[openstack-glance/f18] Security fix realted to CVE-2013-0212
Nikola Dipanov
ndipanov at fedoraproject.org
Tue Jan 29 15:29:50 UTC 2013
commit 509291f0166c033ff29157e069902cfc0abf337e
Author: Nikola Dipanov <ndipanov at redhat.com>
Date: Tue Jan 29 15:28:32 2013 +0100
Security fix related to CVE-2013-0212
...end_password_leak_in_Glance_error_message.patch | 75 ++++++++++++++++++++
openstack-glance.spec | 7 ++-
2 files changed, 81 insertions(+), 1 deletions(-)
---
diff --git a/0002-Backend_password_leak_in_Glance_error_message.patch b/0002-Backend_password_leak_in_Glance_error_message.patch
new file mode 100644
index 0000000..88febc8
--- /dev/null
+++ b/0002-Backend_password_leak_in_Glance_error_message.patch
@@ -0,0 +1,75 @@
+diff --git a/glance/store/swift.py b/glance/store/swift.py
+index 59f0f57..64ef21b 100644
+--- a/glance/store/swift.py
++++ b/glance/store/swift.py
+@@ -136,7 +136,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+ "like so: "
+ "swift+http://user:pass@authurl.com/v1/container/obj"
+ )
+- LOG.error(_("Invalid store uri %(uri)s: %(reason)s") % locals())
++ LOG.error(_("Invalid store URI: %(reason)s") % locals())
+ raise exception.BadStoreUri(message=reason)
+
+ pieces = urlparse.urlparse(uri)
+@@ -162,8 +162,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+ if creds:
+ cred_parts = creds.split(':')
+ if len(cred_parts) != 2:
+- reason = (_("Badly formed credentials '%(creds)s' in Swift "
+- "URI") % locals())
++ reason = (_("Badly formed credentials in Swift URI."))
+ LOG.error(reason)
+ raise exception.BadStoreUri()
+ user, key = cred_parts
+@@ -181,7 +180,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+ path_parts.insert(0, netloc)
+ self.auth_or_store_url = '/'.join(path_parts)
+ except IndexError:
+- reason = _("Badly formed Swift URI: %s") % uri
++ reason = _("Badly formed Swift URI.")
+ LOG.error(reason)
+ raise exception.BadStoreUri()
+
+@@ -293,8 +292,8 @@ class Store(glance.store.base.Store):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.NOT_FOUND:
+ uri = location.get_store_uri()
+- raise exception.NotFound(_("Swift could not find image at "
+- "uri %(uri)s") % locals())
++ msg = _("Swift could not find image at URI.")
++ raise exception.NotFound(msg)
+ else:
+ raise
+
+@@ -543,7 +542,7 @@ class Store(glance.store.base.Store):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.CONFLICT:
+ raise exception.Duplicate(_("Swift already has an image at "
+- "location %s") % location.get_uri())
++ "this location."))
+ msg = (_("Failed to add object to Swift.\n"
+ "Got error from Swift: %(e)s") % locals())
+ LOG.error(msg)
+@@ -596,8 +595,8 @@ class Store(glance.store.base.Store):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.NOT_FOUND:
+ uri = location.get_store_uri()
+- raise exception.NotFound(_("Swift could not find image at "
+- "uri %(uri)s") % locals())
++ msg = _("Swift could not find image at URI.")
++ raise exception.NotFound(msg)
+ else:
+ raise
+
+@@ -637,8 +636,8 @@ class Store(glance.store.base.Store):
+ except swiftclient.ClientException, e:
+ if e.http_status == httplib.NOT_FOUND:
+ uri = location.get_store_uri()
+- raise exception.NotFound(_("Swift could not find image at "
+- "uri %(uri)s") % locals())
++ msg = _("Swift could not find image at URI.")
++ raise exception.NotFound(msg)
+ else:
+ raise
+
+
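Review bot: The redaction still leaves the credential-bearing value in scope beside `% locals()` formatting: in the first swift.py hunk, `LOG.error(_("Invalid store URI: %(reason)s") % locals())` hands every local, `uri` included, to the format operation, so a later edit to the message text alone could reintroduce the leak. Passing only what the message needs, `LOG.error(_("Invalid store URI: %(reason)s") % {'reason': reason})`, removes that dependency. In the three NotFound hunks (old lines 293, 596 and 637) the context line `uri = location.get_store_uri()` is now unused and can be deleted. The Duplicate hunk keeps `"Got error from Swift: %(e)s") % locals()`; whether the client exception text can carry the authenticated URL is not visible here and is worth confirming. All of the enclosing methods begin and end outside the hunks shown.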
diff --git a/openstack-glance.spec b/openstack-glance.spec
index 6d296af..bf8a8d7 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -3,7 +3,7 @@
#
Name: openstack-glance
Version: 2012.2.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenStack Image Service
Group: Applications/System
@@ -18,6 +18,7 @@ Source3: openstack-glance.logrotate
# patches_base=2012.2.1
#
Patch0001: 0001-Don-t-access-the-net-while-building-docs.patch
+Patch0002: 0002-Backend_password_leak_in_Glance_error_message.patch
BuildArch: noarch
BuildRequires: python2-devel
@@ -102,6 +103,7 @@ This package contains documentation files for glance.
%setup -q -n glance-%{version}
%patch0001 -p1
+%patch0002 -p1
# Remove bundled egg-info
rm -rf glance.egg-info
@@ -269,6 +271,9 @@ fi
%doc doc/build/html
%changelog
+* Tue Jan 29 2013 Nikola Đipanov <ndipanov at redhat.com> 2012.2.1-2
+- Fix backend password leak in Glance error message (CVE-2013-0212)
+
* Wed Jan 23 2013 Martin Magr <mmagr at redhat.com> - 2012.2.1-1
- Added python-keystone requirement