Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 512296 (CVE-2014-2573) - <sys-cluster/nova-2014.1-r2: VMWare driver leaks rescued images (CVE-2014-2573) (OSSA 2014-017)
Summary: <sys-cluster/nova-2014.1-r2: VMWare driver leaks rescued images (CVE-2014-257...
Status: RESOLVED FIXED
Alias: CVE-2014-2573
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-03 14:24 UTC by Agostino Sarubbo
Modified: 2014-06-16 02:48 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-03 14:24:57 UTC
From ${URL} :

OpenStack Security Advisory: 2014-017
CVE: CVE-2014-2573
Date: May 29, 2014
Title: Nova VMWare driver leaks rescued images
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Versions: from 2013.2 to 2013.2.3, and 2014.1

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova. By
requesting Nova place an image into rescue, then deleting the image,
an authenticated user my exceed their quota. This can result in a
denial of service via excessive resource consumption. Only setups
using the Nova VMWare driver are affected.

Juno (development branch) fix:
https://review.openstack.org/75788
https://review.openstack.org/80284

Icehouse fix:
https://review.openstack.org/88514
https://review.openstack.org/89217

Havana fix:
https://review.openstack.org/89762
https://review.openstack.org/89768

Notes:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573
https://launchpad.net/bugs/1269418


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-09 04:53:34 UTC
icehouse fixed in nova-2014.1-r2.ebuild but we remain vulnerable in nova-2013.2.3-r2.ebuild.  They have touched that file so much they don't have a clean patch to apply to it to fix the cve...
Comment 2 Vadim Kuznetsov (RETIRED) gentoo-dev 2014-06-10 11:17:07 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> icehouse fixed in nova-2014.1-r2.ebuild but we remain vulnerable in
> nova-2013.2.3-r2.ebuild.  They have touched that file so much they don't
> have a clean patch to apply to it to fix the cve...

nova-2014.1-r2.ebuild patch reverted two previous revisions ... :(
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-12 01:14:23 UTC
what did it revert?
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-15 04:31:41 UTC
removed 2013.2.3.* from tree, removing myself from bug since I'm done here
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-16 02:48:09 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-06-16 02:48:44 UTC
CVE-2014-2573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2573):
  The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does
  not properly put VMs into RESCUE status, which allows remote authenticated
  users to bypass the quota limit and cause a denial of service (resource
  consumption) by requesting the VM be put into rescue and then deleting the
  image.