From 3d77310421fc2f7fca109b3927667d628e265ea3 Mon Sep 17 00:00:00 2001
From: huangtianhua
Date: Wed, 25 May 2022 11:34:15 +0800
Subject: [PATCH] Fix CVE-2020-10755
(cherry picked from commit 0759652838b0e06869a95c7c9bc0d612208d3e30)
---
...edentials-from-connection_properties.patch | 107 ++++++++++++++++++
python-os-brick.spec | 6 +-
2 files changed, 112 insertions(+), 1 deletion(-)
create mode 100644 Remove-VxFlex-OS-credentials-from-connection_properties.patch
diff --git a/Remove-VxFlex-OS-credentials-from-connection_properties.patch b/Remove-VxFlex-OS-credentials-from-connection_properties.patch
new file mode 100644
index 0000000..610263a
--- /dev/null
+++ b/Remove-VxFlex-OS-credentials-from-connection_properties.patch
@@ -0,0 +1,107 @@
+diff --git a/os_brick/initiator/connectors/scaleio.py b/os_brick/initiator/connectors/scaleio.py
+index e07911b..5ab9e8b 100644
+--- a/os_brick/initiator/connectors/scaleio.py
++++ b/os_brick/initiator/connectors/scaleio.py
+@@ -27,8 +27,16 @@ from os_brick import initiator
+ from os_brick.initiator.connectors import base
+ from os_brick import utils
+
++try:
++ import configparser
++ import io
++except ImportError:
++ import ConfigParser as configparser
++ import StringIO as io
++
+ LOG = logging.getLogger(__name__)
+ DEVICE_SCAN_ATTEMPTS_DEFAULT = 3
++CONNECTOR_CONF_PATH = '/opt/emc/scaleio/openstack/connector.conf'
+ synchronized = lockutils.synchronized_with_prefix('os-brick-')
+
+
+@@ -39,6 +47,7 @@ class ScaleIOConnector(base.BaseLinuxConnector):
+ VOLUME_NOT_MAPPED_ERROR = 84
+ VOLUME_ALREADY_MAPPED_ERROR = 81
+ GET_GUID_CMD = ['/opt/emc/scaleio/sdc/bin/drv_cfg', '--query_guid']
++ GET_PASSWORD_CMD = ['cat', CONNECTOR_CONF_PATH]
+
+ def __init__(self, root_helper, driver=None,
+ device_scan_attempts=initiator.DEVICE_SCAN_ATTEMPTS_DEFAULT,
+@@ -221,6 +230,32 @@ class ScaleIOConnector(base.BaseLinuxConnector):
+ {'volume_id': volume_id})
+ return volume_id
+
++ def _get_connector_password(self, config_group):
++ LOG.info("Get ScaleIO connector password from configuration file")
++
++ if not os.path.isfile(CONNECTOR_CONF_PATH):
++ msg = ("ScaleIO connector configuration file "
++ "is not found in path %s." % CONNECTOR_CONF_PATH)
++ raise exception.BrickException(message=msg)
++
++ try:
++ (out, err) = self._execute(*self.GET_PASSWORD_CMD,
++ run_as_root=True,
++ root_helper=self._root_helper)
++ conf = configparser.ConfigParser()
++ conf.readfp(io.StringIO(out))
++ return conf[config_group]["san_password"]
++ except putils.ProcessExecutionError as e:
++ msg = _("Error reading ScaleIO connector "
++ "configuration file: %s") % e.stderr
++ LOG.error(msg)
++ raise exception.BrickException(message=msg)
++ except Exception as e:
++ msg = _("Error getting ScaleIO connector password from "
++ "configuration file: %s") % e
++ LOG.error(msg)
++ raise exception.BrickException(message=msg)
++
+ def _check_response(self, response, request, is_get_request=True,
+ params=None):
+ if response.status_code == 401 or response.status_code == 403:
+@@ -269,8 +304,9 @@ class ScaleIOConnector(base.BaseLinuxConnector):
+ self.server_ip = connection_properties['serverIP']
+ self.server_port = connection_properties['serverPort']
+ self.server_username = connection_properties['serverUsername']
+- self.server_password = connection_properties['serverPassword']
+- self.server_token = connection_properties['serverToken']
++ self.server_password = self._get_connector_password(
++ connection_properties['config_group'],
++ )
+ self.iops_limit = connection_properties['iopsLimit']
+ self.bandwidth_limit = connection_properties['bandwidthLimit']
+ device_info = {'type': 'block',
+diff --git a/os_brick/tests/initiator/connectors/test_scaleio.py b/os_brick/tests/initiator/connectors/test_scaleio.py
+index 146ed43..45f807b 100644
+--- a/os_brick/tests/initiator/connectors/test_scaleio.py
++++ b/os_brick/tests/initiator/connectors/test_scaleio.py
+@@ -47,8 +47,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
+ 'scaleIO_volume_id': self.vol['provider_id'],
+ 'serverPort': 443,
+ 'serverUsername': 'test',
+- 'serverPassword': 'fake',
+- 'serverToken': 'fake_token',
++ 'config_group': 'test',
+ 'iopsLimit': None,
+ 'bandwidthLimit': None
+ }
+@@ -84,6 +83,10 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
+ self.mock_object(os, 'listdir',
+ return_value=["emc-vol-{}".format(self.vol['id'])])
+
++ self.get_password_mock = self.mock_object(scaleio.ScaleIOConnector,
++ '_get_connector_password',
++ return_value='fake_password')
++
+ # The actual ScaleIO connector
+ self.connector = scaleio.ScaleIOConnector(
+ 'sudo', execute=self.fake_execute)
+@@ -170,6 +173,7 @@ class ScaleIOConnectorTestCase(test_connector.ConnectorTestCase):
+ def test_connect_volume(self):
+ """Successful connect to volume"""
+ self.connector.connect_volume(self.fake_connection_properties)
++ self.get_password_mock.assert_called_once()
+
+ def test_connect_with_bandwidth_limit(self):
+ """Successful connect to volume with bandwidth limit"""
diff --git a/python-os-brick.spec b/python-os-brick.spec
index 779c5a7..d2f11a2 100644
--- a/python-os-brick.spec
+++ b/python-os-brick.spec
@@ -2,12 +2,13 @@ %global __requires_exclude os-win|eventlet Name: python-os-brick Version: 2.3.1 -Release: 5 +Release: 6 Summary: OpenStack Cinder brick library for managing local volume attaches License: Apache-2.0 URL: https://docs.openstack.org/os-brick/ Source0: https://files.pythonhosted.org/packages/64/20/619cfaad181f53abf5650147c5203d534824bab3641543228b369892242a/os-brick-2.3.1.tar.gz Patch0000: 0001-Drop-windows-connection.patch +Patch0001: Remove-VxFlex-OS-credentials-from-connection_properties.patch BuildArch: noarch %description Team and repository tags .. Change things from this point on OpenStack Cinder
@@ -89,6 +90,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Wed May 25 2022 huangtianhua 2.3.1-6 +- Fix CVE-2020-10755 + * Mon Jun 07 2021 wangxiyuan - Drop windows support * Mon Jun 07 2021 zhangfan -- Gitee
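Review bot: In `_get_connector_password`, the catch-all `except Exception as e` handler interpolates the exception into the logged message, and a configparser parse error typically echoes the offending source line, so a malformed `san_password` line in connector.conf could be written to the log. Logging only the exception class, e.g. `"configuration file: %s") % type(e).__name__`, reports the failure without the file content. In the `@@ -269,8 +304,9 @@` hunk (the enclosing method starts outside the hunk) `connection_properties['config_group']` is indexed unconditionally, so connection properties that lack the key, presumably those created before this change, fail with a bare KeyError; a check that raises BrickException naming the missing key would be clearer. `conf.readfp()` is deprecated in Python 3 in favour of `read_file()`, and `conf[config_group]` is not supported by the Python 2 `ConfigParser` that the import fallback targets.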