authorMatt Thode <prometheanfire@gentoo.org>2014-07-17 07:06:55 +0000
committerMatt Thode <prometheanfire@gentoo.org>2014-07-17 07:06:55 +0000
commit7a2d8c0f5d159d3a981e4d524bd8b0909c387eda (patch)
treef2c77cd2c9b849cd3d9e4f191ddfe4ab679e781e
parentfollow-up with bug 506390, c5, thanks SN (Enlik) (diff)
fix for nova 2014.1.1 CVE-2014-3517, we good yo
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
-rw-r--r--sys-cluster/nova/ChangeLog9
-rw-r--r--sys-cluster/nova/Manifest33
-rw-r--r--sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch100
-rw-r--r--sys-cluster/nova/nova-2014.1.1-r1.ebuild (renamed from sys-cluster/nova/nova-2014.1.1.ebuild)3
4 files changed, 126 insertions, 19 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index 22269695f49b..10f8d9a28b73 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.69 2014/07/06 12:57:19 mgorny Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.70 2014/07/17 07:06:48 prometheanfire Exp $
+
+*nova-2014.1.1-r1 (17 Jul 2014)
+
+ 17 Jul 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/nova-2014.1.1-CVE-2014-3517.patch, +nova-2014.1.1-r1.ebuild,
+ -nova-2014.1.1.ebuild:
+ fix for nova 2014.1.1 CVE-2014-3517, we good yo
06 Jul 2014; Michał Górny <mgorny@gentoo.org> nova-2014.1.1.ebuild,
nova-2014.1.9999.ebuild, nova-9999.ebuild:
diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest
index 3ef3ab57d1f3..c06a0ff32df4 100644
--- a/sys-cluster/nova/Manifest
+++ b/sys-cluster/nova/Manifest
@@ -1,33 +1,32 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX nova-2014.1.1-CVE-2014-3517.patch 3619 SHA256 3bbe89c956ab785e1a87e1d56ad909d6df5ffc573056ccda35b457eaab6f57b4 SHA512 222fd90bc93d19fa9c1d86b731bef7edc39528e6e79907bcbaa26b1559adc238cb24984ed03521775b9b4a7b0d1170d0cafaca299824b4b3c875d18d5d87972e WHIRLPOOL da772642d361fca3bb811486b4da4aad2a3d2cc155f06141de1534cda73129305e14227c3ae88da478119c844e0e97e738bf9605e084505924504c2391bfc383
AUX nova-confd 101 SHA256 d9013141618d1e8b8ba85297155747d9c8fc362238de7bba3108b9a2539c8c73 SHA512 4c7ec1d123f2cdaf394d1f4824df861bbe309b0b329db44080160d81746cd0fc9d4cc1b35da0f66ab075f1d4e835ababfb7bccaf4a2e931e60f2c0ac572a552e WHIRLPOOL 6a237357a3905d29a96b32c37f6d189e4f5cefc0986bb091e24a79295191332143741c604c2a9fd44484c75b3be89742a5570862cf0cd4ba225425f7f32b5348
AUX nova-initd 1496 SHA256 5b5f928335ac345103492555c3bc57407f547915b099762d0087aef172e5edf8 SHA512 cca06baba484d505f3a96643d836204a08e9dde50197531cdab2d95188b992a95a375a386b9c54fcc8e0a4f6167babba975db7510db1087f044afa39effe4eec WHIRLPOOL 4c667a5cc469826063a65879c1beddc98371edf295a273c9b8f679627cabfe2260d8b3bbdf9550d3894fc1525d63b9f98d6e939406f90ac5f2f745daa59311c2
AUX nova-sudoers 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c
AUX nova.initd 627 SHA256 74417e422e6c503ae338bb981934b54a5da57e783bdfed778de6ce9fec3617b8 SHA512 163d5d94f6ce7c67413b9e90161590651329c96e1c8df480d1c983294f43bd596ef75ebe818cd1a8f1557babfd6bbd02a7deaf597d936acfe882dc3c9c5a1f42 WHIRLPOOL b51a0316513d06083f2cfa572427926c14663ab984bcd26a9521bf88699bfefd745e7ff91e9330bae86bd769d809837e010caa948cd133fbd010e820b7ab8448
AUX nova.sudoersd 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c
DIST nova-2014.1.1.tar.gz 7979809 SHA256 3cb3b48c72c39e7637d6016039d353ad33de69bcd6ed04dbfdb0db9313eb9a5b SHA512 6f7b449e09e796c483d93399af24c2cd77042776e1c4d36c3bcd34814b42a252151542b684785ba6c1b28bc0b302cc15f5057da7f90884c73ff6b11ec748323e WHIRLPOOL 0d959b4655d6010825b0ef73b6ce983cd6a0679f5aa5d41ebfbddce26e74d402d9d571c65d26f71e60bb627fc9d4d924d1e4622c1d96d73e3b484f1c68502df7
-EBUILD nova-2014.1.1.ebuild 4781 SHA256 ceb30e35006ae3cd6f7baf5ecabf3514bb9c0af8e93377e0279af4c79940dc68 SHA512 4db4414baf99b8bade7048a0d72a68b32ec32cb4258db3658940c82b772f308cf8450c52ccdb9184f1b4f4833922ece78f5ba27c84d7f61d22b4e8f3fc61b41a WHIRLPOOL 6a24618eec94aa5912e87b6c1a172ddca0a64aa3f45b4e4c465bcf039fcc75439bc889af8378b13ab1ca2083cf79b13833f6a1f8227cfa20e5c38174401872ac
+EBUILD nova-2014.1.1-r1.ebuild 4841 SHA256 71555345c97aa1cfb2ec9a4533ceb495211830ac5b2ba965c373d3341ba105af SHA512 12f2998f64991b0f85b6cc976c01accbd5a05677477dac3f7d5ba71e7661896a1ff7409121fee064edf4d7e5665eddc01a951256d8257aafdb44c874e6430ed4 WHIRLPOOL 68112eaac6f0a806c9692aca959e85dc7ed537634743fdd590261147dc29f7284ed98f570c47eacd4503ad721567b511a60cc6bd9cf797c5cf61653857c1e925
EBUILD nova-2014.1.9999.ebuild 4789 SHA256 dbf74f43aafe5b60b7e9773a232f1394c162ec09a9bd4ac91eec2744ca08d904 SHA512 d655815622653ca840137bfd2e8badafe3ea8087287e5747852a57694d252a83aefcfb9bdf363b913b1a2febb9110005e87dcdf8c770759776268fd37716bec3 WHIRLPOOL a40ba33678835604508b526c2bdb926c879ed52a715b50a27e3445336a706394b6a2847270dadfbe9114f3879b1b1affc2f46b3fd4cd5384fe8bc6e61bafb7f2
EBUILD nova-9999.ebuild 4753 SHA256 cabc9d6ea2de890686220cbfa4128a6e7bd66f35cec2daf385ae60905afcc35e SHA512 9d6de0375f96fc3272b8cf03d50d13a98fda9593429629712c593e3fd6d796563bcb1704103c4e3bb1fd769448ac96fa14da61592d3e48ecf0434f7b2a81a8b1 WHIRLPOOL afa4cc1a18ba8b103f67b38a926caa506659b1b8ad0d92164717f1f36f620c77656cb5ce40eda24f398e3b4b03b250febd7cbccdaddfd3574d588a4c88d8e41c
-MISC ChangeLog 15834 SHA256 e6a9035f2d0fc5790d5bd221266a4629772ed5d8047d15de2edf7cba0d6fd61f SHA512 92c1210f2dc1b2066554ffd7d2b51df2687e76de682be292e8cc100c7e7a0a32ef3d350c6a5e5ac7d6bd64752d09247939bb519a6065176564545d6ef79651e6 WHIRLPOOL 775fd074e09fc2c6dad9634ea887efb26f08bff874338bc84331384d8fa0cb4f1ac3a4adeba47b5ae41bd295c64e7dad1b5283bfa8125a1ff18ff686dcdf98c5
+MISC ChangeLog 16078 SHA256 9c210a3932fcf414b7e81a2fd18c355544a64bad882429914c67674dfa29e962 SHA512 749c5a282248a5b8f8c919463da91ab8067a6dee55b5c05784eacd59abc7da298c8e593b0250a10acc9d0e4d3ae8066c665ab1a67253643656e7e784b614852e WHIRLPOOL 8255a1fe18c8852db2f91fd109761d7cbfed3a4cb3cda5d69d660f4ad36739c73a0c9c42638abccf23bce499d7548d65c1204d6c8fc61112f96eb227fd2fa834
MISC metadata.xml 818 SHA256 2db18087f26467d27436c57cc533ab1dc0e31e643ed2b212a78eaf1e9e4d702b SHA512 cd64b2b5fff76252104a60670edab8a732ea0c6ab5e72b083f988bbc18dcf38e455cadd589e89597fa049009b60a99631306ea61bb02e14f1658a52b22d4c5aa WHIRLPOOL 05cca8681c60b074f53e6874f1e8a5b17a3ebcdd06e552e4ac6a2672f91077ce71e0d343f0db27ba0722a33bc5b1e97d38ad34dbe418e2961ca067d8b863c6db
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-iQJ8BAEBCABmBQJTuUe2XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
-ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2REJCMDdDQzRGMERBRDA2RUEwQUZFNDFC
-MDdBMUFFQUVGQjQ0NjRFAAoJELB6GurvtEZOqjkQAKSBmXmCXpJcNipFp2SUKowE
-NJ+Rq4LqiBSG8ZvQ3w7GUaMZ2ucyEEzpUhBCff1IqpG6ISfE89Y7Nw2DmTLwWwDm
-Pl1PL2Fr9RZobz3tpO+/L5W8xvgksol1Uv7q3PiesVmCofMCQ3kmwFw+A4aLNn67
-lPfpkgEEZ04H4gG1aZrZrwZtmPMSYQV8terkq/0Ag0zz/cnhEdeTU9Xvn8TRb5lW
-6kJDjSNvZZkZ/SctNrHqXtHLKHHbFLQisbE6hFZ7xXU+MX93EgPYhKrj3xNRTqYJ
-7uH5g7neTE5vyRMlpqJygY+5IG69X0lOC5Ykn+nVk4x5cKZsL0cq1reW4Pi/TMej
-KFaYC76MeopCEHnnIKfg1ZyqA+/0GML1fc2eL6ONDW8UYvrn1ygUnr5Cc9ON+S9K
-XxUkSJLj+OqQhDHDGvvQRuHYtCwzzkajfp//a5qa+GxaacvHrULsihh5ACOiDvKT
-C4qA+LHnGIQjWtUCyBo1pbol1wu6FQepSe3Czek2hb2eAZRdDAOdrhlbN4NkguMA
-brECZZSZnqcLyMmKSnVA5aBUOSgYGS18at04nvYRgm3Wmbmmaf8QnsysnMTeiHZx
-VzVSHP1LPU590k18ikF42QiM7rMwzwms8m5cXG8bxdvJVa1+kSunQxb8dr5gIlDr
-NOAzRpCvskLFLXV86ron
-=bccf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+=AP63
-----END PGP SIGNATURE-----
diff --git a/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch b/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch
new file mode 100644
index 000000000000..cc4f2911c2d2
--- /dev/null
+++ b/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch
@@ -0,0 +1,100 @@
+From 3dd2cb0452b63d5de04606d79bbbf41a4e50a42a Mon Sep 17 00:00:00 2001
+From: Grant Murphy <gmurphy@redhat.com>
+Date: Tue, 8 Jul 2014 03:35:40 +0000
+Subject: [PATCH 1/1] Avoid possible timing attack in metadata api
+
+Introduce a constant time comparison function to
+nova utils for comparing authentication tokens.
+Original code taken from:
+
+https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/memcache_crypt.py#L86
+
+Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
+Closes-bug: #1325128
+---
+ nova/api/metadata/handler.py | 3 ++-
+ nova/tests/test_utils.py | 7 +++++++
+ nova/utils.py | 27 +++++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index a14db67..be866ef 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -30,6 +30,7 @@ from nova import exception
+ from nova.openstack.common.gettextutils import _
+ from nova.openstack.common import log as logging
+ from nova.openstack.common import memorycache
++from nova import utils
+ from nova import wsgi
+
+ CACHE_EXPIRATION = 15 # in seconds
+@@ -169,7 +170,7 @@ class MetadataRequestHandler(wsgi.Application):
+ instance_id,
+ hashlib.sha256).hexdigest()
+
+- if expected_signature != signature:
++ if not utils.constant_time_compare(expected_signature, signature):
+ if instance_id:
+ LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
+ 'match the expected value: %(expected_signature)s '
+diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
+index 59d08fd..c2969a6 100644
+--- a/nova/tests/test_utils.py
++++ b/nova/tests/test_utils.py
+@@ -979,3 +979,10 @@ class VersionTestCase(test.NoDBTestCase):
+
+ def test_convert_version_to_tuple(self):
+ self.assertEqual(utils.convert_version_to_tuple('6.7.0'), (6, 7, 0))
++
++
++class ConstantTimeCompareTestCase(test.NoDBTestCase):
++ def test_constant_time_compare(self):
++ self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
++ self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
++ self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
+diff --git a/nova/utils.py b/nova/utils.py
+index 0c3ee94..7dfa0cc 100644
+--- a/nova/utils.py
++++ b/nova/utils.py
+@@ -21,6 +21,7 @@ import contextlib
+ import datetime
+ import functools
+ import hashlib
++import hmac
+ import inspect
+ import multiprocessing
+ import os
+@@ -1170,3 +1171,29 @@ def cpu_count():
+ return multiprocessing.cpu_count()
+ except NotImplementedError:
+ return 1
++
++
++# NOTE(gm) Constant time comparison taken from keystone. This is a
++# candidate for inclusion in oslo.
++#
++# Original code: master/keystoneclient/middleware/memcache_crypt.py#L86
++if sys.version_info >= (3, 3):
++ constant_time_compare = hmac.compare_digest
++else:
++ def constant_time_compare(first, second):
++ """Returns True if both string inputs are equal, otherwise False.
++
++ This function should take a constant amount of time regardless of
++ how many characters in the strings match.
++
++ """
++ if len(first) != len(second):
++ return False
++ result = 0
++ if six.PY3 and isinstance(first, bytes) and isinstance(second, bytes):
++ for x, y in zip(first, second):
++ result |= x ^ y
++ else:
++ for x, y in zip(first, second):
++ result |= ord(x) ^ ord(y)
++ return result == 0
+--
+1.9.3
+
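Review bot: The pure-Python fallback appended to nova/utils.py references `sys` and `six`, but the only import this patch adds to that file is `import hmac`, so it depends on both already being imported higher up in nova/utils.py — that part of the file is not in the hunk and is worth confirming before the ebuild ships the patch. Because the ebuild pins PYTHON_COMPAT to python2_7, the fallback rather than hmac.compare_digest is the branch that actually runs, and the `sys.version_info >= (3, 3)` gate also skips the compare_digest that CPython 2.7.7+ backports; gating on `if getattr(hmac, 'compare_digest', None) is not None:` followed by `constant_time_compare = hmac.compare_digest` would use the C implementation wherever it exists. The early `return False` on a length mismatch leaks the length, which is harmless for the fixed-length sha256 hexdigests the handler compares but deserves a sentence in the docstring saying so. The constant_time_compare body is complete within this hunk; the handler hunk shows only a fragment of a MetadataRequestHandler method that starts and ends outside it.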
diff --git a/sys-cluster/nova/nova-2014.1.1.ebuild b/sys-cluster/nova/nova-2014.1.1-r1.ebuild
index 3744a9d74e43..af9e3180e57d 100644
--- a/sys-cluster/nova/nova-2014.1.1.ebuild
+++ b/sys-cluster/nova/nova-2014.1.1-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1.ebuild,v 1.2 2014/07/06 12:57:19 mgorny Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1-r1.ebuild,v 1.1 2014/07/17 07:06:48 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -75,6 +75,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
app-emulation/xen-tools )"
PATCHES=(
+ "${FILESDIR}/nova-2014.1.1-CVE-2014-3517.patch"
)
pkg_setup() {