File fix-CVE-2022-31008-1.patch of Package rabbitmq-server
From eb41cc0f43ae0eaf8554a68736e0415f1b711ad5 Mon Sep 17 00:00:00 2001
From: Lajos Gerecs <lajos.gerecs@erlang-solutions.com>
Date: Fri, 6 May 2022 14:58:50 +0200
Subject: [PATCH] implement fallback secret for credentials obfuscation
Author: Lajos Gerecs <lajos.gerecs@erlang-solutions.com>
(cherry picked from commit 25f8a9611bf8de61ac743442a9e9978ad535b7ee)
(cherry picked from commit 8b67133dd2044715075302b3fa08ed001c07f4a9)
# Conflicts:
# deps/rabbit/Makefile
# deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
(cherry picked from commit fe1e1668a2344d20c5961bad4b2876fd372bd0e6)
# Conflicts:
# deps/rabbit/Makefile
# deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
---
 deps/rabbit/Makefile | 12 +++++++
 .../src/rabbit_prelaunch_conf.erl | 33 +++++++++++++++++
 .../src/rabbit_prelaunch_dist.erl | 20 +++++++++++
 5 files changed, 111 insertions(+), 1 deletion(-)
Index: rabbitmq-server-3.8.11/deps/rabbit/Makefile
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbit/Makefile
+++ rabbitmq-server-3.8.11/deps/rabbit/Makefile
@@ -118,7 +118,19 @@ define PROJECT_ENV
 {writer_gc_threshold, 1000000000},
 %% interval at which connection/channel tracking executes post operations
 {tracking_execution_timeout, 15000},
+<<<<<<< HEAD
 {track_auth_attempt_source, false}
+=======
+ {stream_messages_soft_limit, 256},
+<<<<<<< HEAD
+ {track_auth_attempt_source, false}
+=======
+ {track_auth_attempt_source, false},
+ {credentials_obfuscation_fallback_secret, <<"nocookie">>},
+ {dead_letter_worker_consumer_prefetch, 32},
+ {dead_letter_worker_publisher_confirm_timeout, 180000}
+>>>>>>> 8b67133dd2 (implement fallback secret for credentials obfuscation)
+>>>>>>> fe1e1668a2 (implement fallback secret for credentials obfuscation)
 ]
 endef
 
Index: rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
+++ rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
@@ -66,10 +66,16 @@ setup(Context) ->
 #{config_files => [],
 config_advanced_file => undefined}
 end,
+<<<<<<< HEAD
 ok = override_with_hard_coded_critical_config(),
 ok = set_credentials_obfuscation_secret(),
 rabbit_log_prelaunch:debug(
 "Saving config state to application env: ~p", [State]),
+=======
+ ?LOG_DEBUG(
+ "Saving config state to application env: ~p", [State],
+ #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+>>>>>>> fe1e1668a2 (implement fallback secret for credentials obfuscation)
 store_config_state(State).
 
 store_config_state(ConfigState) ->
@@ -379,6 +385,7 @@ apply_app_env_vars(App, [{Var, Value} |
 apply_app_env_vars(_, []) ->
 ok.
 
+<<<<<<< HEAD
 set_credentials_obfuscation_secret() ->
 rabbit_log_prelaunch:debug(
 "Refreshing credentials obfuscation configuration from env: ~p",
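Review bot: Unresolved merge-conflict markers are committed as added lines inside `define PROJECT_ENV` (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 8b67133dd2 …`, `+>>>>>>> fe1e1668a2 …`), so whatever consumes PROJECT_ENV sees literal `<<<<<<< HEAD` text and three copies of `track_auth_attempt_source` where an Erlang term list is expected; the patch cannot be applied in this form. For the CVE fix itself the resolved new side of this hunk should be just `{track_auth_attempt_source, false},` followed by `{credentials_obfuscation_fallback_secret, <<"nocookie">>}`; `stream_messages_soft_limit` and the two `dead_letter_worker_*` settings come from the other branch of the conflict and do not appear to belong to this change, so whether 3.8.11 has any consumer for them should be confirmed before keeping them. Note also that `<<"nocookie">>` is a public constant: presumably it is kept so values obfuscated before this change stay readable, but anything still protected only by the fallback is recoverable by anyone who can read the stored value, which deserves a comment next to the entry, e.g. `%% fallback only for values obfuscated with the pre-fix default; override in production`.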
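Review bot: The same conflict markers are added to rabbit_prelaunch_conf.erl: `+<<<<<<< HEAD` before `ok = override_with_hard_coded_critical_config()` and `+=======` / `+>>>>>>> fe1e1668a2 …` around the `?LOG_DEBUG(...)` alternative, which is a syntax error in the module. The HEAD side is the one that matches the 3.8.11 base (the surrounding code logs through `rabbit_log_prelaunch:debug/2`, and `?RMQLOG_DOMAIN_PRELAUNCH` is not visible anywhere in this file), so the resolution is to drop all six added lines and keep the context unchanged. Keeping `ok = set_credentials_obfuscation_secret()` here means the secret is first derived from `erlang:get_cookie()` during config setup and then set again from rabbit_prelaunch_dist:setup/1 in the next file; if distribution is not running yet at this point the first call still installs the `nocookie` value, so a comment such as `%% provisional; re-set from the real cookie in rabbit_prelaunch_dist:setup/1` would save the next maintainer the same investigation. setup/1 starts and ends outside the hunk.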
@@ -388,6 +395,32 @@ set_credentials_obfuscation_secret() ->
 rabbit_log_prelaunch:debug(
 "Setting credentials obfuscation secret to '~s'", [CookieBin]),
 ok = credentials_obfuscation:set_secret(CookieBin).
+=======
+log_app_env_var(password = Var, _) ->
+ ?LOG_DEBUG(" - ~s = ********", [Var],
+ #{domain => ?RMQLOG_DOMAIN_PRELAUNCH});
+log_app_env_var(Var, Value) when is_list(Value) ->
+ %% To redact sensitive entries,
+ %% e.g. {password,"********"} for stream replication over TLS
+ Redacted = redact_env_var(Value),
+ ?LOG_DEBUG(" - ~s = ~p", [Var, Redacted],
+ #{domain => ?RMQLOG_DOMAIN_PRELAUNCH});
+log_app_env_var(Var, Value) ->
+ ?LOG_DEBUG(" - ~s = ~p", [Var, Value],
+ #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}).
+
+redact_env_var(Value) when is_list(Value) ->
+ redact_env_var(Value, []);
+redact_env_var(Value) ->
+ Value.
+
+redact_env_var([], Acc) ->
+ lists:reverse(Acc);
+redact_env_var([{password, _Value} | Rest], Acc) ->
+ redact_env_var(Rest, Acc ++ [{password, "********"}]);
+redact_env_var([AppVar | Rest], Acc) ->
+ redact_env_var(Rest, [AppVar | Acc]).
+>>>>>>> 8b67133dd2 (implement fallback secret for credentials obfuscation)
 
 %% -------------------------------------------------------------------
 %% Config decryption.
Index: rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl
+++ rabbitmq-server-3.8.11/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl
@@ -23,6 +23,8 @@ setup(#{nodename := Node, nodename_type
 throw({error, {erlang_dist_running_with_unexpected_nodename, Unexpected, Node}})
 end,
+ ok = set_credentials_obfuscation_secret(),
+
 ok.
 
 do_setup(#{nodename := Node, nodename_type := NameType}) ->
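Review bot: `redact_env_var/2` prepends ordinary entries (`[AppVar | Acc]`) but appends the masked password with `Acc ++ [...]`, and the base case then reverses, so every `{password, _}` entry is moved to the front of the logged list and each hit costs a full copy of the accumulator; use the same shape as the sibling clause, `redact_env_var(Rest, [{password, "********"} | Acc]);`. The `+=======` and `+>>>>>>> 8b67133dd2 …` lines close the conflict opened by `+<<<<<<< HEAD` in the previous hunk, leaving both the old `set_credentials_obfuscation_secret/0` and the new `log_app_env_var`/`redact_env_var` helpers in the file; whether 3.8.11's `apply_app_env_vars/2` calls `log_app_env_var/2` at all is not visible here, and an uncalled helper is an unused-function warning. The helpers also rely on `?LOG_DEBUG` and `?RMQLOG_DOMAIN_PRELAUNCH`, which the rest of this file (logging through `rabbit_log_prelaunch:debug/2`) does not appear to use, so the required includes need confirming. Only `password` keys are masked; a note such as `%% only {password, _} entries are masked; other secret-bearing keys are logged verbatim` would make that limitation explicit to whoever enables debug logging.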
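Review bot: `set_credentials_obfuscation_secret()` is placed after the nodename `case … end,` in setup/1, which only removes the weak-secret condition if distribution is already running at this point, since `erlang:get_cookie()` on a node that is not alive yields `nocookie`; `do_setup/1` is defined just below but its call is outside the hunk, so confirm it precedes this line. A why-comment would pin the ordering this CVE fix depends on, e.g. `%% must run after distribution is up: the secret is derived from the node cookie`. setup/1 starts outside the hunk.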
@@ -102,3 +104,21 @@ dist_port_use_check_fail(Port, Host) ->
 [Name] ->
 throw({error, {dist_port_already_used, Port, Name, Host}})
 end.
+
+set_credentials_obfuscation_secret() ->
+ ?LOG_DEBUG(
+ "Refreshing credentials obfuscation configuration from env: ~p",
+ [application:get_all_env(credentials_obfuscation)],
+ #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+ ok = credentials_obfuscation:refresh_config(),
+ CookieBin = rabbit_data_coercion:to_binary(erlang:get_cookie()),
+ ?LOG_DEBUG(
+ "Setting credentials obfuscation secret to '~s'", [CookieBin],
+ #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+ ok = credentials_obfuscation:set_secret(CookieBin),
+ Fallback = application:get_env(rabbit,
+ credentials_obfuscation_fallback_secret,
+ <<"nocookie">>),
+ ok = credentials_obfuscation:set_fallback_secret(Fallback).
+
+
\ No newline at end of file
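Review bot: The second `?LOG_DEBUG` prints the Erlang cookie in clear text, `"Setting credentials obfuscation secret to '~s'", [CookieBin]`, so a node running at debug level writes both its cluster-join credential and the key protecting stored credentials into the log file; this is carried over from the old conf.erl version, but a CVE fix about secret handling is the place to stop it, and it is at odds with the password masking added in the previous file. Log the event without the value, `"Setting credentials obfuscation secret from the Erlang cookie", []`. `Fallback` is handed to `set_fallback_secret/1` exactly as read from the app env while the cookie goes through `rabbit_data_coercion:to_binary/1`; if an operator sets the fallback as a string in advanced.config the two paths diverge, so `rabbit_data_coercion:to_binary(Fallback)` keeps them consistent (whether the library accepts lists is not visible here). The hard-coded `<<"nocookie">>` default also duplicates the Makefile entry, so one should reference the other to avoid drift. The file now ends with two blank lines and no trailing newline.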