f7a1 370888 doc optional libzookeeper-java-doc_3.4.9-3+deb9u2_all.deb
 e1c0059f814aa8e1f32cdba2251335c1 1360168 java optional libzookeeper-java_3.4.9-3+deb9u2_all.deb
 877092808b4841ac6827dee814a0f917 90990 libdevel optional libzookeeper-mt-dev_3.4.9-3+deb9u2_amd64.deb
 81fd831b7a77c933dd8bcfe198eda242 112700 debug extra libzookeeper-mt2-dbgsym_3.4.9-3+deb9u2_amd64.deb
 49433fdb5fd17ea35b7d00f44c2b6b94 75406 libs optional libzookeeper-mt2_3.4.9-3+deb9u2_amd64.deb
 1cd3623e86be4861176551dd00e14fd7 88248 libdevel optional libzookeeper-st-dev_3.4.9-3+deb9u2_amd64.deb
 a86e32289b329bc95b6fac0d17f2c54c 105602 debug extra libzookeeper-st2-dbgsym_3.4.9-3+deb9u2_amd64.deb
 b64b8c3fb47688ac1dbbee9103b1f842 72966 libs optional libzookeeper-st2_3.4.9-3+deb9u2_amd64.deb
 3f0cbd7d4eff0a5bc772d8662de806bd 40982 oldlibs extra libzookeeper2_3.4.9-3+deb9u2_amd64.deb
 d4ff32643c92c5c0926fc2181a034197 32352 debug extra python-zookeeper-dbgsym_3.4.9-3+deb9u2_amd64.deb
 00b3b18bcdb7d3d79f8f580c199f4e46 58382 python optional python-zookeeper_3.4.9-3+deb9u2_amd64.deb
 16b27c21c065a0c9fdeae1bd834897f7 413390 debug extra zookeeper-bin-dbgsym_3.4.9-3+deb9u2_amd64.deb
 cf4fd47923dd59c9e03bfe1a29f6a456 94730 misc optional zookeeper-bin_3.4.9-3+deb9u2_amd64.deb
 5c4cd01b83082f579ab5edca580064eb 141954 java optional zookeeper_3.4.9-3+deb9u2_all.deb
 209a4545070e7e53ba0f14ec6050d57a 17413 java optional zookeeper_3.4.9-3+deb9u2_amd64.buildinfo
 d7fef17d15a25d3408a087ba3b0cdc19 44068 java optional zookeeperd_3.4.9-3+deb9u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAlz31wgACgkQHpU+J9Qx
Hlgm1Q//V7RxWF0cUhq1cWS44HpIwfG4dc4PM61+6IEz4h5werE6IB8BD/vWIH1K
9bzYW3wBk5xJH1H1YtZ6WajDLEMo004SL8KeiTxVTlWbZeK1W3cFt94anVpQpRIP
R5qF+ZeBpWJzLICDGbGqmGnmO1Tp4N68dsMJZiVyUynYvdArSJMe+wYmyFnHh0q/
+TTZvlPkyVHVxgUpGorl8q36nNF/+iEr8pqsT+KtKYIAIG3rUuexy314m235MAy9
C+o27kt8oxBDCIdkO40U2CxFKT7B1YA8nj4Gi2rQcx50uZjfOnlufInl7+zFkOfU
nb64IqvSFX/+bQY2OEu/lhy4fr5Oqe1jdfDtcggI4z604sgrjoQcuu8u8cfDmiLN
PRg/7ITwIbqg6V6GSMBBBgsXgqYlIXqBAWP53gGVqXRX1eLSNsJ6X+W1TEfD7RfN
jDAr/rkvEbh7ruK6SiNphk/wawNIKBkKibo0l+BxhmBSOxYTv0a2DugLCBDPK+xW
f99gh0T0EmUTb7QU111ElEqps5Vs8ifRmCxj+tdgRah4uGrClVn+zDWMNWTJ5v5Q
ezdHtOnxrXcmU8q3e8GOaa/QlAkk7hgoFW+Nv8lMqfZ0kUXbLzrXaOjmw/C6xCHH
ecFxfP6eE28nlN+zgEzzn3pJY+Ff63jEjJkY5/72oVoPa7kfklU=
=SB8+
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.