Bug 767236 (CVE-2011-4596)

Summary: CVE 2011-4596 openstack-nova: Sanitize EC2 manifests and image tarballs
Product: [Other] Security Response Reporter: Mark McLoughlin <markmc>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akscram, alexander.sakhnov, asalkeld, bfilippov, jonathansteffan, jrusnack, markmc, matt_domsch, mlvov, p, rbryant, rkukura, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: impact=moderate,source=distros,reported=20111208,public=20111213,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-16/openstack-nova=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-30 14:05:54 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 767251    
Bug Blocks: 761607    

Description Mark McLoughlin 2011-12-13 10:27:25 EST
This just made public upstream:

  Prevent potential directory traversal with malicious EC2 image tarballs,
  by making sure the tarfile is safe before unpacking it. Fixes bug 894755

  Prevent potential directory traversal with malicious file names in
  EC2 image manifests. Fixes bug 885167

See also:

Comment 1 Vincent Danen 2011-12-13 11:19:46 EST
Created openstack-nova tracking bugs for this issue

Affects: fedora-16 [bug 767251]
Comment 2 Fedora Update System 2011-12-22 22:28:04 EST
openstack-nova-2011.3-13.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.