[ovirt] answer files: Filter out all password keys

Instead of hard-coding specific keys and having to maintain them over time, replace the values of all keys that have 'password' in their name. I think this covers all our current and hopefully future keys. It might add "false positives" - keys that are not passwords but have 'password' in their name - and I think that's a risk worth taking. Sadly, the engine admin password prompt's name is 'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has to be listed specifically. A partial list of keys added since the replaced code was written: - grafana-related stuff - keycloak-related stuff - otopi-style answer files Signed-off-by: Yedidyah Bar David <didi@redhat.com> Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba (cherry picked from commit aec4d394acf734bb782d541fe09ca8a1abd93a8d)
2024-05-06 16:40:45 +08:00 · 2024-05-06 16:40:45 +08:00 · 486949bd39
commit 486949bd39
parent 6569c824c8
2 changed files with 71 additions and 1 deletions
--- a/backport-ovirt-answer-files-Filter-out-all-password-keys.patch
+++ b/backport-ovirt-answer-files-Filter-out-all-password-keys.patch
@ -0,0 +1,66 @@
+From 5fd872c64c53af37015f366295e0c2418c969757 Mon Sep 17 00:00:00 2001
+From: Yedidyah Bar David <didi@redhat.com>
+Date: Thu, 26 May 2022 16:43:21 +0300
+Subject: [PATCH] [ovirt] answer files: Filter out all password keys
+
+Instead of hard-coding specific keys and having to maintain them over
+time, replace the values of all keys that have 'password' in their name.
+I think this covers all our current and hopefully future keys. It might
+add "false positives" - keys that are not passwords but have 'password'
+in their name - and I think that's a risk worth taking.
+
+Sadly, the engine admin password prompt's name is
+'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
+to be listed specifically.
+
+A partial list of keys added since the replaced code was written:
+- grafana-related stuff
+- keycloak-related stuff
+- otopi-style answer files
+
+Signed-off-by: Yedidyah Bar David <didi@redhat.com>
+Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
+---
+ sos/report/plugins/ovirt.py | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
+index 09647bf1..3b1bb29b 100644
+--- a/sos/report/plugins/ovirt.py
+++ b/sos/report/plugins/ovirt.py
+@@ -241,19 +241,22 @@ class Ovirt(Plugin, RedHatPlugin):
+                 r'{key}=********'.format(key=key)
+             )
+ 
+-        # Answer files contain passwords
+-        for key in (
+-            'OVESETUP_CONFIG/adminPassword',
+-            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
+-            'OVESETUP_DWH_DB/password',
+-            'OVESETUP_DB/password',
+-            'OVESETUP_REPORTS_CONFIG/adminPassword',
+-            'OVESETUP_REPORTS_DB/password',
+        # Answer files contain passwords.
+        # Replace all keys that have 'password' in them, instead of hard-coding
+        # here the list of keys, which changes between versions.
+        # Sadly, the engine admin password prompt name does not contain
+        # 'password'... so neither does the env key.
+        for item in (
+            'password',
+            'OVESETUP_CONFIG_ADMIN_SETUP',
+         ):
+             self.do_path_regex_sub(
+                 r'/var/lib/ovirt-engine/setup/answers/.*',
+-                r'{key}=(.*)'.format(key=key),
+-                r'{key}=********'.format(key=key)
+                re.compile(
+                    r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
+                    flags=re.IGNORECASE
+                ),
+                r'\g<key>=********'
+             )
+ 
+         # aaa profiles contain passwords
+-- 
+2.27.0
+
--- a/sos.spec
+++ b/sos.spec
@ -2,7 +2,7 @@

 Name:          sos
 Version:       4.0
-Release:       5
+Release:       6
 Summary:       A set of tools to gather troubleshooting information from a system
 License:       GPLv2+
 URL:           https://github.com/sosreport/sos
@ -12,6 +12,7 @@ Patch6000:     backport-Fix-dict-order-py38-incompatibility.patch
 Patch9000:     openEuler-add-openEuler-policy.patch
 Patch9001:     add-uniontech-os-support.patch
 Patch9002:     Fix-sos-command-failed-in-sos-4.0.patch
+Patch9003:     backport-ovirt-answer-files-Filter-out-all-password-keys.patch

 BuildRequires: python3-devel gettext
 Requires:      libxml2-python3 bzip2 xz python3-rpm tar python3-pexpect
@ -60,6 +61,9 @@ install -m 644 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
 %{_mandir}/man5/*

 %changelog
+* Mon May 06 2024 GuoCe <guoce@kylinos.cn> - 4.0-6
+- Fix CVE-2022-2806
+
 * Tue Feb 22 2022 weidong <weidong@uniontech.com> - 4.0-5
 - Fix sos command failed in sos 4.0