[openstack-nova] Fix password leak in EC2 API (#749385, CVE 2011-4076)

Mark McLoughlin markmc at fedoraproject.org
Wed Oct 26 21:29:06 UTC 2011 

commit 26186577ec8eeca5c5e5bda3f53d2980c758807a
Author: Mark McLoughlin <markmc at redhat.com>
Date:   Wed Oct 26 22:28:52 2011 +0100

    Fix password leak in EC2 API (#749385, CVE 2011-4076)

 ...p-returning-correct-password-on-api-calls.patch |   77 ++++++++++++++++++++
 openstack-nova.spec                                |    7 ++-
 2 files changed, 83 insertions(+), 1 deletions(-)
---
diff --git a/0010-Stop-returning-correct-password-on-api-calls.patch b/0010-Stop-returning-correct-password-on-api-calls.patch
new file mode 100644
index 0000000..09f1af3
--- /dev/null
+++ b/0010-Stop-returning-correct-password-on-api-calls.patch
@@ -0,0 +1,77 @@
+From f76a2ecca3463c692cf5bad8384eafe677780e08 Mon Sep 17 00:00:00 2001
+From: Ahmad Hassan <ahmad.hassan at hp.com>
+Date: Mon, 1 Aug 2011 17:16:49 +0100
+Subject: [PATCH] Stop returning correct password on api calls
+
+Captured invalid signature exception in authentication step, so that
+the problem is not returning exception to user, revealing the real
+password.
+Fixes bug 868360.
+
+(cherry picked from commit beee11edbfdd82cd81bc9c0fd75912c167892c2b)
+
+Change-Id: I5d6f713358dc720514b3e693f9adb11ccacecdd0
+
+(cherry picked from commit b1ab6da1495784ff581000018a6047fd19cf82c4)
+---
+ Authors                  |    1 +
+ nova/api/ec2/__init__.py |    3 ++-
+ nova/auth/manager.py     |   10 ++--------
+ 3 files changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/Authors b/Authors
+index 8d6837e..53b3f6c 100644
+--- a/Authors
++++ b/Authors
+@@ -1,5 +1,6 @@
+ Adam Gandelman <adamg at canonical.com>
+ Adam Johnson <adjohn at gmail.com>
++Ahmad Hassan <ahmad.hassan at hp.com>
+ Alex Meade <alex.meade at rackspace.com>
+ Alexander Sakhnov <asakhnov at mirantis.com>
+ Andrey Brindeyev <abrindeyev at griddynamics.com>
+diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
+index 8dcb44b..4b4c0f5 100644
+--- a/nova/api/ec2/__init__.py
++++ b/nova/api/ec2/__init__.py
+@@ -188,7 +188,8 @@ class Authenticate(wsgi.Middleware):
+                     req.host,
+                     req.path)
+         # Be explicit for what exceptions are 403, the rest bubble as 500
+-        except (exception.NotFound, exception.NotAuthorized) as ex:
++        except (exception.NotFound, exception.NotAuthorized,
++                exception.InvalidSignature) as ex:
+             LOG.audit(_("Authentication Failure: %s"), unicode(ex))
+             raise webob.exc.HTTPForbidden()
+ 
+diff --git a/nova/auth/manager.py b/nova/auth/manager.py
+index 44e6e11..e050446 100644
+--- a/nova/auth/manager.py
++++ b/nova/auth/manager.py
+@@ -149,11 +149,7 @@ class User(AuthBase):
+         return AuthManager().is_project_manager(self, project)
+ 
+     def __repr__(self):
+-        return "User('%s', '%s', '%s', '%s', %s)" % (self.id,
+-                                                     self.name,
+-                                                     self.access,
+-                                                     self.secret,
+-                                                     self.admin)
++        return "User('%s', '%s')" % (self.id, self.name)
+ 
+ 
+ class Project(AuthBase):
+@@ -200,9 +196,7 @@ class Project(AuthBase):
+         return AuthManager().get_credentials(user, self)
+ 
+     def __repr__(self):
+-        return "Project('%s', '%s', '%s', '%s', %s)" % \
+-            (self.id, self.name, self.project_manager_id, self.description,
+-             self.member_ids)
++        return "Project('%s', '%s')" % (self.id, self.name)
+ 
+ 
+ class AuthManager(object):
+-- 
+1.7.6.4
+
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 0a64397..58c91f2 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
 
 Name:             openstack-nova
 Version:          2011.3
-Release:          5%{?dist}
+Release:          6%{?dist}
 Summary:          OpenStack Compute (nova)
 
 Group:            Applications/System
@@ -38,6 +38,7 @@ Patch6:           0006-Allow-the-user-to-choose-either-ietadm-or-tgtadm-lp-.patc
 Patch7:           0007-Remove-VolumeDriver.sync_exec-method-lp-819997.patch
 Patch8:           0008-Refactor-ietadm-tgtadm-calls-out-into-helper-classes.patch
 Patch9:           0009-Fixed-bug-lp850602.patch
+Patch10:          0010-Stop-returning-correct-password-on-api-calls.patch
 
 BuildArch:        noarch
 BuildRequires:    intltool
@@ -174,6 +175,7 @@ This package contains documentation files for nova.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 
@@ -361,6 +363,9 @@ fi
 %endif
 
 %changelog
+* Wed Oct 26 2011 Mark McLoughlin <markmc at redhat.com> - 2011.3-6
+- Fix password leak in EC2 API (#749385, CVE 2011-4076)
+
 * Mon Oct 24 2011 Mark McLoughlin <markmc at redhat.com> - 2011.3-5
 - Fix block migration (#741690)

More information about the scm-commits mailing list