[openstack-nova] fix up protocol case handling for security groups (CVE-2012-2654)

Pádraig Brady pbrady at fedoraproject.org
Wed Jun 6 22:43:18 UTC 2012


commit 7ab0654bfe4c4bcb4acb6465ddd4e490d948b5fb
Author: Pádraig Brady <P at draigBrady.com>
Date:   Wed Jun 6 23:39:45 2012 +0100

    fix up protocol case handling for security groups (CVE-2012-2654)

 ...rotocol-case-handling-for-security-groups.patch |   62 ++++++++++++++++++++
 openstack-nova.spec                                |    7 ++-
 2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/0003-Fix-up-protocol-case-handling-for-security-groups.patch b/0003-Fix-up-protocol-case-handling-for-security-groups.patch
new file mode 100644
index 0000000..ee30934
--- /dev/null
+++ b/0003-Fix-up-protocol-case-handling-for-security-groups.patch
@@ -0,0 +1,62 @@
+From d5f955368da8d858de87e504c5ec20685024a51d Mon Sep 17 00:00:00 2001
+From: Vishvananda Ishaya <vishvananda at gmail.com>
+Date: Wed, 6 Jun 2012 13:25:04 -0400
+Subject: [PATCH] Fix up protocol case handling for security groups.
+
+Fix bug 985184.
+
+When creating security group rules, any case for the protocol was
+accepted as input, such as TCP, Tcp, tcp, etc., and was stored in the
+database as specified.  However, unless specified as all lowercase, the
+code to apply the rules would break and result in some rules not being
+applied.
+
+Change-Id: I6c723d371579eb37a94bd484d39beeb773668ed4
+(cherry picked from commit ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654)
+---
+ nova/api/ec2/cloud.py                              |    2 +-
+ .../openstack/compute/contrib/security_groups.py   |    2 +-
+ nova/virt/firewall.py                              |    4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
+index b077d55..c3bc823 100644
+--- a/nova/api/ec2/cloud.py
++++ b/nova/api/ec2/cloud.py
+@@ -595,7 +595,7 @@ class CloudController(object):
+                       to_port=to_port, msg="For ICMP, the"
+                                            " type:code must be valid")
+ 
+-            values['protocol'] = ip_protocol
++            values['protocol'] = ip_protocol.lower()
+             values['from_port'] = from_port
+             values['to_port'] = to_port
+         else:
+diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py
+index 2a48869..21f050a 100644
+--- a/nova/api/openstack/compute/contrib/security_groups.py
++++ b/nova/api/openstack/compute/contrib/security_groups.py
+@@ -498,7 +498,7 @@ class SecurityGroupRulesController(SecurityGroupControllerBase):
+                       to_port=to_port, msg="For ICMP, the"
+                                            " type:code must be valid")
+ 
+-            values['protocol'] = ip_protocol
++            values['protocol'] = ip_protocol.lower()
+             values['from_port'] = from_port
+             values['to_port'] = to_port
+         else:
+diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
+index aa05a22..af0986a 100644
+--- a/nova/virt/firewall.py
++++ b/nova/virt/firewall.py
+@@ -302,8 +302,8 @@ class IptablesFirewallDriver(FirewallDriver):
+                 else:
+                     fw_rules = ipv6_rules
+ 
+-                protocol = rule.protocol
+-                if version == 6 and rule.protocol == 'icmp':
++                protocol = rule.protocol.lower()
++                if version == 6 and protocol == 'icmp':
+                     protocol = 'icmpv6'
+ 
+                 args = ['-j ACCEPT']
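Review bot: `protocol = rule.protocol.lower()` in the nova/virt/firewall.py part of the added patch calls `.lower()` unconditionally, whereas the replaced line passed `rule.protocol` through untouched; if a rule row can carry a null protocol (for example a rule that only names a source group — any later `if protocol:` guard lies outside the hunk), this now raises AttributeError and aborts rule application for that instance instead of simply omitting the `-p` argument. A guard such as `protocol = rule.protocol.lower() if rule.protocol else rule.protocol` keeps the previous behaviour for that case while still normalising real values. The two API hunks lowercase the value only on the store path, so rows written before this fix keep whatever case was submitted; the driver-side normalisation is what actually covers those rows, which is worth stating in the patch description so nobody later drops it as redundant. Whether the allowed-protocol validation that precedes the changed `values['protocol']` lines is itself case-insensitive cannot be seen here; if it is not, mixed-case input is rejected before reaching the normalisation, which is acceptable but should be confirmed so both entry points agree. The enclosing methods in all three patched files start and end outside the hunk.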
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 2c5a960..590bf23 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
 
 Name:             openstack-nova
 Version:          2012.2
-Release:          0.1.f1%{?dist}
+Release:          0.2.f1%{?dist}
 Summary:          OpenStack Compute (nova)
 
 Group:            Applications/System
@@ -33,6 +33,7 @@ Source24:         nova-sudoers
 #
 Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
 Patch0002: 0002-fix-useexisting-deprecation-warnings.patch
+Patch0003: 0003-Fix-up-protocol-case-handling-for-security-groups.patch
 
 BuildArch:        noarch
 BuildRequires:    intltool
@@ -151,6 +152,7 @@ This package contains documentation files for nova.
 
 %patch0001 -p1
 %patch0002 -p1
+%patch0003 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 
@@ -346,6 +348,9 @@ fi
 %endif
 
 %changelog
+* Wed Jun 06 2012 Pádraig Brady <P at draigBrady.com> - 2012.2-0.2.f1
+- Fix up protocol case handling for security groups (CVE-2012-2654)
+
 * Tue May 29 2012 Pádraig Brady <P at draigBrady.com> - 2012.2-0.1.f1
 - Update to folsom milestone 1
 

