keystone: CVE-2013-1664 (DoS in xml entity parsing) and CVE-2013-1665 (information leak via xml entity parsing)

Debian Bug report logs - #700948


Reported by: Thomas Goirand <zigo@debian.org>

Date: Tue, 19 Feb 2013 16:03:05 UTC

Severity: grave

Tags: security

Found in version keystone/2012.1.1-12

Fixed in versions keystone/2012.1.1-13, keystone/2012.2.3-1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#700948; Package keystone. (Tue, 19 Feb 2013 16:03:07 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 19 Feb 2013 16:03:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-0280: Information leak and Denial of Service using XML entities
Date: Wed, 20 Feb 2013 00:01:20 +0800
Package: keystone
Version: 2012.1.1-12
Severity: grave
Tags: security

Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.

Patched package is ready, upload is coming.

Thomas Goirand (zigo)
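The report above describes two parser-level problems: entity expansion consuming resources (the XML bomb) and external entities disclosing local files. The defensive workaround an API server can apply is to refuse any entity declaration before the XML library gets a chance to expand it. The following is an added illustration, not code from this bug log or from the Keystone patches: a pre-scan with Python's expat bindings that aborts on entity declarations and external entity references, placed in front of ElementTree. The request bodies at the bottom are constructed samples, and the DTD system identifier is a placeholder.

```python
"""Reject XML entity declarations before parsing an untrusted request body."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntityDeclarationError(ValueError):
    """Raised when a document declares an entity or references an external one."""


def _reject_entity(*_args):
    # Fires for internal, external and unparsed entity declarations in the
    # DOCTYPE subset; raising here stops expat before anything is expanded.
    raise EntityDeclarationError("entity declarations are not accepted")


def _reject_external(_context, _base, system_id, _public_id):
    # Belt and braces: never resolve an external entity (file or URL).
    raise EntityDeclarationError("external entity reference: %r" % (system_id,))


def guard_xml(data: bytes) -> None:
    """Pre-scan `data`; raise EntityDeclarationError if any entity is declared."""
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity
    parser.UnparsedEntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external
    parser.Parse(data, True)  # handler exceptions propagate out of Parse()


def safe_fromstring(data: bytes) -> ET.Element:
    """Parse untrusted XML into an ElementTree only after guard_xml() accepts it."""
    guard_xml(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if guard_xml() refuses `data` (convenience for checks and tests)."""
    try:
        guard_xml(data)
    except EntityDeclarationError:
        return False or True
    return False


# Constructed sample bodies (not taken from the advisory): one benign request,
# one declaring an internal entity, one pointing at a placeholder external DTD.
BENIGN = b'<auth><passwordCredentials username="demo"/></auth>'
INTERNAL_ENTITY = b'<!DOCTYPE auth [<!ENTITY e "x">]><auth>&e;</auth>'
EXTERNAL_ENTITY = b'<!DOCTYPE auth [<!ENTITY f SYSTEM "placeholder">]><auth>&f;</auth>'
```

Only `BENIGN` reaches ElementTree; both entity-bearing bodies are refused at the declaration, so no expansion or file access can occur.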



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 19 Feb 2013 16:21:13 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Tue, 19 Feb 2013 16:21:13 GMT)


Message #10 received at 700948-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 700948-close@bugs.debian.org
Subject: Bug#700948: fixed in keystone 2012.1.1-13
Date: Tue, 19 Feb 2013 16:17:32 +0000
Source: keystone
Source-Version: 2012.1.1-13

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700948@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 Feb 2013 12:56:42 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-13
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 700947 700948
Changes: 
 keystone (2012.1.1-13) unstable; urgency=high
 .
   * CVE-2013-0282: Ensure EC2 users and tenant are enabled (Closes: #700947).
   * CVE-2013-0280: Information leak and Denial of Service using XML entities
     (Closes: #700948).




Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 19 Feb 2013 16:33:11 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Tue, 19 Feb 2013 16:33:11 GMT)


Message #15 received at 700948-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 700948-close@bugs.debian.org
Subject: Bug#700948: fixed in keystone 2012.2.3-1
Date: Tue, 19 Feb 2013 16:32:33 +0000
Source: keystone
Source-Version: 2012.2.3-1

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700948@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 03 Feb 2013 11:05:36 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.2.3-1
Distribution: experimental
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 700947 700948
Changes: 
 keystone (2012.2.3-1) experimental; urgency=low
 .
   * New upstream release.
   * CVE-2013-0247: Keystone denial of service through invalid token requests.
   * CVE-2013-0282 Keystone EC2-style authentication accepts disabled
     user/tenants (Closes: #700947).
   * CVE-2013-0280: Information leak and Denial of Service using XML entities
     (Closes: #700948)




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#700948; Package keystone. (Tue, 19 Feb 2013 21:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 19 Feb 2013 21:51:03 GMT)


Message #20 received at 700948@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 700948@bugs.debian.org, 700949@bugs.debian.org, 700950@bugs.debian.org, Thomas Goirand <zigo@debian.org>
Cc: team@security.debian.org
Subject: keystone, nova, cinder: Assigned CVEs and three CVEs rejected
Date: Tue, 19 Feb 2013 22:46:46 +0100
Hi Thomas

This is to notify you about a problem in the CVEs used: there was a
small unclear situation on assigning the CVEs for these issues
apparently, see [1].

 [1]: http://marc.info/?l=oss-security&m=136129931825949&w=2

In short: CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 were
rejected and CVE-2013-1664 and CVE-2013-1665 are to be used for the
respective issues.

----cut---------cut---------cut---------cut---------cut---------cut-----
- From Thierry Carrez:
====
After discussion with the Python security team and Kurt, we'll use the
following common CVEs:

CVE-2013-1664 Unrestricted entity expansion induces DoS
vulnerabilities in Python XML libraries (XML bomb)
^ affects Keystone, Cinder, Nova

CVE-2013-1665 External entity expansion in Python XML libraries
inflicts potential security flaws and DoS vulnerabilities
^ affects Keystone

The vulnerabilities are actually in those Python libraries, they are
just being worked around in OpenStack patches. The description will be
updated to clarify this (see below).
====

As you can see from the advisories:

http://seclists.org/oss-sec/2013/q1/338
CVE: CVE-2013-1664, CVE-2013-1665

They were correctly referenced in the OpenStack advisories; however,
the CVEs did get used elsewhere:

http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html

CVE-2013-0278
    OpenStack Keystone
CVE-2013-0279
    Cinder
CVE-2013-0280
    Nova

So please REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and
use CVE-2013-1664, CVE-2013-1665 as appropriate instead to identify
these issues. Sorry for the confusion.
----cut---------cut---------cut---------cut---------cut---------cut-----

I know you have already updated the packages, if possible could you
change the CVE identifiers in the changelog in your next upload?

I will try to update the security-tracker with the above information.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#700948; Package keystone. (Wed, 20 Feb 2013 03:48:03 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 20 Feb 2013 03:48:04 GMT)


Message #25 received at 700948@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 700948@bugs.debian.org, 700949@bugs.debian.org, 700950@bugs.debian.org, team@security.debian.org
Subject: Re: keystone, nova, cinder: Assigned CVEs and three CVEs rejected
Date: Wed, 20 Feb 2013 11:45:13 +0800
On 02/20/2013 05:46 AM, Salvatore Bonaccorso wrote:
> Hi Thomas
> 
> This is to notify you about a problem in the CVEs used: there was a
> small unclear situation on assigning the CVEs for these issues
> apparently, see [1].
> 
>  [1]: http://marc.info/?l=oss-security&m=136129931825949&w=2
> 
> In short: CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 were
> rejected and CVE-2013-1664 and CVE-2013-1665 are to be used for the
> respective issues.

Hi,

I know about it, but I already uploaded before reading TTX's email. I will
change the CVE numbers in the changelog and patches, so that the issue
is well referenced in the next upload.

Cheers,

Thomas



Changed Bug title to 'keystone: CVE-2013-1664 (DoS in xml entity parsing) and CVE-2013-1665 (information leak via xml entity parsing)' from 'CVE-2013-0280: Information leak and Denial of Service using XML entities'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Feb 2013 11:51:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Mar 2013 07:26:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:39:11 2019; Machine Name: buxtehude
