[Openstack-devel] Bug#715551: pu: package python-keystoneclient/2012.1-3+deb7u1

Julien Cristau julien.cristau at logilab.fr
Wed Jul 10 12:00:33 UTC 2013


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-keystoneclient at packages.debian.org

Hi,

I'd like to get a fix for CVE-2013-2013 in wheezy.  It's marked no-dsa
in the security tracker.  debdiff follows, pending dch -r -D wheezy.

diff -Nru python-keystoneclient-2012.1/debian/changelog python-keystoneclient-2012.1/debian/changelog
--- python-keystoneclient-2012.1/debian/changelog	2012-06-06 17:20:31.000000000 +0200
+++ python-keystoneclient-2012.1/debian/changelog	2013-07-10 13:49:04.000000000 +0200
@@ -1,3 +1,9 @@
+python-keystoneclient (2012.1-3+deb7u1) UNRELEASED; urgency=low
+
+  * CVE-2013-2013: OpenStack keystone password disclosure on command line
+
+ -- Julien Cristau <julien.cristau at logilab.fr>  Fri, 14 Jun 2013 13:27:44 +0200
+
 python-keystoneclient (2012.1-3) unstable; urgency=low
 
   [Ghe Rivero]
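Review bot: the changelog entry names only the CVE; since the patch makes `--pass` optional and adds an interactive prompt to `keystone user-password-update`, say so in the entry so stable users see the behaviour change, and reference the upstream commit (f2e0818bc97bfbeba83f6abbb07909a8debcad77) or its Change-Id for traceability. `UNRELEASED` is fine for now given the pending `dch -r -D wheezy` step mentioned above.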
diff -Nru python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch
--- python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch	2013-07-10 13:49:04.000000000 +0200
@@ -0,0 +1,85 @@
+From f2e0818bc97bfbeba83f6abbb07909a8debcad77 Mon Sep 17 00:00:00 2001
+From: Pradeep Kilambi <pkilambi at cisco.com>
+Date: Thu, 9 May 2013 09:29:02 -0700
+Subject: [PATCH] Allow secure user password update.
+
+This patch allows the ability for user password to be updated via
+a command prompt so the password doesnt show up in the bash history.
+The prompted password is asked twice to verify the match.
+If user cntl-D's the prompt a message appears suggesting user to use
+either of the options to update the password.
+
+Fixes: bug#938315
+
+Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
+---
+ keystoneclient/utils.py      |   23 ++++++++++++++++++++++-
+ keystoneclient/v2_0/shell.py |   10 ++++++++--
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+Index: python-keystoneclient/keystoneclient/utils.py
+===================================================================
+--- python-keystoneclient.orig/keystoneclient/utils.py
++++ python-keystoneclient/keystoneclient/utils.py
+@@ -1,3 +1,5 @@
++import getpass
++import sys
+ import uuid
+ 
+ import prettytable
+@@ -95,3 +97,22 @@ def string_to_bool(arg):
+         return arg
+ 
+     return arg.strip().lower() in ('t', 'true', 'yes', '1')
++
++
++def prompt_for_password():
++    """
++     Prompt user for password if not provided so the password
++     doesn't show up in the bash history.
++    """
++    if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()):
++        # nothing to do
++        return
++
++    while True:
++        try:
++            new_passwd = getpass.getpass('New Password: ')
++            rep_passwd = getpass.getpass('Repeat New Password: ')
++            if new_passwd == rep_passwd:
++                return new_passwd
++        except EOFError:
++            return
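Review bot: `prompt_for_password` gives no feedback when the two entries differ, so the `while True` loop silently re-prompts; print a short "Passwords do not match" notice before looping. It also accepts an empty password (two empty entries compare equal and return `''`), which the caller then passes straight to `update_password` because the `is None` check does not catch it; consider re-prompting on empty input. The non-tty branch's bare `return` yields `None` implicitly, which the caller relies on, so an explicit `return None` would make the contract clearer. Minor: the docstring body is indented one space more than the opening quotes.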
+Index: python-keystoneclient/keystoneclient/v2_0/shell.py
+===================================================================
+--- python-keystoneclient.orig/keystoneclient/v2_0/shell.py
++++ python-keystoneclient/keystoneclient/v2_0/shell.py
+@@ -15,6 +15,8 @@
+ #    License for the specific language governing permissions and limitations
+ #    under the License.
+ 
++import sys
++
+ from keystoneclient.v2_0 import client
+ from keystoneclient import utils
+ 
+@@ -82,12 +84,17 @@ def do_user_update(kc, args):
+         print 'Unable to update user: %s' % e
+ 
+ 
+- at utils.arg('--pass', metavar='<password>', dest='passwd', required=True,
++ at utils.arg('--pass', metavar='<password>', dest='passwd', required=False,
+            help='Desired new password')
+ @utils.arg('id', metavar='<user-id>', help='User ID to update')
+ def do_user_password_update(kc, args):
+     """Update user password"""
+-    kc.users.update_password(args.id, args.passwd)
++    new_passwd = args.passwd or utils.prompt_for_password()
++    if new_passwd is None:
++        msg = ("\nPlease specify password using the --pass option "
++               "or using the prompt")
++        sys.exit(msg)
++    kc.users.update_password(args.id, new_passwd)
+ 
+ 
+ @utils.arg('id', metavar='<user-id>', help='User ID to delete')
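Review bot: `args.passwd or utils.prompt_for_password()` treats an explicit `--pass ''` as absent and drops into the prompt, while the `is None` check two lines later distinguishes `None` from `''`; test `args.passwd is None` instead so both conditions agree. `sys.exit(msg)` with a string argument prints the message to stderr and exits with status 1, which is the intended non-zero exit but worth a one-line comment since it reads like a plain message. Also, `--pass` still accepts the password on the command line, so the shell-history exposure the CVE describes remains whenever the option is used; the help text could state that omitting `--pass` prompts for the password instead.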
diff -Nru python-keystoneclient-2012.1/debian/patches/series python-keystoneclient-2012.1/debian/patches/series
--- python-keystoneclient-2012.1/debian/patches/series	2012-06-06 17:20:31.000000000 +0200
+++ python-keystoneclient-2012.1/debian/patches/series	2013-07-10 13:49:04.000000000 +0200
@@ -1 +1,2 @@
 prettytable
+CVE-2013-2013.patch

Cheers,
Julien
-- 
Julien Cristau          <julien.cristau at logilab.fr>
Logilab		        http://www.logilab.fr/
Informatique scientifique & gestion de connaissances


