Bug 902964 (CVE-2013-0212)

Summary: CVE-2013-0212 openstack-glance: Backend password leak in Glance error message
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: apevec, eglynn, jrusnack, markmc, ndipanov, rcvalle, rhos-maint, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-09 04:31:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 903032, 903033
Bug Blocks: 902968
Attachments:
  essex-CVE-2013-0212.patch (flags: none)
  folsom-CVE-2013-0212.patch (flags: none)
  grizzly-CVE-2013-0212.patch (flags: none)

Description Kurt Seifried 2013-01-22 20:03:03 UTC
Thierry Carrez (thierry) reports on behalf of the OpenStack Project:

Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions

Dan Prince of Red Hat discovered an issue in Glance error reporting. By
creating an image in Glance by URL that references a mis-configured
Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image
references for any reason becomes unusable, an authenticated user may
access the Glance operator's Swift credentials for that endpoint. Only
setups that use the single-tenant Swift store are affected.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series. Unless a flaw is discovered in them, these
proposed patches will be merged to Glance master, stable/folsom and
stable/essex branches on the public disclosure date.

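The flaw described above is an error message that carries the backend location verbatim, and in the single-tenant Swift store that location is a URI with the operator's credentials embedded in it. As an added illustration (not the attached patches or Glance's own code), the following Python shows the unsafe message-building pattern beside a hardened one that strips the userinfo from any swift:// URI before the text is assembled, plus a small audit function that flags log or response lines where such a credential still appears. The sample URI, hostname, log lines and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a single-tenant Swift store location with the operator's
# user and password in the netloc. The host is a reserved .invalid name.
SAMPLE_LOCATION = "swift://glance-user:s3cr3t-pass@swift.example.invalid/glance/abc123"

# Matches the userinfo part of a swift:// (or swift+https:// etc.) URI anywhere
# in free text: scheme, then everything up to the LAST '@' before the first '/'.
# Greedy [^\s/]+ followed by '@' backtracks to that last '@', so a password that
# itself contains '@' is still removed in full.
_SWIFT_USERINFO = re.compile(r"(swift(?:\+\w+)?://)[^\s/]+@")


def redact_swift_location(location: str) -> str:
    """Return a single store URI with its user:password replaced by REDACTED.

    Uses rpartition on '@' rather than .username/.password so that IPv6
    brackets and the exact host spelling are preserved.
    """
    parts = urlsplit(location)
    _userinfo, sep, host = parts.netloc.rpartition("@")
    if not sep:
        return location  # no credentials embedded, nothing to hide
    return urlunsplit((parts.scheme, "REDACTED@" + host,
                       parts.path, parts.query, parts.fragment))


def scrub_text(text: str) -> str:
    """Redact credentials from every swift URI found in arbitrary text.

    Needed because a backend exception's own message (e.g. from the Swift
    client) may repeat the URI, so scrubbing only the location is not enough.
    """
    return _SWIFT_USERINFO.sub(r"\1REDACTED@", text)


def describe_failure_unsafe(location: str, reason: str) -> str:
    # Unsafe pattern: the raw location is interpolated into a message that
    # ends up in an API response readable by an ordinary authenticated user.
    return f"Failed to access backend {location}: {reason}"


def describe_failure_safe(location: str, reason: str) -> str:
    # Hardened pattern: scrub the whole message, covering both the location
    # and any copy of it inside the backend's reason string.
    return scrub_text(f"Failed to access backend {location}: {reason}")


def find_credential_leaks(lines):
    """Audit helper: return (line_number, scrubbed_line) for every line that
    still contains a swift URI with embedded credentials."""
    leaks = []
    for number, line in enumerate(lines, 1):
        if _SWIFT_USERINFO.search(line):
            leaks.append((number, scrub_text(line)))
    return leaks


# Constructed log lines for the audit helper; only the first one leaks.
LOG_LINES = [
    "2013-01-22 20:03:03 ERROR glance.store.swift Failed to access backend "
    "swift://glance-user:s3cr3t-pass@swift.example.invalid/glance/abc123: "
    "503 Service Unavailable",
    "2013-01-22 20:03:04 INFO glance.api GET /v1/images/abc123 200",
    "2013-01-22 20:03:05 ERROR glance.store.swift Failed to access backend "
    "swift://swift.example.invalid/glance/def456: connection refused",
]

if __name__ == "__main__":
    print(describe_failure_unsafe(SAMPLE_LOCATION, "503 Service Unavailable"))
    print(describe_failure_safe(SAMPLE_LOCATION, "503 Service Unavailable"))
    for number, line in find_credential_leaks(LOG_LINES):
        print(f"leak on line {number}: {line}")
```

The audit function is the check an operator would run over existing API logs and saved error responses after applying the fix: any hit means a credential has already been written somewhere it should not be, and the Swift password for that endpoint should be rotated regardless of the patch.
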
Comment 1 Kurt Seifried 2013-01-22 20:05:56 UTC
Created attachment 685412 [details]
essex-CVE-2013-0212.patch

Comment 2 Kurt Seifried 2013-01-22 20:06:13 UTC
Created attachment 685413 [details]
folsom-CVE-2013-0212.patch

Comment 3 Kurt Seifried 2013-01-22 20:06:31 UTC
Created attachment 685414 [details]
grizzly-CVE-2013-0212.patch

Comment 7 Murray McAllister 2013-01-29 06:16:03 UTC
Acknowledgements:

This issue was discovered by Dan Prince of Red Hat.

Comment 8 Kurt Seifried 2013-01-29 18:24:42 UTC
This is now public: https://bugs.launchpad.net/glance/+bug/1098962

Comment 9 errata-xmlrpc 2013-01-30 21:06:05 UTC
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0209 https://rhn.redhat.com/errata/RHSA-2013-0209.html

Comment 10 Fedora Update System 2013-02-14 02:30:55 UTC
openstack-glance-2012.2.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.