!41 Fix CVE-2020-10775

From: @huan-yangqqq 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
openeuler-ci-bot 2022-06-08 08:31:38 +00:00 committed by Gitee
commit 9fe07cc8be
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 97 additions and 1 deletions

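--- /dev/null
+++ b/CVE-2020-10775.patch
@@ -0,0 +1,91 @@
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java 2020-11-19 01:15:47.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java 2022-06-06 10:28:53.426920000 +0800
+@@ -8,6 +8,7 @@
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
++import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+@@ -41,7 +42,7 @@
+}
+@Override
+- public void init() {
++ public void init() throws ServletException {
+String strVal = getServletConfig().getInitParameter("login-as-admin");
+if (strVal == null) {
+throw new RuntimeException("No login-as-admin init parameter specified for SsoPostLoginServlet.");
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java 2020-11-19 01:15:47.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java 2022-06-06 10:27:53.774598000 +0800
+@@ -135,7 +135,6 @@
+if (StringUtils.isNotBlank(alternateFqdnString)) {
+Arrays.stream(alternateFqdnString.trim().split("\\s *"))
+.filter(StringUtils::isNotBlank)
+- .map(String::toLowerCase)
+.forEach(allowedDomains::add);
+}
+@@ -144,7 +143,7 @@
+private static String parseHostFromUrl(String url, String urlPropertyName) {
+try {
+- return new URI(url).getHost().toLowerCase();
++ return new URI(url).getHost();
+} catch (URISyntaxException e) {
+throw new IllegalStateException(urlPropertyName + " not a valid URI: " + url);
+}
+diff -Naru a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java
+--- a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java 2020-11-19 01:15:47.000000000 +0800
++++ b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java 2022-06-06 10:26:52.261144000 +0800
+@@ -38,23 +38,6 @@
+}
+@Test
+- public void shouldMatchAppUrlDomainOnAlternateSSOEngineUrlRegardlessUpperCase() {
+- // given
+- EngineLocalConfig.getInstance(new HashMap<>() {
+- {
+- put("SSO_ENGINE_URL", "https://engine.example.com:8221/ovirt-engine");
+- put("SSO_ALTERNATE_ENGINE_FQDNS", "engine1.example.com ALTERNATE-engine.example.com");
+- }
+- });
+-
+- // when
+- boolean valid = SsoUtils.isDomainValid("https://alternate-engine.EXAMPLE.com:20001/somerest/api_v9");
+-
+- // then
+- Assertions.assertTrue(valid);
+- }
+-
+- @Test
+public void shouldAllowBlankAppUrl() {
+// given
+EngineLocalConfig.getInstance(new HashMap<>() {
+@@ -103,23 +86,6 @@
+// then
+Assertions.assertTrue(valid);
+- }
+-
+- @Test
+- public void shouldMatchAppUrlDomainOnSSOEngineUrlRegardlessUpperCase() {
+- // given
+- EngineLocalConfig.getInstance(new HashMap<>() {
+- {
+- put("SSO_ENGINE_URL", "https://engine.EXAMPLE.com:30003/ovirt-engine");
+- put("SSO_ALTERNATE_ENGINE_FQDNS", "alternate-engine.example.com");
+- }
+- });
+-
+- // when
+- boolean valid = SsoUtils.isDomainValid("https://ENGINE.example.com:20001/somerest/api_v9");
+-
+- // then
+- Assertions.assertTrue(valid);
+}
+@Test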
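Review bot: The patch file carries no description or upstream reference, so a reader cannot tell how removing the case-folding in SsoUtils (the `.map(String::toLowerCase)` and `.toLowerCase()` deletions) relates to CVE-2020-10775; the 4.4.4.1 sources being patched already contain `SsoUtils.isDomainValid` and the alternate-FQDN handling, as the deleted tests show, so this looks more like the reversal of a later upstream change than the CVE fix itself — please confirm against the upstream commit and add a header to the patch naming it. Host names are case-insensitive, so after this change an app URL whose host differs from the configured FQDN only in case is rejected; that fails closed, but the two tests asserting case-insensitive matching are deleted rather than rewritten, leaving domain validation with no coverage for mixed-case input. In `parseHostFromUrl`, `new URI(url).getHost()` returns null for a URI without an authority; before the change that raised a NullPointerException at the `.toLowerCase()` call, now null propagates to a caller whose handling is outside this hunk, so an explicit check such as `String host = new URI(url).getHost(); if (host == null) { throw new IllegalStateException(urlPropertyName + " has no host: " + url); } return host;` keeps the fail-closed behaviour visible. The `throws ServletException` added to `SsoPostLoginServlet.init()` has no matching throw in the visible lines, and the method body continues outside the hunk. The spec changelog entry `- Fix CVE-2020-10775` in the second file would benefit from the same upstream reference.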


@ -176,7 +176,7 @@ getent passwd %1 >/dev/null || useradd -r -u %2 -g %3 -c %5 -s /sbin/nologin -d
Name: ovirt-engine
Version: 4.4.4.1
Release: 3
Release: 4
Summary: Management server for Open Virtualization
Group: %{ovirt_product_group}
License: Apache 2.0
@ -196,6 +196,7 @@ Patch3: 0003-add-virt-chipset-support.patch
Patch4: 0004-fit-cluster-can-not-find-error-under-aarch64-platform.patch
Patch5: 0005-fix-interface-report-an-error-when-emulatedMachine-is-null.patch
Patch6: 0007-add-config-item-for-openeuler.patch
Patch7: CVE-2020-10775.patch
BuildArch: noarch
BuildRequires: assertj-core >= 2.2.0
@ -653,6 +654,7 @@ Setup imageio service.
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
sed -i '87s/@Test/\/\/@Test/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
sed -i '88s/@MockedConfig/\/\/@MockedConfig/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
sed -i '121s/@Test/\/\/@Test/g' backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AddClusterCommandTest.java
@ -1302,6 +1304,9 @@ fi
%{engine_data}/setup/bin/ovirt-engine-health
%changelog
* Fri May 27 2022 yanghuan <huan.yang@epro.com.cn> - 4.4.4.1-4
- Fix CVE-2020-10775
* Tue Nov 16 2021 Ge Wang <wangge20@huawei.com> - 4.4.4.1-3
- Modify install require version and add confit item for openeuler