[openstack-glance/el6-essex: 2/2] fix Glance auth bypass for image deletion (CVE-2012-4573) (cherry picked from commit cc52cd93dc0ed0a

Pádraig Brady pbrady at fedoraproject.org
Mon Nov 12 14:43:04 UTC 2012 

commit 611c5b9c077c32852715bac91c41ded1fb530760
Author: Pádraig Brady <P at draigBrady.com>
Date:   Mon Nov 12 14:16:41 2012 +0000

    fix Glance auth bypass for image deletion (CVE-2012-4573)
    (cherry picked from commit cc52cd93dc0ed0ab2950c48af8dfa1732efdb1cb)

 0002-pin-sqlalchemy-to-the-0.7-series.patch        |   42 ++++++++++++++++++++
 ...age-owned-by-user-before-delayed_deletion.patch |   32 +++++++++++++++
 ...-Don-t-access-the-net-while-building-docs.patch |    2 +-
 ...> 0005-Support-DB-auto-create-suppression.patch |    2 +-
 openstack-glance.spec                              |   15 +++++--
 5 files changed, 87 insertions(+), 6 deletions(-)
---
diff --git a/0002-pin-sqlalchemy-to-the-0.7-series.patch b/0002-pin-sqlalchemy-to-the-0.7-series.patch
new file mode 100644
index 0000000..5e98a40
--- /dev/null
+++ b/0002-pin-sqlalchemy-to-the-0.7-series.patch
@@ -0,0 +1,42 @@
+From e6be0615b7c5648da2a96b4addeb11e330628685 Mon Sep 17 00:00:00 2001
+From: Sean Dague <sdague at linux.vnet.ibm.com>
+Date: Wed, 31 Oct 2012 09:25:10 -0400
+Subject: [PATCH] pin sqlalchemy to the 0.7 series
+
+sqlalchemy 0.8 beta has hit mirrors, and changes dependencies, thus
+breaking jenkins. This pins it to 0.7 series until all the projects
+agree to move forward to 0.8.
+
+Fixes bug #1073569
+
+Change-Id: I7b13ef48730e6499442a4a2a9d28b59e0121acf0
+---
+ Authors            |    1 +
+ tools/pip-requires |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/Authors b/Authors
+index caf47b8..9d5b792 100644
+--- a/Authors
++++ b/Authors
+@@ -54,6 +54,7 @@ Rick Clark <rick at openstack.org>
+ Rick Harris <rconradharris at gmail.com>
+ Reynolds Chin <benzwt at gmail.com>
+ Russell Bryant <rbryant at redhat.com>
++Sean Dague <sdague at linux.vnet.ibm.com>
+ Soren Hansen <soren.hansen at rackspace.com>
+ Stuart McLaren <stuart.mclaren at hp.com>
+ Taku Fukushima <tfukushima at dcl.info.waseda.ac.jp>
+diff --git a/tools/pip-requires b/tools/pip-requires
+index 2c25845..c4bebc7 100644
+--- a/tools/pip-requires
++++ b/tools/pip-requires
+@@ -3,7 +3,7 @@
+ # package to get the right headers...
+ greenlet>=0.3.1
+ 
+-SQLAlchemy>=0.7
++SQLAlchemy>=0.7,<=0.7.9
+ anyjson
+ eventlet>=0.9.12
+ PasteDeploy
diff --git a/0003-Ensure-image-owned-by-user-before-delayed_deletion.patch b/0003-Ensure-image-owned-by-user-before-delayed_deletion.patch
new file mode 100644
index 0000000..6051af9
--- /dev/null
+++ b/0003-Ensure-image-owned-by-user-before-delayed_deletion.patch
@@ -0,0 +1,32 @@
+From efd7e75b1f419a52c7103c7840e24af8e5deb29d Mon Sep 17 00:00:00 2001
+From: Brian Waldon <bcwaldon at gmail.com>
+Date: Wed, 7 Nov 2012 10:06:43 -0500
+Subject: [PATCH] Ensure image owned by user before delayed_deletion
+
+Fixes bug 1065187.
+
+Change-Id: Icf2f117a094c712bad645ef5f297e9f7da994c84
+---
+ glance/api/v1/images.py |    9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
+index 9bedf20..1a8eac8 100644
+--- a/glance/api/v1/images.py
++++ b/glance/api/v1/images.py
+@@ -727,6 +727,15 @@ class Controller(controller.BaseController):
+                                 content_type="text/plain")
+ 
+         image = self.get_image_meta_or_404(req, id)
++
++        if not (req.context.is_admin
++                or image['owner'] == None
++                or image['owner'] == req.context.owner):
++            msg = _("Unable to delete image you do not own")
++            logger.debug(msg)
++            raise HTTPForbidden(msg, request=req,
++                                content_type="text/plain")
++
+         if image['protected']:
+             msg = _("Image is protected")
+             logger.debug(msg)
diff --git a/0002-Don-t-access-the-net-while-building-docs.patch b/0004-Don-t-access-the-net-while-building-docs.patch
similarity index 92%
rename from 0002-Don-t-access-the-net-while-building-docs.patch
rename to 0004-Don-t-access-the-net-while-building-docs.patch
index 1951d9a..8104a2f 100644
--- a/0002-Don-t-access-the-net-while-building-docs.patch
+++ b/0004-Don-t-access-the-net-while-building-docs.patch
@@ -1,4 +1,4 @@
-From d9c185d12021cef968f5bba529b3cb0a3570222b Mon Sep 17 00:00:00 2001
+From 7d8791aef55b5c4e148f0c17cd6e614ce20e1309 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
 Date: Fri, 6 Jan 2012 17:12:54 +0000
 Subject: [PATCH] Don't access the net while building docs
diff --git a/0003-Support-DB-auto-create-suppression.patch b/0005-Support-DB-auto-create-suppression.patch
similarity index 99%
rename from 0003-Support-DB-auto-create-suppression.patch
rename to 0005-Support-DB-auto-create-suppression.patch
index e46b91d..3f6f774 100644
--- a/0003-Support-DB-auto-create-suppression.patch
+++ b/0005-Support-DB-auto-create-suppression.patch
@@ -1,4 +1,4 @@
-From 589235405cb0b2a633af7d41a6450f1a61e554c9 Mon Sep 17 00:00:00 2001
+From 510fbfede44378e5d80475b428c7117172a6b2e6 Mon Sep 17 00:00:00 2001
 From: Eoghan Glynn <eglynn at redhat.com>
 Date: Fri, 18 May 2012 14:23:41 +0100
 Subject: [PATCH] Support DB auto-create suppression.
diff --git a/openstack-glance.spec b/openstack-glance.spec
index 5474db0..adc76db 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -1,6 +1,6 @@
 Name:             openstack-glance
 Version:          2012.1.2
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          OpenStack Image Service
 
 Group:            Applications/System
@@ -17,8 +17,10 @@ Source3:          openstack-glance.logrotate
 # patches_base=2012.1.2
 #
 #Patch0001: 0001-Bump-version-to-2012.1.3.patch
-Patch0002: 0002-Don-t-access-the-net-while-building-docs.patch
-Patch0003: 0003-Support-DB-auto-create-suppression.patch
+#Patch0002: 0002-pin-sqlalchemy-to-the-0.7-series.patch
+Patch0003: 0003-Ensure-image-owned-by-user-before-delayed_deletion.patch
+Patch0004: 0004-Don-t-access-the-net-while-building-docs.patch
+Patch0005: 0005-Support-DB-auto-create-suppression.patch
 
 # EPEL specific
 Patch100:         openstack-glance-newdeps.patch
@@ -102,8 +104,10 @@ This package contains documentation files for glance.
 %setup -q -n glance-%{version}
 
 #%patch0001 -p1
-%patch0002 -p1
+#%patch0002 -p1
 %patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
 
 %patch100 -p1
 %patch101 -p1
@@ -234,6 +238,9 @@ fi
 %doc doc/build/html
 
 %changelog
+* Mon Nov 12 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.2-2
+- Fix Glance Authentication bypass for image deletion (CVE-2012-4573)
+
 * Mon Nov 12 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.2-1
 - Update to stable/essex 2012.1.2 including...
 - Support zero-size image creation via the v1 API

More information about the scm-commits mailing list