Bug 767236 (CVE-2011-4596)

Summary: CVE 2011-4596 openstack-nova: Sanitize EC2 manifests and image tarballs
Product: [Other] Security Response
Reporter: Mark McLoughlin <markmc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: akscram, alexander.sakhnov, asalkeld, bfilippov, jonathansteffan, jrusnack, markmc, matt_domsch, mlvov, p, rbryant, rkukura, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-30 18:05:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 767251
Bug Blocks: 761607

Description Mark McLoughlin 2011-12-13 15:27:25 UTC
This just made public upstream:

  Prevent potential directory traversal with malicious EC2 image tarballs,
  by making sure the tarfile is safe before unpacking it. Fixes bug 894755

  Prevent potential directory traversal with malicious file names in
  EC2 image manifests. Fixes bug 885167

See also:

  https://review.openstack.org/#change,2284
  https://bugs.launchpad.net/bugs/cve/2011-4596
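As an added illustration of the two checks the upstream commit messages above describe (this is example code written for this page, not nova's own fix), the following Python builds a small constructed tarball in memory and shows how an extractor can reject members whose names or link targets would land outside the destination directory, plus a bare-file-name policy for EC2 manifest entries. The destination path `/srv/images/extract`, the function names and the "bare file name only" manifest policy are assumptions made for the example.

```python
import io
import posixpath
import tarfile

# Hypothetical extraction root used by the example; tar member names use "/".
DEFAULT_DEST = "/srv/images/extract"


def _escapes(dest, path):
    """True if joining path onto dest and normalizing it leaves the dest tree."""
    dest = posixpath.normpath(dest)
    full = posixpath.normpath(posixpath.join(dest, path))
    return not (full == dest or full.startswith(dest + "/"))


def unsafe_members(tar, dest=DEFAULT_DEST):
    """Return the names of members that must not be extracted under dest.

    Rejects absolute names, names that climb out via '..', symlinks and
    hardlinks whose targets resolve outside dest, and device nodes.
    """
    bad = []
    for member in tar.getmembers():
        name = member.name
        if posixpath.isabs(name) or _escapes(dest, name):
            bad.append(name)
            continue
        if member.issym():
            # A symlink target is relative to the link's own directory.
            target = posixpath.join(posixpath.dirname(name), member.linkname)
            if posixpath.isabs(member.linkname) or _escapes(dest, target):
                bad.append(name)
            continue
        if member.islnk():
            # A hardlink target is relative to the archive root.
            if posixpath.isabs(member.linkname) or _escapes(dest, member.linkname):
                bad.append(name)
            continue
        if member.ischr() or member.isblk():
            bad.append(name)
    return bad


def is_safe_manifest_filename(name):
    """Assumed policy: a manifest entry must be a bare file name, no directory part."""
    if not name or name in (".", ".."):
        return False
    return "/" not in name and "\\" not in name and "\0" not in name


def build_sample_tarball():
    """Constructed sample archive: one benign part file and three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("image.part.0", b"benign image bytes")
        add_file("../../etc/cron.d/evil", b"climbs out of dest with '..'")
        add_file("/etc/passwd", b"absolute member name")
        link = tarfile.TarInfo("escape-link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"  # symlink pointing above dest
        tar.addfile(link)
    buf.seek(0)
    return buf


def scan_sample(dest=DEFAULT_DEST):
    """Run the member check over the constructed sample and return the rejects."""
    with tarfile.open(fileobj=build_sample_tarball(), mode="r:") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    print("rejected members:", scan_sample())
    for entry in ("image.part.0", "../image.part.0", "parts/image.part.0"):
        print(entry, "->", "ok" if is_safe_manifest_filename(entry) else "rejected")
```

The check runs over the member list before anything is written to disk, which is the property the commit message asks for ("making sure the tarfile is safe before unpacking it"). Current Python releases ship `tarfile.data_filter` for the same purpose; the explicit version here shows what such a filter has to look at.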

Comment 1 Vincent Danen 2011-12-13 16:19:46 UTC
Created openstack-nova tracking bugs for this issue

Affects: fedora-16 [bug 767251]

Comment 2 Fedora Update System 2011-12-23 03:28:04 UTC
openstack-nova-2011.3-13.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.