[openstack-glance] Security fix related to CVE-2013-0212

Nikola Dipanov ndipanov at fedoraproject.org
Tue Jan 29 15:28:58 UTC 2013


commit 2535b3090716ef5c2c50d47bdf03e2160c1fe9fa
Author: Nikola Dipanov <ndipanov at redhat.com>
Date:   Tue Jan 29 15:28:32 2013 +0100

    Security fix related to CVE-2013-0212

 ...end_password_leak_in_Glance_error_message.patch |   76 ++++++++++++++++++++
 openstack-glance.spec                              |    7 ++-
 2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/0002-Backend_password_leak_in_Glance_error_message.patch b/0002-Backend_password_leak_in_Glance_error_message.patch
new file mode 100644
index 0000000..afc802b
--- /dev/null
+++ b/0002-Backend_password_leak_in_Glance_error_message.patch
@@ -0,0 +1,76 @@
+diff --git a/glance/store/swift.py b/glance/store/swift.py
+index 2899fce..dfe3696 100644
+--- a/glance/store/swift.py
++++ b/glance/store/swift.py
+@@ -136,7 +136,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+                        ", you need to change it to use the "
+                        "swift+http:// scheme, like so: "
+                        "swift+http://user:pass@authurl.com/v1/container/obj")
+-            LOG.debug(_("Invalid store uri %(uri)s: %(reason)s") % locals())
++            LOG.debug(_("Invalid store URI: %(reason)s") % locals())
+             raise exception.BadStoreUri(message=reason)
+ 
+         pieces = urlparse.urlparse(uri)
+@@ -162,8 +162,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+         if creds:
+             cred_parts = creds.split(':')
+             if len(cred_parts) != 2:
+-                reason = (_("Badly formed credentials '%(creds)s' in Swift "
+-                            "URI") % locals())
++                reason = (_("Badly formed credentials in Swift URI."))
+                 LOG.debug(reason)
+                 raise exception.BadStoreUri()
+             user, key = cred_parts
+@@ -181,7 +180,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+                 path_parts.insert(0, netloc)
+                 self.auth_or_store_url = '/'.join(path_parts)
+         except IndexError:
+-            reason = _("Badly formed Swift URI: %s") % uri
++            reason = _("Badly formed Swift URI.")
+             LOG.debug(reason)
+             raise exception.BadStoreUri()
+ 
+@@ -241,8 +240,8 @@ class BaseStore(glance.store.base.Store):
+         except swiftclient.ClientException, e:
+             if e.http_status == httplib.NOT_FOUND:
+                 uri = location.get_uri()
+-                raise exception.NotFound(_("Swift could not find image at "
+-                                           "uri %(uri)s") % locals())
++                msg = _("Swift could not find image at URI.")
++                raise exception.NotFound(msg)
+             else:
+                 raise
+ 
+@@ -375,8 +374,7 @@ class BaseStore(glance.store.base.Store):
+         except swiftclient.ClientException, e:
+             if e.http_status == httplib.CONFLICT:
+                 raise exception.Duplicate(_("Swift already has an image at "
+-                                            "location %s") %
+-                                          location.get_uri())
++                                            "this location"))
+             msg = (_("Failed to add object to Swift.\n"
+                      "Got error from Swift: %(e)s") % locals())
+             LOG.error(msg)
+@@ -419,8 +417,8 @@ class BaseStore(glance.store.base.Store):
+         except swiftclient.ClientException, e:
+             if e.http_status == httplib.NOT_FOUND:
+                 uri = location.get_uri()
+-                raise exception.NotFound(_("Swift could not find image at "
+-                                           "uri %(uri)s") % locals())
++                msg = _("Swift could not find image at URI.")
++                raise exception.NotFound(msg)
+             else:
+                 raise
+ 
+@@ -578,8 +576,8 @@ class MultiTenantStore(BaseStore):
+         except swiftclient.ClientException, e:
+             if e.http_status == httplib.NOT_FOUND:
+                 uri = location.get_uri()
+-                raise exception.NotFound(_("Swift could not find image at "
+-                                           "uri %(uri)s") % locals())
++                msg = _("Swift could not find image at URI.")
++                raise exception.NotFound(msg)
+             else:
+                 raise
+ 
+
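Review bot: The `uri = location.get_uri()` assignment kept as context in the three NOT_FOUND handlers (embedded hunks at -241, -419 and -578 of glance/store/swift.py) is now dead, so the credential-bearing URI is still fetched into a local that nothing reads; those lines should be dropped so a later `% locals()` format cannot pick the value up again. The same hazard remains in `LOG.debug(_("Invalid store URI: %(reason)s") % locals())` and in the `Got error from Swift: %(e)s` message, which would be safer with an explicit mapping such as `% {'reason': reason}`. It is not visible here whether `str(e)` for a swiftclient ClientException includes the request URL, so that is worth confirming before treating the `LOG.error(msg)` path as clean. The enclosing methods begin and end outside these hunks.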
diff --git a/openstack-glance.spec b/openstack-glance.spec
index cbeb95d..a0e6de4 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -1,6 +1,6 @@
 Name:             openstack-glance
 Version:          2013.1
-Release:          0.2.g2%{?dist}
+Release:          0.3.g2%{?dist}
 Summary:          OpenStack Image Service
 
 Group:            Applications/System
@@ -15,6 +15,7 @@ Source3:          openstack-glance.logrotate
 # patches_base=grizzly-2
 #
 Patch0001: 0001-Don-t-access-the-net-while-building-docs.patch
+Patch0002: 0002-Backend_password_leak_in_Glance_error_message.patch
 
 BuildArch:        noarch
 BuildRequires:    python2-devel
@@ -98,6 +99,7 @@ This package contains documentation files for glance.
 %setup -q -n glance-%{version}
 
 %patch0001 -p1
+%patch0002 -p1
 
 # Remove bundled egg-info
 rm -rf glance.egg-info
@@ -265,6 +267,9 @@ fi
 %doc doc/build/html
 
 %changelog
+* Tue Jan 29 2013 Nikola Đipanov <ndipanov at redhat.com> 2013.1-0.3.g2
+- Fix backend password leak in Glance error message (CVE-2013-0212)
+
 * Fri Jan 11 2013 Nikola Đipanov <ndipanov at redhat.com> 2013.1-0.2.g2
 - Update to Grizzlt milestone 2
 

