Bug 980591

Summary: openstack-nova: CVE-2013-0326 OpenStack nova: _base images permissions should not be world readable [openstack-rdo]
Product: [Community] RDO Reporter: Kurt Seifried <kseifried>
Component: openstack-novaAssignee: RHOS Maint <rhos-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Ami Jeain <ajeain>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: afazekas, aortega, apevec, ayoung, bdobreli, chrisw, iheim, jkt, kchamart, markmc, ndipanov, rbryant, sclewis, yeylon
Target Milestone: ---Keywords: Security, SecurityTracking, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: component:openstack-nova
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-12 21:07:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 913377    

Description Kurt Seifried 2013-07-02 19:36:01 UTC 
openstack-rdo tracking bug for openstack-nova: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes
in the blocked bugs.

[bug automatically created by: add-tracking-bugs]
Comment 2 Kurt Seifried 2013-08-09 04:23:29 UTC 
*** Bug 961135 has been marked as a duplicate of this bug. ***
Comment 3 Xavier Queralt 2014-02-11 11:40:06 UTC 
This is already fixed in Icehouse-2 and will be included in Havana in the 2013.2.2 rebase.
Comment 4 Kashyap Chamarthy 2014-11-12 21:07:10 UTC 
CLOSING this is already fixed in Havana and IceHouse.


The fix is in in IceHouse
----------------------------------------------------------------------------
$ git branch
* (detached from origin/el6-havana)
  el6

$ git log | grep 70b47d2a27a7b49c221ce096334ceaf542133d43 -A6
commit 70b47d2a27a7b49c221ce096334ceaf542133d43
Author: Xavier Queralt <xqueralt>
Date:   Fri Nov 29 08:52:47 2013 +0100

    Ensure we don't boot oversized images
    
    Resolves: CVE-2013-0326
kashyap@el6$ 

-------------------------------------------------------------------------------

Since this is a CVE fix, I also manually compared by checking sources:

  $ wget https://repos.fedorapeople.org/repos/openstack/openstack-havana/epel-6/openstack-nova-2013.2.2-1.el6.src.rpm
  $ rpm2cpio openstack-nova-2013.2.2-1.el6.src.rpm | cpio --extract --make-directories

Then, compare the source with the upstream commit FIX:

---------------
https://review.openstack.org/#/c/54767/
commit f6810be4ae1a6c93e7d8017ee67d5344dfdf4a30
Author: Pádraig Brady <pbrady>
Date:   Fri Sep 27 04:07:14 2013 +0100

    ensure we don't boot oversized images
---------------