Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 473494 (CVE-2013-2161)

Summary: <sys-cluster/swift-1.7.6-r3: Unchecked user input in Swift XML responses (CVE-2013-2161)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: prometheanfire
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/06/13/4
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-06-16 13:38:50 UTC
From ${URL} :

OpenStack Security Advisory: 2013-016
CVE: CVE-2013-2161
Date: June 13, 2013
Title: Unchecked user input in Swift XML responses
Reporter: Alex Gaynor (Rackspace)
Products: Swift
Affects: All versions

Description:
Alex Gaynor from Rackspace reported a vulnerability in XML handling
within Swift account servers. Account strings were unescaped in XML
listings, and an attacker could potentially generate unparsable or
arbitrary XML responses which may be used to leverage other
vulnerabilities in the calling software.

Havana (development branch) fix:
https://review.openstack.org/32905

Grizzly fix:
https://review.openstack.org/32909

Folsom fix:
https://review.openstack.org/32911

Notes:
This fix will be included in the next release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161
https://bugs.launchpad.net/swift/+bug/1183884



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-16 13:55:55 UTC
already fixed
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-24 20:07:42 UTC
Is there anything to do here?  I don't think this bug should be open, but since I'm not on the sec team I don't want to close this myself...
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-06-26 21:17:26 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #2)
> Is there anything to do here?  

Yes, fill in the rest of the bug report. 

> I don't think this bug should be open, 

Not anymore.

> but since I'm not on the sec team I don't want to close this myself...

We don't mind the help :D


Closing noglsa for ~arch only.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 03:15:00 UTC
CVE-2013-2161 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2161):
  XML injection vulnerability in account/utils.py in OpenStack Swift Folsom,
  Grizzly, and Havana allows attackers to trigger invalid or spoofed Swift
  responses via an account name.