Bug 576802 (CVE-2016-2140) - <sys-cluster/nova-12.0.2-r1: host data leak through resize/migration (CVE-2016-2140)
Status: RESOLVED FIXED
Alias: CVE-2016-2140
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on: 576886
Reported: 2016-03-08 20:15 UTC by Matthew Thode ( prometheanfire )
Modified: 2016-05-30 05:20 UTC
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-08 20:15:40 UTC
Matthew Booth from Red Hat reported a vulnerability in Nova instance
resize/migration. By overwriting an ephemeral or root disk with a
malicious image before requesting a resize, an authenticated user may be
able to read arbitrary files from the compute host. Only setups using
libvirt driver with raw storage and setting "use_cow_images = False"
(not default) are affected.
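
A configuration check for the setup the description names, added here as an example and not part of the bug report or of Nova's own code. It reads a nova.conf and reports whether the libvirt driver, raw storage and "use_cow_images = False" occur together; the option names compute_driver and [libvirt] images_type are not on this page, the mapping of "raw storage" onto images_type is an assumption, and the installed package version is not checked.

```python
import configparser

# Constructed sample nova.conf contents, not taken from the bug report.
SAMPLE_AFFECTED = """\
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
use_cow_images = False

[libvirt]
images_type = default
"""

SAMPLE_DEFAULTS = """\
[DEFAULT]
compute_driver = libvirt.LibvirtDriver
"""


def audit_nova_conf(text):
    """Return (matches, settings) for the setup the description names.

    Assumption: "raw storage" is read as [libvirt] images_type being "raw",
    or "default", which resolves to raw once use_cow_images is False.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)

    driver = cp.get("DEFAULT", "compute_driver", fallback="").strip()
    # Unset means True: the description calls False "not default".
    cow = cp.getboolean("DEFAULT", "use_cow_images", fallback=True)
    images_type = cp.get("libvirt", "images_type", fallback="default").strip().lower()

    settings = {
        "compute_driver": driver,
        "use_cow_images": cow,
        "images_type": images_type,
    }
    matches = (
        "libvirt" in driver.lower()
        and not cow
        and images_type in ("raw", "default")
    )
    return matches, settings


if __name__ == "__main__":
    for name, text in (("affected", SAMPLE_AFFECTED), ("defaults", SAMPLE_DEFAULTS)):
        print(name, audit_nova_conf(text))
```

A compute host whose configuration matches should be running the fixed package version from the bug title before resize and migration requests are accepted from untrusted users.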
Comment 1 Agostino Sarubbo gentoo-dev 2016-03-09 16:50:37 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2016-03-09 16:52:55 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-09 17:19:48 UTC
cleaned up