diff --git a/CVE-2020-10775.patch b/CVE-2020-10775.patch
new file mode 100644
index 0000000000000000000000000000000000000000..43731eeefcfca0735cdd9d9ce50e72a2dcf6b070
--- /dev/null
+++ b/CVE-2020-10775.patch
@@ -0,0 +1,185 @@
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java 2021-07-20 03:39:24.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java 2022-06-06 14:16:06.807214000 +0800
+@@ -8,6 +8,7 @@
+ 
+ import javax.naming.InitialContext;
+ import javax.naming.NamingException;
++import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServlet;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+@@ -41,7 +42,7 @@
+ }
+ 
+ @Override
+- public void init() {
++ public void init() throws ServletException {
+ String strVal = getServletConfig().getInitParameter("login-as-admin");
+ if (strVal == null) {
+ throw new RuntimeException("No login-as-admin init parameter specified for SsoPostLoginServlet.");
+@@ -61,9 +62,8 @@
+ @Override
+ protected void service(HttpServletRequest request, HttpServletResponse response) throws IOException {
+ log.debug("Entered SsoPostLoginServlet");
+- String username;
++ String username = null;
+ String profile = null;
+- String authzName;
+ InitialContext ctx = null;
+ try {
+ String error_description = request.getParameter("error_description");
+@@ -90,12 +90,12 @@
+ Map payload = (Map) jsonResponse.get("ovirt");
+ 
+ username = (String) jsonResponse.get("user_id");
++ profile = "";
+ int index = username.lastIndexOf("@");
+ if (index != -1) {
+ profile = username.substring(index + 1);
+ username = username.substring(0, index);
+ }
+- authzName = (String) jsonResponse.get("user_authz");
+ 
+ try {
+ ctx = new InitialContext();
+@@ -120,14 +120,12 @@
+ "Unable to login user %s@%s with profile [%s]" +
+ " because the maximum number of allowed sessions %s is exceeded",
+ username,
+- authzName,
+ profile,
+ maxUserSessions));
+ }
+ throw new RuntimeException(String.format(
+ "The user %s@%s with profile [%s] is not authorized to perform login",
+ username,
+- authzName,
+ profile));
+ } else {
+ HttpSession httpSession = request.getSession(true);
+@@ -143,9 +141,7 @@
+ } catch (RuntimeException ex) {
+ throw ex;
+ } catch (Exception ex) {
+- throw new RuntimeException(
+- String.format("User login failure: %s@%s with profile [%s]", username, authzName, profile),
+- ex);
++ throw new RuntimeException(String.format("User login failure: %s", username), ex);
+ } finally {
+ try {
+ if (ctx != null) {
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java 2021-07-20 03:39:24.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java 2022-06-06 14:19:02.265717000 +0800
+@@ -33,7 +33,7 @@
+ public static String createUserSession(HttpServletRequest req,
+ Map jsonResponse,
+ boolean loginAsAdmin) throws Exception {
+- String engineSessionId;
++ String engineSessionId = null;
+ if (!FiltersHelper.isStatusOk(jsonResponse)) {
+ throw new RuntimeException((String) jsonResponse.get("MESSAGE"));
+ }
+@@ -46,7 +46,6 @@
+ profile = username.substring(index + 1);
+ username = username.substring(0, index);
+ }
+- String authzName = (String) jsonResponse.get("user_authz");
+ try {
+ ctx = new InitialContext();
+ ActionReturnValue queryRetVal = FiltersHelper.getBackend(ctx).runAction(ActionType.CreateUserSession,
+@@ -70,14 +69,12 @@
+ "Unable to login user %s@%s with profile [%s] " +
+ "because the maximum number of allowed sessions %s is exceeded",
+ username,
+- authzName,
+ profile,
+ EngineLocalConfig.getInstance().getInteger("ENGINE_MAX_USER_SESSIONS")));
+ }
+ throw new RuntimeException(String.format(
+ "The user %s@%s with profile [%s] is not authorized to perform login",
+ username,
+- authzName,
+ profile));
+ }
+ engineSessionId = queryRetVal.getActionReturnValue();
+@@ -90,8 +87,8 @@
+ true);
+ }
+ } catch (Exception ex) {
+- log.error("User '{}@{}' with profile [{}] login failed: {}", username, authzName, profile, ex.getMessage());
+- log.debug("User '{}@{}' with profile [{}] login failed", username, authzName, profile, ex);
++ log.error("User '{}@{}' login failed: {}", username, profile, ex.getMessage());
++ log.debug("User '{}@{}' login failed", username, profile, ex);
+ throw ex;
+ } finally {
+ try {
+@@ -139,7 +136,6 @@
+ if (StringUtils.isNotBlank(alternateFqdnString)) {
+ Arrays.stream(alternateFqdnString.trim().split("\\s *"))
+ .filter(StringUtils::isNotBlank)
+- .map(String::toLowerCase)
+ .forEach(allowedDomains::add);
+ }
+ 
+@@ -148,7 +144,7 @@
+ 
+ private static String parseHostFromUrl(String url, String urlPropertyName) {
+ try {
+- return new URI(url).getHost().toLowerCase();
++ return new URI(url).getHost();
+ } catch (URISyntaxException e) {
+ throw new IllegalStateException(urlPropertyName + " not a valid URI: " + url);
+ }
+diff -Naru a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java
+--- a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java 2021-07-20 03:39:24.000000000 +0800
++++ b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java 2022-06-06 14:20:07.028614000 +0800
+@@ -38,23 +38,6 @@
+ }
+ 
+ @Test
+- public void shouldMatchAppUrlDomainOnAlternateSSOEngineUrlRegardlessUpperCase() {
+- // given
+- EngineLocalConfig.getInstance(new HashMap<>() {
+- {
+- put("SSO_ENGINE_URL", "https://engine.example.com:8221/ovirt-engine");
+- put("SSO_ALTERNATE_ENGINE_FQDNS", "engine1.example.com ALTERNATE-engine.example.com");
+- }
+- });
+-
+- // when
+- boolean valid = SsoUtils.isDomainValid("https://alternate-engine.EXAMPLE.com:20001/somerest/api_v9");
+-
+- // then
+- Assertions.assertTrue(valid);
+- }
+-
+- @Test
+ public void shouldAllowBlankAppUrl() {
+ // given
+ EngineLocalConfig.getInstance(new HashMap<>() {
+@@ -103,23 +86,6 @@
+ 
+ // then
+ Assertions.assertTrue(valid);
+- }
+-
+- @Test
+- public void shouldMatchAppUrlDomainOnSSOEngineUrlRegardlessUpperCase() {
+- // given
+- EngineLocalConfig.getInstance(new HashMap<>() {
+- {
+- put("SSO_ENGINE_URL", "https://engine.EXAMPLE.com:30003/ovirt-engine");
+- put("SSO_ALTERNATE_ENGINE_FQDNS", "alternate-engine.example.com");
+- }
+- });
+-
+- // when
+- boolean valid = SsoUtils.isDomainValid("https://ENGINE.example.com:20001/somerest/api_v9");
+-
+- // then
+- Assertions.assertTrue(valid);
+ }
+ 
+ @Test
diff --git a/ovirt-engine.spec b/ovirt-engine.spec
index afe9520b57c938f98a94f5798fde702b0ba5cac4..f24ac2fdafffa1a2d621c2feac39cb4806236ef6 100644
--- a/ovirt-engine.spec
+++ b/ovirt-engine.spec
@@ -174,6 +174,7 @@ Source2: xalan-2.7.1.jbossorg-2.jar # sed -i "s/$version/5.10.3/g" libsass-maven-plugin-0.2.8-libsass_3.4.4.pom Source3: libsass-maven-plugin-0.2.8-libsass_3.4.4.pom Patch1: 0001-add-dependent-package-to-lib.patch +Patch2: CVE-2020-10775.patch BuildArch: noarch BuildRequires: assertj-core >= 2.2.0
@@ -617,6 +618,7 @@ Setup imageio service. %prep %setup -c -q %patch1 -p1 +%patch2 -p1 mvn install:install-file -DgroupId=io.reactive.rxjava2 -DartifactId=rxjava -Dversion=2.2.4 -Dpackaging=jar -Dfile=%{SOURCE1} mvn install:install-file -DgroupId=xalan -DartifactId=xalan -Dversion=2.7.1.jbossorg-2 -Dpackaging=jar -Dfile=%{SOURCE2} mkdir -p ~/.m2/repository/com/github/warmuuh/libsass-maven-plugin/0.2.8-libsass_3.4.4
@@ -1253,6 +1255,9 @@ fi %{engine_data}/setup/bin/ovirt-engine-health %changelog +* Fri May 27 2022 yanghuan - 4.4.7.7-4 +- Fix CVE-2020-10775 + * Wed Sep 15 2021 Ge Wang - 4.4.7.7-3 - Fix aarch64 setup error
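Review bot: The SsoUtils.java hunks at `@@ -139,7 +136,6 @@` and `@@ -148,7 +144,7 @@` strip the lower-casing from both sides of the SSO domain check (`.map(String::toLowerCase)` on the configured FQDN list and `.toLowerCase()` in `parseHostFromUrl`), and the two SsoUtilsTest.java hunks delete exactly the tests that pinned case-insensitive matching, so after this patch `isDomainValid` rejects a redirect target like `https://ENGINE.example.com/...` when the configured engine URL is lower-case; that fails closed, but it is a behavioural regression with no visible relation to the CVE the file is named after, and the `...RegardlessUpperCase` test names suggest this part of the diff is the inverse of an upstream change. The same applies to dropping `authzName` from the login-failure messages in SsoPostLoginServlet.java and SsoUtils.java, which removes the authorization-directory name from the failed-login log line and exception text that operators rely on during incident review. A `diff -Naru` run with the two trees swapped produces exactly this shape, so the direction of the embedded patch should be confirmed against the upstream CVE-2020-10775 commit before it is wired in as Patch2. If the case normalisation is meant to stay, keep `.map(String::toLowerCase)` and `return new URI(url).getHost().toLowerCase();` together with the two deleted tests. The bodies of `isDomainValid` and `createUserSession` extend beyond their hunks.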