diff --git a/CVE-2024-53916-Fix-the-tagging-policy-engine.patch b/CVE-2024-53916-Fix-the-tagging-policy-engine.patch new file mode 100644 index 0000000000000000000000000000000000000000..e519c56383d07b7846d759ed1bfca27b4d5a7985 --- /dev/null +++ b/CVE-2024-53916-Fix-the-tagging-policy-engine.patch @@ -0,0 +1,268 @@ +diff --git a/neutron/extensions/tagging.py b/neutron/extensions/tagging.py +index 30b5b06..63e35ba 100644 +--- a/neutron/extensions/tagging.py ++++ b/neutron/extensions/tagging.py +@@ -12,7 +12,10 @@ + # under the License. + + import abc ++import collections + import copy ++import functools ++import itertools + + from neutron_lib.api.definitions import port + from neutron_lib.api import extensions as api_extensions +@@ -29,6 +32,16 @@ from neutron._i18n import _ + from neutron.api import extensions + from neutron.api.v2 import resource as api_resource + ++from neutron.objects import network as network_obj ++from neutron.objects import network_segment_range as network_segment_range_obj ++from neutron.objects import ports as ports_obj ++from neutron.objects.qos import policy as policy_obj ++from neutron.objects import router as router_obj ++from neutron.objects import securitygroup as securitygroup_obj ++from neutron.objects import subnet as subnet_obj ++from neutron.objects import subnetpool as subnetpool_obj ++from neutron.objects import trunk as trunk_obj ++from neutron import policy + + TAG = 'tag' + TAGS = TAG + 's' +@@ -56,6 +69,34 @@ TAG_ATTRIBUTE_MAP_PORTS[TAGS] = { + 'default': [], 'is_visible': True, 'is_filter': True + } + ++PARENTS = { ++ 'floatingips': router_obj.FloatingIP, ++ 'network_segment_ranges': network_segment_range_obj.NetworkSegmentRange, ++ 'networks': network_obj.Network, ++ 'policies': policy_obj.QosPolicy, ++ 'ports': ports_obj.Port, ++ 'routers': router_obj.Router, ++ 'security_groups': securitygroup_obj.SecurityGroup, ++ 'subnets': ('networks', subnet_obj.Subnet), ++ 'subnetpools': subnetpool_obj.SubnetPool, ++ 'trunks': trunk_obj.Trunk, ++} ++ResourceInfo = collections.namedtuple( ++ 'ResourceInfo', ['project_id', ++ 'parent_type', ++ 'parent_id', ++ 'upper_parent_type', ++ 'upper_parent_id', ++ ]) ++EMPTY_RESOURCE_INFO = ResourceInfo(None, None, None, None, None) ++ ++def _policy_init(f): ++ @functools.wraps(f) ++ def func(self, *args, **kwargs): ++ policy.init() ++ return f(self, *args, **kwargs) ++ return func ++ + + class TagResourceNotFound(exceptions.NotFound): + message = _("Resource %(resource)s %(resource_id)s could not be found.") +@@ -95,6 +136,59 @@ class TaggingController(object): + self.plugin = directory.get_plugin(TAG_PLUGIN_TYPE) + self.supported_resources = TAG_SUPPORTED_RESOURCES + ++ def _get_target(self, res_info): ++ target = {'id': res_info.parent_id, ++ 'tenant_id': res_info.project_id, ++ 'project_id': res_info.project_id} ++ if res_info.upper_parent_type: ++ res_id = (self.supported_resources[res_info.upper_parent_type] + ++ '_id') ++ target[res_id] = res_info.upper_parent_id ++ return target ++ ++ def _get_resource_info(self, context, kwargs): ++ """Return the tag parent resource information ++ ++ Some parent resources, like the subnets, depend on other upper parent ++ resources (networks). In that case, it is needed to provide the upper ++ parent resource information. ++ ++ :param kwargs: dictionary with the parent resource ID, along with other ++ information not needed. It is formated as ++ {"resource_id": "id", ...} ++ :return: ``ResourceInfo`` named tuple with the parent and upper parent ++ information and the project ID (of the parent or upper ++ parent). ++ """ ++ for key, parent_type in itertools.product( ++ kwargs.keys(), self.supported_resources.keys()): ++ if key != self.supported_resources[parent_type] + '_id': ++ continue ++ ++ parent_id = kwargs[key] ++ parent_obj = PARENTS[parent_type] ++ if isinstance(parent_obj, tuple): ++ upper_parent_type = parent_obj[0] ++ parent_obj = parent_obj[1] ++ res_id = (self.supported_resources[upper_parent_type] + ++ '_id') ++ upper_parent_id = parent_obj.get_values( ++ context.elevated(), res_id, id=parent_id)[0] ++ else: ++ upper_parent_type = upper_parent_id = None ++ ++ try: ++ project_id = parent_obj.get_values( ++ context.elevated(), 'project_id', id=parent_id)[0] ++ except IndexError: ++ return EMPTY_RESOURCE_INFO ++ ++ return ResourceInfo(project_id, parent_type, parent_id, ++ upper_parent_type, upper_parent_id) ++ ++ # This should never be returned. ++ return EMPTY_RESOURCE_INFO ++ + def _get_parent_resource_and_id(self, kwargs): + for key in kwargs: + for resource in self.supported_resources: +@@ -102,68 +196,103 @@ class TaggingController(object): + return resource, kwargs[key] + return None, None + ++ @_policy_init + def index(self, request, **kwargs): +- # GET /v2.0/networks/{network_id}/tags +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- return self.plugin.get_tags(request.context, parent, parent_id) +- ++ # GET /v2.0/{parent_resource}/{parent_resource_id}/tags ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'get_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ return self.plugin.get_tags(ctx, rinfo.parent_type, rinfo.parent_id) ++ ++ @_policy_init + def show(self, request, id, **kwargs): +- # GET /v2.0/networks/{network_id}/tags/{tag} ++ # GET /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag} + # id == tag + validate_tag(id) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- return self.plugin.get_tag(request.context, parent, parent_id, id) +- ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'get_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ return self.plugin.get_tag(ctx, rinfo.parent_type, rinfo.parent_id, id) ++ ++ @_policy_init + def create(self, request, **kwargs): + # not supported + # POST /v2.0/networks/{network_id}/tags + raise webob.exc.HTTPNotFound("not supported") + ++ @_policy_init + def update(self, request, id, **kwargs): +- # PUT /v2.0/networks/{network_id}/tags/{tag} ++ # PUT /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag} + # id == tag + validate_tag(id) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'create.start', +- parent, parent_id, [id]) +- result = self.plugin.update_tag(request.context, parent, parent_id, id) +- notify_tag_action(request.context, 'create.end', +- parent, parent_id, [id]) ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'update_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'create.start', rinfo.parent_type, ++ rinfo.parent_id, [id]) ++ result = self.plugin.update_tag(ctx, rinfo.parent_type, ++ rinfo.parent_id, id) ++ notify_tag_action(ctx, 'create.end', rinfo.parent_type, ++ rinfo.parent_id, [id]) + return result + ++ ++ @_policy_init + def update_all(self, request, body, **kwargs): +- # PUT /v2.0/networks/{network_id}/tags ++ # PUT /v2.0/{parent_resource}/{parent_resource_id}/tags + # body: {"tags": ["aaa", "bbb"]} + validate_tags(body) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'update.start', +- parent, parent_id, body['tags']) +- result = self.plugin.update_tags(request.context, parent, +- parent_id, body) +- notify_tag_action(request.context, 'update.end', +- parent, parent_id, body['tags']) ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'update_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'update.start', rinfo.parent_type, ++ rinfo.parent_id, body['tags']) ++ result = self.plugin.update_tags(ctx, rinfo.parent_type, ++ rinfo.parent_id, body) ++ notify_tag_action(ctx, 'update.end', rinfo.parent_type, ++ rinfo.parent_id, body['tags']) + return result + ++ @_policy_init + def delete(self, request, id, **kwargs): +- # DELETE /v2.0/networks/{network_id}/tags/{tag} ++ # DELETE /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag} + # id == tag + validate_tag(id) +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'delete.start', +- parent, parent_id, [id]) +- result = self.plugin.delete_tag(request.context, parent, parent_id, id) +- notify_tag_action(request.context, 'delete.end', +- parent, parent_id, [id]) ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'delete_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'delete.start', rinfo.parent_type, ++ rinfo.parent_id, [id]) ++ result = self.plugin.delete_tag(ctx, rinfo.parent_type, ++ rinfo.parent_id, id) ++ notify_tag_action(ctx, 'delete.end', rinfo.parent_type, ++ rinfo.parent_id, [id]) + return result + ++ @_policy_init + def delete_all(self, request, **kwargs): +- # DELETE /v2.0/networks/{network_id}/tags +- parent, parent_id = self._get_parent_resource_and_id(kwargs) +- notify_tag_action(request.context, 'delete_all.start', +- parent, parent_id) +- result = self.plugin.delete_tags(request.context, parent, parent_id) +- notify_tag_action(request.context, 'delete_all.end', +- parent, parent_id) ++ # DELETE /v2.0/{parent_resource}/{parent_resource_id}/tags ++ ctx = request.context ++ rinfo = self._get_resource_info(ctx, kwargs) ++ target = self._get_target(rinfo) ++ policy.enforce(ctx, 'delete_{}_{}'.format(rinfo.parent_type, TAGS), ++ target) ++ notify_tag_action(ctx, 'delete_all.start', rinfo.parent_type, ++ rinfo.parent_id) ++ result = self.plugin.delete_tags(ctx, rinfo.parent_type, ++ rinfo.parent_id) ++ notify_tag_action(ctx, 'delete_all.end', rinfo.parent_type, ++ rinfo.parent_id) + return result + + diff --git a/openstack-neutron.spec b/openstack-neutron.spec index 039b3e3fbe5d14c874d451d78276ea40f3c5f172..a1d8e62a2c10f792f8b933879e0acb6fb8bc939a 100644 --- a/openstack-neutron.spec +++ b/openstack-neutron.spec @@ -18,7 +18,7 @@ capabilities (e.g., QoS, ACLs, network monitoring, etc.) Name: openstack-%{service} Version: 22.1.0 -Release: 1 +Release: 2 Summary: OpenStack Networking Service License: ASL 2.0 @@ -52,6 +52,7 @@ Source34: neutron-l2-agent-sysctl.conf Source35: neutron-l2-agent.modules Source36: neutron-destroy-patch-ports.service Source37: neutron-ovn-metadata-agent.service +Patch1: CVE-2024-53916-Fix-the-tagging-policy-engine.patch # Required for tarball sources verification BuildArch: noarch @@ -845,6 +846,9 @@ fi %{_datadir}/ansible/neutron-ovn-migration/ %changelog +* Fri Nov 29 2024 wangjing - 22.1.0-2 +- add CVE-2024-53916-Fix-the-tagging-policy-engine.patch + * Tue Apr 16 2024 wangjing - 22.1.0-1 - update package of version 22.1.0