summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatt Thode <prometheanfire@gentoo.org>2013-09-11 16:01:46 +0000
committerMatt Thode <prometheanfire@gentoo.org>2013-09-11 16:01:46 +0000
commit8ed21562b0d4bf9e11d0e6cc791ed53792674c83 (patch)
tree2917cd4651c4bcb41f514c36d65489228beb92f3 /sys-auth/keystone
parentFix failing patch wrt bug #484092. Tidy ebuild. (diff)
downloadhistorical-8ed21562b0d4bf9e11d0e6cc791ed53792674c83.tar.gz
historical-8ed21562b0d4bf9e11d0e6cc791ed53792674c83.tar.bz2
historical-8ed21562b0d4bf9e11d0e6cc791ed53792674c83.zip
updating keystone for cve-2013-4294
Package-Manager: portage-2.1.12.2/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'sys-auth/keystone')
-rw-r--r--sys-auth/keystone/ChangeLog12
-rw-r--r--sys-auth/keystone/Manifest34
-rw-r--r--sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch143
-rw-r--r--sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch139
-rw-r--r--sys-auth/keystone/keystone-2012.2.4-r7.ebuild (renamed from sys-auth/keystone/keystone-2012.2.4-r6.ebuild)3
-rw-r--r--sys-auth/keystone/keystone-2013.1.3-r1.ebuild (renamed from sys-auth/keystone/keystone-2013.1.3.ebuild)3
6 files changed, 315 insertions, 19 deletions
diff --git a/sys-auth/keystone/ChangeLog b/sys-auth/keystone/ChangeLog
index 7999ba7cdc76..ba893f0d6602 100644
--- a/sys-auth/keystone/ChangeLog
+++ b/sys-auth/keystone/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-auth/keystone
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.29 2013/08/19 03:26:04 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/ChangeLog,v 1.30 2013/09/11 16:01:38 prometheanfire Exp $
+
+*keystone-2012.2.4-r7 (11 Sep 2013)
+*keystone-2013.1.3-r1 (11 Sep 2013)
+
+ 11 Sep 2013; Matthew Thode <prometheanfire@gentoo.org>
+ +files/keystone-cve-2013-4294-folsom.patch,
+ +files/keystone-cve-2013-4294-grizzly.patch, +keystone-2012.2.4-r7.ebuild,
+ +keystone-2013.1.3-r1.ebuild, -keystone-2012.2.4-r6.ebuild,
+ -keystone-2013.1.3.ebuild:
+ updating keystone for cve-2013-4294
19 Aug 2013; Matthew Thode <prometheanfire@gentoo.org>
keystone-2013.1.9999.ebuild:
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index b5c1496ed3c0..844466d2a978 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -2,6 +2,8 @@
Hash: SHA256
AUX 2012.2.4-upstream-1181157.patch 1336 SHA256 355c3e49e2c0ea0924bfb7eaf2d6a82120d2eb0f31fc4863ef6bf1b9791c94d4 SHA512 b90d41bcd9b60886af2f37de3cbc33c3583eef65b9ed4a92e2b55e8701f883f3662b8f5e00a4c65d869914b8c9718364b8024604197a5f6cc5403508e3fb8827 WHIRLPOOL 0454536a2c9ed28c6b164c9f64af6c472f8d22b38a509d27d4d0d22a238737f4d51ed17f416c04c7fe3b43790741e0914b09e0435c6dbc8e34c7c1debf75eb19
+AUX keystone-cve-2013-4294-folsom.patch 5662 SHA256 69b07e87cf021b21168fe40fedd2dabd492991e0b4192f86fad378e24ef0429c SHA512 502cca91cfd71bd43f1a0dd0ada718cc9020071e41b13abd7310de175a794453bdb529e1ffb641e60e199fef9a2226aa44395f32eb3b0af8dc0b56dbf739b307 WHIRLPOOL 58f95de485b6351f78a680a65531bee8bcc2d725329aefa21116443a8a5ad6759a32d0ff39aa97a5226fa32fdcf0ac689bab1e7730207677334d1559f8c8d790
+AUX keystone-cve-2013-4294-grizzly.patch 5704 SHA256 86a7f54c72675d5041b648dff4f607e7e20659dbdd56084aec4424e3e552e419 SHA512 b58bb75fa4bbfcc09b3a02ee407c05b031dce54976b949e140894f43b5691048ee62921496e132f0ac1d0c47e9a7a75b5ac238fa84f870289563abcda2e72d28 WHIRLPOOL 775365acc88a7486dd8ede7b999fb4811cca493a1487a9177b9af0ca8d0093aa2cc45e9ba6583b4b069671f3c44402269ae63875ca057d76e707e970d0a175e0
AUX keystone-folsom-4-CVE-2013-1977.patch 1114 SHA256 af81df239364cab3f94b14636359a19e6c8474f8282d2c174e3e75208fa508c6 SHA512 e9139487cdf6185d0405fd034a48c451c15ab568ebb6d4e58c2c50160ef8dc6b926a31fd0b31c646ecfccf68f2b667d9577bbe6e169ef28f8abfc06ae9031210 WHIRLPOOL c2ed7858f514f3d4a45303b0a307eb259c3c53373160ad35afcb7012ca63f9360d152f4869745579b678d990ed6f929ef050b1c68683bac656123a0aea394ec0
AUX keystone-folsom-4-CVE-2013-2030.patch 2318 SHA256 fd824a4000da663568f26dbcfa6de031911ebdca1dea2c0958b3d5398d4d9ba6 SHA512 6b00a6d9062dd418299f9f02891fbfaa86f8f69db394ccfff31367555d1d7dbad1cf0d5a8647b61addeaabd2107b9f75cdc1986df8186de5c428f33533abffab WHIRLPOOL 842c4adb14c4a4501ea84c0082c0f28295027e27fee9957eafea6db9397a26c4955eb355b955d625bf5df818c1178af2267270aedec93bc47da8f17b59eaeca2
AUX keystone-folsom-4-CVE-2013-2059.patch 2340 SHA256 9c3a1d953abd719c55c77fd13295c0aa5caf730a4656f3a111a1bfc1d92a282c SHA512 c6f50ed21c95c7be256f0a15ef804eaf16f32fec038be53742ce85b9a303f4c613728c95af606aafd779009f298a68517668594a590fa40258dbbb6646c3fbed WHIRLPOOL 723b4d0e5573a2e7473e4613fcfc717d1e0d90ff18a7559baa7fe0a21c6c5fcb84648afcb227ea9231ed87738e0c17cf79153287d2d6b14a65974a67e78dbd2f
@@ -14,26 +16,26 @@ AUX keystone.initd 1245 SHA256 16f50903b74dd21ef0641333e013f2c6b661590ee519b6f6c
AUX keystone_test-requires.patch 1082 SHA256 6c91814d1a6aea942f23767b13a9ad77fb08ae16255887d974abd9db852c563a SHA512 d6fc133b44555e50895b9d82f9240aff284e1668ef35823a3e82900ccf9e6a7e11a448f4998c1d8f0938f5d45ce1506bd27417f576ee99aa7738ae74424ec343 WHIRLPOOL 0689d244f94a5489c7ca4551c5fb7c436f6012a932b4fb0142a759c734d5ce24a1aa813c9c1a5356dc38f4b4b342c85703413656139085155f9c5ab89dd012c5
DIST keystone-2012.2.4.tar.gz 555448 SHA256 ab3a9a6c1f8ef9b95a73920883294f888f298db6330b8d4ed43e28354e8ca7af SHA512 481bde4372525c92144059c94d95ddac95dc720e486428f2e7ad1d5e0c6c2b6eb9a17be40f83c5866b522a512a2a3d331a08498c6704b794fea343fc2c0c1d93 WHIRLPOOL 243d9fe82988fd6057ffdae7971b570cb129a168fba3f6a38ea105fadc51e7e9fbfd29d88bb389572fc00cfbe0cc17e9e4c4f4ebf9d61ff589148b1b0c171558
DIST keystone-2013.1.3.tar.gz 799651 SHA256 e097170ebb1cf22de50f2d5ab2216a5116ffe0934720dbad8b02d61c370b8261 SHA512 0d0a5f6902f78c5962ee19d29645081380d247a22d4de942a28e7fa28a4f6dca396114d94c6e8188d618b4de12d3b90187a4832575b37394a2b84c5eb9592876 WHIRLPOOL d74459c5e4f64287c3734384c075523ed2b88d4e4d044e5d45345009f2ce9b98d708367dcb3cc968df90b97972d0fd52d49ffb289a1982533370e5f9b075833b
-EBUILD keystone-2012.2.4-r6.ebuild 2740 SHA256 12aa067203a588a93f2f1da80d6fbf1bde8518addb32938028735e28235e05ea SHA512 26a7fae98ae28cd749f89f66b76ebe16c1124fcaf78c87354a98b4bce583fa1005a9bb9875d8574239fa1d6ed64ca48035818d50715a344580c6bc576f51c26c WHIRLPOOL 551b2a7f9004d552998881d73e116aa62643bb82a0232da7fe34663874fc75dfe88ac0925ea95a72f639d61b769e7d6a754334431f4785caf9899e595d2fe61a
-EBUILD keystone-2013.1.3.ebuild 2976 SHA256 2a20baff08b1a09ac51c1de0f214e8ab758d264d2da74223e26491ee03486ef9 SHA512 391c0b833f1de04030abd996dd14c8361e27ee2adaf7db6b5a8a0632f1b1d55b240a662e593f0f25abef0ef2cd766d321b210b503379ee1f904448e3a9c047bb WHIRLPOOL 4253883fe0c682301d0aab615e0edcad9620795bf7cf24782d42366707cbd34a057d5424c10b24ad57d81861e59553c74a322d61a896ba3982b35d4280cb0075
+EBUILD keystone-2012.2.4-r7.ebuild 2791 SHA256 27ce95c013742fcba83a1dc8a0afe55255bb961815de447063f85356abf69cae SHA512 ad23ebf40fe647e5159cbfce92fe53f3bb3c0bbc6cea5d4bfd6f02a5a64f8bdcfa1fdc0576827b42a3b0491c437ea760a346a4c47635515ee440998465620893 WHIRLPOOL d27995dbfca7f164408d2cc6f5287bbd0de6d09218fa88d8e16a60aad40768fcc3302a1a6a4a04479086c091ba3626f6f97cf46a2c960f3b60515d6ff3eb5b01
+EBUILD keystone-2013.1.3-r1.ebuild 3031 SHA256 9e8d5c65055eb7362704cf83b90ab7111e598f0b8a9582e77c1447854a857e52 SHA512 b84ce60a9d51bded4ac7c6519b0aa53e95d3b3717e2f1bf80372bc339351f00eede55c56d56d919e1a532432d1cd6a80aca4a6e30e63f29fac271b7ad2531da3 WHIRLPOOL 3ec1d5449e6bf39ec2960f573ad8b49ccac9eb08de3106dc3e06f40f281c19b17e9a7a237ec5f58ba6499cd7e8585a123758d5b86226c1e65efd4167aba0b221
EBUILD keystone-2013.1.9999.ebuild 2859 SHA256 d3ea8321720c2ace785900affc03531f4774405cfb57eb1bc58460cfec9f6d89 SHA512 6bc083d4dab8dea112ebcd32c1016a6e78b4fc96f4c3fb5dbb6ea5ece142bf781328b0cf9a568d15413ee44d73b99a5ab895037fcf248530441fd66d54ff3dd2 WHIRLPOOL 20cf4775024c9bc1bdcdc9668538c037ae671efa759447a709939ba0ed86f5093c1f5665233769b12bfdd642123d44ccccdda06f0469fb735579056cff5cc64a
EBUILD keystone-9999.ebuild 2942 SHA256 048862e16792a3de401129f16b01fdfedbbcebc0f126dd1a39fb63c0118cd030 SHA512 767dccb4ce53d3162156f965c97bb4d33ff6d1d7dfd5efaa3a223d66915694f2d946e6e7774b73ac1c4f5a42af6228dafd3f30d3fb57da59bc293bae141a18a7 WHIRLPOOL 944e87af5b6a7f4276d49751d0b578052257c833350a568e7dd031f138b20a1714e38874f4992486fd8ca51d83e01516c055a244c634ec35e931149d120fdbc2
-MISC ChangeLog 6196 SHA256 cceff3b78d07888b5004853a8bab4bddccc54d4622baa6b3a095cc92a6377714 SHA512 4168f656a0f7e4966a319188269eb2d2c3b6571324ae0890c3ff0625f4d0e73d123275e21e58da0f4273523d8dbc44dcad540356237707ab82799a495997e3d3 WHIRLPOOL 5916276ba81afe9a552aaca6e2898eb023729a54287dedc4780791bc8b9c56dea3f4d3a41178bdd07f59c98e36629818dc8bcfcfd21dc37bf4ccb370c7f12f14
+MISC ChangeLog 6579 SHA256 50de7e8a86a6f1ef8d04d7e047cb9908c7a9b65060a59660c2699371302702aa SHA512 b4635410af93a013485c9e1b095c5b7c4c288efaea3efba1585abc06ccf44d3acd9c3cc5a113fb5c921e27292f26f87fbecd73c35c5e23ca2b2d59af390b3b08 WHIRLPOOL cc38c58a1128e76aa3614dd08756d5038120018760e333bb292fdc6899748c4e222fc4f134cd97027f6c09d8e77d6b6338edcb2160f00bb3a36aa0140e495238
MISC metadata.xml 399 SHA256 7f8946a43a8187a3901e53e0e3b4293e49bb2a1d1785c472b1d0ffd83e0ba2a8 SHA512 9448005b3be5621b302b4c71d190c621f245163a2c7aa8277a3af8132558543c774e9bb20b39bcb0ad896db5d2feac7649b107d7850f68e437f18214891ab16f WHIRLPOOL b46a5eadc17d5e38d23efed9620772e6d5e2cbd7733e1c0a8d15a506cacc8a31e9b26a354a1b749a7c64bff08722658b2feb651679a6a6054cd3b551839ddb38
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
-iQIcBAEBCAAGBQJSEZCPAAoJECRx6z5ArFrDFTsQAJCcvrWOpSAKRbGWyq9ePL+4
-BuDOVn+oBa+0RBavR5qb8pVvXEHVLggq/A89/7pB4cqi6G1jtKDRuRBloCWNN7TO
-KjKAe6sv/cQ7ZuIBfwXi6qV+WWeFbuZ+dzIP42OKkxeXhSUJ3CbcN+uZ4YXIJvJZ
-n9XVHF45+h690cLNH+p7St6Jd+t1ILqyK042CEiBTSrHVlNf5SKpaiRDUgj2iYFh
-TpIrcr8dg3XJKb9yrc5iEajQUsf+2PM5PFtMbfIMJUa7HySO6UUujHKydj7su/5n
-yqSsBSNw5sz59BeJWeYHqPdNTlWjXk8ip2nkaA3hy+N9nH5Woe5g9T5B37nVK0wj
-7SJ6jvU9ss0jxo440JQM1PSRikaOeIZMgpydmradZoh2cZ0ApGtSlUi7wUNBWiGU
-fqQqK0bqQw/hX4OiDmFAKmnkSbcZdcGxkceq0zWACsIlwIRTmXtr0BJpFlAsIQio
-qQ6HTnPipoJ7GvYJcKHg8+M/0UB810GV/NSJe0ehza/KPaVZaKEuvAKYKaQA1oBp
-s9tem6WVm0Ob6grEFjYYLOWM2SeoEGURtX+cRI4/R/SG23HHj+GQWrdyNofXiwYj
-2JYJdYQ7tZMXmi6O/5tfZNfX0gzAMLaCdA2qhLC4XZiQcB4fslyzX3YZ38HVIX9N
-mDFgogI0EhniBjesqSSj
-=5Ixl
+iQIcBAEBCAAGBQJSMJQ5AAoJECRx6z5ArFrDDHEQAN/szHyi9lFgicUTgKHz17VU
+ctVCPpgw2BGDkBseUOkkiVuhK+KIaRHneEynJC8WjicfbpVBszbalkRos089SXpC
+Ujn1mSYWaaMTfQpiWYBZlkr0sIHqiI6NEOWwpeL8HOFDyRZYYmRK3tX7uLkEz3u6
+dTqQt/CO3BFqTXWt2mae8Zl6j3nDg9GjsTVp07Ue7IOFU3+HZ9Sc8KiFzn676ZSi
+v0AbxB2rL6NOx5X0w4rBV2+7zOcsYCX1TLBbnWq/UT67cq6gToBRnqE2AjKzgqmi
+lapYe9it6z6fuCl3cn3xNGQoVtdtsk43voFydYsZVrFANzn4+ATUoxKZEOd1wDrw
+sMAWFGs9JXAAnkPxjtyNvtX1R1VHArG91hs7mQqrBft7oSCLd1iU0c1VeCngSpS0
+7Z+ycPyXYN1hv2nRyHgGAxwUBP4pDgAkGeBtgqEVCYntdiShvfJxwHM9/4fq7BO5
+uiVXTk3G+sRlfir+8ajunnNMdjTJFy7WB4/B7Ct6i0TR7SmqrmyTEf3NbaXsd8Z4
+tKZcnGNKPa/a6AEGD3Y4Tw8vR7Lj6+kcLqQn8iE9r6BLMFQFQLAvrf4cS81PHHBU
+6zkYm/fRYUc7HhHk/ERXpj1U1sywmRZAKESO/XjeOI3+vNPRFaa9ZRjp8htJw6J/
+uuz2TJzub2PxHqg8ICH9
+=AvOU
-----END PGP SIGNATURE-----
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
new file mode 100644
index 000000000000..2d9e9b5a1ea4
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-folsom.patch
@@ -0,0 +1,143 @@
+From 8ef8be4af315d50edd661d8a5e846d260a5a3ce2 Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:10:28 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I07257b3704895a2af2654aa863f0b910122666da
+---
+ keystone/token/backends/kvs.py | 2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py | 48 +++++++++++++++++++++++++++++++++----
+ 3 files changed, 51 insertions(+), 11 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 123e12f..e5e0ee2 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -81,7 +81,7 @@ class Token(kvs.Base, token.Driver):
+ if not token.startswith('revoked-token-'):
+ continue
+ record = {}
+- record['id'] = token_ref['id']
++ record['id'] = token[len('revoked-token-'):]
+ record['expires'] = token_ref['expires']
+ tokens.append(record)
+ return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index e4fa69a..815c392 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -82,8 +82,9 @@ class Token(token.Driver):
+ raise exception.UnexpectedError(msg)
+ return copy.deepcopy(data_copy)
+
+- def _add_to_revocation_list(self, data):
+- data_json = jsonutils.dumps(data)
++ def _add_to_revocation_list(self, token_id, token_data):
++ data_json = jsonutils.dumps({'id': token_id,
++ 'expires': token_data['expires']})
+ if not self.client.append(self.revocation_key, ',%s' % data_json):
+ if not self.client.add(self.revocation_key, data_json):
+ if not self.client.append(self.revocation_key,
+@@ -93,10 +94,11 @@ class Token(token.Driver):
+
+ def delete_token(self, token_id):
+ # Test for existence
+- data = self.get_token(self.token_to_key(token_id))
+- ptk = self._prefix_token_id(self.token_to_key(token_id))
++ token_id = self.token_to_key(token_id)
++ data = self.get_token(token_id)
++ ptk = self._prefix_token_id(token_id)
+ result = self.client.delete(ptk)
+- self._add_to_revocation_list(data)
++ self._add_to_revocation_list(token_id, data)
+ return result
+
+ def list_tokens(self, user_id, tenant_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 0a56cdb..3798e37 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,9 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import copy
+ import datetime
+-import uuid
+ import default_fixtures
++import hashlib
++import uuid
+
+ from keystone.catalog import core
+ from keystone import exception
+@@ -628,19 +630,29 @@ class IdentityTests(object):
+
+
+ class TokenTests(object):
++ def _create_token_id(self):
++ # Token must start with MII here otherwise it fails the asn1 test
++ # and is not hashed in a SQL backend.
++ token_id = "MII"
++ for i in range(1, 20):
++ token_id += uuid.uuid4().hex
++ return token_id
++
+ def test_token_crud(self):
+ token_id = uuid.uuid4().hex
+ data = {'id': token_id, 'a': 'b',
+ 'user': {'id': 'testuserid'}}
+ data_ref = self.token_api.create_token(token_id, data)
+- expires = data_ref.pop('expires')
++ data_ref_copy = copy.deepcopy(data_ref)
++ expires = data_ref_copy.pop('expires')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertDictEqual(data_ref, data)
++ self.assertDictEqual(data_ref_copy, data)
+
+ new_data_ref = self.token_api.get_token(token_id)
+- expires = new_data_ref.pop('expires')
++ new_data_ref_copy = copy.deepcopy(new_data_ref)
++ expires = new_data_ref_copy.pop('expires')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertEquals(new_data_ref, data)
++ self.assertEquals(new_data_ref_copy, data)
+
+ self.token_api.delete_token(token_id)
+ self.assertRaises(exception.TokenNotFound,
+@@ -758,6 +770,32 @@ class TokenTests(object):
+ self.check_list_revoked_tokens([self.delete_token()
+ for x in xrange(2)])
+
++ def test_predictable_revoked_pki_token_id(self):
++ token_id = self._create_token_id()
++ token_id_hash = hashlib.md5(token_id).hexdigest()
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id_hash, revoked_ids)
++ self.assertNotIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
++ def test_predictable_revoked_uuid_token_id(self):
++ token_id = uuid.uuid4().hex
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
+
+ class CommonHelperTests(test.TestCase):
+ def test_format_helper_raises_malformed_on_missing_key(self):
+--
+1.8.2.1 (Apple Git-45)
+
diff --git a/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
new file mode 100644
index 000000000000..d789ea38443c
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-cve-2013-4294-grizzly.patch
@@ -0,0 +1,139 @@
+From a20dcd159f9bf98e5605a3d13d4ba8de9aa1533e Mon Sep 17 00:00:00 2001
+From: Morgan Fainberg <m@metacloud.com>
+Date: Fri, 23 Aug 2013 14:53:26 -0700
+Subject: [PATCH] Fix and test token revocation list API
+
+Change-Id: I6c60bf2aecc7c9353e837e59a4e09860d049e0f5
+---
+ keystone/token/backends/kvs.py | 2 +-
+ keystone/token/backends/memcache.py | 12 ++++++----
+ tests/test_backend.py | 47 +++++++++++++++++++++++++++++++------
+ 3 files changed, 48 insertions(+), 13 deletions(-)
+
+diff --git a/keystone/token/backends/kvs.py b/keystone/token/backends/kvs.py
+index 49f15ad..1935b41 100644
+--- a/keystone/token/backends/kvs.py
++++ b/keystone/token/backends/kvs.py
+@@ -111,7 +111,7 @@ class Token(kvs.Base, token.Driver):
+ if not token.startswith('revoked-token-'):
+ continue
+ record = {}
+- record['id'] = token_ref['id']
++ record['id'] = token[len('revoked-token-'):]
+ record['expires'] = token_ref['expires']
+ tokens.append(record)
+ return tokens
+diff --git a/keystone/token/backends/memcache.py b/keystone/token/backends/memcache.py
+index a62f342..c2c9b51 100644
+--- a/keystone/token/backends/memcache.py
++++ b/keystone/token/backends/memcache.py
+@@ -84,8 +84,9 @@ class Token(token.Driver):
+ raise exception.UnexpectedError(msg)
+ return copy.deepcopy(data_copy)
+
+- def _add_to_revocation_list(self, data):
+- data_json = jsonutils.dumps(data)
++ def _add_to_revocation_list(self, token_id, token_data):
++ data_json = jsonutils.dumps({'id': token_id,
++ 'expires': token_data['expires']})
+ if not self.client.append(self.revocation_key, ',%s' % data_json):
+ if not self.client.add(self.revocation_key, data_json):
+ if not self.client.append(self.revocation_key,
+@@ -95,10 +96,11 @@ class Token(token.Driver):
+
+ def delete_token(self, token_id):
+ # Test for existence
+- data = self.get_token(token.unique_id(token_id))
+- ptk = self._prefix_token_id(token.unique_id(token_id))
++ token_id = token.unique_id(token_id)
++ data = self.get_token(token_id)
++ ptk = self._prefix_token_id(token_id)
+ result = self.client.delete(ptk)
+- self._add_to_revocation_list(data)
++ self._add_to_revocation_list(token_id, data)
+ return result
+
+ def list_tokens(self, user_id, tenant_id=None, trust_id=None):
+diff --git a/tests/test_backend.py b/tests/test_backend.py
+index 85ac7cf..d4c2e6c 100644
+--- a/tests/test_backend.py
++++ b/tests/test_backend.py
+@@ -14,10 +14,11 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import copy
+ import datetime
+ import default_fixtures
++import hashlib
+ import uuid
+-import nose.exc
+
+ from keystone.catalog import core
+ from keystone import config
+@@ -2065,17 +2066,19 @@ class TokenTests(object):
+ 'trust_id': None,
+ 'user': {'id': 'testuserid'}}
+ data_ref = self.token_api.create_token(token_id, data)
+- expires = data_ref.pop('expires')
+- data_ref.pop('user_id')
++ data_ref_copy = copy.deepcopy(data_ref)
++ expires = data_ref_copy.pop('expires')
++ data_ref_copy.pop('user_id')
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertDictEqual(data_ref, data)
++ self.assertDictEqual(data_ref_copy, data)
+
+ new_data_ref = self.token_api.get_token(token_id)
+- expires = new_data_ref.pop('expires')
+- new_data_ref.pop('user_id')
++ new_data_ref_copy = copy.deepcopy(new_data_ref)
++ expires = new_data_ref_copy.pop('expires')
++ new_data_ref_copy.pop('user_id')
+
+ self.assertTrue(isinstance(expires, datetime.datetime))
+- self.assertEquals(new_data_ref, data)
++ self.assertEquals(new_data_ref_copy, data)
+
+ self.token_api.delete_token(token_id)
+ self.assertRaises(exception.TokenNotFound,
+@@ -2248,6 +2251,36 @@ class TokenTests(object):
+ self.check_list_revoked_tokens([self.delete_token()
+ for x in xrange(2)])
+
++ def test_predictable_revoked_pki_token_id(self):
++ # NOTE(dolph): _create_token_id() includes 'MII' as a prefix of the
++ # returned token str in master, but not in grizzly.
++ # revising _create_token_id() in grizzly to include the
++ # previx breaks several other tests here
++ token_id = 'MII' + self._create_token_id()
++ token_id_hash = hashlib.md5(token_id).hexdigest()
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id_hash, revoked_ids)
++ self.assertNotIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
++ def test_predictable_revoked_uuid_token_id(self):
++ token_id = uuid.uuid4().hex
++ token = {'user': {'id': uuid.uuid4().hex}}
++
++ self.token_api.create_token(token_id, token)
++ self.token_api.delete_token(token_id)
++
++ revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
++ self.assertIn(token_id, revoked_ids)
++ for t in self.token_api.list_revoked_tokens():
++ self.assertIn('expires', t)
++
+
+ class TrustTests(object):
+ def create_sample_trust(self, new_id):
+--
+1.8.2.1 (Apple Git-45)
+
diff --git a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
index e8eba2575642..33d6a7cff4ea 100644
--- a/sys-auth/keystone/keystone-2012.2.4-r6.ebuild
+++ b/sys-auth/keystone/keystone-2012.2.4-r7.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r6.ebuild,v 1.1 2013/07/17 16:30:36 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2012.2.4-r7.ebuild,v 1.1 2013/09/11 16:01:38 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -74,6 +74,7 @@ PATCHES=(
"${FILESDIR}/keystone-folsom-4-CVE-2013-1977.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-2104.patch"
"${FILESDIR}/keystone-folsom-4-CVE-2013-2157.patch"
+ "${FILESDIR}/keystone-cve-2013-4294-folsom.patch"
"${FILESDIR}/2012.2.4-upstream-1181157.patch"
)
diff --git a/sys-auth/keystone/keystone-2013.1.3.ebuild b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
index 498607be2433..6a6023ca7840 100644
--- a/sys-auth/keystone/keystone-2013.1.3.ebuild
+++ b/sys-auth/keystone/keystone-2013.1.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3.ebuild,v 1.1 2013/08/11 00:56:17 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/keystone/keystone-2013.1.3-r1.ebuild,v 1.1 2013/09/11 16:01:37 prometheanfire Exp $
EAPI=5
#test restricted becaues of bad requirements given (old webob for instance)
@@ -70,6 +70,7 @@ RDEPEND="${DEPEND}
# dev-python/webtest
# )
PATCHES=(
+ "${FILESDIR}/keystone-cve-2013-4294-grizzly.patch"
)
# "${FILESDIR}/keystone-grizzly-2-CVE-2013-2157.patch"
#