xen/20174-pygrub-security.patch


# HG changeset patch
# User Keir Fraser <keir.fraser@citrix.com>
# Date 1252327855 -3600
# Node ID a28c9c2fa8de05ebd0284f578289e96d2d15d574
# Parent b81e375e03922cd72d6e1404bc62a05059a4fe61
pygrub: trap exception when python module import fails
Fix the issue when importing 'crypt' module or crypt.crypt fails in
pygrub. The exception is written on the same line as the "Failed!"
message but only if there is an exception. If there is no exception,
we don't bother users with details (probably the password they entered
was wrong) so we just display "Failed!" message. Also, the code for
hasPassword() was rewritten not to have try/except block here.
Signed-off-by: Michal Novotny <minovotn@redhat.com>
Index: xen-3.4.1-testing/tools/pygrub/src/GrubConf.py
===================================================================
--- xen-3.4.1-testing.orig/tools/pygrub/src/GrubConf.py
+++ xen-3.4.1-testing/tools/pygrub/src/GrubConf.py
@@ -158,6 +158,7 @@ class GrubConfigFile(object):
self.timeout = -1
self._default = 0
self.passwordAccess = True
+ self.passExc = None
if fn is not None:
self.parse()
@@ -197,7 +198,6 @@ class GrubConfigFile(object):
if self.commands.has_key(com):
if self.commands[com] is not None:
setattr(self, self.commands[com], arg.strip())
- #print "%s = %s => %s" % (com, self.commands[com], arg.strip() )
else:
logging.info("Ignored directive %s" %(com,))
else:
@@ -216,25 +216,28 @@ class GrubConfigFile(object):
self.passwordAccess = val
def hasPassword(self):
- try:
- getattr(self, self.commands['password'])
- return True
- except:
- return False
+ return hasattr(self, 'password')
def checkPassword(self, password):
- try:
- pwd = getattr(self, self.commands['password']).split()
- if pwd[0] == '--md5':
+ # Always allow if no password defined in grub.conf
+ if not self.hasPassword:
+ return True
+
+ # If we're here, we're having 'password' attribute set
+ pwd = getattr(self, 'password').split()
+
+ # We check whether password is in MD5 hash for comparison
+ if pwd[0] == '--md5':
+ try:
import crypt
if crypt.crypt(password, pwd[1]) == pwd[1]:
return True
+ except Exception, e:
+ self.passExc = "Can't verify password: %s" % str(e)
+ return False
- if pwd[0] == password:
- return True
-
- return False
- except:
+ # ... and if not, we compare it as a plain text
+ if pwd[0] == password:
return True
def set(self, line):
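Review bot: In the new `checkPassword`, `if not self.hasPassword:` tests the bound method object rather than its result, so the guard is always false and the "no password defined" early return never runs; it should read `if not self.hasPassword():`. Without it, a config with no `password` directive would reach `getattr(self, 'password')` and raise AttributeError, assuming nothing else sets that attribute. Separately, the plaintext comparison appears to run even after an `--md5` mismatch (indentation is not visible on this page), which compares the input against the `--md5` marker itself; making it the `else:` branch of the `--md5` test and ending the method with an explicit `return False` closes that. The hunk starts inside the preceding setter and ends at `def set`, whose body is outside it.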
Index: xen-3.4.1-testing/tools/pygrub/src/pygrub
===================================================================
--- xen-3.4.1-testing.orig/tools/pygrub/src/pygrub
+++ xen-3.4.1-testing/tools/pygrub/src/pygrub
@@ -487,7 +487,11 @@ class Grub:
pwd = self.text_win.getstr(6, 8)
if not self.cf.checkPassword(pwd):
self.text_win.addstr(6, 1, "Password: ")
- self.text_win.addstr(7, 0, "Failed!")
+ if self.cf.passExc is not None:
+ self.text_win.addstr(7, 0, "Exception: %s"
+ % self.cf.passExc)
+ else:
+ self.text_win.addstr(7, 0, "Failed!")
self.cf.setPasswordAccess( False )
else:
self.cf.setPasswordAccess( True )
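Review bot: The `"Exception: %s" % self.cf.passExc` string passed to `addstr(7, 0, ...)` has no length bound, and curses raises an error when text does not fit in the window, so a long exception message could abort the prompt instead of reporting the failure; truncating it to the window width, e.g. `msg[:self.text_win.getmaxyx()[1] - 1]`, avoids that. `passExc` is also never reset to `None` once set (no reset is visible in `checkPassword`), so a later ordinary wrong password would still be reported as an exception; clearing it at the top of `checkPassword` keeps the two cases distinct. Consider also sending the exception detail to `logging`, since this screen is shown before authentication. The enclosing method starts and ends outside the hunk.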