diff --git a/fix-the-CVE-2023-6110.patch b/fix-the-CVE-2023-6110.patch
new file mode 100644
index 0000000000000000000000000000000000000000..446ef6c37d4381aba303f32b828ee86b2da9db27
--- /dev/null
+++ b/fix-the-CVE-2023-6110.patch
@@ -0,0 +1,153 @@
+From bc60e3bb908a7f10c87993d791184bfe46784d6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
+Date: Wed, 31 May 2023 16:00:02 -0500
+Subject: [PATCH] Fix "access rule" commands to only use ID
+
+This patch modifies the access rule commands to use only the resource
+ID. The previous logic incorrectly assumed that access rules have a
+"name" property, which resulted in unexpected behaviors.
+
+For example, "access rule delete {non-existent-id}" now results in a
+"not found" error instead of sometimes deleting an unrelated rule.
+
+Story: 2010775
+Task: 48163
+Change-Id: Ib5c3b7f86acf1dfe7cc76dfa99fa4c118388bd71
+---
+ openstackclient/identity/common.py | 12 ++++++++++
+ openstackclient/identity/v3/access_rule.py | 8 +++----
+ .../unit/identity/v3/test_access_rule.py | 24 ++++++++-----------
+ .../fix-story-2010775-953dbdf03b2b6746.yaml | 8 +++++++
+ 4 files changed, 34 insertions(+), 18 deletions(-)
+ create mode 100644 releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml
+
+diff --git a/openstackclient/identity/common.py b/openstackclient/identity/common.py
+index 745ffb2b..a9d8afa6 100644
+--- a/openstackclient/identity/common.py
++++ b/openstackclient/identity/common.py
+@@ -92,6 +92,18 @@ def get_resource(manager, name_type_or_id):
+ raise exceptions.CommandError(msg % name_type_or_id)
+
+
++def get_resource_by_id(manager, resource_id):
++ """Get resource by ID
++
++ Raises CommandError if the resource is not found
++ """
++ try:
++ return manager.get(resource_id)
++ except identity_exc.NotFound:
++ msg = _("Resource with id {} not found")
++ raise exceptions.CommandError(msg.format(resource_id))
++
++
+ def _get_token_resource(client, resource, parsed_name, parsed_domain=None):
+ """Peek into the user's auth token to get resource IDs
+
+diff --git a/openstackclient/identity/v3/access_rule.py b/openstackclient/identity/v3/access_rule.py
+index 5eff39c7..b9a66e9a 100644
+--- a/openstackclient/identity/v3/access_rule.py
++++ b/openstackclient/identity/v3/access_rule.py
+@@ -37,7 +37,7 @@ class DeleteAccessRule(command.Command):
+ 'access_rule',
+ metavar='',
+ nargs="+",
+- help=_('Access rule(s) to delete (name or ID)'),
++ help=_('Access rule ID(s) to delete'),
+ )
+ return parser
+
+@@ -47,7 +47,7 @@ class DeleteAccessRule(command.Command):
+ errors = 0
+ for ac in parsed_args.access_rule:
+ try:
+- access_rule = utils.find_resource(
++ access_rule = common.get_resource_by_id(
+ identity_client.access_rules, ac
+ )
+ identity_client.access_rules.delete(access_rule.id)
+@@ -114,13 +114,13 @@ class ShowAccessRule(command.ShowOne):
+ parser.add_argument(
+ 'access_rule',
+ metavar='',
+- help=_('Access rule to display (name or ID)'),
++ help=_('Access rule ID to display'),
+ )
+ return parser
+
+ def take_action(self, parsed_args):
+ identity_client = self.app.client_manager.identity
+- access_rule = utils.find_resource(
++ access_rule = common.get_resource_by_id(
+ identity_client.access_rules, parsed_args.access_rule
+ )
+
+diff --git a/openstackclient/tests/unit/identity/v3/test_access_rule.py b/openstackclient/tests/unit/identity/v3/test_access_rule.py
+index 3727dcfe..b62f283f 100644
+--- a/openstackclient/tests/unit/identity/v3/test_access_rule.py
++++ b/openstackclient/tests/unit/identity/v3/test_access_rule.py
+@@ -14,10 +14,9 @@
+ #
+
+ import copy
+-from unittest import mock
+
++from keystoneclient import exceptions as identity_exc
+ from osc_lib import exceptions
+-from osc_lib import utils
+
+ from openstackclient.identity.v3 import access_rule
+ from openstackclient.tests.unit import fakes
+@@ -64,11 +63,12 @@ class TestAccessRuleDelete(TestAccessRule):
+ )
+ self.assertIsNone(result)
+
+- @mock.patch.object(utils, 'find_resource')
+- def test_delete_multi_access_rules_with_exception(self, find_mock):
+- find_mock.side_effect = [
+- self.access_rules_mock.get.return_value,
+- exceptions.CommandError,
++ def test_delete_multi_access_rules_with_exception(self):
++ # mock returns for common.get_resource_by_id
++ mock_get = self.access_rules_mock.get
++ mock_get.side_effect = [
++ mock_get.return_value,
++ identity_exc.NotFound,
+ ]
+ arglist = [
+ identity_fakes.access_rule_id,
+@@ -87,14 +87,10 @@ class TestAccessRuleDelete(TestAccessRule):
+ '1 of 2 access rules failed to' ' delete.', str(e)
+ )
+
+- find_mock.assert_any_call(
+- self.access_rules_mock, identity_fakes.access_rule_id
+- )
+- find_mock.assert_any_call(
+- self.access_rules_mock, 'nonexistent_access_rule'
+- )
++ mock_get.assert_any_call(identity_fakes.access_rule_id)
++ mock_get.assert_any_call('nonexistent_access_rule')
+
+- self.assertEqual(2, find_mock.call_count)
++ self.assertEqual(2, mock_get.call_count)
+ self.access_rules_mock.delete.assert_called_once_with(
+ identity_fakes.access_rule_id
+ )
+diff --git a/releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml b/releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml
+new file mode 100644
+index 00000000..e4c98b74
+--- /dev/null
++++ b/releasenotes/notes/fix-story-2010775-953dbdf03b2b6746.yaml
+@@ -0,0 +1,8 @@
++---
++fixes:
++ - |
++ Fixed a bug in "access rule" subcommands where the client logic incorrectly
++ assumed that access rules have a "name" property which resulted in
++ unpredictable behaviors. e.g. "access rule delete {non-existent-id}" now
++ results in a not-found error instead of sometimes deleting an unrelated
++ rule.
+-- 
+2.27.0
+
diff --git a/python-openstackclient.spec b/python-openstackclient.spec
index b35c58146760e473841a17ad667fd2b03d82dea0..44fc146e2a471f8bf32d56da5bbba7fc69f7351a 100644
--- a/python-openstackclient.spec
+++ b/python-openstackclient.spec
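Review bot: In the `get_resource_by_id` helper added to `openstackclient/identity/common.py`, the `CommandError` is raised inside `except identity_exc.NotFound` without `from`, and its generic text `Resource with id {} not found` drops the resource type that the old `find_resource` error named; consider `except identity_exc.NotFound as err:` with `raise exceptions.CommandError(msg.format(resource_id)) from err`, and a message that names the resource (the helper is only used for access rules here, so `_("No access rule with ID '{}' exists")` or passing the type name in would do). The part that matters for CVE-2023-6110 looks right: `manager.get()` is addressed by ID only, so a non-existent ID can no longer fall through to a name/attribute match and delete an unrelated rule. Because this is a backport onto 5.5.0 and the diffstat shows no import changes, verify that `access_rule.py` at that version already imports `common` and that `common.py` already has `identity_exc` in scope, otherwise both hunks fail at import time. The `take_action` bodies of `DeleteAccessRule` and `ShowAccessRule` start or continue outside these hunks, so any non-`NotFound` error from `manager.get()` (e.g. `Forbidden`) is handled, if at all, by code not shown here.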
@@ -4,11 +4,12 @@
 Name: python-openstackclient
 Version: 5.5.0
-Release: 2
+Release: 3
 Summary: OpenStack Command-line Client
 License: Apache-2.0
 URL: http://launchpad.net/%{name}
 Source0: https://tarballs.openstack.org/%{name}/%{name}-%{upstream_version}.tar.gz
+Patch0: fix-the-CVE-2023-6110.patch
 BuildArch: noarch
 BuildRequires: git
@@ -88,6 +89,7 @@ Summary: Translation files for Openstackclient
 Translation files for Openstackclient
 %prep
+%autosetup -n openstackclient-%{version} -p1
 %autosetup -n %{name}-%{upstream_version}
@@ -143,6 +145,8 @@ stestr run
 %license LICENSE
 %changelog
+* Sat May 11 2024 lilu - 5.5.0-3
+- Fix the CVE-2023-6110 that "access rule" commands to only use ID
 * Fri Aug 13 2021 wangxiyuan 5.5.0-2
 - Change osc-lib-tests to osc-lib
 * Wed Aug 04 2021 huangtianhua 5.5.0-1
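Review bot: The `%prep` hunk adds a second `%autosetup` line instead of amending the existing one, and as far as I can tell the two invocations cancel each other: `%autosetup` removes and re-unpacks the source directory on every call, so whatever the first line applies is discarded by the second, and the second line carries no `-p1`, so Patch0 (whose paths have `a/`/`b/` prefixes) is applied at the wrong strip level or not at all. The first line's `-n openstackclient-%{version}` also names a directory that the `%{name}-%{upstream_version}` tarball from Source0 is unlikely to unpack to, so `%prep` may simply fail before that. Either way the CVE-2023-6110 fix would not reliably end up in the built package, which defeats the purpose of this release; replace both lines with the single `%autosetup -n %{name}-%{upstream_version} -p1`. Confirm in the build log that `patch -p1` touches `openstackclient/identity/common.py` and `openstackclient/identity/v3/access_rule.py`.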