512296 – (CVE-2014-2573) <sys-cluster/nova-2014.1-r2: VMWare driver leaks rescued images (CVE-2014-2573) (OSSA 2014-017)

Bug 512296 (CVE-2014-2573) - <sys-cluster/nova-2014.1-r2: VMWare driver leaks rescued images (CVE-2014-2573) (OSSA 2014-017)

Summary: <sys-cluster/nova-2014.1-r2: VMWare driver leaks rescued images (CVE-2014-257...

Status:	RESOLVED FIXED

Alias:	CVE-2014-2573

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-06-03 14:24 UTC by Agostino Sarubbo
Modified:	2014-06-16 02:48 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-06-03 14:24:57 UTC

From ${URL} :

OpenStack Security Advisory: 2014-017
CVE: CVE-2014-2573
Date: May 29, 2014
Title: Nova VMWare driver leaks rescued images
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Versions: from 2013.2 to 2013.2.3, and 2014.1

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova. By
requesting Nova place an image into rescue, then deleting the image,
an authenticated user my exceed their quota. This can result in a
denial of service via excessive resource consumption. Only setups
using the Nova VMWare driver are affected.

Juno (development branch) fix:
https://review.openstack.org/75788
https://review.openstack.org/80284

Icehouse fix:
https://review.openstack.org/88514
https://review.openstack.org/89217

Havana fix:
https://review.openstack.org/89762
https://review.openstack.org/89768

Notes:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573
https://launchpad.net/bugs/1269418


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.

Comment 1 Matthew Thode ( prometheanfire ) archtester

2014-06-09 04:53:34 UTC

icehouse fixed in nova-2014.1-r2.ebuild but we remain vulnerable in nova-2013.2.3-r2.ebuild.  They have touched that file so much they don't have a clean patch to apply to it to fix the cve...

Comment 2 Vadim Kuznetsov (RETIRED) gentoo-dev

2014-06-10 11:17:07 UTC

(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> icehouse fixed in nova-2014.1-r2.ebuild but we remain vulnerable in
> nova-2013.2.3-r2.ebuild.  They have touched that file so much they don't
> have a clean patch to apply to it to fix the cve...

nova-2014.1-r2.ebuild patch reverted two previous revisions ... :(

Comment 3 Matthew Thode ( prometheanfire ) archtester

2014-06-12 01:14:23 UTC

what did it revert?

Comment 4 Matthew Thode ( prometheanfire ) archtester

2014-06-15 04:31:41 UTC

removed 2013.2.3.* from tree, removing myself from bug since I'm done here

Comment 5 Yury German Gentoo Infrastructure

2014-06-16 02:48:09 UTC

Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2014-06-16 02:48:44 UTC

CVE-2014-2573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2573):
  The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does
  not properly put VMs into RESCUE status, which allows remote authenticated
  users to bypass the quota limit and cause a denial of service (resource
  consumption) by requesting the VM be put into rescue and then deleting the
  image.