From fd1371e01ea808309b76a72cc9a161c72e148279 Mon Sep 17 00:00:00 2001
From: Amy Fong
Date: Wed, 7 May 2014 14:20:09 -0400
Subject: CVE-2014-0006 Openstack Swift: TempURL timing attack
The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack.
Signed-off-by: Amy Fong
Signed-off-by: Bruce Ashfield
---
 .../python-swift/CVE-2014-0006-swift-1265665.patch | 59 ++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 meta-openstack/recipes-devtools/python/python-swift/CVE-2014-0006-swift-1265665.patch
(limited to 'meta-openstack/recipes-devtools/python/python-swift')
diff --git a/meta-openstack/recipes-devtools/python/python-swift/CVE-2014-0006-swift-1265665.patch b/meta-openstack/recipes-devtools/python/python-swift/CVE-2014-0006-swift-1265665.patch
new file mode 100644
index 0000000..a284b5b
--- /dev/null
+++ b/meta-openstack/recipes-devtools/python/python-swift/CVE-2014-0006-swift-1265665.patch
@@ -0,0 +1,59 @@
+From b2c61375b3255486adb2900922a894dc7dad3c6d Mon Sep 17 00:00:00 2001
+From: Samuel Merritt
+Date: Thu, 16 Jan 2014 13:44:23 +0100
+Subject: Use constant time comparison in tempURL
+
+Use constant time comparison when evaluating tempURL to avoid timing
+attacks (CVE-2014-0006). This is the havana backport of the master
+patch.
+
+Fixes bug 1265665
+
+Change-Id: I11e4ad83cc4077e52adf54a0bd0f9749294b2a48
+
+diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
+index ffc1431..ae2f4a1 100644
+--- a/swift/common/middleware/tempurl.py
++++ b/swift/common/middleware/tempurl.py
+@@ -98,7 +98,7 @@ from urlparse import parse_qs
+ 
+ from swift.proxy.controllers.base import get_account_info
+ from swift.common.swob import HeaderKeyDict
+-from swift.common.utils import split_path
++from swift.common.utils import split_path, streq_const_time
+ 
+ 
+ #: Default headers to remove from incoming requests. Simply a whitespace
+@@ -267,17 +267,20 @@ class TempURL(object):
+ if not keys:
+ return self._invalid(env, start_response)
+ if env['REQUEST_METHOD'] == 'HEAD':
+- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
+- request_method='GET')
+- if temp_url_sig not in hmac_vals:
+- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
+- request_method='PUT')
+- if temp_url_sig not in hmac_vals:
+- return self._invalid(env, start_response)
++ hmac_vals = (self._get_hmacs(env, temp_url_expires, keys,
++ request_method='GET') +
++ self._get_hmacs(env, temp_url_expires, keys,
++ request_method='PUT'))
+ else:
+ hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
+- if temp_url_sig not in hmac_vals:
+- return self._invalid(env, start_response)
++
++ # While it's true that any() will short-circuit, this doesn't affect
++ # the timing-attack resistance since the only way this will
++ # short-circuit is when a valid signature is passed in.
++ is_valid_hmac = any(streq_const_time(temp_url_sig, h)
++ for h in hmac_vals)
++ if not is_valid_hmac:
++ return self._invalid(env, start_response)
+ self._clean_incoming_headers(env)
+ env['swift.authorize'] = lambda req: None
+ env['swift.authorize_override'] = True
+-- 
+cgit v0.10.1
+
-- 
cgit v1.2.3-54-g00ecf
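Review bot: The backported hunk imports `streq_const_time` (the `++from swift.common.utils import split_path, streq_const_time` line) but nothing in this patch adds that helper to `swift/common/utils.py`, so the fix only works if the Swift version the python-swift recipe pins already ships it; the advisory covers releases back to 1.4.6, so the pinned version should be checked before relying on this backport, otherwise `tempurl` fails at import time and the proxy pipeline will not start. This view is limited to the python-swift directory, so I cannot see whether the recipe's `SRC_URI` was updated in the same commit; the patch is inert until it is listed there, e.g. `SRC_URI += "file://CVE-2014-0006-swift-1265665.patch"`. The patch file carries no `Upstream-Status:` header, which the OpenEmbedded patch convention expects; adding `Upstream-Status: Backport` above the `Change-Id:` line tells the next person who bumps the recipe version that this can be dropped once the pinned Swift release includes the upstream fix.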