[openstack-glance] Security fix realted to CVE-2013-0212
Nikola Dipanov
ndipanov at fedoraproject.org
Tue Jan 29 15:28:58 UTC 2013
commit 2535b3090716ef5c2c50d47bdf03e2160c1fe9fa
Author: Nikola Dipanov <ndipanov at redhat.com>
Date: Tue Jan 29 15:28:32 2013 +0100
Security fix related to CVE-2013-0212
...end_password_leak_in_Glance_error_message.patch | 76 ++++++++++++++++++++
openstack-glance.spec | 7 ++-
2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/0002-Backend_password_leak_in_Glance_error_message.patch b/0002-Backend_password_leak_in_Glance_error_message.patch
new file mode 100644
index 0000000..afc802b
--- /dev/null
+++ b/0002-Backend_password_leak_in_Glance_error_message.patch
@@ -0,0 +1,76 @@
+diff --git a/glance/store/swift.py b/glance/store/swift.py
+index 2899fce..dfe3696 100644
+--- a/glance/store/swift.py
++++ b/glance/store/swift.py
+@@ -136,7 +136,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+ ", you need to change it to use the "
+ "swift+http:// scheme, like so: "
+ "swift+http://user:pass@authurl.com/v1/container/obj")
+- LOG.debug(_("Invalid store uri %(uri)s: %(reason)s") % locals())
++ LOG.debug(_("Invalid store URI: %(reason)s") % locals())
+ raise exception.BadStoreUri(message=reason)
+
+ pieces = urlparse.urlparse(uri)
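Review bot: The new debug line still formats with `% locals()`, which offers every local in scope, including `uri`, to the format string, so the fix holds only until someone adds `%(uri)s` back to the message. Passing the single value explicitly, `LOG.debug(_("Invalid store URI: %(reason)s") % {'reason': reason})`, makes the logged fields visible at the call site. The start of the `reason` string lies above the hunk, so confirm that it does not interpolate the URI itself, since `reason` is also returned to the caller through `BadStoreUri(message=reason)`. The enclosing method starts and ends outside the hunk.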
+@@ -162,8 +162,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+ if creds:
+ cred_parts = creds.split(':')
+ if len(cred_parts) != 2:
+- reason = (_("Badly formed credentials '%(creds)s' in Swift "
+- "URI") % locals())
++ reason = (_("Badly formed credentials in Swift URI."))
+ LOG.debug(reason)
+ raise exception.BadStoreUri()
+ user, key = cred_parts
+@@ -181,7 +180,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+ path_parts.insert(0, netloc)
+ self.auth_or_store_url = '/'.join(path_parts)
+ except IndexError:
+- reason = _("Badly formed Swift URI: %s") % uri
++ reason = _("Badly formed Swift URI.")
+ LOG.debug(reason)
+ raise exception.BadStoreUri()
+
+@@ -241,8 +240,8 @@ class BaseStore(glance.store.base.Store):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.NOT_FOUND:
+ uri = location.get_uri()
+- raise exception.NotFound(_("Swift could not find image at "
+- "uri %(uri)s") % locals())
++ msg = _("Swift could not find image at URI.")
++ raise exception.NotFound(msg)
+ else:
+ raise
+
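Review bot: `uri = location.get_uri()` remains directly above the new `msg` line, but nothing reads it any more. Given the `user:pass@` form shown earlier in the patch, that URI may carry credentials, and it is still built and held in a local for no purpose. Dropping the assignment removes the dead code and the chance of it being interpolated again; the same leftover appears in the two later NotFound hunks (`@@ -419,8 +417,8` and `@@ -578,8 +576,8`). The message `"Swift could not find image at URI."` also reads oddly now that no URI follows; `"Swift could not find image."` would be clearer. The enclosing method lies outside the hunk.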
+@@ -375,8 +374,7 @@ class BaseStore(glance.store.base.Store):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.CONFLICT:
+ raise exception.Duplicate(_("Swift already has an image at "
+- "location %s") %
+- location.get_uri())
++ "this location"))
+ msg = (_("Failed to add object to Swift.\n"
+ "Got error from Swift: %(e)s") % locals())
+ LOG.error(msg)
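Review bot: The context lines below the changed `Duplicate` message still log `Got error from Swift: %(e)s` at ERROR level via `% locals()`, and this commit does not address what that text can contain. Whether the string form of `swiftclient.ClientException` can include the request URL or other connection details is not visible here, so it should be checked as part of this fix. If it can, a fixed message plus `e.http_status` would be safer. Formatting with `% {'e': e}` instead of `% locals()` would also keep `location` and the other locals out of reach of the format string. The method continues outside the hunk.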
+@@ -419,8 +417,8 @@ class BaseStore(glance.store.base.Store):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.NOT_FOUND:
+ uri = location.get_uri()
+- raise exception.NotFound(_("Swift could not find image at "
+- "uri %(uri)s") % locals())
++ msg = _("Swift could not find image at URI.")
++ raise exception.NotFound(msg)
+ else:
+ raise
+
+@@ -578,8 +576,8 @@ class MultiTenantStore(BaseStore):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.NOT_FOUND:
+ uri = location.get_uri()
+- raise exception.NotFound(_("Swift could not find image at "
+- "uri %(uri)s") % locals())
++ msg = _("Swift could not find image at URI.")
++ raise exception.NotFound(msg)
+ else:
+ raise
+
+
diff --git a/openstack-glance.spec b/openstack-glance.spec
index cbeb95d..a0e6de4 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -1,6 +1,6 @@
Name: openstack-glance
Version: 2013.1
-Release: 0.2.g2%{?dist}
+Release: 0.3.g2%{?dist}
Summary: OpenStack Image Service
Group: Applications/System
@@ -15,6 +15,7 @@ Source3: openstack-glance.logrotate
# patches_base=grizzly-2
#
Patch0001: 0001-Don-t-access-the-net-while-building-docs.patch
+Patch0002: 0002-Backend_password_leak_in_Glance_error_message.patch
BuildArch: noarch
BuildRequires: python2-devel
@@ -98,6 +99,7 @@ This package contains documentation files for glance.
%setup -q -n glance-%{version}
%patch0001 -p1
+%patch0002 -p1
# Remove bundled egg-info
rm -rf glance.egg-info
@@ -265,6 +267,9 @@ fi
%doc doc/build/html
%changelog
+* Tue Jan 29 2013 Nikola Đipanov <ndipanov at redhat.com> 2013.1-0.3.g2
+- Fix backend password leak in Glance error message (CVE-2013-0212)
+
* Fri Jan 11 2013 Nikola Đipanov <ndipanov at redhat.com> 2013.1-0.2.g2
- Update to Grizzlt milestone 2