[Openstack-devel] Bug#715551: pu: package python-keystoneclient/2012.1-3+deb7u1
Julien Cristau
julien.cristau at logilab.fr
Wed Jul 10 12:00:33 UTC 2013
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-keystoneclient at packages.debian.org
Hi,
I'd like to get a fix for CVE-2013-2013 in wheezy. It's marked no-dsa
in the security tracker. debdiff follows, pending dch -r -D wheezy.
diff -Nru python-keystoneclient-2012.1/debian/changelog python-keystoneclient-2012.1/debian/changelog
--- python-keystoneclient-2012.1/debian/changelog 2012-06-06 17:20:31.000000000 +0200
+++ python-keystoneclient-2012.1/debian/changelog 2013-07-10 13:49:04.000000000 +0200
@@ -1,3 +1,9 @@
+python-keystoneclient (2012.1-3+deb7u1) UNRELEASED; urgency=low
+
+ * CVE-2013-2013: OpenStack keystone password disclosure on command line
+
+ -- Julien Cristau <julien.cristau at logilab.fr> Fri, 14 Jun 2013 13:27:44 +0200
+
python-keystoneclient (2012.1-3) unstable; urgency=low
[Ghe Rivero]
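Review bot: the distribution field still reads UNRELEASED; as the cover mail says, `dch -r -D wheezy` has to set it to wheezy before the upload, and the changelog entry would be more useful for the stable-update review if it named the upstream commit being backported (f2e0818bc97bfbeba83f6abbb07909a8debcad77) alongside the CVE id.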
diff -Nru python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch
--- python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-keystoneclient-2012.1/debian/patches/CVE-2013-2013.patch 2013-07-10 13:49:04.000000000 +0200
@@ -0,0 +1,85 @@
+From f2e0818bc97bfbeba83f6abbb07909a8debcad77 Mon Sep 17 00:00:00 2001
+From: Pradeep Kilambi <pkilambi at cisco.com>
+Date: Thu, 9 May 2013 09:29:02 -0700
+Subject: [PATCH] Allow secure user password update.
+
+This patch allows the ability for user password to be updated via
+a command prompt so the password doesnt show up in the bash history.
+The prompted password is asked twice to verify the match.
+If user cntl-D's the prompt a message appears suggesting user to use
+either of the options to update the password.
+
+Fixes: bug#938315
+
+Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39
+---
+ keystoneclient/utils.py | 23 ++++++++++++++++++++++-
+ keystoneclient/v2_0/shell.py | 10 ++++++++--
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+Index: python-keystoneclient/keystoneclient/utils.py
+===================================================================
+--- python-keystoneclient.orig/keystoneclient/utils.py
++++ python-keystoneclient/keystoneclient/utils.py
+@@ -1,3 +1,5 @@
++import getpass
++import sys
+ import uuid
+
+ import prettytable
+@@ -95,3 +97,22 @@ def string_to_bool(arg):
+ return arg
+
+ return arg.strip().lower() in ('t', 'true', 'yes', '1')
++
++
++def prompt_for_password():
++ """
++ Prompt user for password if not provided so the password
++ doesn't show up in the bash history.
++ """
++ if not (hasattr(sys.stdin, 'isatty') and sys.stdin.isatty()):
++ # nothing to do
++ return
++
++ while True:
++ try:
++ new_passwd = getpass.getpass('New Password: ')
++ rep_passwd = getpass.getpass('Repeat New Password: ')
++ if new_passwd == rep_passwd:
++ return new_passwd
++ except EOFError:
++ return
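Review bot: the retry loop in prompt_for_password gives no feedback on a mismatch and accepts two empty entries: when both getpass calls return '' the comparison succeeds and '' is returned, which the caller's `is None` check does not catch, so a plain double Enter would set an empty password. Suggest tightening the match branch to `if new_passwd == rep_passwd and new_passwd:` and printing a short 'Passwords do not match' line to sys.stderr before looping, so the user knows why the prompt repeated.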
+Index: python-keystoneclient/keystoneclient/v2_0/shell.py
+===================================================================
+--- python-keystoneclient.orig/keystoneclient/v2_0/shell.py
++++ python-keystoneclient/keystoneclient/v2_0/shell.py
+@@ -15,6 +15,8 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import sys
++
+ from keystoneclient.v2_0 import client
+ from keystoneclient import utils
+
+@@ -82,12 +84,17 @@ def do_user_update(kc, args):
+ print 'Unable to update user: %s' % e
+
+
+- at utils.arg('--pass', metavar='<password>', dest='passwd', required=True,
++ at utils.arg('--pass', metavar='<password>', dest='passwd', required=False,
+ help='Desired new password')
+ @utils.arg('id', metavar='<user-id>', help='User ID to update')
+ def do_user_password_update(kc, args):
+ """Update user password"""
+- kc.users.update_password(args.id, args.passwd)
++ new_passwd = args.passwd or utils.prompt_for_password()
++ if new_passwd is None:
++ msg = ("\nPlease specify password using the --pass option "
++ "or using the prompt")
++ sys.exit(msg)
++ kc.users.update_password(args.id, new_passwd)
+
+
+ @utils.arg('id', metavar='<user-id>', help='User ID to delete')
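Review bot: the `--pass` help text still reads 'Desired new password' with no hint that the option is now optional and that the password is prompted for when it is omitted; since passing it on the command line is exactly what CVE-2013-2013 is about, suggest the help string say so, e.g. 'Desired new password (prompted for if omitted; passing it here exposes it in shell history)'. The `new_passwd is None` test also relies on prompt_for_password never returning an empty string, which the utils.py change does not guarantee; `if not new_passwd:` would cover both cases. The leading '\n' in the sys.exit message is odd for an error printed to stderr and could be dropped.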
diff -Nru python-keystoneclient-2012.1/debian/patches/series python-keystoneclient-2012.1/debian/patches/series
--- python-keystoneclient-2012.1/debian/patches/series 2012-06-06 17:20:31.000000000 +0200
+++ python-keystoneclient-2012.1/debian/patches/series 2013-07-10 13:49:04.000000000 +0200
@@ -1 +1,2 @@
prettytable
+CVE-2013-2013.patch
Cheers,
Julien
--
Julien Cristau <julien.cristau at logilab.fr>
Logilab http://www.logilab.fr/
Scientific computing & knowledge management