authorMatt Thode <prometheanfire@gentoo.org>2013-05-24 14:54:28 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-05-24 14:54:28 +0000
commit80233c860dd2b771a3d5db5f65bc04318067645a (patch)
tree86dbd9a28a6c59e1a9f8f051b432314e23a85a38 /dev-python/python-keystoneclient
parentkeystoneclient fix for upstream bug https://bugs.launchpad.net/opensuse/+bug/... (diff)
keystoneclient fix for CVE-2013-2030
Package-Manager: portage-2.1.11.62/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'dev-python/python-keystoneclient')
-rw-r--r--dev-python/python-keystoneclient/ChangeLog9
-rw-r--r--dev-python/python-keystoneclient/Manifest31
-rw-r--r--dev-python/python-keystoneclient/files/0.2.3-CVE-2013-2030.patch49
-rw-r--r--dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r2.ebuild (renamed from dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r1.ebuild)3
4 files changed, 75 insertions, 17 deletions
diff --git a/dev-python/python-keystoneclient/ChangeLog b/dev-python/python-keystoneclient/ChangeLog
index 6de6bfe16134..15ddf641a671 100644
--- a/dev-python/python-keystoneclient/ChangeLog
+++ b/dev-python/python-keystoneclient/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for dev-python/python-keystoneclient
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-python/python-keystoneclient/ChangeLog,v 1.8 2013/05/24 14:46:37 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-python/python-keystoneclient/ChangeLog,v 1.9 2013/05/24 14:54:20 prometheanfire Exp $
+
+*python-keystoneclient-0.2.3-r2 (24 May 2013)
+
+ 24 May 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/0.2.3-CVE-2013-2030.patch, +python-keystoneclient-0.2.3-r2.ebuild,
+ -python-keystoneclient-0.2.3-r1.ebuild:
+ keystoneclient fix for CVE-2013-2030
*python-keystoneclient-0.2.3-r1 (24 May 2013)
diff --git a/dev-python/python-keystoneclient/Manifest b/dev-python/python-keystoneclient/Manifest
index ac79663037fb..c4b3bd758d2d 100644
--- a/dev-python/python-keystoneclient/Manifest
+++ b/dev-python/python-keystoneclient/Manifest
@@ -2,26 +2,27 @@
Hash: SHA256
AUX 0.2.3-CVE-2013-2013.patch 2927 SHA256 19a61c7453d1231bf2b90be2a95f3fe1c8fc65e381f52dc2c031a292bd9acf8e SHA512 573164b9d74e68c09052f4caf6b992c50b2410227ed299bc4248fb57acd4eb3086fe2c84c54d4739532ebb7a45567a50c9a43a414c0c4968494a76c77a1afed0 WHIRLPOOL ea78428bc2617492f00da08a0c9d5983f45534ad758f2d30e12c1530406866485dd4d880561980cfe9d6b80dda70eef7435f915cd1f65eab13a8f75968ad56a6
+AUX 0.2.3-CVE-2013-2030.patch 2267 SHA256 c2b9746339e1efef55fc768c36a9fb330165fcf0b2cc4f7568aa638e89f972f1 SHA512 e3f56d039449360196a5550f1a0a8db6e5373c30797842c996f71b1eaa620489fdd5b2681b8c940879c42fdcf2219eabaff8944dd42d7a3916102cc70004644c WHIRLPOOL 0a5cfeb10a4e520d6fab23a23637e2c13d598819643e1ba433487ad3aacc9eabb4dbc11e310ec68397e86077f007465701a122c2df301e68501961571ff35786
AUX 0.2.3-upstream-1181157.patch 1732 SHA256 641d410662ae3259f8ed2772f39c29666f564eb7091f39b7d22522d42ce69c50 SHA512 d2f1bbfd96fec0542e8b1fea87f16288033de117df2ae45e2f19d1be7afe808f174ce527854ff1936f963e54895c5bc3e735e260c0acff7d3e8d61f471295ede WHIRLPOOL bc2e2eccb81dcbe542ea892bfa2a0ae84736d5e07f2a6f265c284799ee5eee3993c168e2e45e06563ac6c78abed1d41c9a19707676fe92943d6a745a81d84a71
DIST python-keystoneclient-0.2.3.tar.gz 196250 SHA256 10b98946aaa98e97f032ca44848a5d84bc61d6f0b4186c635704087e72c08818 SHA512 d8a9dea1da767caf19c37fdc93c80959a83e78e8b0954b54edcffeebc4ca0bd60cc2ef716e3e4f173782d2a9bd1001825c8adab801e9dba6d3eb90c5f24f77ee WHIRLPOOL 68a5d6c640ad214924fbbad36d16cd613fe576be77d52a2a9d69346f7c9a2d7449437c53d992562233b2fda6c3c4b4c453611f7edf86c4808fbbafd02ba12e2c
-EBUILD python-keystoneclient-0.2.3-r1.ebuild 1735 SHA256 4c08cbddfa6f88cf7812fe3dfba86c7fe8bdea4554dc48f2dc1ab1220d485a8c SHA512 96988b31e57ea6e8b8dff75c0ffb378fdc7dc16ee31441d94c0609141954295a67b9ecd0a36880907225dae036d60caa5704a82462f8c56c1434cbe64167978c WHIRLPOOL e8a242d9a9d6cf234924ed7822cb5989a3980a9c969250d4b25cea18c0f969946c7ddf875992c86f9bc5e9dd36beaabecdcac74f9c3ffec90d2db5930c471bed
+EBUILD python-keystoneclient-0.2.3-r2.ebuild 1776 SHA256 f999042803ee048d29f2af325d1c9265b3e79936cb349487cce8fee76f0d230b SHA512 56e3ccb61743db0bef8dc6a7c2f91ecb0c779eccc965431b59dfaa89d54cd89135befffc1a41be4fc6e86696c55f41b356379260ee80d6437b95442e7e3eeeb0 WHIRLPOOL 1a16c5f647c04885ea9b55ac45b15a08c5d3e6dcf3822de51bd3aac016e8f3e66e0e7dcef3dc4556615e7fa5849e2f5d4f9513d683dc73d7e20d2ee4eed3fa6a
EBUILD python-keystoneclient-9999.ebuild 1597 SHA256 0062df58f82beaaa54dd279e7a95ae8540c51cc1a2bb32e4621ae96cf2508216 SHA512 6de16b203f9cdf88cad8c8c19c99bfd1f243de807971ca2292437074b147f02476d526974cab64b8f881afb6e2c8f19938966f5322eed50b95c5a95de25461e0 WHIRLPOOL 8d26907ba7ac0e570a3fa245b8d2e04d5285c4ff02c2ecafd7fa9cf9cd4b3a6b938abfe9efb925e02b5733320a4cb05b2fb1aca005ca5ffd0f19ab4d19db58a4
-MISC ChangeLog 2304 SHA256 003d1f47dd3b6aa3972e3b28c53ff4a2d61ad14e21ef0fe06e0c7a26dc2dbdfa SHA512 ea626c34d08a9527093d0db2eda7db0ee3ec0f16e0e16072b1fe246558de5c2d6cb5c748e7773cb4a648038d3ede69c9b4d012ee1e7375eeff29b45211c9a47e WHIRLPOOL 606af12bebbc81389394e2c23ad895f9b984e4fc325cd9d88418a59899c836fceebbaf480492b4cfb308515441a1fe117ef7d2427cde0d276ade6b39bd88a03d
+MISC ChangeLog 2566 SHA256 566ff64f400f5493f0753ad5f91a528d34a993ed4c72e5c91b4da256b24aa00c SHA512 aaec7609e08661c8bd76d2f9e64cf337b11a9ba06f7b5fc3fefb03e2dedbad71e29d739bb3f944969192683609c5c26743789aefc780539d59b3de7a9c4d0654 WHIRLPOOL f7e53b9b1f2eab1c1b82bd37c4d13cad1fc41fe2af0df0ebe4a16125fa6778fcfe1795f944ad792d8f36e26a3b1bb9300661d2468d8d54e57a3451478b4dc39c
MISC metadata.xml 343 SHA256 716e96a66916d216f80e7ce0283db63bd6d18a95e2365d9d1a35964b2ef461f9 SHA512 fd28e5434f725af6a835205ae8cfae1354983f8e68f6c25f9a4f56ec17041ac9bb1a460ff8e82d0e165ab19c5b0f26e0f0c8c5124dfcc37723c786e12cd4d3bf WHIRLPOOL b486328b67aa7f6e4b68adc757bf5d3983077a894d7ded68be7723fe5655805324a73e5914fda0f81ae334e75db9557e2675a43e9437df633311590758466c5c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBCAAGBQJRn32bAAoJECRx6z5ArFrDQMYQAKVnrY0TkbRRV8G7RmwflONj
-67eC9ycGudkaZoWA1DT0YDQD0BfjWdohZl73jUWNwGiLZVgwHhGPGGB2bDO2D5IF
-oK9Zr+4H9tuGXqwuHT6Iy/Zzz/KoiD9ql3Wk/rSQtxym/HAMEBnUvsJzaRaSdKgi
-9zXDcwe59eRa6BDJtMMoMoQkVtAQTJL4xLrIiA3NWr+PNYKvbAx88tqDQgeFlg/e
-0UpIdurRi/9kPwfDTb9xqLFCBHX8WMHUjw6Eh+8/7VoBXHJ2O2w9bzRB2VC/djGv
-Ws2/t/0jdLOyjusXcMXr4IIsBjszI5AQihdCp44kJYDmDvp2JOak9JsbQgpoCajC
-rKwO5ag0YlpA2PJvodVVGH1UMjkYEnID9M7yHoa9UadGsuuvF1rovpPLClgbfZkY
-8Tya8JGWiPn924wwvYg6lB4QNYZFM67EzOj2KzovNPuufyxTCAcQ4zuqmXuPoz7t
-r2KKw+UfA2nCGrw0i8rxWpjZP49Nv7mI/i4CVNL2QT9GNbMc0or9bB4dCiI1Owaq
-9zSH+7wGUMYNu/6SZ4/vo218WPqC1HhkpQPWdCUMH3Em3SsPZlb6rxcYu9bESSGo
-8SJWtwbHUPDQ6y3c+wsxTbS76/i3/W0y5IEXb2jKLGsV3j3nMsI0ZMAhX8ND/FSF
-6Qk/giR44Jz06sebEHvW
-=MtwE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+=z4nI
-----END PGP SIGNATURE-----
diff --git a/dev-python/python-keystoneclient/files/0.2.3-CVE-2013-2030.patch b/dev-python/python-keystoneclient/files/0.2.3-CVE-2013-2030.patch
new file mode 100644
index 000000000000..a1248d7787af
--- /dev/null
+++ b/dev-python/python-keystoneclient/files/0.2.3-CVE-2013-2030.patch
@@ -0,0 +1,49 @@
+From 1736e2ffb12f70eeebed019448bc14def48aa036 Mon Sep 17 00:00:00 2001
+From: Dolph Mathews <dolph.mathews@gmail.com>
+Date: Wed, 8 May 2013 10:49:20 -0500
+Subject: [PATCH] Securely create signing_dir (bug 1174608)
+
+Also verifies the security of an existing signing_dir.
+
+Change-Id: I0685b4274a94ad3974a2b2a7ab3f45830d3934bb
+---
+ keystoneclient/middleware/auth_token.py | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
+index 0d0e124..e6cf99f 100644
+--- a/keystoneclient/middleware/auth_token.py
++++ b/keystoneclient/middleware/auth_token.py
+@@ -296,15 +296,20 @@ class AuthProtocol(object):
+ self.signing_dirname = self._conf_get('signing_dir')
+ self.LOG.info('Using %s as cache directory for signing certificate' %
+ self.signing_dirname)
+- if (os.path.exists(self.signing_dirname) and
+- not os.access(self.signing_dirname, os.W_OK)):
+- raise ConfigurationError("unable to access signing dir %s" %
+- self.signing_dirname)
+-
+- if not os.path.exists(self.signing_dirname):
+- os.makedirs(self.signing_dirname)
+- #will throw IOError if it cannot change permissions
+- os.chmod(self.signing_dirname, stat.S_IRWXU)
++ if os.path.exists(self.signing_dirname):
++ if not os.access(self.signing_dirname, os.W_OK):
++ raise ConfigurationError(
++ 'unable to access signing_dir %s' % self.signing_dirname)
++ if os.stat(self.signing_dirname).st_uid != os.getuid():
++ self.LOG.warning(
++ 'signing_dir is not owned by %s' % os.getlogin())
++ current_mode = stat.S_IMODE(os.stat(self.signing_dirname).st_mode)
++ if current_mode != stat.S_IRWXU:
++ self.LOG.warning(
++ 'signing_dir mode is %s instead of %s' %
++ (oct(current_mode), oct(stat.S_IRWXU)))
++ else:
++ os.makedirs(self.signing_dirname, stat.S_IRWXU)
+
+ val = '%s/signing_cert.pem' % self.signing_dirname
+ self.signing_cert_file_name = val
+--
+1.8.1.5
+
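Review bot: `os.getlogin()` in the ownership warning reads the login name of the controlling terminal, so in a daemon or WSGI worker without one it can raise OSError and turn what should be a log line into a failed middleware start; it also names the login user rather than the uid that was just compared. Logging the uid avoids both problems, e.g. `'signing_dir is not owned by uid %d' % os.getuid()`. Separately, the ownership and mode checks only warn, so an existing signing_dir that another local user owns or can write to is still used as the certificate cache. Raising `ConfigurationError` in those two branches, as the `os.W_OK` branch already does, would fail closed. The enclosing method of AuthProtocol starts and ends outside the hunk.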
diff --git a/dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r1.ebuild b/dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r2.ebuild
index 5675829a4e45..eead9059df1a 100644
--- a/dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r1.ebuild
+++ b/dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r1.ebuild,v 1.1 2013/05/24 14:46:37 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-python/python-keystoneclient/python-keystoneclient-0.2.3-r2.ebuild,v 1.1 2013/05/24 14:54:20 prometheanfire Exp $
EAPI=5
#restricted due to packages missing and bad depends in the test ==webob-1.0.8
@@ -45,6 +45,7 @@ RDEPEND="dev-python/iso8601[${PYTHON_USEDEP}]
PATCHES=(
"${FILESDIR}/0.2.3-CVE-2013-2013.patch"
"${FILESDIR}/0.2.3-upstream-1181157.patch"
+ "${FILESDIR}/0.2.3-CVE-2013-2030.patch"
)
python_test() {