[openstack-glance/el6-essex: 2/2] fix Glance auth bypass for image deletion (CVE-2012-4573) (cherry picked from commit cc52cd93dc0ed0a
Pádraig Brady
pbrady at fedoraproject.org
Mon Nov 12 14:43:04 UTC 2012
commit 611c5b9c077c32852715bac91c41ded1fb530760
Author: Pádraig Brady <P at draigBrady.com>
Date: Mon Nov 12 14:16:41 2012 +0000
fix Glance auth bypass for image deletion (CVE-2012-4573)
(cherry picked from commit cc52cd93dc0ed0ab2950c48af8dfa1732efdb1cb)
0002-pin-sqlalchemy-to-the-0.7-series.patch | 42 ++++++++++++++++++++
...age-owned-by-user-before-delayed_deletion.patch | 32 +++++++++++++++
...-Don-t-access-the-net-while-building-docs.patch | 2 +-
...> 0005-Support-DB-auto-create-suppression.patch | 2 +-
openstack-glance.spec | 15 +++++--
5 files changed, 87 insertions(+), 6 deletions(-)
---
diff --git a/0002-pin-sqlalchemy-to-the-0.7-series.patch b/0002-pin-sqlalchemy-to-the-0.7-series.patch
new file mode 100644
index 0000000..5e98a40
--- /dev/null
+++ b/0002-pin-sqlalchemy-to-the-0.7-series.patch
@@ -0,0 +1,42 @@
+From e6be0615b7c5648da2a96b4addeb11e330628685 Mon Sep 17 00:00:00 2001
+From: Sean Dague <sdague at linux.vnet.ibm.com>
+Date: Wed, 31 Oct 2012 09:25:10 -0400
+Subject: [PATCH] pin sqlalchemy to the 0.7 series
+
+sqlalchemy 0.8 beta has hit mirrors, and changes dependencies, thus
+breaking jenkins. This pins it to 0.7 series until all the projects
+agree to move forward to 0.8.
+
+Fixes bug #1073569
+
+Change-Id: I7b13ef48730e6499442a4a2a9d28b59e0121acf0
+---
+ Authors | 1 +
+ tools/pip-requires | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/Authors b/Authors
+index caf47b8..9d5b792 100644
+--- a/Authors
++++ b/Authors
+@@ -54,6 +54,7 @@ Rick Clark <rick at openstack.org>
+ Rick Harris <rconradharris at gmail.com>
+ Reynolds Chin <benzwt at gmail.com>
+ Russell Bryant <rbryant at redhat.com>
++Sean Dague <sdague at linux.vnet.ibm.com>
+ Soren Hansen <soren.hansen at rackspace.com>
+ Stuart McLaren <stuart.mclaren at hp.com>
+ Taku Fukushima <tfukushima at dcl.info.waseda.ac.jp>
+diff --git a/tools/pip-requires b/tools/pip-requires
+index 2c25845..c4bebc7 100644
+--- a/tools/pip-requires
++++ b/tools/pip-requires
+@@ -3,7 +3,7 @@
+ # package to get the right headers...
+ greenlet>=0.3.1
+
+-SQLAlchemy>=0.7
++SQLAlchemy>=0.7,<=0.7.9
+ anyjson
+ eventlet>=0.9.12
+ PasteDeploy
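Review bot: in tools/pip-requires, the upper bound `<=0.7.9` is tighter than the commit message's stated intent of pinning to the 0.7 series, because any later 0.7.x release is excluded as well. `SQLAlchemy>=0.7,<0.8` states the intent directly and needs no further edits when a 0.7 point release appears.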
diff --git a/0003-Ensure-image-owned-by-user-before-delayed_deletion.patch b/0003-Ensure-image-owned-by-user-before-delayed_deletion.patch
new file mode 100644
index 0000000..6051af9
--- /dev/null
+++ b/0003-Ensure-image-owned-by-user-before-delayed_deletion.patch
@@ -0,0 +1,32 @@
+From efd7e75b1f419a52c7103c7840e24af8e5deb29d Mon Sep 17 00:00:00 2001
+From: Brian Waldon <bcwaldon at gmail.com>
+Date: Wed, 7 Nov 2012 10:06:43 -0500
+Subject: [PATCH] Ensure image owned by user before delayed_deletion
+
+Fixes bug 1065187.
+
+Change-Id: Icf2f117a094c712bad645ef5f297e9f7da994c84
+---
+ glance/api/v1/images.py | 9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
+index 9bedf20..1a8eac8 100644
+--- a/glance/api/v1/images.py
++++ b/glance/api/v1/images.py
+@@ -727,6 +727,15 @@ class Controller(controller.BaseController):
+ content_type="text/plain")
+
+ image = self.get_image_meta_or_404(req, id)
++
++ if not (req.context.is_admin
++ or image['owner'] == None
++ or image['owner'] == req.context.owner):
++ msg = _("Unable to delete image you do not own")
++ logger.debug(msg)
++ raise HTTPForbidden(msg, request=req,
++ content_type="text/plain")
++
+ if image['protected']:
+ msg = _("Image is protected")
+ logger.debug(msg)
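Review bot: the `image['owner'] == None` clause in the new check lets any non-admin caller through for images that have no owner, so the ownership test only protects images with an owner set. If that is intended it deserves a comment, and the comparison should be written `image['owner'] is None`. The refusal is logged with logger.debug and a fixed message that carries neither the image id nor the requesting owner, which makes denied delete attempts hard to spot and attribute in logs; consider logging `id` and `req.context.owner` at a higher level. The diffstat lists only glance/api/v1/images.py, so no test in this patch exercises the new HTTPForbidden path.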
diff --git a/0002-Don-t-access-the-net-while-building-docs.patch b/0004-Don-t-access-the-net-while-building-docs.patch
similarity index 92%
rename from 0002-Don-t-access-the-net-while-building-docs.patch
rename to 0004-Don-t-access-the-net-while-building-docs.patch
index 1951d9a..8104a2f 100644
--- a/0002-Don-t-access-the-net-while-building-docs.patch
+++ b/0004-Don-t-access-the-net-while-building-docs.patch
@@ -1,4 +1,4 @@
-From d9c185d12021cef968f5bba529b3cb0a3570222b Mon Sep 17 00:00:00 2001
+From 7d8791aef55b5c4e148f0c17cd6e614ce20e1309 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
Date: Fri, 6 Jan 2012 17:12:54 +0000
Subject: [PATCH] Don't access the net while building docs
diff --git a/0003-Support-DB-auto-create-suppression.patch b/0005-Support-DB-auto-create-suppression.patch
similarity index 99%
rename from 0003-Support-DB-auto-create-suppression.patch
rename to 0005-Support-DB-auto-create-suppression.patch
index e46b91d..3f6f774 100644
--- a/0003-Support-DB-auto-create-suppression.patch
+++ b/0005-Support-DB-auto-create-suppression.patch
@@ -1,4 +1,4 @@
-From 589235405cb0b2a633af7d41a6450f1a61e554c9 Mon Sep 17 00:00:00 2001
+From 510fbfede44378e5d80475b428c7117172a6b2e6 Mon Sep 17 00:00:00 2001
From: Eoghan Glynn <eglynn at redhat.com>
Date: Fri, 18 May 2012 14:23:41 +0100
Subject: [PATCH] Support DB auto-create suppression.
diff --git a/openstack-glance.spec b/openstack-glance.spec
index 5474db0..adc76db 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -1,6 +1,6 @@
Name: openstack-glance
Version: 2012.1.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenStack Image Service
Group: Applications/System
@@ -17,8 +17,10 @@ Source3: openstack-glance.logrotate
# patches_base=2012.1.2
#
#Patch0001: 0001-Bump-version-to-2012.1.3.patch
-Patch0002: 0002-Don-t-access-the-net-while-building-docs.patch
-Patch0003: 0003-Support-DB-auto-create-suppression.patch
+#Patch0002: 0002-pin-sqlalchemy-to-the-0.7-series.patch
+Patch0003: 0003-Ensure-image-owned-by-user-before-delayed_deletion.patch
+Patch0004: 0004-Don-t-access-the-net-while-building-docs.patch
+Patch0005: 0005-Support-DB-auto-create-suppression.patch
# EPEL specific
Patch100: openstack-glance-newdeps.patch
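Review bot: Patch0002 is added to the repository by this commit (42 lines) but is commented out here as `#Patch0002:` and again as `#%patch0002 -p1` in %prep, so the SQLAlchemy pin is never applied to the build. Add a spec comment saying why the patch is carried but disabled, since as written it reads like an oversight, or drop the file.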
@@ -102,8 +104,10 @@ This package contains documentation files for glance.
%setup -q -n glance-%{version}
#%patch0001 -p1
-%patch0002 -p1
+#%patch0002 -p1
%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
%patch100 -p1
%patch101 -p1
@@ -234,6 +238,9 @@ fi
%doc doc/build/html
%changelog
+* Mon Nov 12 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.2-2
+- Fix Glance Authentication bypass for image deletion (CVE-2012-4573)
+
* Mon Nov 12 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.2-1
- Update to stable/essex 2012.1.2 including...
- Support zero-size image creation via the v1 API
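Review bot: the new %changelog entry says "Authentication bypass", but the patch it refers to adds an ownership check before delete, which is an authorization fix. Wording it that way and citing the bug number from the 0003 patch header (1065187) would make the entry easier to match against advisories. The entry also says nothing about the patch renumbering or the added but disabled 0002 patch.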