Bug 454678 (CVE-2013-0212) - <app-admin/glance-2012.2.3: Password Disclosure (CVE-2013-0212)
Summary: <app-admin/glance-2012.2.3: Password Disclosure (CVE-2013-0212)
Status: RESOLVED FIXED
Alias: CVE-2013-0212
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/51957/
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2013-01-30 15:52 UTC by Agostino Sarubbo
Modified: 2013-03-04 23:13 UTC
See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-01-30 15:52:39 UTC
From $URL:

Description
A security issue has been reported in OpenStack Glance, which can be exploited by malicious users to disclose certain sensitive information.

The security issue is caused due to an error within the error reporting mechanism, which logs the operator's Swift credentials when accessing a non-existing or mis-configured endpoint. This can lead to the operator's Swift credentials being disclosed via error messages.

The security issue is reported in versions Folsom (2012.2) and Essex (2012.1).


Solution
Fixed in the GIT repository.
Further details available to Secunia VIM customers

Provided and/or discovered by
Dan Prince, Red Hat in a bug report.

Original Advisory
https://bugs.launchpad.net/glance/+bug/1098962
http://www.openwall.com/lists/oss-security/2013/01/29/10
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-01-30 16:04:14 UTC
Will be fixed once this is released. It is fixed in git head, so 9999 works.

https://launchpad.net/glance/+milestone/2012.2.3

bug glance side https://bugs.launchpad.net/glance/+bug/1098962
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-02-07 18:04:01 UTC
2012.2.1 out of tree and 2012.2.3 in tree (along with 9999). You should be good to close, methinks.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 20:06:15 UTC
Thanks, Matthew.

Closing noglsa for ~arch only.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:13:55 UTC
CVE-2013-0212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0212):
  store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, which allows remote authenticated users to obtain sensitive information by reading the error messages.
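The failure mode in the CVE text above is a store URI that carries the Swift user name and key and is interpolated unredacted into an error message. The following Python is an added example, not Glance's own code: it shows that error path beside a hardened form that strips the userinfo before the URI is logged, plus a scan that finds credential-bearing URIs already present in log lines. It assumes store URIs of the form swift://USER:KEY@AUTH_HOST/CONTAINER/OBJECT; the host, user, key and log lines are constructed placeholders.

```python
"""Added example (not Glance's own code): keep Swift store credentials out of
error messages and find any that already reached the logs.

Assumes store URIs of the form swift://USER:KEY@AUTH_HOST/CONTAINER/OBJECT;
all hosts, users, keys and log lines below are constructed placeholders."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URI; the key is a placeholder, not a real credential.
SAMPLE_URI = "swift://glance:S3cretKey@auth.example.invalid/glance/0123-image"


def redact_uri(uri: str) -> str:
    """Replace the userinfo part (USER:KEY) of a URI with '***'.

    URIs that carry no userinfo are returned unchanged, so the helper is safe
    to apply to every URI before it is logged."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri
    # rsplit keeps working even if the key itself contains an '@'
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, "***@" + host, parts.path,
                       parts.query, parts.fragment))


def unsafe_error_message(uri: str, exc: Exception) -> str:
    """The failure mode described in the CVE text: the raw store URI,
    credentials included, is interpolated into the error string and then
    logged or returned to the caller."""
    return f"Failed to reach Swift endpoint {uri}: {exc}"


def safe_error_message(uri: str, exc: Exception) -> str:
    """Hardened form: the URI is redacted before it is interpolated."""
    return f"Failed to reach Swift endpoint {redact_uri(uri)}: {exc}"


# scheme://USER:KEY@ anywhere in a line; userinfo may not contain whitespace,
# '/' or a second '@', which keeps plain host:port forms from matching
LEAK_RE = re.compile(r"\b[A-Za-z][A-Za-z0-9+.-]*://[^\s/@]+:[^\s/@]+@")


def find_credential_leaks(log_lines):
    """Scan log lines for URIs that embed credentials.

    Returns a list of (line_number, redacted_line) so the finding can be
    reported without copying the secret into yet another place."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        if LEAK_RE.search(line):
            redacted = LEAK_RE.sub(
                lambda m: m.group(0).split("://", 1)[0] + "://***@", line)
            hits.append((number, redacted))
    return hits


# Constructed log excerpt: line 2 is what the unredacted error path produces.
SAMPLE_LOG = [
    "2013-01-29 10:00:01 INFO glance.store.swift using swift store backend",
    "2013-01-29 10:00:02 ERROR glance.store.swift "
    + unsafe_error_message(SAMPLE_URI, ConnectionError("connection refused")),
    "2013-01-29 10:00:03 INFO glance.api.v1 GET /v1/images/0123-image 404",
]

if __name__ == "__main__":
    print(safe_error_message(SAMPLE_URI, ConnectionError("connection refused")))
    for number, line in find_credential_leaks(SAMPLE_LOG):
        print(f"credential leak on log line {number}: {line}")
```

Running the module prints the redacted error message and reports line 2 of the constructed log as a leak, with the key already replaced in the reported line. The redaction sits in one helper applied at the point of interpolation rather than in a log filter, because the same string is also what the API returns to the authenticated caller in the scenario the CVE describes.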