authorMatthew Thode <prometheanfire@gentoo.org>2014-07-17 07:06:48 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-07-17 07:06:48 +0000
commitacdf192fe387bd51d9cef497d8d7de9141018863 (patch)
treee9aca042dbd6810f648ecaf7b38c9ad2a04b0c90
parentfollow-up with bug 506390, c5, thanks SN (Enlik) (diff)
Fix for nova 2014.1.1, CVE-2014-3517.
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
-rw-r--r--sys-cluster/nova/ChangeLog9
-rw-r--r--sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch100
-rw-r--r--sys-cluster/nova/nova-2014.1.1-r1.ebuild (renamed from sys-cluster/nova/nova-2014.1.1.ebuild)3
3 files changed, 110 insertions, 2 deletions
diff --git a/sys-cluster/nova/ChangeLog b/sys-cluster/nova/ChangeLog
index 22269695f49b..10f8d9a28b73 100644
--- a/sys-cluster/nova/ChangeLog
+++ b/sys-cluster/nova/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-cluster/nova
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.69 2014/07/06 12:57:19 mgorny Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/ChangeLog,v 1.70 2014/07/17 07:06:48 prometheanfire Exp $
+
+*nova-2014.1.1-r1 (17 Jul 2014)
+
+ 17 Jul 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/nova-2014.1.1-CVE-2014-3517.patch, +nova-2014.1.1-r1.ebuild,
+ -nova-2014.1.1.ebuild:
+ fix for nova 2014.1.1 CVE-2014-3517, we good yo
06 Jul 2014; Michał Górny <mgorny@gentoo.org> nova-2014.1.1.ebuild,
nova-2014.1.9999.ebuild, nova-9999.ebuild:
diff --git a/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch b/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch
new file mode 100644
index 000000000000..cc4f2911c2d2
--- /dev/null
+++ b/sys-cluster/nova/files/nova-2014.1.1-CVE-2014-3517.patch
@@ -0,0 +1,100 @@
+From 3dd2cb0452b63d5de04606d79bbbf41a4e50a42a Mon Sep 17 00:00:00 2001
+From: Grant Murphy <gmurphy@redhat.com>
+Date: Tue, 8 Jul 2014 03:35:40 +0000
+Subject: [PATCH 1/1] Avoid possible timing attack in metadata api
+
+Introduce a constant time comparison function to
+nova utils for comparing authentication tokens.
+Original code taken from:
+
+https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/memcache_crypt.py#L86
+
+Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
+Closes-bug: #1325128
+---
+ nova/api/metadata/handler.py | 3 ++-
+ nova/tests/test_utils.py | 7 +++++++
+ nova/utils.py | 27 +++++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index a14db67..be866ef 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
+@@ -30,6 +30,7 @@ from nova import exception
+ from nova.openstack.common.gettextutils import _
+ from nova.openstack.common import log as logging
+ from nova.openstack.common import memorycache
++from nova import utils
+ from nova import wsgi
+
+ CACHE_EXPIRATION = 15 # in seconds
+@@ -169,7 +170,7 @@ class MetadataRequestHandler(wsgi.Application):
+ instance_id,
+ hashlib.sha256).hexdigest()
+
+- if expected_signature != signature:
++ if not utils.constant_time_compare(expected_signature, signature):
+ if instance_id:
+ LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
+ 'match the expected value: %(expected_signature)s '
+diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
+index 59d08fd..c2969a6 100644
+--- a/nova/tests/test_utils.py
++++ b/nova/tests/test_utils.py
+@@ -979,3 +979,10 @@ class VersionTestCase(test.NoDBTestCase):
+
+ def test_convert_version_to_tuple(self):
+ self.assertEqual(utils.convert_version_to_tuple('6.7.0'), (6, 7, 0))
++
++
++class ConstantTimeCompareTestCase(test.NoDBTestCase):
++ def test_constant_time_compare(self):
++ self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
++ self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
++ self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
+diff --git a/nova/utils.py b/nova/utils.py
+index 0c3ee94..7dfa0cc 100644
+--- a/nova/utils.py
++++ b/nova/utils.py
+@@ -21,6 +21,7 @@ import contextlib
+ import datetime
+ import functools
+ import hashlib
++import hmac
+ import inspect
+ import multiprocessing
+ import os
+@@ -1170,3 +1171,29 @@ def cpu_count():
+ return multiprocessing.cpu_count()
+ except NotImplementedError:
+ return 1
++
++
++# NOTE(gm) Constant time comparison taken from keystone. This is a
++# candidate for inclusion in oslo.
++#
++# Original code: master/keystoneclient/middleware/memcache_crypt.py#L86
++if sys.version_info >= (3, 3):
++ constant_time_compare = hmac.compare_digest
++else:
++ def constant_time_compare(first, second):
++ """Returns True if both string inputs are equal, otherwise False.
++
++ This function should take a constant amount of time regardless of
++ how many characters in the strings match.
++
++ """
++ if len(first) != len(second):
++ return False
++ result = 0
++ if six.PY3 and isinstance(first, bytes) and isinstance(second, bytes):
++ for x, y in zip(first, second):
++ result |= x ^ y
++ else:
++ for x, y in zip(first, second):
++ result |= ord(x) ^ ord(y)
++ return result == 0
+--
+1.9.3
+
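Review bot: The third assertion in `ConstantTimeCompareTestCase` never reaches the XOR loop: `"ABCD234"` is seven characters against eight, so it is rejected by the length check exactly like the preceding `"a"` case, and an implementation that returned True for every equal-length pair would still pass; use an equal-length mismatch such as `self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD1234"))`. In the handler hunk the new call changes failure mode for a missing header: the old `expected_signature != signature` fell through to the warning/403 path when `signature` was `None`, whereas both the fallback (`len(None)`) and `hmac.compare_digest` raise `TypeError`; if `X-Instance-ID-Signature` is optional where it is read (outside this hunk), guard it first, e.g. `if signature is None or not utils.constant_time_compare(expected_signature, signature):`. Since the ebuild only targets python2_7 and `hmac.compare_digest` exists there from 2.7.7 onward, gating on `hasattr(hmac, 'compare_digest')` rather than `sys.version_info >= (3, 3)` would use the C implementation on the interpreter this package actually runs on instead of the pure-Python loop. The early return on unequal lengths leaks only the length of the expected value, which is the fixed 64-character sha256 hex digest, so that is acceptable; separately, the unchanged `LOG.warn` context still writes `expected_signature` — the valid HMAC for that instance id — into the log, which is worth a follow-up.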
diff --git a/sys-cluster/nova/nova-2014.1.1.ebuild b/sys-cluster/nova/nova-2014.1.1-r1.ebuild
index 3744a9d74e43..af9e3180e57d 100644
--- a/sys-cluster/nova/nova-2014.1.1.ebuild
+++ b/sys-cluster/nova/nova-2014.1.1-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1.ebuild,v 1.2 2014/07/06 12:57:19 mgorny Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1-r1.ebuild,v 1.1 2014/07/17 07:06:48 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -75,6 +75,7 @@ RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
app-emulation/xen-tools )"
PATCHES=(
+ "${FILESDIR}/nova-2014.1.1-CVE-2014-3517.patch"
)
pkg_setup() {