diff options
author | Matt Thode <prometheanfire@gentoo.org> | 2014-07-17 07:06:55 +0000 |
---|---|---|
committer | Matt Thode <prometheanfire@gentoo.org> | 2014-07-17 07:06:55 +0000 |
commit | 7a2d8c0f5d159d3a981e4d524bd8b0909c387eda (patch) | |
tree | f2c77cd2c9b849cd3d9e4f191ddfe4ab679e781e | |
parent | follow-up with bug 506390, c5, thanks SN (Enlik) (diff) | |
download | historical-7a2d8c0f5d159d3a981e4d524bd8b0909c387eda.tar.gz historical-7a2d8c0f5d159d3a981e4d524bd8b0909c387eda.tar.bz2 historical-7a2d8c0f5d159d3a981e4d524bd8b0909c387eda.zip |
fix for nova 2014.1.1 CVE-2014-3517, we good yo
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
-rw-r--r-- | sys-cluster/nova/ChangeLog | 9 | ||||
-rw-r--r-- | sys-cluster/nova/Manifest | 33 | ||||
-rw-r--r-- | sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch | 100 | ||||
-rw-r--r-- | sys-cluster/nova/nova-2014.1.1-r1.ebuild (renamed from sys-cluster/nova/nova-2014.1.1.ebuild) | 3 |
4 files changed, 126 insertions, 19 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog index 22269695f49b..10f8d9a28b73 100644 --- a/sys-cluster/nova/ChangeLog +++ b/sys-cluster/nova/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-cluster/nova # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.69 2014/07/06 12:57:19 mgorny Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.70 2014/07/17 07:06:48 prometheanfire Exp $ + +*nova-2014.1.1-r1 (17 Jul 2014) + + 17 Jul 2014; Matthew Thode <prometheanfire@gentoo.org> + +files/nova-2014.1.1-CVE-2014-3517.patch, +nova-2014.1.1-r1.ebuild, + -nova-2014.1.1.ebuild: + fix for nova 2014.1.1 CVE-2014-3517, we good yo 06 Jul 2014; Michał Górny <mgorny@gentoo.org> nova-2014.1.1.ebuild, nova-2014.1.9999.ebuild, nova-9999.ebuild: diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest index 3ef3ab57d1f3..c06a0ff32df4 100644 --- a/sys-cluster/nova/Manifest +++ b/sys-cluster/nova/Manifest @@ -1,33 +1,32 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX nova-2014.1.1-CVE-2014-3517.patch 3619 SHA256 3bbe89c956ab785e1a87e1d56ad909d6df5ffc573056ccda35b457eaab6f57b4 SHA512 222fd90bc93d19fa9c1d86b731bef7edc39528e6e79907bcbaa26b1559adc238cb24984ed03521775b9b4a7b0d1170d0cafaca299824b4b3c875d18d5d87972e WHIRLPOOL da772642d361fca3bb811486b4da4aad2a3d2cc155f06141de1534cda73129305e14227c3ae88da478119c844e0e97e738bf9605e084505924504c2391bfc383 AUX nova-confd 101 SHA256 d9013141618d1e8b8ba85297155747d9c8fc362238de7bba3108b9a2539c8c73 SHA512 4c7ec1d123f2cdaf394d1f4824df861bbe309b0b329db44080160d81746cd0fc9d4cc1b35da0f66ab075f1d4e835ababfb7bccaf4a2e931e60f2c0ac572a552e WHIRLPOOL 6a237357a3905d29a96b32c37f6d189e4f5cefc0986bb091e24a79295191332143741c604c2a9fd44484c75b3be89742a5570862cf0cd4ba225425f7f32b5348 AUX nova-initd 1496 SHA256 5b5f928335ac345103492555c3bc57407f547915b099762d0087aef172e5edf8 SHA512 cca06baba484d505f3a96643d836204a08e9dde50197531cdab2d95188b992a95a375a386b9c54fcc8e0a4f6167babba975db7510db1087f044afa39effe4eec WHIRLPOOL 4c667a5cc469826063a65879c1beddc98371edf295a273c9b8f679627cabfe2260d8b3bbdf9550d3894fc1525d63b9f98d6e939406f90ac5f2f745daa59311c2 AUX nova-sudoers 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c AUX nova.initd 627 SHA256 74417e422e6c503ae338bb981934b54a5da57e783bdfed778de6ce9fec3617b8 SHA512 163d5d94f6ce7c67413b9e90161590651329c96e1c8df480d1c983294f43bd596ef75ebe818cd1a8f1557babfd6bbd02a7deaf597d936acfe882dc3c9c5a1f42 WHIRLPOOL b51a0316513d06083f2cfa572427926c14663ab984bcd26a9521bf88699bfefd745e7ff91e9330bae86bd769d809837e010caa948cd133fbd010e820b7ab8448 AUX nova.sudoersd 78 SHA256 9e88c2843fb74cc46802c0b103067ad12915ec50335d05e546a5dba76acb4a76 SHA512 22c0606c6335b2d1a03bd18a319a54f16f76f091b2e8416dbba05ce7c15890beff7f32f0322eb5ba3f2a5c750436cacbe0cee189b390b878e3f0c0df219ef984 WHIRLPOOL bc42ae1d12e9f900b263fd5c3d0f59062f46fbec1ff97c0bceb234082bea5943eb64795b4f5e102b8e2749c6868163e5924467088cad42df09345e3406e5f83c DIST nova-2014.1.1.tar.gz 7979809 SHA256 3cb3b48c72c39e7637d6016039d353ad33de69bcd6ed04dbfdb0db9313eb9a5b SHA512 6f7b449e09e796c483d93399af24c2cd77042776e1c4d36c3bcd34814b42a252151542b684785ba6c1b28bc0b302cc15f5057da7f90884c73ff6b11ec748323e WHIRLPOOL 0d959b4655d6010825b0ef73b6ce983cd6a0679f5aa5d41ebfbddce26e74d402d9d571c65d26f71e60bb627fc9d4d924d1e4622c1d96d73e3b484f1c68502df7 -EBUILD nova-2014.1.1.ebuild 4781 SHA256 ceb30e35006ae3cd6f7baf5ecabf3514bb9c0af8e93377e0279af4c79940dc68 SHA512 4db4414baf99b8bade7048a0d72a68b32ec32cb4258db3658940c82b772f308cf8450c52ccdb9184f1b4f4833922ece78f5ba27c84d7f61d22b4e8f3fc61b41a WHIRLPOOL 6a24618eec94aa5912e87b6c1a172ddca0a64aa3f45b4e4c465bcf039fcc75439bc889af8378b13ab1ca2083cf79b13833f6a1f8227cfa20e5c38174401872ac +EBUILD nova-2014.1.1-r1.ebuild 4841 SHA256 71555345c97aa1cfb2ec9a4533ceb495211830ac5b2ba965c373d3341ba105af SHA512 12f2998f64991b0f85b6cc976c01accbd5a05677477dac3f7d5ba71e7661896a1ff7409121fee064edf4d7e5665eddc01a951256d8257aafdb44c874e6430ed4 WHIRLPOOL 68112eaac6f0a806c9692aca959e85dc7ed537634743fdd590261147dc29f7284ed98f570c47eacd4503ad721567b511a60cc6bd9cf797c5cf61653857c1e925 EBUILD nova-2014.1.9999.ebuild 4789 SHA256 dbf74f43aafe5b60b7e9773a232f1394c162ec09a9bd4ac91eec2744ca08d904 SHA512 d655815622653ca840137bfd2e8badafe3ea8087287e5747852a57694d252a83aefcfb9bdf363b913b1a2febb9110005e87dcdf8c770759776268fd37716bec3 WHIRLPOOL a40ba33678835604508b526c2bdb926c879ed52a715b50a27e3445336a706394b6a2847270dadfbe9114f3879b1b1affc2f46b3fd4cd5384fe8bc6e61bafb7f2 EBUILD nova-9999.ebuild 4753 SHA256 cabc9d6ea2de890686220cbfa4128a6e7bd66f35cec2daf385ae60905afcc35e SHA512 9d6de0375f96fc3272b8cf03d50d13a98fda9593429629712c593e3fd6d796563bcb1704103c4e3bb1fd769448ac96fa14da61592d3e48ecf0434f7b2a81a8b1 WHIRLPOOL afa4cc1a18ba8b103f67b38a926caa506659b1b8ad0d92164717f1f36f620c77656cb5ce40eda24f398e3b4b03b250febd7cbccdaddfd3574d588a4c88d8e41c -MISC ChangeLog 15834 SHA256 e6a9035f2d0fc5790d5bd221266a4629772ed5d8047d15de2edf7cba0d6fd61f SHA512 92c1210f2dc1b2066554ffd7d2b51df2687e76de682be292e8cc100c7e7a0a32ef3d350c6a5e5ac7d6bd64752d09247939bb519a6065176564545d6ef79651e6 WHIRLPOOL 775fd074e09fc2c6dad9634ea887efb26f08bff874338bc84331384d8fa0cb4f1ac3a4adeba47b5ae41bd295c64e7dad1b5283bfa8125a1ff18ff686dcdf98c5 +MISC ChangeLog 16078 SHA256 9c210a3932fcf414b7e81a2fd18c355544a64bad882429914c67674dfa29e962 SHA512 749c5a282248a5b8f8c919463da91ab8067a6dee55b5c05784eacd59abc7da298c8e593b0250a10acc9d0e4d3ae8066c665ab1a67253643656e7e784b614852e WHIRLPOOL 8255a1fe18c8852db2f91fd109761d7cbfed3a4cb3cda5d69d660f4ad36739c73a0c9c42638abccf23bce499d7548d65c1204d6c8fc61112f96eb227fd2fa834 MISC metadata.xml 818 SHA256 2db18087f26467d27436c57cc533ab1dc0e31e643ed2b212a78eaf1e9e4d702b SHA512 cd64b2b5fff76252104a60670edab8a732ea0c6ab5e72b083f988bbc18dcf38e455cadd589e89597fa049009b60a99631306ea61bb02e14f1658a52b22d4c5aa WHIRLPOOL 05cca8681c60b074f53e6874f1e8a5b17a3ebcdd06e552e4ac6a2672f91077ce71e0d343f0db27ba0722a33bc5b1e97d38ad34dbe418e2961ca067d8b863c6db -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 -iQJ8BAEBCABmBQJTuUe2XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w -ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2REJCMDdDQzRGMERBRDA2RUEwQUZFNDFC -MDdBMUFFQUVGQjQ0NjRFAAoJELB6GurvtEZOqjkQAKSBmXmCXpJcNipFp2SUKowE -NJ+Rq4LqiBSG8ZvQ3w7GUaMZ2ucyEEzpUhBCff1IqpG6ISfE89Y7Nw2DmTLwWwDm -Pl1PL2Fr9RZobz3tpO+/L5W8xvgksol1Uv7q3PiesVmCofMCQ3kmwFw+A4aLNn67 -lPfpkgEEZ04H4gG1aZrZrwZtmPMSYQV8terkq/0Ag0zz/cnhEdeTU9Xvn8TRb5lW -6kJDjSNvZZkZ/SctNrHqXtHLKHHbFLQisbE6hFZ7xXU+MX93EgPYhKrj3xNRTqYJ -7uH5g7neTE5vyRMlpqJygY+5IG69X0lOC5Ykn+nVk4x5cKZsL0cq1reW4Pi/TMej -KFaYC76MeopCEHnnIKfg1ZyqA+/0GML1fc2eL6ONDW8UYvrn1ygUnr5Cc9ON+S9K -XxUkSJLj+OqQhDHDGvvQRuHYtCwzzkajfp//a5qa+GxaacvHrULsihh5ACOiDvKT -C4qA+LHnGIQjWtUCyBo1pbol1wu6FQepSe3Czek2hb2eAZRdDAOdrhlbN4NkguMA -brECZZSZnqcLyMmKSnVA5aBUOSgYGS18at04nvYRgm3Wmbmmaf8QnsysnMTeiHZx -VzVSHP1LPU590k18ikF42QiM7rMwzwms8m5cXG8bxdvJVa1+kSunQxb8dr5gIlDr -NOAzRpCvskLFLXV86ron -=bccf +iQIcBAEBCAAGBQJTx3YdAAoJECRx6z5ArFrDIEwP/1JUdqpResy6uPZUKiGk680c +dU/CWyApMdddSvDRULRijzQBEWSWyaq1JMDb85LxEY0Xq9stU5MfZJKHdB/rEDVU +ZUj9Akb8DAJie4DtF7qDWAY1KxIK+BWTjhipwCwApBj8Gek6bHIXmzzHQRBkI/cD +ilMZlTNlUmQAAb2XJWmApC8BiCga55GnkO8Ote/K743NBxaGS56Z6WhLKIFN9HHX +8nPHMAYr4fpNx9QerWaRsuyHhf+gfGUPaobitieDVUWCpTA+Q/vme4wvwmbvPYKC +5egbbOqI8tFIwr5DS+Dm97tznhogXb1c0PxwLppp7x6+yIisl67dfq8rlpbQhJR3 +c7A0vRXqBpi+o6hjKrizN4C9MkPFD/yTn6PsCTHDLXElet4FqVw7CjGz3FYtK4Uk +Xb3lgOb39RzpTkv+fLYBUMshkuY7H2YSXMC9TdcCF+TzYwrRwU+p0AUMDPqHRlwO +FdOl/GRm0wEKkCKwpMEy5aBxrRUUe30Oaii2r8hMxH1+lYoT7hnR8Xd428bugoSv +ui7lfI4LRnJKbwgcCdyM6zMMm9dtmfMKaCjUYisWv+bm8VhySCNCQnddW7ZR+k8K +ywXEuF+QPL3kU7AN/tXdwq6CitER0SSPpHVzzMBJhoWx4qdRmpN5YRgzIiqaTzSy +UGCaUvYJBUJGqkZ+7eKG +=AP63 -----END PGP SIGNATURE----- diff --git a/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch b/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch new file mode 100644 index 000000000000..cc4f2911c2d2 --- /dev/null +++ b/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch @@ -0,0 +1,100 @@ +From 3dd2cb0452b63d5de04606d79bbbf41a4e50a42a Mon Sep 17 00:00:00 2001 +From: Grant Murphy <gmurphy@redhat.com> +Date: Tue, 8 Jul 2014 03:35:40 +0000 +Subject: [PATCH 1/1] Avoid possible timing attack in metadata api + +Introduce a constant time comparison function to +nova utils for comparing authentication tokens. +Original code taken from: + +https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/memcache_crypt.py#L86 + +Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de +Closes-bug: #1325128 +--- + nova/api/metadata/handler.py | 3 ++- + nova/tests/test_utils.py | 7 +++++++ + nova/utils.py | 27 +++++++++++++++++++++++++++ + 3 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py +index a14db67..be866ef 100644 +--- a/nova/api/metadata/handler.py ++++ b/nova/api/metadata/handler.py +@@ -30,6 +30,7 @@ from nova import exception + from nova.openstack.common.gettextutils import _ + from nova.openstack.common import log as logging + from nova.openstack.common import memorycache ++from nova import utils + from nova import wsgi + + CACHE_EXPIRATION = 15 # in seconds +@@ -169,7 +170,7 @@ class MetadataRequestHandler(wsgi.Application): + instance_id, + hashlib.sha256).hexdigest() + +- if expected_signature != signature: ++ if not utils.constant_time_compare(expected_signature, signature): + if instance_id: + LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not ' + 'match the expected value: %(expected_signature)s ' +diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py +index 59d08fd..c2969a6 100644 +--- a/nova/tests/test_utils.py ++++ b/nova/tests/test_utils.py +@@ -979,3 +979,10 @@ class VersionTestCase(test.NoDBTestCase): + + def test_convert_version_to_tuple(self): + self.assertEqual(utils.convert_version_to_tuple('6.7.0'), (6, 7, 0)) ++ ++ ++class ConstantTimeCompareTestCase(test.NoDBTestCase): ++ def test_constant_time_compare(self): ++ self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234")) ++ self.assertFalse(utils.constant_time_compare("abcd1234", "a")) ++ self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234")) +diff --git a/nova/utils.py b/nova/utils.py +index 0c3ee94..7dfa0cc 100644 +--- a/nova/utils.py ++++ b/nova/utils.py +@@ -21,6 +21,7 @@ import contextlib + import datetime + import functools + import hashlib ++import hmac + import inspect + import multiprocessing + import os +@@ -1170,3 +1171,29 @@ def cpu_count(): + return multiprocessing.cpu_count() + except NotImplementedError: + return 1 ++ ++ ++# NOTE(gm) Constant time comparison taken from keystone. This is a ++# candidate for inclusion in oslo. ++# ++# Original code: master/keystoneclient/middleware/memcache_crypt.py#L86 ++if sys.version_info >= (3, 3): ++ constant_time_compare = hmac.compare_digest ++else: ++ def constant_time_compare(first, second): ++ """Returns True if both string inputs are equal, otherwise False. ++ ++ This function should take a constant amount of time regardless of ++ how many characters in the strings match. ++ ++ """ ++ if len(first) != len(second): ++ return False ++ result = 0 ++ if six.PY3 and isinstance(first, bytes) and isinstance(second, bytes): ++ for x, y in zip(first, second): ++ result |= x ^ y ++ else: ++ for x, y in zip(first, second): ++ result |= ord(x) ^ ord(y) ++ return result == 0 +-- +1.9.3 + diff --git a/sys-cluster/nova/nova-2014.1.1.ebuild b/sys-cluster/nova/nova-2014.1.1-r1.ebuild index 3744a9d74e43..af9e3180e57d 100644 --- a/sys-cluster/nova/nova-2014.1.1.ebuild +++ b/sys-cluster/nova/nova-2014.1.1-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1.ebuild,v 1.2 2014/07/06 12:57:19 mgorny Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1-r1.ebuild,v 1.1 2014/07/17 07:06:48 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -75,6 +75,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}] app-emulation/xen-tools )" PATCHES=( + "${FILESDIR}/nova-2014.1.1-CVE-2014-3517.patch" ) pkg_setup() { |