Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 963462 - (CVE-2013-2096) CVE-2013-2096 OpenStack Nova: fails to verify image virtual size denial of service
CVE-2013-2096 OpenStack Nova: fails to verify image virtual size denial of se...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130516,repor...
: Security
Depends On: 963463 963470 963727 963728
Blocks: 963471
  Show dependency treegraph
 
Reported: 2013-05-15 16:24 EDT by Kurt Seifried
Modified: 2016-04-26 11:14 EDT (History)
30 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-09 20:51:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Kurt Seifried 2013-05-15 16:24:36 EDT 
Michael Still (mikal@stillhq.com) reports:

Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Products: Nova
Affects: All versions

Loganathan Parthipan publicly reported a vulnerability in Nova. Nova
did not implement checking for the virtual size of a qcow2 image used
as ephemeral storage for instances. It is therefore possible for a
user to create an image which has a large virtual size, but little
data. Once the instance is created, the user can then proceed to fill
the virtual disk, and consume all available disk on the host node file
system.

Havana (development branch) fix:
https://review.openstack.org/28717

Grizzly fix:
https://review.openstack.org/28901

Folsom fix:
https://review.openstack.org/29192

References:
https://bugs.launchpad.net/nova/+bug/1177830
Comment 3 Jan Lieskovsky 2013-05-16 08:55:50 EDT 
Public via:
  http://www.openwall.com/lists/oss-security/2013/05/16/7
Comment 4 Jan Lieskovsky 2013-05-16 09:30:21 EDT 
This issue did NOT affect the version of the openstack-nova package, as shipped with Fedora release of 17.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora release of 18. Please schedule an update.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL-6. Please schedule an update.
Comment 5 Jan Lieskovsky 2013-05-16 09:31:46 EDT 
Created openstack-nova tracking bugs for this issue

Affects: fedora-18 [bug 963727]
Affects: epel-6 [bug 963728]
Comment 6 Kurt Seifried 2013-06-10 15:23:46 EDT 
This issue has been addressed in following products:

  Red Hat OpenStack 3.0 Snap 1

Via RHBA-2013-0878 https://rhn.redhat.com/errata/RHBA-2013-0878.html
Comment 7 Kurt Seifried 2013-07-04 02:54:22 EDT 
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in OpenStack 2.1 (Folsom). This issue is planned to be addressed in version OpenStack 3.0 (Grizzly). For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.