[openstack-nova] Fix password leak in EC2 API (#749385, CVE 2011-4076)
Mark McLoughlin
markmc at fedoraproject.org
Wed Oct 26 21:29:06 UTC 2011
commit 26186577ec8eeca5c5e5bda3f53d2980c758807a
Author: Mark McLoughlin <markmc at redhat.com>
Date: Wed Oct 26 22:28:52 2011 +0100
Fix password leak in EC2 API (#749385, CVE 2011-4076)
...p-returning-correct-password-on-api-calls.patch | 77 ++++++++++++++++++++
openstack-nova.spec | 7 ++-
2 files changed, 83 insertions(+), 1 deletions(-)
---
diff --git a/0010-Stop-returning-correct-password-on-api-calls.patch b/0010-Stop-returning-correct-password-on-api-calls.patch
new file mode 100644
index 0000000..09f1af3
--- /dev/null
+++ b/0010-Stop-returning-correct-password-on-api-calls.patch
@@ -0,0 +1,77 @@
+From f76a2ecca3463c692cf5bad8384eafe677780e08 Mon Sep 17 00:00:00 2001
+From: Ahmad Hassan <ahmad.hassan at hp.com>
+Date: Mon, 1 Aug 2011 17:16:49 +0100
+Subject: [PATCH] Stop returning correct password on api calls
+
+Captured invalid signature exception in authentication step, so that
+the problem is not returning exception to user, revealing the real
+password.
+Fixes bug 868360.
+
+(cherry picked from commit beee11edbfdd82cd81bc9c0fd75912c167892c2b)
+
+Change-Id: I5d6f713358dc720514b3e693f9adb11ccacecdd0
+
+(cherry picked from commit b1ab6da1495784ff581000018a6047fd19cf82c4)
+---
+ Authors | 1 +
+ nova/api/ec2/__init__.py | 3 ++-
+ nova/auth/manager.py | 10 ++--------
+ 3 files changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/Authors b/Authors
+index 8d6837e..53b3f6c 100644
+--- a/Authors
++++ b/Authors
+@@ -1,5 +1,6 @@
+ Adam Gandelman <adamg at canonical.com>
+ Adam Johnson <adjohn at gmail.com>
++Ahmad Hassan <ahmad.hassan at hp.com>
+ Alex Meade <alex.meade at rackspace.com>
+ Alexander Sakhnov <asakhnov at mirantis.com>
+ Andrey Brindeyev <abrindeyev at griddynamics.com>
+diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
+index 8dcb44b..4b4c0f5 100644
+--- a/nova/api/ec2/__init__.py
++++ b/nova/api/ec2/__init__.py
+@@ -188,7 +188,8 @@ class Authenticate(wsgi.Middleware):
+ req.host,
+ req.path)
+ # Be explicit for what exceptions are 403, the rest bubble as 500
+- except (exception.NotFound, exception.NotAuthorized) as ex:
++ except (exception.NotFound, exception.NotAuthorized,
++ exception.InvalidSignature) as ex:
+ LOG.audit(_("Authentication Failure: %s"), unicode(ex))
+ raise webob.exc.HTTPForbidden()
+
+diff --git a/nova/auth/manager.py b/nova/auth/manager.py
+index 44e6e11..e050446 100644
+--- a/nova/auth/manager.py
++++ b/nova/auth/manager.py
+@@ -149,11 +149,7 @@ class User(AuthBase):
+ return AuthManager().is_project_manager(self, project)
+
+ def __repr__(self):
+- return "User('%s', '%s', '%s', '%s', %s)" % (self.id,
+- self.name,
+- self.access,
+- self.secret,
+- self.admin)
++ return "User('%s', '%s')" % (self.id, self.name)
+
+
+ class Project(AuthBase):
+@@ -200,9 +196,7 @@ class Project(AuthBase):
+ return AuthManager().get_credentials(user, self)
+
+ def __repr__(self):
+- return "Project('%s', '%s', '%s', '%s', %s)" % \
+- (self.id, self.name, self.project_manager_id, self.description,
+- self.member_ids)
++ return "Project('%s', '%s')" % (self.id, self.name)
+
+
+ class AuthManager(object):
+--
+1.7.6.4
+
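Review bot: The narrowed `User.__repr__` in the nova/auth/manager.py hunk is what actually keeps the secret out of the error text, but nothing in the code records why `access` and `secret` were dropped, so a later maintainer could plausibly restore them for debugging convenience. A one-line comment above the return, `# Deliberately omit access/secret: reprs end up in exception messages and logs (CVE-2011-4076)`, would pin that down, and the same note fits `Project.__repr__`. In the nova/api/ec2/__init__.py hunk the handler still passes `unicode(ex)` to `LOG.audit`, so whatever text `InvalidSignature` carries now goes to the audit log instead of the 403 body; it is worth confirming that message does not itself embed the request signature or any credential. The two `__repr__` methods are complete within the hunk, but the try block enclosing the EC2 `except` clause begins before it.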
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 0a64397..58c91f2 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
Name: openstack-nova
Version: 2011.3
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: OpenStack Compute (nova)
Group: Applications/System
@@ -38,6 +38,7 @@ Patch6: 0006-Allow-the-user-to-choose-either-ietadm-or-tgtadm-lp-.patc
Patch7: 0007-Remove-VolumeDriver.sync_exec-method-lp-819997.patch
Patch8: 0008-Refactor-ietadm-tgtadm-calls-out-into-helper-classes.patch
Patch9: 0009-Fixed-bug-lp850602.patch
+Patch10: 0010-Stop-returning-correct-password-on-api-calls.patch
BuildArch: noarch
BuildRequires: intltool
@@ -174,6 +175,7 @@ This package contains documentation files for nova.
%patch7 -p1
%patch8 -p1
%patch9 -p1
+%patch10 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
@@ -361,6 +363,9 @@ fi
%endif
%changelog
+* Wed Oct 26 2011 Mark McLoughlin <markmc at redhat.com> - 2011.3-6
+- Fix password leak in EC2 API (#749385, CVE 2011-4076)
+
* Mon Oct 24 2011 Mark McLoughlin <markmc at redhat.com> - 2011.3-5
- Fix block migration (#741690)