[openstack-glance/f18] Security fix realted to CVE-2013-0212

Nikola Dipanov ndipanov at fedoraproject.org
Tue Jan 29 15:29:50 UTC 2013


commit 509291f0166c033ff29157e069902cfc0abf337e
Author: Nikola Dipanov <ndipanov at redhat.com>
Date:   Tue Jan 29 15:28:32 2013 +0100

    Security fix related to CVE-2013-0212

 ...end_password_leak_in_Glance_error_message.patch |   75 ++++++++++++++++++++
 openstack-glance.spec                              |    7 ++-
 2 files changed, 81 insertions(+), 1 deletions(-)
---
diff --git a/0002-Backend_password_leak_in_Glance_error_message.patch b/0002-Backend_password_leak_in_Glance_error_message.patch
new file mode 100644
index 0000000..88febc8
--- /dev/null
+++ b/0002-Backend_password_leak_in_Glance_error_message.patch
@@ -0,0 +1,75 @@
+diff --git a/glance/store/swift.py b/glance/store/swift.py
+index 59f0f57..64ef21b 100644
+--- a/glance/store/swift.py
++++ b/glance/store/swift.py
+@@ -136,7 +136,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+                     "like so: "
+                     "swift+http://user:pass@authurl.com/v1/container/obj"
+                     )
+-            LOG.error(_("Invalid store uri %(uri)s: %(reason)s") % locals())
++            LOG.error(_("Invalid store URI: %(reason)s") % locals())
+             raise exception.BadStoreUri(message=reason)
+ 
+         pieces = urlparse.urlparse(uri)
+@@ -162,8 +162,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+         if creds:
+             cred_parts = creds.split(':')
+             if len(cred_parts) != 2:
+-                reason = (_("Badly formed credentials '%(creds)s' in Swift "
+-                            "URI") % locals())
++                reason = (_("Badly formed credentials in Swift URI."))
+                 LOG.error(reason)
+                 raise exception.BadStoreUri()
+             user, key = cred_parts
+@@ -181,7 +180,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+                 path_parts.insert(0, netloc)
+                 self.auth_or_store_url = '/'.join(path_parts)
+         except IndexError:
+-            reason = _("Badly formed Swift URI: %s") % uri
++            reason = _("Badly formed Swift URI.")
+             LOG.error(reason)
+             raise exception.BadStoreUri()
+ 
+@@ -293,8 +292,8 @@ class Store(glance.store.base.Store):
+         except swiftclient.ClientException, e:
+             if e.http_status == httplib.NOT_FOUND:
+                 uri = location.get_store_uri()
+-                raise exception.NotFound(_("Swift could not find image at "
+-                                         "uri %(uri)s") % locals())
++                msg = _("Swift could not find image at URI.")
++                raise exception.NotFound(msg)
+             else:
+                 raise
+ 
+@@ -543,7 +542,7 @@ class Store(glance.store.base.Store):
+         except swiftclient.ClientException, e:
+             if e.http_status == httplib.CONFLICT:
+                 raise exception.Duplicate(_("Swift already has an image at "
+-                                          "location %s") % location.get_uri())
++                                          "this location."))
+             msg = (_("Failed to add object to Swift.\n"
+                      "Got error from Swift: %(e)s") % locals())
+             LOG.error(msg)
+@@ -596,8 +595,8 @@ class Store(glance.store.base.Store):
+         except swiftclient.ClientException, e:
+             if e.http_status == httplib.NOT_FOUND:
+                 uri = location.get_store_uri()
+-                raise exception.NotFound(_("Swift could not find image at "
+-                                         "uri %(uri)s") % locals())
++                msg = _("Swift could not find image at URI.")
++                raise exception.NotFound(msg)
+             else:
+                 raise
+ 
+@@ -637,8 +636,8 @@ class Store(glance.store.base.Store):
+             except swiftclient.ClientException, e:
+                 if e.http_status == httplib.NOT_FOUND:
+                     uri = location.get_store_uri()
+-                    raise exception.NotFound(_("Swift could not find image at "
+-                                             "uri %(uri)s") % locals())
++                    msg = _("Swift could not find image at URI.")
++                    raise exception.NotFound(msg)
+                 else:
+                     raise
+ 
+
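Review bot: The log call in the first swift.py hunk, `LOG.error(_("Invalid store URI: %(reason)s") % locals())`, still formats with `locals()`, so the credential-bearing `uri` remains reachable from the format string. A later edit or a translated message that names `%(uri)s` would print it again, and an explicit mapping such as `LOG.error(_("Invalid store URI: %(reason)s") % {'reason': reason})` closes that path. The same pattern remains in the hunk at line 543 (`"Got error from Swift: %(e)s" % locals()`), where it is also worth confirming that the swiftclient exception text cannot carry the auth URL, which is not visible here. In the three NotFound handlers (hunks at 293, 596 and 637) the line `uri = location.get_store_uri()` is now unused and can be dropped so the full store URI is no longer held in a local. The enclosing methods begin and end outside these hunks.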
diff --git a/openstack-glance.spec b/openstack-glance.spec
index 6d296af..bf8a8d7 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -3,7 +3,7 @@
 #
 Name:             openstack-glance
 Version:          2012.2.1
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          OpenStack Image Service
 
 Group:            Applications/System
@@ -18,6 +18,7 @@ Source3:          openstack-glance.logrotate
 # patches_base=2012.2.1
 #
 Patch0001: 0001-Don-t-access-the-net-while-building-docs.patch
+Patch0002: 0002-Backend_password_leak_in_Glance_error_message.patch
 
 BuildArch:        noarch
 BuildRequires:    python2-devel
@@ -102,6 +103,7 @@ This package contains documentation files for glance.
 %setup -q -n glance-%{version}
 
 %patch0001 -p1
+%patch0002 -p1
 
 # Remove bundled egg-info
 rm -rf glance.egg-info
@@ -269,6 +271,9 @@ fi
 %doc doc/build/html
 
 %changelog
+* Tue Jan 29 2013 Nikola Đipanov <ndipanov at redhat.com> 2012.2.1-2
+- Fix backend password leak in Glance error message (CVE-2013-0212)
+
 * Wed Jan 23 2013 Martin Magr <mmagr at redhat.com> - 2012.2.1-1
 - Added python-keystone requirement
 

