Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 470056 (CVE-2013-2096)

Summary: sys-cluster/nova : fails to verify image virtual size (CVE-2013-2096)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-05-16 11:20:34 UTC
From ${URL} :

OpenStack Security Advisory: 2013-012
CVE: CVE-2013-2096
Date: May 16, 2013
Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Products: Nova
Affects: All versions

Loganathan Parthipan publicly reported a vulnerability in Nova. Nova
did not implement checking for the virtual size of a qcow2 image used
as ephemeral storage for instances. It is therefore possible for a
user to create an image which has a large virtual size, but little
data. Once the instance is created, the user can then proceed to fill
the virtual disk, and consume all available disk on the host node file

Havana (development branch) fix:

Grizzly fix:

Folsom fix:


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-17 14:56:36 UTC
fix commited for 2013.1 and 2012.4 as nova-2012.2.4-r2.ebuild and nova-2013.1.1-r2.ebuild

old badness removed from tree
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-02 22:01:52 UTC
No glsa needed, was never stable.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-02 22:06:58 UTC
My mistake. Closing.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 03:15:28 UTC
CVE-2013-2096 (
  OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify the
  virtual size of a QCOW2 image allows local users to cause a denial of
  service (host file system disk consumption) by creating an image with a
  large virtual size that does not contain a large amount of data.