packages/ovirt-engine
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!77 fix CVE-2020-35497

Browse Source 
From: @addrexist 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-06-13 09:23:22 +00:00 committed by Gitee
commit 57766bad50
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
CVE-2020-35497.patch Normal file
View File

@ -0,0 +1,98 @@
From d663972f8a144b283591e46693f0aa27a9f2e859 Mon Sep 17 00:00:00 2001
From: Eli Mesika <emesika@redhat.com>
Date: Wed, 23 Dec 2020 13:15:39 +0200
Subject: [PATCH] core: prevent non-admin users see other users data
This patch fixes a security hole that enables regular users to access
other user data including administrators.
The problem was in the DAO that accesses the users data according to the
user permission, the wrong logic was to get all the user data if any
permission is found for the given user.
This patch modifies the relevant queries in the BLL level to return only
the information that the user allowed to see
CVE-2020-35497
Change-Id: I5130799027ab79f03b4e25c5f2f2ca4150887719
Bug-Id: https://bugzilla.redhat.com/show_bug.cgi?id=1899938
Signed-off-by: Eli Mesika <emesika@redhat.com>
(cherry picked from commit 40160e6f678d632937a22a8e23370086024f9994)
---
.../engine/core/bll/aaa/GetAllDbUsersQuery.java | 17 +++++++++++++++--
.../core/bll/aaa/GetDbUserByUserIdQuery.java | 14 +++++++++++++-
2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
index e799dbd8f76..4d964b110a9 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java
@@ -1,12 +1,17 @@
package org.ovirt.engine.core.bll.aaa;
-import javax.inject.Inject;
+import java.util.ArrayList;
+
+import javax.inject.Inject;
import org.ovirt.engine.core.bll.QueriesCommandBase;
import org.ovirt.engine.core.bll.context.EngineContext;
+import org.ovirt.engine.core.common.businessentities.aaa.DbUser;
import org.ovirt.engine.core.common.queries.QueryParametersBase;
import org.ovirt.engine.core.dao.DbUserDao;
+
+
public class GetAllDbUsersQuery<P extends QueryParametersBase>
extends QueriesCommandBase<P> {
@Inject
@@ -18,6 +23,14 @@ public class GetAllDbUsersQuery<P extends QueryParametersBase>
@Override
protected void executeQueryCommand() {
- getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered()));
+ DbUser currentUser = getUser();
+ // A non-admin trying to get other user data will get its own data
+ if (!currentUser.isAdmin()) {
+ ArrayList<DbUser> users = new ArrayList<>();
+ users.add(currentUser);
+ getQueryReturnValue().setReturnValue(users);
+ } else {
+ getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered()));
+ }
}
}
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
index 52f88740da6..df491489a80 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
@@ -4,6 +4,7 @@ import javax.inject.Inject;
import org.ovirt.engine.core.bll.QueriesCommandBase;
import org.ovirt.engine.core.bll.context.EngineContext;
+import org.ovirt.engine.core.common.businessentities.aaa.DbUser;
import org.ovirt.engine.core.common.queries.IdQueryParameters;
import org.ovirt.engine.core.dao.DbUserDao;
@@ -19,6 +20,17 @@ public class GetDbUserByUserIdQuery<P extends IdQueryParameters>
@Override
protected void executeQueryCommand() {
- getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered()));
+ DbUser currentUser = getUser();
+ if (!currentUser.isAdmin()) {
+ // unauthorized access
+ if (!currentUser.getId().equals(getParameters().getId())) {
+ getQueryReturnValue().setReturnValue(null);
+ } else {
+ // A non-admin user can get only its own data
+ getQueryReturnValue().setReturnValue(dbUserDao.get(currentUser.getId(), false));
+ }
+ } else {
+ getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered()));
+ }
}
}
--
2.27.0

7
ovirt-engine.spec
View File

@ -176,7 +176,7 @@ getent passwd %1 >/dev/null || useradd -r -u %2 -g %3 -c %5 -s /sbin/nologin -d
Name: ovirt-engine
Version: 4.4.4.1
Release: 10
Release: 11
Summary: Management server for Open Virtualization
Group: %{ovirt_product_group}
License: Apache 2.0
@ -202,6 +202,7 @@ Patch9: 0009-fix-engine-setup-problem.patch
Patch10: 0010-fix-host-installation-failure.patch
Patch11: 0011-get-vdsm-id-from-dmidecode-system-uuid-on-aarch64.patch
Patch12: CVE-2024-0822.patch
Patch13: CVE-2020-35497.patch
BuildArch: noarch
BuildRequires: assertj-core >= 2.2.0
@ -655,6 +656,7 @@ Setup imageio service.
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
sed -i '87s/@Test/\/\/@Test/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
sed -i '88s/@MockedConfig/\/\/@MockedConfig/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
sed -i '121s/@Test/\/\/@Test/g' backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AddClusterCommandTest.java
@ -1303,6 +1305,9 @@ fi
%{engine_data}/setup/bin/ovirt-engine-health
%changelog
* Fri Jun 07 2024 wangziliang <wangziliang@kylinos.cn> - 4.4.4.1-11
- Fix CVE-2020-35497
* Tue Mar 05 2024 yanjianqing <yanjianqing@kylinos.cn> - 4.4.4.1-10
- Fix CVE-2024-0822