From 6188948f906285efcb7f5e66039a9825477518fb Mon Sep 17 00:00:00 2001
From: liksh
Date: Mon, 23 May 2022 16:32:02 +0800
Subject: [PATCH] fix CVE-2020-10755

Signed-off-by: liksh
(cherry picked from commit 62169d5d223a3870272703c1fa58ab13119d0146)
---
 0002-vxflex-os-password.patch | 126 ++++++++++++++++++++++++++++++++++
 python-os-brick.spec | 6 +-
 2 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 0002-vxflex-os-password.patch

diff --git a/0002-vxflex-os-password.patch b/0002-vxflex-os-password.patch
new file mode 100644
index 0000000..1d679c1
--- /dev/null
+++ b/0002-vxflex-os-password.patch
@@ -0,0 +1,126 @@ +From e2c8c3b645a151d35fee5bec8be44e8f408a0c4a Mon Sep 17 00:00:00 2001 +From: Ivan Pchelintsev +Date: Fri, 29 May 2020 12:44:32 +0300 +Subject: [PATCH] Remove VxFlex OS credentials from connection_properties + +VxFlex OS password is not stored in block_device_mapping table. Instead of this +passwords are stored in separate file and are retrieved during each attach/detach +operation. + +Change-Id: Id3c32644d6d044c321883600c467bdef23c934f0 +--- + os_brick/initiator/connectors/scaleio.py | 40 ++++++++++++++++++- + .../initiator/connectors/test_scaleio.py | 8 +++- + 2 files changed, 44 insertions(+), 4 deletions(-) + +diff --git a/os_brick/initiator/connectors/scaleio.py b/os_brick/initiator/connectors/scaleio.py +index 0969f29..648c286 100644 +--- a/os_brick/initiator/connectors/scaleio.py ++++ b/os_brick/initiator/connectors/scaleio.py +@@ -28,8 +28,16 @@ from os_brick import initiator + from os_brick.initiator.connectors import base + from os_brick import utils + ++try: ++ import configparser ++ import io ++except ImportError: ++ import ConfigParser as configparser ++ import StringIO as io ++ + LOG = logging.getLogger(__name__) + DEVICE_SCAN_ATTEMPTS_DEFAULT = 3 ++CONNECTOR_CONF_PATH = '/opt/emc/scaleio/openstack/connector.conf' + synchronized = lockutils.synchronized_with_prefix('os-brick-') + + +@@ -40,6 +48,7 @@ class ScaleIOConnector(base.BaseLinuxConnector): + VOLUME_NOT_MAPPED_ERROR = 84 + VOLUME_ALREADY_MAPPED_ERROR = 81 + GET_GUID_CMD = ['/opt/emc/scaleio/sdc/bin/drv_cfg', '--query_guid'] ++ GET_PASSWORD_CMD = ['cat', CONNECTOR_CONF_PATH] + RESCAN_VOLS_CMD = ['/opt/emc/scaleio/sdc/bin/drv_cfg', '--rescan'] + + def __init__(self, root_helper, driver=None, +@@ -223,6 +232,32 @@ class ScaleIOConnector(base.BaseLinuxConnector): + {'volume_id': volume_id}) + return volume_id + ++ def _get_connector_password(self, config_group): ++ LOG.info("Get ScaleIO connector password from configuration file") ++ ++ if not 
os.path.isfile(CONNECTOR_CONF_PATH): ++ msg = ("ScaleIO connector configuration file " ++ "is not found in path %s." % CONNECTOR_CONF_PATH) ++ raise exception.BrickException(message=msg) ++ ++ try: ++ (out, err) = self._execute(*self.GET_PASSWORD_CMD, ++ run_as_root=True, ++ root_helper=self._root_helper) ++ conf = configparser.ConfigParser() ++ conf.readfp(io.StringIO(out)) ++ return conf[config_group]["san_password"] ++ except putils.ProcessExecutionError as e: ++ msg = _("Error reading ScaleIO connector " ++ "configuration file: %s") % e.stderr ++ LOG.error(msg) ++ raise exception.BrickException(message=msg) ++ except Exception as e: ++ msg = _("Error getting ScaleIO connector password from " ++ "configuration file: %s") % e ++ LOG.error(msg) ++ raise exception.BrickException(message=msg) ++ + def _check_response(self, response, request, is_get_request=True, + params=None): + if response.status_code == 401 or response.status_code == 403: +@@ -271,8 +306,9 @@ class ScaleIOConnector(base.BaseLinuxConnector): + self.server_ip = connection_properties['serverIP'] + self.server_port = connection_properties['serverPort'] + self.server_username = connection_properties['serverUsername'] +- self.server_password = connection_properties['serverPassword'] +- self.server_token = connection_properties['serverToken'] ++ self.server_password = self._get_connector_password( ++ connection_properties['config_group'], ++ ) + self.iops_limit = connection_properties['iopsLimit'] + self.bandwidth_limit = connection_properties['bandwidthLimit'] + device_info = {'type': 'block', +diff --git a/os_brick/tests/initiator/connectors/test_scaleio.py b/os_brick/tests/initiator/connectors/test_scaleio.py +index 3a1d87e..4e5bfbc 100644 +--- a/os_brick/tests/initiator/connectors/test_scaleio.py ++++ b/os_brick/tests/initiator/connectors/test_scaleio.py +@@ -47,8 +47,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase): + 'scaleIO_volume_id': self.vol['provider_id'], + 
'serverPort': 443, + 'serverUsername': 'test', +- 'serverPassword': 'fake', +- 'serverToken': 'fake_token', ++ 'config_group': 'test', + 'iopsLimit': None, + 'bandwidthLimit': None + } +@@ -84,6 +83,10 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase): + self.mock_object(os, 'listdir', + return_value=["emc-vol-{}".format(self.vol['id'])]) + ++ self.get_password_mock = self.mock_object(scaleio.ScaleIOConnector, ++ '_get_connector_password', ++ return_value='fake_password') ++ + # The actual ScaleIO connector + self.connector = scaleio.ScaleIOConnector( + 'sudo', execute=self.fake_execute) +@@ -170,6 +173,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase): + def test_connect_volume(self): + """Successful connect to volume""" + self.connector.connect_volume(self.fake_connection_properties) ++ self.get_password_mock.assert_called_once() + + def test_connect_with_bandwidth_limit(self): + """Successful connect to volume with bandwidth limit""" +-- +2.17.1 + + diff --git a/python-os-brick.spec b/python-os-brick.spec index 03e25d9..9d512a1 100644 --- a/python-os-brick.spec +++ b/python-os-brick.spec @@ -11,13 +11,14 @@ OpenStack Cinder brick library for managing local volume attaches Name: python-%{pypi_name} Version: 2.5.9 -Release: 3 +Release: 4 Summary: OpenStack Cinder brick library for managing local volume attaches License: Apache-2.0 URL: http://www.openstack.org/ Source0: https://tarballs.openstack.org/%{pypi_name}/%{pypi_name}-%{version}.tar.gz Patch0000: 0001-Drop-windows-support.patch +Patch0001: 0002-vxflex-os-password.patch BuildArch: noarch %description @@ -143,6 +144,9 @@ mv %{buildroot}/usr/etc/os-brick/rootwrap.d/*.filters %{buildroot}%{_datarootdir %endif %changelog +* Tue May 24 2022 liksh 2.5.9 - 4 +- Fix CVE-2020-10755 + * Mon Jun 07 2021 wangxiyuan - Drop windows support * Thu Jun 03 2021 wangxiyuan -- Gitee
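Review bot: In the `except Exception as e` branch of `_get_connector_password` (inner hunk `@@ -223,6 +232,32 @@` of scaleio.py), the exception text is interpolated into a message that is both logged and raised, and a `configparser.ParsingError` quotes the offending lines of connector.conf — the file that holds `san_password` — so a malformed config can push credential material into the error log and into the BrickException returned to the caller, which defeats the purpose of moving the password out of connection_properties. Prefer a message that names only the lookup, e.g. `except (configparser.Error, KeyError):` followed by `msg = _("Error getting ScaleIO connector password from configuration file for group %s.") % config_group`, and do not format `e` into it. `conf.readfp` is deprecated on Python 3 and removed in 3.12, so the py3 import branch should use `conf.read_file(io.StringIO(out))` (Python 2's ConfigParser only has `readfp`, if that branch is still needed). The new root-privileged `cat` of CONNECTOR_CONF_PATH comes with no rootwrap filter change in this patch; unless the packaged os-brick.filters already permits that exact command, `_execute(run_as_root=True)` is likely to be rejected at runtime and will surface through the except branch as a configuration-read error rather than a privilege problem. `self.server_token` is no longer assigned in `connect_volume`, so any remaining reader of that attribute outside the hunk now depends on whatever `__init__` sets — worth confirming.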