Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 470056 (CVE-2013-2096) - sys-cluster/nova : fails to verify image virtual size (CVE-2013-2096)
Summary: sys-cluster/nova : fails to verify image virtual size (CVE-2013-2096)
Status: RESOLVED FIXED
Alias: CVE-2013-2096
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-16 11:20 UTC by Agostino Sarubbo
Modified: 2013-08-29 03:15 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-05-16 11:20:34 UTC
From ${URL} :

OpenStack Security Advisory: 2013-012
CVE: CVE-2013-2096
Date: May 16, 2013
Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Products: Nova
Affects: All versions

Description:
Loganathan Parthipan publicly reported a vulnerability in Nova. Nova
did not implement checking for the virtual size of a qcow2 image used
as ephemeral storage for instances. It is therefore possible for a
user to create an image which has a large virtual size, but little
data. Once the instance is created, the user can then proceed to fill
the virtual disk, and consume all available disk on the host node file
system.

Havana (development branch) fix:
https://review.openstack.org/28717

Grizzly fix:
https://review.openstack.org/28901

Folsom fix:
https://review.openstack.org/29192

References:
https://bugs.launchpad.net/nova/+bug/1177830
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2096



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-17 14:56:36 UTC
fix commited for 2013.1 and 2012.4 as nova-2012.2.4-r2.ebuild and nova-2013.1.1-r2.ebuild

old badness removed from tree
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-02 22:01:52 UTC
No glsa needed, was never stable.
Comment 3 Chris Reffett gentoo-dev Security 2013-07-02 22:06:58 UTC
My mistake. Closing.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 03:15:28 UTC
CVE-2013-2096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2096):
  OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify the
  virtual size of a QCOW2 image allows local users to cause a denial of
  service (host file system disk consumption) by creating an image with a
  large virtual size that does not contain a large amount of data.