Michael Still (mikal) reports:

Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Products: Nova
Affects: All versions

Loganathan Parthipan publicly reported a vulnerability in Nova. Nova did not implement checking for the virtual size of a qcow2 image used as ephemeral storage for instances. It is therefore possible for a user to create an image which has a large virtual size, but little data. Once the instance is created, the user can then proceed to fill the virtual disk, and consume all available disk on the host node file system.

Havana (development branch) fix: https://review.openstack.org/28717
Grizzly fix: https://review.openstack.org/28901
Folsom fix: https://review.openstack.org/29192

References: https://bugs.launchpad.net/nova/+bug/1177830
Public via: http://www.openwall.com/lists/oss-security/2013/05/16/7
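To make the "large virtual size, little data" condition concrete, here is an added example (not Nova's code, and not the upstream fix) that reads the virtual size field straight out of a qcow2 header and compares it with the flavor's root disk, instead of trusting the file's on-disk size. The header layout is the public qcow2 format; the `root_gb` parameter, the rejection of backing-file images and the constructed headers are assumptions of this example.

```python
import struct
from typing import NamedTuple

# qcow2 header (big-endian): magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size (virtual disk size in bytes)
QCOW2_MAGIC = 0x514649FB           # b"QFI\xfb"
HEADER_FMT = ">IIQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32 bytes


class Qcow2Info(NamedTuple):
    version: int
    cluster_bits: int
    virtual_size: int         # what the guest sees; unrelated to file size
    has_backing_file: bool


def parse_qcow2_header(data: bytes) -> Qcow2Info:
    """Read the fixed header fields of a qcow2 image from its first bytes."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a qcow2 image")
    magic, version, bf_off, _bf_len, cluster_bits, size = struct.unpack_from(
        HEADER_FMT, data, 0)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    return Qcow2Info(version, cluster_bits, size, bf_off != 0)


def fits_root_disk(data: bytes, root_gb: int) -> bool:
    """True only if the image's *virtual* size fits the flavor's root disk.

    Checking len(data) instead would pass the sparse image described above,
    because a qcow2 file with no data clusters is only a few bytes long.
    """
    info = parse_qcow2_header(data)
    if info.has_backing_file:
        return False   # assumption: images that chain to other files are refused
    return info.virtual_size <= root_gb * (1 << 30)


def make_sparse_header(virtual_size: int, backing_file_offset: int = 0,
                       cluster_bits: int = 16) -> bytes:
    """Constructed test input: a bare 72-byte v2 header with no data clusters."""
    return struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, backing_file_offset, 0,
                       cluster_bits, virtual_size) + bytes(40)


if __name__ == "__main__":
    img = make_sparse_header(1 << 40)      # 1 TiB virtual size, 72 bytes on disk
    print(len(img), parse_qcow2_header(img).virtual_size, fits_root_disk(img, 20))
```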
This issue did NOT affect the version of the openstack-nova package, as shipped with Fedora release of 17.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora release of 18. Please schedule an update.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL-6. Please schedule an update.
Created openstack-nova tracking bugs for this issue

Affects: fedora-18 [bug 963727]
Affects: epel-6 [bug 963728]
This issue has been addressed in following products:

Red Hat OpenStack 3.0 Snap 1

Via RHBA-2013-0878 https://rhn.redhat.com/errata/RHBA-2013-0878.html
Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in OpenStack 2.1 (Folsom). This issue is planned to be addressed in version OpenStack 3.0 (Grizzly). For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Upstream patches:
https://review.openstack.org/28717 (Havana)
https://review.openstack.org/28901 (Grizzly)
https://review.openstack.org/29192 (Folsom)

External References:
http://lists.openstack.org/pipermail/openstack-announce/2013-May/000102.html