[openstack-nova/el6-icehouse] Avoid possible timing attack in metadata api - CVE-2014-3517
Vladan Popovic
vpopovic at fedoraproject.org
Tue Jul 22 16:30:02 UTC 2014
commit 55ff34659020b24646a802b041db803c8587fefb
Author: Vladan Popovic <vpopovic at redhat.com>
Date: Tue Jul 22 17:53:26 2014 +0200
Avoid possible timing attack in metadata api - CVE-2014-3517
...id-possible-timing-attack-in-metadata-api.patch | 87 ++++++++++++++++++++
openstack-nova.spec | 7 ++-
2 files changed, 93 insertions(+), 1 deletions(-)
---
diff --git a/0007-Avoid-possible-timing-attack-in-metadata-api.patch b/0007-Avoid-possible-timing-attack-in-metadata-api.patch
new file mode 100644
index 0000000..f63ad0a
--- /dev/null
+++ b/0007-Avoid-possible-timing-attack-in-metadata-api.patch
@@ -0,0 +1,87 @@
+From 49b1a6177953e6c4766a60fee8e6fac4087f04c5 Mon Sep 17 00:00:00 2001
+From: Grant Murphy <gmurphy at redhat.com>
+Date: Tue, 8 Jul 2014 03:35:40 +0000
+Subject: [PATCH] Avoid possible timing attack in metadata api
+
+Introduce a constant time comparison function to
+nova utils for comparing authentication tokens.
+
+Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
+Closes-bug: #1325128
+(cherry picked from commit 14e52608a1ff888a211647dfdc7fb41dfa86a187)
+---
+ nova/api/metadata/handler.py | 3 ++-
+ nova/tests/test_utils.py | 7 +++++++
+ nova/utils.py | 19 +++++++++++++++++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index a14db67..be866ef 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -30,6 +30,7 @@ from nova import exception
+ from nova.openstack.common.gettextutils import _
+ from nova.openstack.common import log as logging
+ from nova.openstack.common import memorycache
++from nova import utils
+ from nova import wsgi
+
+ CACHE_EXPIRATION = 15 # in seconds
+@@ -169,7 +170,7 @@ class MetadataRequestHandler(wsgi.Application):
+ instance_id,
+ hashlib.sha256).hexdigest()
+
+- if expected_signature != signature:
++ if not utils.constant_time_compare(expected_signature, signature):
+ if instance_id:
+ LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
+ 'match the expected value: %(expected_signature)s '
+diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
+index 59d08fd..c2969a6 100644
+--- a/nova/tests/test_utils.py
++++ b/nova/tests/test_utils.py
+@@ -979,3 +979,10 @@ class VersionTestCase(test.NoDBTestCase):
+
+ def test_convert_version_to_tuple(self):
+ self.assertEqual(utils.convert_version_to_tuple('6.7.0'), (6, 7, 0))
++
++
++class ConstantTimeCompareTestCase(test.NoDBTestCase):
++ def test_constant_time_compare(self):
++ self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
++ self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
++ self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
+diff --git a/nova/utils.py b/nova/utils.py
+index 0c3ee94..dddf0e7 100644
+--- a/nova/utils.py
++++ b/nova/utils.py
+@@ -21,6 +21,7 @@ import contextlib
+ import datetime
+ import functools
+ import hashlib
++import hmac
+ import inspect
+ import multiprocessing
+ import os
+@@ -1170,3 +1171,21 @@ def cpu_count():
+ return multiprocessing.cpu_count()
+ except NotImplementedError:
+ return 1
++
++
++if hasattr(hmac, 'compare_digest'):
++ constant_time_compare = hmac.compare_digest
++else:
++ def constant_time_compare(first, second):
++ """Returns True if both string inputs are equal, otherwise False.
++
++ This function should take a constant amount of time regardless of
++ how many characters in the strings match.
++
++ """
++ if len(first) != len(second):
++ return False
++ result = 0
++ for x, y in zip(first, second):
++ result |= ord(x) ^ ord(y)
++ return result == 0
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 7202367..18e5050 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
Name: openstack-nova
Version: 2014.1.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: OpenStack Compute (nova)
Group: Applications/System
@@ -59,6 +59,7 @@ Patch0003: 0003-Revert-Replace-oslo.sphinx-with-oslosphinx.patch
Patch0004: 0004-notify-calling-process-we-are-ready-to-serve.patch
Patch0005: 0005-Move-notification-point-to-a-better-place.patch
Patch0006: 0006-Set-the-volume-access-mode-during-volume-attach.patch
+Patch0007: 0007-Avoid-possible-timing-attack-in-metadata-api.patch
# This is EPEL specific and not upstream
@@ -437,6 +438,7 @@ This package contains documentation files for nova.
%patch0004 -p1
%patch0005 -p1
%patch0006 -p1
+%patch0007 -p1
# Apply EPEL patch
@@ -902,6 +904,9 @@ fi
%endif
%changelog
+* Tue Jul 22 2014 Vladan Popovic <vpopovic at redhat.com> 2014.1.1-3
+- Avoid possible timing attack in metadata api - CVE-2014-3517
+
* Fri Jun 27 2014 Vladan Popovic <vpopovic at redhat.com> 2014.1.1-2
- Fixes rbd backend image size - rhbz#1112871
More information about the scm-commits
mailing list