[openstack-nova/el6-icehouse] Avoid possible timing attack in metadata api - CVE-2014-3517

Vladan Popovic vpopovic at fedoraproject.org
Tue Jul 22 16:30:02 UTC 2014 

commit 55ff34659020b24646a802b041db803c8587fefb
Author: Vladan Popovic <vpopovic at redhat.com>
Date:   Tue Jul 22 17:53:26 2014 +0200

    Avoid possible timing attack in metadata api - CVE-2014-3517

 ...id-possible-timing-attack-in-metadata-api.patch |   87 ++++++++++++++++++++
 openstack-nova.spec                                |    7 ++-
 2 files changed, 93 insertions(+), 1 deletions(-)
---
diff --git a/0007-Avoid-possible-timing-attack-in-metadata-api.patch b/0007-Avoid-possible-timing-attack-in-metadata-api.patch
new file mode 100644
index 0000000..f63ad0a
--- /dev/null
+++ b/0007-Avoid-possible-timing-attack-in-metadata-api.patch
@@ -0,0 +1,87 @@
+From 49b1a6177953e6c4766a60fee8e6fac4087f04c5 Mon Sep 17 00:00:00 2001
+From: Grant Murphy <gmurphy at redhat.com>
+Date: Tue, 8 Jul 2014 03:35:40 +0000
+Subject: [PATCH] Avoid possible timing attack in metadata api
+
+Introduce a constant time comparison function to
+nova utils for comparing authentication tokens.
+
+Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
+Closes-bug: #1325128
+(cherry picked from commit 14e52608a1ff888a211647dfdc7fb41dfa86a187)
+---
+ nova/api/metadata/handler.py |  3 ++-
+ nova/tests/test_utils.py     |  7 +++++++
+ nova/utils.py                | 19 +++++++++++++++++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index a14db67..be866ef 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -30,6 +30,7 @@ from nova import exception
+ from nova.openstack.common.gettextutils import _
+ from nova.openstack.common import log as logging
+ from nova.openstack.common import memorycache
++from nova import utils
+ from nova import wsgi
+ 
+ CACHE_EXPIRATION = 15  # in seconds
+@@ -169,7 +170,7 @@ class MetadataRequestHandler(wsgi.Application):
+             instance_id,
+             hashlib.sha256).hexdigest()
+ 
+-        if expected_signature != signature:
++        if not utils.constant_time_compare(expected_signature, signature):
+             if instance_id:
+                 LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
+                            'match the expected value: %(expected_signature)s '
+diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
+index 59d08fd..c2969a6 100644
+--- a/nova/tests/test_utils.py
++++ b/nova/tests/test_utils.py
+@@ -979,3 +979,10 @@ class VersionTestCase(test.NoDBTestCase):
+ 
+     def test_convert_version_to_tuple(self):
+         self.assertEqual(utils.convert_version_to_tuple('6.7.0'), (6, 7, 0))
++
++
++class ConstantTimeCompareTestCase(test.NoDBTestCase):
++    def test_constant_time_compare(self):
++        self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
++        self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
++        self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
+diff --git a/nova/utils.py b/nova/utils.py
+index 0c3ee94..dddf0e7 100644
+--- a/nova/utils.py
++++ b/nova/utils.py
+@@ -21,6 +21,7 @@ import contextlib
+ import datetime
+ import functools
+ import hashlib
++import hmac
+ import inspect
+ import multiprocessing
+ import os
+@@ -1170,3 +1171,21 @@ def cpu_count():
+         return multiprocessing.cpu_count()
+     except NotImplementedError:
+         return 1
++
++
++if hasattr(hmac, 'compare_digest'):
++    constant_time_compare = hmac.compare_digest
++else:
++    def constant_time_compare(first, second):
++        """Returns True if both string inputs are equal, otherwise False.
++
++        This function should take a constant amount of time regardless of
++        how many characters in the strings match.
++
++        """
++        if len(first) != len(second):
++            return False
++        result = 0
++        for x, y in zip(first, second):
++            result |= ord(x) ^ ord(y)
++        return result == 0
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 7202367..18e5050 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
 
 Name:             openstack-nova
 Version:          2014.1.1
-Release:          2%{?dist}
+Release:          3%{?dist}
 Summary:          OpenStack Compute (nova)
 
 Group:            Applications/System
@@ -59,6 +59,7 @@ Patch0003: 0003-Revert-Replace-oslo.sphinx-with-oslosphinx.patch
 Patch0004: 0004-notify-calling-process-we-are-ready-to-serve.patch
 Patch0005: 0005-Move-notification-point-to-a-better-place.patch
 Patch0006: 0006-Set-the-volume-access-mode-during-volume-attach.patch
+Patch0007: 0007-Avoid-possible-timing-attack-in-metadata-api.patch
 
 # This is EPEL specific and not upstream
 
@@ -437,6 +438,7 @@ This package contains documentation files for nova.
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
+%patch0007 -p1
 
 # Apply EPEL patch
 
@@ -902,6 +904,9 @@ fi
 %endif
 
 %changelog
+* Tue Jul 22 2014 Vladan Popovic <vpopovic at redhat.com> 2014.1.1-3
+- Avoid possible timing attack in metadata api - CVE-2014-3517
+
 * Fri Jun 27 2014 Vladan Popovic <vpopovic at redhat.com> 2014.1.1-2
 - Fixes rbd backend image size - rhbz#1112871

More information about the scm-commits mailing list