[openstack-glance/el6-havana] Fix for CVE-2014-0162

Flavio Percoco flaper87 at fedoraproject.org
Mon Apr 14 08:58:03 UTC 2014


commit d90454bd0584efb3d75d89ce0b40824816f5dd67
Author: Flavio Percoco <flaper87 at gmail.com>
Date:   Mon Apr 14 10:56:10 2014 +0200

    Fix for CVE-2014-0162

 ...-Don-t-access-the-net-while-building-docs.patch |    4 +-
 ...-parallel-install-versions-of-epel-packag.patch |    4 +-
 ...d-the-uneeded-dependency-on-Crypto.Random.patch |    4 +-
 0004-Avoid-NULLs-in-crypto-padding.patch           |    4 +-
 0005-Remove-runtime-dep-on-python-pbr.patch        |    4 +-
 ...t-remote-code-injection-on-Sheepdog-store.patch |  221 ++++++++++++++++++++
 openstack-glance.spec                              |    7 +-
 7 files changed, 237 insertions(+), 11 deletions(-)
---
diff --git a/0001-Don-t-access-the-net-while-building-docs.patch b/0001-Don-t-access-the-net-while-building-docs.patch
index 940acaf..3aeedaf 100644
--- a/0001-Don-t-access-the-net-while-building-docs.patch
+++ b/0001-Don-t-access-the-net-while-building-docs.patch
@@ -8,8 +8,8 @@ Subject: [PATCH] Don't access the net while building docs
 Change-Id: I42c6e3a5062db209a0abe00cebc04d383c79cbcb
 (cherry picked from commit f2b4bb4e45afcc178200966193a7b87401c534d7)
 ---
- doc/source/conf.py |    1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
+ doc/source/conf.py | 1 -
+ 1 file changed, 1 deletion(-)
 
 diff --git a/doc/source/conf.py b/doc/source/conf.py
 index 04f4ebe..8ceeb43 100644
diff --git a/0002-Use-updated-parallel-install-versions-of-epel-packag.patch b/0002-Use-updated-parallel-install-versions-of-epel-packag.patch
index 0ae600e..6cfdd1c 100644
--- a/0002-Use-updated-parallel-install-versions-of-epel-packag.patch
+++ b/0002-Use-updated-parallel-install-versions-of-epel-packag.patch
@@ -11,8 +11,8 @@ Delve into pkg_resources a little to get it to modify sys.path,
 so that our parallel installed egg takes precedence over the
 system default module versions.
 ---
- glance/__init__.py |   32 ++++++++++++++++++++++++++++++++
- 1 files changed, 32 insertions(+), 0 deletions(-)
+ glance/__init__.py | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
 
 diff --git a/glance/__init__.py b/glance/__init__.py
 index b606957..dd75292 100644
diff --git a/0003-avoid-the-uneeded-dependency-on-Crypto.Random.patch b/0003-avoid-the-uneeded-dependency-on-Crypto.Random.patch
index eb131f8..e487da0 100644
--- a/0003-avoid-the-uneeded-dependency-on-Crypto.Random.patch
+++ b/0003-avoid-the-uneeded-dependency-on-Crypto.Random.patch
@@ -12,8 +12,8 @@ but I'm leaving that as is for now:
 http://www.codekoala.com/blog/2009/aes-encryption-python-using-pycrypto/#comment-25921785
 http://eli.thegreenplace.net/2010/06/25/aes-encryption-of-files-in-python-with-pycrypto/
 ---
- glance/common/crypt.py |    8 ++------
- 1 files changed, 2 insertions(+), 6 deletions(-)
+ glance/common/crypt.py | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
 
 diff --git a/glance/common/crypt.py b/glance/common/crypt.py
 index ee5f2dd..ef6496b 100644
diff --git a/0004-Avoid-NULLs-in-crypto-padding.patch b/0004-Avoid-NULLs-in-crypto-padding.patch
index 683367d..ff40d8c 100644
--- a/0004-Avoid-NULLs-in-crypto-padding.patch
+++ b/0004-Avoid-NULLs-in-crypto-padding.patch
@@ -17,8 +17,8 @@ Reviewed-on: https://code.engineering.redhat.com/gerrit/2809
 Reviewed-by: Nikola Dipanov <ndipanov at redhat.com>
 Tested-by: Nikola Dipanov <ndipanov at redhat.com>
 ---
- glance/common/crypt.py |    7 ++++++-
- 1 files changed, 6 insertions(+), 1 deletions(-)
+ glance/common/crypt.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/glance/common/crypt.py b/glance/common/crypt.py
 index ef6496b..3874de7 100644
diff --git a/0005-Remove-runtime-dep-on-python-pbr.patch b/0005-Remove-runtime-dep-on-python-pbr.patch
index 16ebca1..8ec04e5 100644
--- a/0005-Remove-runtime-dep-on-python-pbr.patch
+++ b/0005-Remove-runtime-dep-on-python-pbr.patch
@@ -4,8 +4,8 @@ Date: Wed, 18 Sep 2013 19:18:43 -1000
 Subject: [PATCH] Remove runtime dep on python pbr
 
 ---
- glance/version.py |   29 +++++++++++++++++++++++++++--
- 1 files changed, 27 insertions(+), 2 deletions(-)
+ glance/version.py | 29 +++++++++++++++++++++++++++--
+ 1 file changed, 27 insertions(+), 2 deletions(-)
 
 diff --git a/glance/version.py b/glance/version.py
 index d815183..9e20ed0 100644
diff --git a/0006-To-prevent-remote-code-injection-on-Sheepdog-store.patch b/0006-To-prevent-remote-code-injection-on-Sheepdog-store.patch
new file mode 100644
index 0000000..457a86f
--- /dev/null
+++ b/0006-To-prevent-remote-code-injection-on-Sheepdog-store.patch
@@ -0,0 +1,221 @@
+From a47df53d823c85bbae09063605fde6dad9a00c95 Mon Sep 17 00:00:00 2001
+From: Zhi Yan Liu <zhiyanl at cn.ibm.com>
+Date: Sat, 29 Mar 2014 03:35:35 +0800
+Subject: [PATCH] To prevent remote code injection on Sheepdog store
+
+Change-Id: Iae92eaf9eb023f36a1bab7c20ea41c985f2bf51b
+Signed-off-by: Zhi Yan Liu <zhiyanl at cn.ibm.com>
+(cherry picked from commit 13069a4017d36a549576a21ca3ec5b15c411effc)
+(cherry picked from commit 4db73ac4417ee012915ff109e1ca3e60036d5388)
+---
+ glance/store/sheepdog.py                 | 61 ++++++++++++++++++--------------
+ glance/tests/unit/test_sheepdog_store.py |  3 +-
+ glance/tests/unit/test_store_location.py | 13 ++++---
+ 3 files changed, 45 insertions(+), 32 deletions(-)
+
+diff --git a/glance/store/sheepdog.py b/glance/store/sheepdog.py
+index d10aea7..2f75441 100644
+--- a/glance/store/sheepdog.py
++++ b/glance/store/sheepdog.py
+@@ -25,6 +25,7 @@ from glance.common import exception
+ from glance.openstack.common import excutils
+ import glance.openstack.common.log as logging
+ from glance.openstack.common import processutils
++from glance.openstack.common import uuidutils
+ import glance.store
+ import glance.store.base
+ import glance.store.location
+@@ -32,7 +33,7 @@ import glance.store.location
+ 
+ LOG = logging.getLogger(__name__)
+ 
+-DEFAULT_ADDR = 'localhost'
++DEFAULT_ADDR = '127.0.0.1'
+ DEFAULT_PORT = '7000'
+ DEFAULT_CHUNKSIZE = 64  # in MiB
+ 
+@@ -63,18 +64,14 @@ class SheepdogImage:
+         self.chunk_size = chunk_size
+ 
+     def _run_command(self, command, data, *params):
+-        cmd = ("collie vdi %(command)s -a %(addr)s -p %(port)s %(name)s "
+-               "%(params)s" %
+-               {"command": command,
+-                "addr": self.addr,
+-                "port": self.port,
+-                "name": self.name,
+-                "params": " ".join(map(str, params))})
++        cmd = ["collie", "vdi"]
++        cmd.extend(command)
++        cmd.extend(["-a", self.addr, "-p", self.port, self.name])
++        cmd.extend(params)
+ 
+         try:
+-            return processutils.execute(
+-                cmd, process_input=data, shell=True)[0]
+-        except processutils.ProcessExecutionError as exc:
++            return processutils.execute(*cmd, process_input=data)[0]
++        except (processutils.ProcessExecutionError, OSError) as exc:
+             LOG.error(exc)
+             raise glance.store.BackendException(exc)
+ 
+@@ -84,7 +81,7 @@ class SheepdogImage:
+ 
+         Sheepdog Usage: collie vdi list -r -a address -p port image
+         """
+-        out = self._run_command("list -r", None)
++        out = self._run_command(["list", "-r"], None)
+         return long(out.split(' ')[3])
+ 
+     def read(self, offset, count):
+@@ -94,7 +91,7 @@ class SheepdogImage:
+ 
+         Sheepdog Usage: collie vdi read -a address -p port image offset len
+         """
+-        return self._run_command("read", None, str(offset), str(count))
++        return self._run_command(["read"], None, str(offset), str(count))
+ 
+     def write(self, data, offset, count):
+         """
+@@ -103,7 +100,7 @@ class SheepdogImage:
+ 
+         Sheepdog Usage: collie vdi write -a address -p port image offset len
+         """
+-        self._run_command("write", data, str(offset), str(count))
++        self._run_command(["write"], data, str(offset), str(count))
+ 
+     def create(self, size):
+         """
+@@ -111,7 +108,7 @@ class SheepdogImage:
+ 
+         Sheepdog Usage: collie vdi create -a address -p port image size
+         """
+-        self._run_command("create", None, str(size))
++        self._run_command(["create"], None, str(size))
+ 
+     def delete(self):
+         """
+@@ -119,7 +116,7 @@ class SheepdogImage:
+ 
+         Sheepdog Usage: collie vdi delete -a address -p port image
+         """
+-        self._run_command("delete", None)
++        self._run_command(["delete"], None)
+ 
+     def exist(self):
+         """
+@@ -127,7 +124,7 @@ class SheepdogImage:
+ 
+         Sheepdog Usage: collie vdi list -r -a address -p port image
+         """
+-        out = self._run_command("list -r", None)
++        out = self._run_command(["list", "-r"], None)
+         if not out:
+             return False
+         else:
+@@ -138,7 +135,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+     """
+     Class describing a Sheepdog URI. This is of the form:
+ 
+-        sheepdog://image
++        sheepdog://image-id
+ 
+     """
+ 
+@@ -149,10 +146,14 @@ class StoreLocation(glance.store.location.StoreLocation):
+         return "sheepdog://%s" % self.image
+ 
+     def parse_uri(self, uri):
+-        if not uri.startswith('sheepdog://'):
+-            raise exception.BadStoreUri(uri, "URI must start with %s://" %
+-                                        'sheepdog')
+-        self.image = uri[11:]
++        valid_schema = 'sheepdog://'
++        if not uri.startswith(valid_schema):
++            raise exception.BadStoreUri(_("URI must start with %s://") %
++                                        valid_schema)
++        self.image = uri[len(valid_schema):]
++        if not uuidutils.is_uuid_like(self.image):
++            raise exception.BadStoreUri(_("URI must contains well-formated "
++                                          "image id"))
+ 
+ 
+ class ImageIterator(object):
+@@ -192,7 +193,7 @@ class Store(glance.store.base.Store):
+ 
+         try:
+             self.chunk_size = CONF.sheepdog_store_chunk_size * 1024 * 1024
+-            self.addr = CONF.sheepdog_store_address
++            self.addr = CONF.sheepdog_store_address.strip()
+             self.port = CONF.sheepdog_store_port
+         except cfg.ConfigFileValueError as e:
+             reason = _("Error in store configuration: %s") % e
+@@ -200,10 +201,18 @@ class Store(glance.store.base.Store):
+             raise exception.BadStoreConfiguration(store_name='sheepdog',
+                                                   reason=reason)
+ 
++        if ' ' in self.addr:
++            reason = (_("Invalid address configuration of sheepdog store: %s")
++                      % self.addr)
++            LOG.error(reason)
++            raise exception.BadStoreConfiguration(store_name='sheepdog',
++                                                  reason=reason)
++
+         try:
+-            processutils.execute("collie", shell=True)
+-        except processutils.ProcessExecutionError as exc:
+-            reason = _("Error in store configuration: %s") % exc
++            cmd = ["collie", "vdi", "list", "-a", self.addr, "-p", self.port]
++            processutils.execute(*cmd)
++        except Exception as e:
++            reason = _("Error in store configuration: %s") % e
+             LOG.error(reason)
+             raise exception.BadStoreConfiguration(store_name='sheepdog',
+                                                   reason=reason)
+diff --git a/glance/tests/unit/test_sheepdog_store.py b/glance/tests/unit/test_sheepdog_store.py
+index 8eef86b..bea7e29 100644
+--- a/glance/tests/unit/test_sheepdog_store.py
++++ b/glance/tests/unit/test_sheepdog_store.py
+@@ -57,4 +57,5 @@ class TestStore(base.StoreClearingUnitTest):
+                           'fake_image_id',
+                           utils.LimitingReader(StringIO.StringIO('xx'), 1),
+                           2)
+-        self.assertEqual(called_commands, ['list -r', 'create', 'delete'])
++        self.assertEqual([['list', '-r'], ['create'], ['delete']],
++                         called_commands)
+diff --git a/glance/tests/unit/test_store_location.py b/glance/tests/unit/test_store_location.py
+index 7eec171..2464ebb 100644
+--- a/glance/tests/unit/test_store_location.py
++++ b/glance/tests/unit/test_store_location.py
+@@ -52,7 +52,7 @@ class TestStoreLocation(base.StoreClearingUnitTest):
+             'rbd://imagename',
+             'rbd://fsid/pool/image/snap',
+             'rbd://%2F/%2F/%2F/%2F',
+-            'sheepdog://imagename',
++            'sheepdog://244e75f1-9c69-4167-9db7-1aa7d1973f6c',
+             'cinder://12345678-9012-3455-6789-012345678901',
+         ]
+ 
+@@ -367,15 +367,18 @@ class TestStoreLocation(base.StoreClearingUnitTest):
+         """
+         Test the specific StoreLocation for the Sheepdog store
+         """
+-        uri = 'sheepdog://imagename'
++        uri = 'sheepdog://244e75f1-9c69-4167-9db7-1aa7d1973f6c'
+         loc = glance.store.sheepdog.StoreLocation({})
+         loc.parse_uri(uri)
+-        self.assertEqual('imagename', loc.image)
++        self.assertEqual('244e75f1-9c69-4167-9db7-1aa7d1973f6c', loc.image)
+ 
+-        bad_uri = 'sheepdog:/image'
++        bad_uri = 'sheepdog:/244e75f1-9c69-4167-9db7-1aa7d1973f6c'
+         self.assertRaises(exception.BadStoreUri, loc.parse_uri, bad_uri)
+ 
+-        bad_uri = 'http://image'
++        bad_uri = 'http://244e75f1-9c69-4167-9db7-1aa7d1973f6c'
++        self.assertRaises(exception.BadStoreUri, loc.parse_uri, bad_uri)
++
++        bad_uri = 'image; name'
+         self.assertRaises(exception.BadStoreUri, loc.parse_uri, bad_uri)
+ 
+     def test_cinder_store_good_location(self):
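Review bot: The address validation added in `Store.configure_add` (`if ' ' in self.addr:`) only rejects a literal space after `.strip()`, so a tab, newline or other whitespace in `sheepdog_store_address` still passes; since `processutils.execute(*cmd)` is now argv-based with no shell, this check is defence in depth rather than the fix itself, but if it is meant to validate the address it should read `if any(ch.isspace() for ch in self.addr):`, and `self.port` is passed through with no equivalent check at all. The `configure_add` method starts before the inner `@@ -192,7 +193,7` hunk and its `try` block around `CONF.sheepdog_store_address` is cut at that hunk's edge, so the surrounding error handling is not visible here. Separately, the new `uuidutils.is_uuid_like` check in `parse_uri` means any pre-existing `sheepdog://<name>` location whose name is not UUID-like (the old `sheepdog://imagename` form dropped from the test at that line) will raise `BadStoreUri` after upgrade; a one-line comment above the check, e.g. `# Reject non-UUID names: the id is passed to collie as an argument, so it must be a plain image id`, and a mention of the upgrade impact in the patch description would help operators. In `_run_command`, `self.port` is placed in the argv list unchanged; this is only safe if `processutils.execute` stringifies its arguments or the option is declared as a string, which cannot be confirmed from this hunk.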
diff --git a/openstack-glance.spec b/openstack-glance.spec
index 47f2a01..35b327c 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -2,7 +2,7 @@
 
 Name:             openstack-glance
 Version:          2013.2.3
-Release:          2%{?dist}
+Release:          3%{?dist}
 Summary:          OpenStack Image Service
 
 Group:            Applications/System
@@ -30,6 +30,7 @@ Patch0002: 0002-Use-updated-parallel-install-versions-of-epel-packag.patch
 Patch0003: 0003-avoid-the-uneeded-dependency-on-Crypto.Random.patch
 Patch0004: 0004-Avoid-NULLs-in-crypto-padding.patch
 Patch0005: 0005-Remove-runtime-dep-on-python-pbr.patch
+Patch0006: 0006-To-prevent-remote-code-injection-on-Sheepdog-store.patch
 
 BuildArch:        noarch
 BuildRequires:    python2-devel
@@ -124,6 +125,7 @@ This package contains documentation files for glance.
 %patch0003 -p1
 %patch0004 -p1
 %patch0005 -p1
+%patch0006 -p1
 
 # Remove bundled egg-info
 rm -rf glance.egg-info
@@ -336,6 +338,9 @@ fi
 %doc doc/build/html
 
 %changelog
+* Mon Apr 14 2014 Flavio Percoco <flavio at redhat.com> - 2013.2.3-3
+- CVE-2014-0162
+
 * Thu Apr 10 2014 Pádraig Brady <pbrady at redhat.com> - 2013.2.3-2
 - Update to Havana stable release 2013.2.3
 

