Bug 902964 (CVE-2013-0212)

Summary: CVE-2013-0212 openstack-glance: Backend password leak in Glance error message
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, eglynn, jrusnack, markmc, ndipanov, rcvalle, rhos-maint, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-09 04:31:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 903032, 903033    
Bug Blocks: 902968    
Description Flags
grizzly-CVE-2013-0212.patch none

Description Kurt Seifried 2013-01-22 20:03:03 UTC
Thierry Carrez (thierry) reports on behalf of the OpenStack Project:

Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions

Dan Prince of Red Hat discovered an issue in Glance error reporting. By
creating an image in Glance by URL that references a mis-configured
Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image
references for any reason becomes unusable, an authenticated user may
access the Glance operator's Swift credentials for that endpoint. Only
setups that use the single-tenant Swift store are affected.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series. Unless a flaw is discovered in them, these
proposed patches will be merged to Glance master, stable/folsom and
stable/essex branches on the public disclosure date.

Comment 1 Kurt Seifried 2013-01-22 20:05:56 UTC
Created attachment 685412 [details]

Comment 2 Kurt Seifried 2013-01-22 20:06:13 UTC
Created attachment 685413 [details]

Comment 3 Kurt Seifried 2013-01-22 20:06:31 UTC
Created attachment 685414 [details]

Comment 7 Murray McAllister 2013-01-29 06:16:03 UTC

This issue was discovered by Dan Prince of Red Hat.

Comment 8 Kurt Seifried 2013-01-29 18:24:42 UTC
This is now public: https://bugs.launchpad.net/glance/+bug/1098962

Comment 9 errata-xmlrpc 2013-01-30 21:06:05 UTC
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0209 https://rhn.redhat.com/errata/RHSA-2013-0209.html

Comment 10 Fedora Update System 2013-02-14 02:30:55 UTC
openstack-glance-2012.2.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.