Resolves: #2215765, insecure credentials submission

This commit is contained in:
Than Ngo 2023-06-23 16:39:42 +02:00
parent a09e7f6e99
commit b63ef766f0
2 changed files with 131 additions and 1 deletions


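--- a/<spec-path-not-shown>
+++ b/<spec-path-not-shown>
@@ -10,11 +10,12 @@
 Name: librabbitmq
 Summary: Client library for AMQP
 Version: 0.9.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 URL: https://github.com/alanxz/rabbitmq-c
 Source0: https://github.com/alanxz/rabbitmq-c/archive/v%{version}.tar.gz
 Patch0: rabbitmq-c-0.9.0-CVE-2019-18609.patch
+Patch1: rabbitmq-c-CVE-2023-35789.patch
 BuildRequires: gcc
 BuildRequires: cmake > 2.8
@@ -57,6 +58,7 @@ amqp-publish Publish a message on an AMQP server
 %prep
 %setup -q -n rabbitmq-c-%{version}
 %patch0 -p1 -b .CVE-2019-18609
+%patch1 -p1 -b .CVE-2023-35789
 # Copy sources to be included in -devel docs.
 cp -pr examples Examples
@@ -106,6 +108,9 @@ make test
 %changelog
+* Fri Jun 23 2023 Than Ngo <than@redhat.com> - 0.9.0-4
+- Resolves: #2215765, insecure credentials submission
 * Tue Sep 29 2020 Than Ngo <than@redhat.com> - 0.9.0-3
 - Resolves: #1857831, rpmdiff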


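--- /dev/null
+++ b/rabbitmq-c-CVE-2023-35789.patch
@@ -0,0 +1,125 @@
+commit 463054383fbeef889b409a7f843df5365288e2a0
+Author: Christian Kastner <ckk@kvr.at>
+Date: Tue Jun 13 14:21:52 2023 +0200
+Add option to read username/password from file (#781)
+* Add option to read username/password from file
+diff --git a/tools/common.c b/tools/common.c
+index 73b47e2..7efe557 100644
+--- a/tools/common.c
++++ b/tools/common.c
+@@ -18,6 +18,11 @@
+#include "compat.h"
+#endif
++/* For when reading auth data from a file */
++#define MAXAUTHTOKENLEN 128
++#define USERNAMEPREFIX "username:"
++#define PASSWORDPREFIX "password:"
++
+void die(const char *fmt, ...) {
+va_list ap;
+va_start(ap, fmt);
+@@ -125,6 +130,7 @@ static char *amqp_vhost;
+static char *amqp_username;
+static char *amqp_password;
+static int amqp_heartbeat = 0;
++static char *amqp_authfile;
+#ifdef WITH_SSL
+static int amqp_ssl = 0;
+static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+@@ -147,6 +153,8 @@ struct poptOption connect_options[] = {
+"the password to login with", "password"},
+{"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
+"heartbeat interval, set to 0 to disable", "heartbeat"},
++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
++ "path to file containing username/password for authentication", "file"},
+#ifdef WITH_SSL
+{"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
+{"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+@@ -158,6 +166,50 @@ struct poptOption connect_options[] = {
+#endif /* WITH_SSL */
+{NULL, '\0', 0, NULL, 0, NULL, NULL}};
++void read_authfile(const char *path) {
++ size_t n;
++ FILE *fp = NULL;
++ char token[MAXAUTHTOKENLEN];
++
++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
++ die("Out of memory");
++ } else if ((fp = fopen(path, "r")) == NULL) {
++ die("Could not read auth data file %s", path);
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
++ die("Malformed auth file (missing username)");
++ }
++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_username);
++ if (amqp_username[n - 1] != '\n') {
++ die("Username too long");
++ } else {
++ amqp_username[n - 1] = '\0';
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
++ die("Malformed auth file (missing password)");
++ }
++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_password);
++ if (amqp_password[n - 1] != '\n') {
++ die("Password too long");
++ } else {
++ amqp_password[n - 1] = '\0';
++ }
++
++ (void)fgetc(fp);
++ if (!feof(fp)) {
++ die("Malformed auth file (trailing data)");
++ }
++}
++
+static void init_connection_info(struct amqp_connection_info *ci) {
+ci->user = NULL;
+ci->password = NULL;
+@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+if (amqp_username) {
+if (amqp_url) {
+die("--username and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--username and --authfile options cannot be used at the same time");
+}
+ci->user = amqp_username;
+@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+if (amqp_password) {
+if (amqp_url) {
+die("--password and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--password and --authfile options cannot be used at the same time");
+}
+ci->password = amqp_password;
+}
++ if (amqp_authfile) {
++ if (amqp_url) {
++ die("--authfile and --url options cannot be used at the same time");
++ }
++
++ read_authfile(amqp_authfile);
++ ci->user = amqp_username;
++ ci->password = amqp_password;
++ }
++
+if (amqp_vhost) {
+if (amqp_url) {
+die("--vhost and --url options cannot be used at the same time");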
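Review bot: In read_authfile (the `@@ -158,6 +166,50 @@` hunk of tools/common.c), `amqp_username[n - 1]` and `amqp_password[n - 1]` are read without first checking that `n` is non-zero, so a file whose line is exactly `username:` or `password:` with no trailing newline yields `n == 0` and the index reads one byte before the malloc'd buffer. Guard both newline checks with `if (n == 0 || amqp_username[n - 1] != '\n')` and `if (n == 0 || amqp_password[n - 1] != '\n')`. The function also never calls `fclose(fp)` on its success path, and the stack buffer `token` still holds the password line when it returns; adding `fclose(fp);` before the closing brace and clearing `token` (for example with `explicit_bzero` where available) would release the handle and shorten how long the secret lingers in memory. Since the purpose of `--authfile` is to keep credentials off the command line, a comment documenting that the file's permissions are not checked (or an `fstat` check that it is not group- or world-readable) would also help callers use the option as intended.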