Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 469272 (CVE-2013-2030)

Summary: <sys-cluster/nova-{2013.1.2,2012.2.5}, <dev-python/python-keystoneclient-0.2.4: uses insecure keystone middleware tmpdir by default (CVE-2013-2030)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial CC: prometheanfire
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-05-10 09:15:10 UTC
From ${URL} :

OpenStack Security Advisory: 2013-010
CVE: CVE-2013-2030
Date: May 9, 2013
Title: Nova uses insecure keystone middleware tmpdir by default
Reporter: Grant Murphy (Red Hat), Anton Lundin
Products: Nova
Affects: Folsom, Grizzly

Grant Murphy from Red Hat and Anton Lundin both independently reported a
vulnerability in Nova's default location for the Keystone middleware
signing directory (signing_dir). By previously setting up a malicious
directory structure, an attacker with local shell access on the Nova
node could potentially issue forged tokens that would be accepted by the
middleware. Only setups that use the default value for signing_dir are
affected. Note that future versions of the Keystone middleware will
issue a warning if an insecure signing directory is used.

Havana (development branch) fix:

Grizzly fix:

Folsom fix:


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-08 21:26:24 UTC
Patch for "folsom" version 2012.2.5 available at [1]. Fixed in 2013 "grizzly" branch since 2013.1.2. Live ebuild is unaffected, of course. Note that python-keystoneclient is also affected by this, but 0.2.4 is the only version in tree and it has the fix.

Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-09 01:18:36 UTC
I'm already patching it in gentoo-x86/sys-cluster/nova/nova-2012.2.4-r3.ebuild
I'll package 2012.2.5, but you reference 2012.2.5-r1, where is that?

keystoneclient should be fixed though

can you confirm that nova still needs the fix?
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-09 01:42:59 UTC
Err, sorry, my bad, was thinking of 2012.2.5 and "add a patch to fix" and came up with 2012.2.5-r1 :) As best I can tell, yes, nova does need the fix, and there are no packaged releases for the 2012 branch with the fix, but the 2013 branch does have the fix applied.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-09 02:03:51 UTC
Well, the patch was already applied in 2012.2.4-r3. Nothing vulnerable in tree, no GLSA, closing.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-01-05 02:49:29 UTC
CVE-2013-2030 (
  keystone/middleware/ in OpenStack Nova Folsom, Grizzly, and
  Havana uses an insecure temporary directory for storing signing
  certificates, which allows local users to spoof servers by pre-creating this
  directory, which is reused by Nova, as demonstrated using
  /tmp/keystone-signing-nova on Fedora.