Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 506036 (CVE-2014-0134) - <sys-cluster/nova-2013.2.2-r1 : Nova host data leak to vm instance in rescue mode (CVE-2014-0134) [OSSA 2014-009]
Summary: <sys-cluster/nova-2013.2.2-r1 : Nova host data leak to vm instance in rescue ...
Status: RESOLVED FIXED
Alias: CVE-2014-0134
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-28 09:08 UTC by Agostino Sarubbo
Modified: 2014-03-30 11:59 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-28 09:08:21 UTC
From ${URL} :

OpenStack Security Advisory: 2014-009
CVE: CVE-2014-0134
Date: March 27, 2014
Title: Nova host data leak to vm instance in rescue mode.
Reporter: Stanislaw Pitucha (HP)
Products: Nova
Versions: 2013.2 versions up to 2013.2.2

Description:
Stanislaw Pitucha from Hewlett Packard reported a vulnerability in the
Nova instance rescue mode. By overwriting the disk inside an instance
with a malicious image and switching the instance to rescue mode, an
authenticated user would be able to leak an arbitrary file from the
compute host to the virtual instance. Note that the host file must be
readable by the libvirt/kvm context to be exposed. Only setups using
libvirt to spawn instance, and having "use_cow_images = False" in Nova
configuration are affected.

Icehouse (development branch) fix:
https://review.openstack.org/82840

Havana fix:
https://review.openstack.org/82841

Notes:
This fix will be included in the icehouse-rc1 development milestone and
in a future 2013.2.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0134
https://launchpad.net/bugs/1221190



@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-03-28 14:21:21 UTC
fixed (and refixed) already, removing self from cc