Bug 972988 (CVE-2013-2161)

Summary: CVE-2013-2161 OpenStack Swift: Unchecked user input in Swift XML responses
Product: [Other] Security Response
Reporter: Garth Mollett <gmollett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, chrisw, david.macdonald, derekh, gmollett, jlieskov, madam, markmc, pportant, rbryant, sclewis, security-response-team, zaitcev
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-20 10:39:18 UTC
Bug Depends On: 973372, 972992, 973370, 974954, 974956
Bug Blocks: 972990
Attachments:
  Patch (flags: none)
  escape-CVE-2013-2161.patch (flags: none)

Description Garth Mollett 2013-06-11 02:26:24 UTC
Alex Gaynor from Rackspace reported a vulnerability in XML handling
within Swift account servers. Account strings were unescaped in xml
listings, and an attacker could potentially generate unparsable or
arbitrary XML responses which may be used to leverage other
vulnerabilities in the calling software.
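The bug class in the description above, as an added illustration (constructed code, not Swift's own): a listing generator that interpolates account and container names straight into XML next to one that escapes them, plus a small parser showing that crafted names make the unescaped output malformed or structurally different. The names `listing_unescaped`, `listing_escaped`, `parse_listing` and the sample names are assumptions for this example.

```python
"""Illustration of the CVE-2013-2161 bug class (added example, not Swift's code):
user-controlled names interpolated into an XML listing without escaping."""
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Constructed sample: container names a tenant could legitimately create.
SAMPLE_NAMES = ["photos", "a&b", 'x<y>"z"']


def listing_unescaped(account, names):
    """Vulnerable pattern: raw string formatting into XML text and attributes."""
    items = "".join("<container><name>%s</name></container>" % n for n in names)
    return '<account name="%s">%s</account>' % (account, items)


def listing_escaped(account, names):
    """Hardened pattern: escape element text and quote attribute values."""
    items = "".join("<container><name>%s</name></container>" % escape(n) for n in names)
    return "<account name=%s>%s</account>" % (quoteattr(account), items)


def parse_listing(xml_text):
    """Return (account, [names]) if the document parses, or None when malformed.

    A client consuming the listing sees either a parse failure (denial of
    service for that caller) or, for names that close and reopen elements,
    a structure the server never intended to emit.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.get("name"), [c.findtext("name") for c in root.findall("container")]


if __name__ == "__main__":
    print(parse_listing(listing_unescaped("acct", SAMPLE_NAMES)))  # None: "&b" is not a valid entity
    print(parse_listing(listing_escaped("acct", SAMPLE_NAMES)))    # ('acct', SAMPLE_NAMES)
```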

Comment 2 Garth Mollett 2013-06-11 02:39:24 UTC
Created attachment 759406 [details]
Patch

Comment 7 Kurt Seifried 2013-06-11 18:12:16 UTC
Proposed public disclosure date/time:
Thursday, June 13, 2013, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Comment 10 Garth Mollett 2013-06-11 23:45:33 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact in OpenStack Essex (1.0) and OpenStack Folsom (2.1). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 12 Kurt Seifried 2013-06-12 17:12:01 UTC
Created attachment 760270 [details]
escape-CVE-2013-2161.patch

Comment 17 Jan Lieskovsky 2013-06-17 09:05:47 UTC
This issue affects the versions of the openstack-swift package as shipped with Fedora releases 17 and 18, and with Fedora EPEL-6. Please schedule an update.

Comment 18 Jan Lieskovsky 2013-06-17 09:07:08 UTC
Created openstack-swift tracking bugs for this issue

Affects: fedora-all [bug 974954]
Affects: epel-6 [bug 974956]

Comment 19 Murray McAllister 2013-06-25 03:22:14 UTC
Acknowledgements:

Red Hat would like to thank Alex Gaynor from Rackspace for reporting this issue.

Comment 20 errata-xmlrpc 2013-06-27 16:49:37 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0993 https://rhn.redhat.com/errata/RHSA-2013-0993.html