Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 494026 (CVE-2013-7048) - <sys-cluster/nova-{2013.1.4,2013.2.1} : live snapshots use an insecure local directory (CVE-2013-7048) [OSSA 2014-001]
Summary: <sys-cluster/nova-{2013.1.4,2013.2.1} : live snapshots use an insecure local ...
Alias: CVE-2013-7048
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2013-12-12 10:53 UTC by Agostino Sarubbo
Modified: 2016-03-29 07:25 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-12 10:53:27 UTC
From ${URL} :

Title: Nova live snapshots use an insecure local directory
Reporter: Daniel Berrange (Red Hat)
Products: Nova
Affects: Grizzly and later

Daniel Berrange from Red Hat reported that the directories used to
temporarily store live snapshots on Nova compute nodes were writeable to
all local users. A local attacker with shell access on compute nodes
could therefore read and modify the contents of live snapshots before
those are uploaded to the image service.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 08:45:19 UTC
patches applied.

old badness removed

new hotness added ( nova-2013.1.4-r5 and nova-2013.2.1-r3 )

removing myself from cc as I'm unneeded here (along with openstack herd) :D
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 18:23:14 UTC
CVE-2013-7048 (
  OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses
  world-writable and world-readable permissions for the temporary directory
  used to store live snapshots, which allows local users to read and modify
  live snapshots.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 07:25:04 UTC
Later versions in tree and all vulnerable have been removed.