Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 466500 (CVE-2013-1977) - <sys-auth/keystone-{2012.2.4-r3,2013.1.1}: Insecure management of LDAP and admin_token configuration file values (CVE-2013-1977)
Summary: <sys-auth/keystone-{2012.2.4-r3,2013.1.1}: Insecure management of LDAP and ad...
Status: RESOLVED FIXED
Alias: CVE-2013-1977
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-19 19:34 UTC by Agostino Sarubbo
Modified: 2013-10-02 22:04 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-19 19:34:46 UTC 
From ${URL} :

A security flaw was found in the way Openstack Keystone (previously) performed management of LDAP 
password and admin_token Keystone daemon configuration file values. A local attacker could use this 
flaw to obtain sensitive information.

References:
[1] https://bugs.launchpad.net/keystone/+bug/1168252
[2] http://www.openwall.com/lists/oss-security/2013/04/19/2

Relevant upstream patch (Gerrit form):
[3] https://review.openstack.org/#/c/26826/
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-04-19 19:54:25 UTC 
Patch has not been approved yet.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-17 15:35:03 UTC 
fix released for folsom and grizzly, offending ebuilds removed from tree.

fixed in keystone-2012.2.4-r3.ebuild and keystone-2013.1.1.ebuild
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 03:16:20 UTC 
CVE-2013-1977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1977):
  OpenStack devstack uses world-readable permissions for keystone.conf, which
  allows local users to obtain sensitive information such as the LDAP password
  and admin_token secret by reading the file.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-02 03:55:37 UTC 
We're done here.