authorMatthew Thode <prometheanfire@gentoo.org>2014-02-13 04:36:33 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-02-13 04:36:33 +0000
commit051385d0a692a6ad30f6e34a499f518d1cb941ce (patch)
treefc1c4460f3d201e6d27549beeeccd8da2feee366 /app-admin/glance
parentAutomated update. (diff)
fix for CVE-2014-1948
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'app-admin/glance')
-rw-r--r--app-admin/glance/ChangeLog9
-rw-r--r--app-admin/glance/files/havana-1-CVE-2014-1948.patch33
-rw-r--r--app-admin/glance/glance-2013.2.1-r1.ebuild (renamed from app-admin/glance/glance-2013.2.1.ebuild)5
3 files changed, 44 insertions, 3 deletions
diff --git a/app-admin/glance/ChangeLog b/app-admin/glance/ChangeLog
index 6cbb2f47222d..01b1e82ac5e0 100644
--- a/app-admin/glance/ChangeLog
+++ b/app-admin/glance/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for app-admin/glance
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/ChangeLog,v 1.29 2014/01/08 06:44:09 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/ChangeLog,v 1.30 2014/02/13 04:36:33 prometheanfire Exp $
+
+*glance-2013.2.1-r1 (13 Feb 2014)
+
+ 13 Feb 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/havana-1-CVE-2014-1948.patch, +glance-2013.2.1-r1.ebuild,
+ -glance-2013.2.1.ebuild:
+ fix for CVE-2014-1948
08 Jan 2014; Mike Frysinger <vapier@gentoo.org> glance-2013.2.1.ebuild,
glance-2013.2.9999.ebuild:
diff --git a/app-admin/glance/files/havana-1-CVE-2014-1948.patch b/app-admin/glance/files/havana-1-CVE-2014-1948.patch
new file mode 100644
index 000000000000..78f19a01cce2
--- /dev/null
+++ b/app-admin/glance/files/havana-1-CVE-2014-1948.patch
@@ -0,0 +1,33 @@
+From 108f0e04ad2ed3dc287f1b71b987a7e9d66072ba Mon Sep 17 00:00:00 2001
+From: Nikhil Komawar <nikhil.komawar@rackspace.com>
+Date: Wed, 05 Feb 2014 23:39:53 +0000
+Subject: Removes logging of location uri
+
+This patch removes logging of sensitive store location uri, which
+is logged when an exception occurs while trying to get the object
+from the store or due to a failure in getting the store api due to
+unauthorized context.
+
+fixes bug 1275062
+
+Change-Id: I679baa0897f242f4b8372c9c1c7ab28ae811f5e5
+---
+diff --git a/glance/store/__init__.py b/glance/store/__init__.py
+index b16fc5b..fa80b15 100644
+--- a/glance/store/__init__.py
++++ b/glance/store/__init__.py
+@@ -658,9 +658,9 @@ class ImageProxy(glance.domain.proxy.Image):
+
+ return data
+ except Exception as e:
+- LOG.warn(_('Get image %(id)s data from %(loc)s '
+- 'failed: %(err)s.') % {'id': self.image.image_id,
+- 'loc': loc, 'err': e})
++ LOG.warn(_('Get image %(id)s data failed: '
++ '%(err)s.') % {'id': self.image.image_id,
++ 'err': e})
+ err = e
+ # tried all locations
+ LOG.error(_('Glance tried all locations to get data for image %s '
+--
+cgit v0.9.2
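Review bot: The rewritten warning still interpolates the exception itself (`'err': e`), so dropping `loc` only closes the leak if no store driver puts the location URI into its exception text; that is not visible in this hunk and should be confirmed against the backends' exception messages. If any driver does, logging only the exception class at WARNING (`'err': e.__class__.__name__`) would keep the URI and its credentials out of the log. The patch description also names a second path (failure to get the store API for an unauthorized context), but only this one `LOG.warn` call is changed, so it is worth checking whether another call in this branch still logs `loc`. The enclosing `ImageProxy` method starts and ends outside the hunk, including the `LOG.error` call whose arguments are cut off.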
diff --git a/app-admin/glance/glance-2013.2.1.ebuild b/app-admin/glance/glance-2013.2.1-r1.ebuild
index 13e9c416a746..ad530e30be6f 100644
--- a/app-admin/glance/glance-2013.2.1.ebuild
+++ b/app-admin/glance/glance-2013.2.1-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/glance-2013.2.1.ebuild,v 1.2 2014/01/08 06:44:09 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/glance/glance-2013.2.1-r1.ebuild,v 1.1 2014/02/13 04:36:33 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -85,7 +85,8 @@ RDEPEND=">=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
dev-python/pyopenssl[${PYTHON_USEDEP}]
>=dev-python/six-1.4.1[${PYTHON_USEDEP}]"
-PATCHES=( "${FILESDIR}"/${PN}-2013.2-sphinx_mapping.patch )
+PATCHES=( "${FILESDIR}/${PN}-2013.2-sphinx_mapping.patch"
+ "${FILESDIR}/havana-1-CVE-2014-1948.patch" )
pkg_setup() {
enewgroup glance