app-admin/sosreport: fix CVE-2022-2806

BUG=b/335883435
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2022-2806 in app-admin/sosreport.

cos-patch: security-moderate
Change-Id: I099e24fa1406b918adbe52da909900f614d5c901
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/70270
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Kevin Berry <kpberry@google.com>
diff --git a/project-lakitu/app-admin/sosreport/files/0013-fix-CVE-2022-2806.patch b/project-lakitu/app-admin/sosreport/files/0013-fix-CVE-2022-2806.patch
new file mode 100644
index 0000000..2f61bde
--- /dev/null
+++ b/project-lakitu/app-admin/sosreport/files/0013-fix-CVE-2022-2806.patch
@@ -0,0 +1,63 @@
+From 2701067029851fe2be6963e45b02bb8f4ea69a55 Mon Sep 17 00:00:00 2001
+From: Yedidyah Bar David <didi@redhat.com>
+Date: Thu, 26 May 2022 16:43:21 +0300
+Subject: [PATCH] [ovirt] answer files: Filter out all password keys
+
+Instead of hard-coding specific keys and having to maintain them over
+time, replace the values of all keys that have 'password' in their name.
+I think this covers all our current and hopefully future keys. It might
+add "false positives" - keys that are not passwords but have 'password'
+in their name - and I think that's a risk worth taking.
+
+Sadly, the engine admin password prompt's name is
+'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
+to be listed specifically.
+
+A partial list of keys added since the replaced code was written:
+- grafana-related stuff
+- keycloak-related stuff
+- otopi-style answer files
+
+Signed-off-by: Yedidyah Bar David <didi@redhat.com>
+Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
+---
+ sos/report/plugins/ovirt.py | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
+index 09647bf148..3b1bb29bce 100644
+--- a/sos/report/plugins/ovirt.py
++++ b/sos/report/plugins/ovirt.py
+@@ -241,19 +241,22 @@ def postproc(self):
+                 r'{key}=********'.format(key=key)
+             )
+ 
+-        # Answer files contain passwords
+-        for key in (
+-            'OVESETUP_CONFIG/adminPassword',
+-            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
+-            'OVESETUP_DWH_DB/password',
+-            'OVESETUP_DB/password',
+-            'OVESETUP_REPORTS_CONFIG/adminPassword',
+-            'OVESETUP_REPORTS_DB/password',
++        # Answer files contain passwords.
++        # Replace all keys that have 'password' in them, instead of hard-coding
++        # here the list of keys, which changes between versions.
++        # Sadly, the engine admin password prompt name does not contain
++        # 'password'... so neither does the env key.
++        for item in (
++            'password',
++            'OVESETUP_CONFIG_ADMIN_SETUP',
+         ):
+             self.do_path_regex_sub(
+                 r'/var/lib/ovirt-engine/setup/answers/.*',
+-                r'{key}=(.*)'.format(key=key),
+-                r'{key}=********'.format(key=key)
++                re.compile(
++                    r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
++                    flags=re.IGNORECASE
++                ),
++                r'\g<key>=********'
+             )
+ 
+         # aaa profiles contain passwords
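Review bot: The loop variable is spliced into the regex by `str.format` without escaping at `r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item)`; the two current entries (`'password'`, `'OVESETUP_CONFIG_ADMIN_SETUP'`) contain no metacharacters, so the match is correct today, but the tuple is explicitly meant to grow and a future entry containing `.`, `(` or `/` would silently widen or break the match. Using `.format(item=re.escape(item))` keeps the literal-substring intent with no behaviour change for the present entries. The new lines also depend on `re` being imported in sos/report/plugins/ovirt.py, which the hunk does not show, so that should be confirmed before the backport is applied. The enclosing `postproc` method starts and ends outside this hunk.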
diff --git a/project-lakitu/app-admin/sosreport/sosreport-4.3-r3.ebuild b/project-lakitu/app-admin/sosreport/sosreport-4.3-r4.ebuild
similarity index 100%
rename from project-lakitu/app-admin/sosreport/sosreport-4.3-r3.ebuild
rename to project-lakitu/app-admin/sosreport/sosreport-4.3-r4.ebuild
diff --git a/project-lakitu/app-admin/sosreport/sosreport-4.3.ebuild b/project-lakitu/app-admin/sosreport/sosreport-4.3.ebuild
index 6181b1a..78e7d3b 100644
--- a/project-lakitu/app-admin/sosreport/sosreport-4.3.ebuild
+++ b/project-lakitu/app-admin/sosreport/sosreport-4.3.ebuild
@@ -41,6 +41,7 @@
 	# this patch when upgrading past 4.3.
 	"${FILESDIR}/0012-fixup-setup-py.patch"
 	"${FILESDIR}/0012-add-nvidia-plugin.patch"
+	"${FILESDIR}/0013-fix-CVE-2022-2806.patch"
 )
 
 src_prepare() {